authorsthen <sthen@openbsd.org>2017-01-31 21:35:07 +0000
committersthen <sthen@openbsd.org>2017-01-31 21:35:07 +0000
commit37c7452d0764061425a826bd672547ae520c213b (patch)
treefa8bd68263adc03d618e5526affa4d37d038f0d0
parentDon't include a literal "%" in the value for humidity sensorValue in (diff)
Teach ikectl to include extensions in the CSR, rather than just adding them
when signing the certificates with the local CA. This can make things easier if you want to take a CSR from ikectl to another CA for signing, since CAs often copy extensions from the request. ok reyk@
-rw-r--r--usr.sbin/ikectl/ikeca.c40
-rw-r--r--usr.sbin/ikectl/ikeca.cnf3
2 files changed, 27 insertions, 16 deletions
diff --git a/usr.sbin/ikectl/ikeca.c b/usr.sbin/ikectl/ikeca.c
index 401771560e9..2f1144bce81 100644
--- a/usr.sbin/ikectl/ikeca.c
+++ b/usr.sbin/ikectl/ikeca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikeca.c,v 1.40 2015/11/02 12:21:27 jsg Exp $ */
+/* $OpenBSD: ikeca.c,v 1.41 2017/01/31 21:35:07 sthen Exp $ */
/*
* Copyright (c) 2010 Jonathan Gray <jsg@openbsd.org>
@@ -101,11 +101,12 @@ const char *ca_env[][2] = {
{ "$ENV::CERT_ST", NULL },
{ "$ENV::EXTCERTUSAGE", NULL },
{ "$ENV::NSCERTTYPE", NULL },
+ { "$ENV::REQ_EXT", NULL },
{ NULL }
};
int ca_sign(struct ca *, char *, int);
-int ca_request(struct ca *, char *);
+int ca_request(struct ca *, char *, int);
void ca_newpass(char *, char *);
char *ca_readpass(char *, size_t *);
int fcopy(char *, char *, mode_t);
@@ -198,12 +199,32 @@ ca_delkey(struct ca *ca, char *keyname)
}
int
-ca_request(struct ca *ca, char *keyname)
+ca_request(struct ca *ca, char *keyname, int type)
{
char cmd[PATH_MAX * 2];
+ char hostname[HOST_NAME_MAX+1];
+ char name[128];
char path[PATH_MAX];
ca_setenv("$ENV::CERT_CN", keyname);
+
+ strlcpy(name, keyname, sizeof(name));
+
+ if (type == HOST_IPADDR) {
+ ca_setenv("$ENV::CERTIP", name);
+ ca_setenv("$ENV::REQ_EXT", "x509v3_IPAddr");
+ } else if (type == HOST_FQDN) {
+ if (!strcmp(keyname, "local")) {
+ if (gethostname(hostname, sizeof(hostname)))
+ err(1, "gethostname");
+ strlcpy(name, hostname, sizeof(name));
+ }
+ ca_setenv("$ENV::CERTFQDN", name);
+ ca_setenv("$ENV::REQ_EXT", "x509v3_FQDN");
+ } else {
+ errx(1, "unknown host type %d", type);
+ }
+
ca_setcnf(ca, keyname);
snprintf(path, sizeof(path), "%s/private/%s.csr", ca->sslpath, keyname);
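Review bot: The two `strlcpy` calls into `name[128]` (the keyname copy and the gethostname copy) discard the return value, so a key name or hostname of 128 bytes or more is silently truncated before it is exported as CERTIP/CERTFQDN and ends up in the CSR's subjectAltName, where it will no longer match the CN set from the full keyname two lines earlier. Since HOST_NAME_MAX+1 is larger than 128 the hostname copy in particular can truncate; checking the result and failing loudly is the usual fix: `if (strlcpy(name, keyname, sizeof(name)) >= sizeof(name)) errx(1, "key name too long");` and the same check on the hostname copy. This code was moved here from ca_sign rather than introduced, but this is now the only place the SAN value is produced, so it is worth hardening here. ca_request's body continues past the end of this hunk.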
@@ -222,22 +243,11 @@ int
ca_sign(struct ca *ca, char *keyname, int type)
{
char cmd[PATH_MAX * 2];
- char hostname[HOST_NAME_MAX+1];
- char name[128];
const char *extensions = NULL;
- strlcpy(name, keyname, sizeof(name));
-
if (type == HOST_IPADDR) {
- ca_setenv("$ENV::CERTIP", name);
extensions = "x509v3_IPAddr";
} else if (type == HOST_FQDN) {
- if (!strcmp(keyname, "local")) {
- if (gethostname(hostname, sizeof(hostname)))
- err(1, "gethostname");
- strlcpy(name, hostname, sizeof(name));
- }
- ca_setenv("$ENV::CERTFQDN", name);
extensions = "x509v3_FQDN";
} else {
errx(1, "unknown host type %d", type);
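Review bot: After this change ca_sign no longer exports CERTIP/CERTFQDN itself, so the `x509v3_IPAddr`/`x509v3_FQDN` sections it selects via `extensions` only work if ca_request already ran in this process and set those variables; the only caller visible here (ca_certificate) does call both in sequence, but that coupling is now invisible from ca_sign. A short comment above the `if (type == HOST_IPADDR)` line would make it explicit, e.g. `/* CERTIP/CERTFQDN for the extension sections are exported by ca_request(), which must run first. */`. The `unknown host type` dispatch is now duplicated between ca_request and ca_sign as well; a small helper returning the extension section name for a type would keep them from drifting. ca_sign's body continues past the end of this hunk.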
@@ -294,7 +304,7 @@ ca_certificate(struct ca *ca, char *keyname, int type, int action)
}
ca_key_create(ca, keyname);
- ca_request(ca, keyname);
+ ca_request(ca, keyname, type);
ca_sign(ca, keyname, type);
return (0);
diff --git a/usr.sbin/ikectl/ikeca.cnf b/usr.sbin/ikectl/ikeca.cnf
index e884090b442..47207ac7df0 100644
--- a/usr.sbin/ikectl/ikeca.cnf
+++ b/usr.sbin/ikectl/ikeca.cnf
@@ -1,4 +1,4 @@
-# $OpenBSD: ikeca.cnf,v 1.8 2015/11/02 12:21:27 jsg Exp $
+# $OpenBSD: ikeca.cnf,v 1.9 2017/01/31 21:35:07 sthen Exp $
CERT_C = DE
CERT_ST = Lower Saxony
@@ -24,6 +24,7 @@ NSCERTTYPE = server,client
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
#attributes = req_attributes
+req_extensions = $ENV::REQ_EXT
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
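Review bot: `req_extensions = $ENV::REQ_EXT` makes every `openssl req` run that reads this config depend on REQ_EXT being exported; the C side only sets it in ca_request, and its ca_env default is NULL, so if any other request path (for example creating the CA's own certificate, which is outside this diff) uses the same [ req ] section, openssl will, as far as I recall, refuse the config with a "variable has no value" error rather than fall back to no extensions. If that path exists, a fallback default for REQ_EXT near the CERT_* defaults at the top of the file, or a comment on this line noting that ikectl always exports it, would make the contract clear. I cannot see the other invocations from here, so please confirm against the rest of ikeca.c.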