author | 2017-01-21 08:54:26 +0000 | |
---|---|---|
committer | 2017-01-21 08:54:26 +0000 | |
commit | 62492c74b37699a86b6a85e958c42ad554f30687 (patch) | |
tree | b58e0f83a02713504d03a3c2849ec32e9fda2d8d | |
parent | Add Allwinner A64 devices to OpenBSD/arm64. This means we can run (diff) | |
Split certificate file from config file into certdir and certfile.
This way we can still chroot to certdir but the certificate file
is not fixed to "cert.pem".
Writing of chain.pem and fullchain.pem is currently broken with this.
OK benno
-rw-r--r-- | usr.sbin/acme-client/extern.h | 14 | ||||
-rw-r--r-- | usr.sbin/acme-client/fileproc.c | 91 | ||||
-rw-r--r-- | usr.sbin/acme-client/main.c | 23 | ||||
-rw-r--r-- | usr.sbin/acme-client/revokeproc.c | 28 |
4 files changed, 98 insertions, 58 deletions
diff --git a/usr.sbin/acme-client/extern.h b/usr.sbin/acme-client/extern.h
index f7a27abb1a3..18e53ddd112 100644
--- a/usr.sbin/acme-client/extern.h
+++ b/usr.sbin/acme-client/extern.h
@@ -1,4 +1,4 @@
-/* $Id: extern.h,v 1.7 2017/01/21 08:52:30 florian Exp $ */
+/* $Id: extern.h,v 1.8 2017/01/21 08:54:26 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -21,13 +21,6 @@
 #define MAX_SERVERS_DNS 8
-#define CERT_PEM "cert.pem"
-#define CERT_BAK "cert.pem~"
-#define CHAIN_PEM "chain.pem"
-#define CHAIN_BAK "chain.pem~"
-#define FCHAIN_PEM "fullchain.pem"
-#define FCHAIN_BAK "fullchain.pem~"
-
 #ifndef nitems
 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
 #endif
@@ -183,9 +176,10 @@ int acctproc(int, const char *, int);
 int certproc(int, int);
 int chngproc(int, const char *);
 int dnsproc(int);
-int revokeproc(int, const char *,
+int revokeproc(int, const char *, const char *,
 int, int, const char *const *, size_t);
-int fileproc(int, const char *);
+int fileproc(int, const char *, const char *, const char *,
+ const char *);
 int keyproc(int, const char *, const char **, size_t, int);
 int netproc(int, int, int, int, int, int, int, int,
diff --git a/usr.sbin/acme-client/fileproc.c b/usr.sbin/acme-client/fileproc.c
index ee8bc1103a5..918ca4a6f8d 100644
--- a/usr.sbin/acme-client/fileproc.c
+++ b/usr.sbin/acme-client/fileproc.c
@@ -1,4 +1,4 @@
-/* $Id: fileproc.c,v 1.8 2017/01/21 08:53:10 florian Exp $ */
+/* $Id: fileproc.c,v 1.9 2017/01/21 08:54:26 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -61,9 +61,12 @@ serialise(const char *tmp, const char *real,
 }
 int
-fileproc(int certsock, const char *certdir)
+fileproc(int certsock, const char *certdir, const char *certfile, const char
+ *chainfile, const char *fullchainfile)
 {
 char *csr = NULL, *ch = NULL;
+ char *certfile_bak = NULL, *chainfile_bak = NULL;
+ char *fullchainfile_bak = NULL;
 size_t chsz, csz;
 int rc = 0;
 long lval;
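Review bot: The new fileproc signature takes three file names but nothing at the definition says which of them may be NULL, and the visible hunks treat them differently: chainfile and fullchainfile are guarded everywhere they are used, while certfile is formatted and passed to serialise() unconditionally on the write path yet guarded in the FILE_REMOVE branch. A header comment above `fileproc(int certsock, const char *certdir, ...)` should state that certfile is required, that chainfile and fullchainfile may be NULL to mean "neither written nor removed", and that all three are bare names resolved relative to the process's working directory — in these hunks certdir appears only in warn()/dodbg() messages, so presumably the process has already confined itself to certdir as the commit message says. The body of fileproc continues past the end of this hunk.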
@@ -112,23 +115,30 @@ fileproc(int certsock, const char *certdir)
 */
 if (FILE_REMOVE == op) {
- if (-1 == unlink(CERT_PEM) && ENOENT != errno) {
- warn("%s/%s", certdir, CERT_PEM);
- goto out;
- } else
- dodbg("%s/%s: unlinked", certdir, CERT_PEM);
-
- if (-1 == unlink(CHAIN_PEM) && ENOENT != errno) {
- warn("%s/%s", certdir, CHAIN_PEM);
- goto out;
- } else
- dodbg("%s/%s: unlinked", certdir, CHAIN_PEM);
-
- if (-1 == unlink(FCHAIN_PEM) && ENOENT != errno) {
- warn("%s/%s", certdir, FCHAIN_PEM);
- goto out;
- } else
- dodbg("%s/%s: unlinked", certdir, FCHAIN_PEM);
+ if (certfile) {
+ if (-1 == unlink(certfile) && ENOENT != errno) {
+ warn("%s/%s", certdir, certfile);
+ goto out;
+ } else
+ dodbg("%s/%s: unlinked", certdir, certfile);
+ }
+
+ if (chainfile) {
+ if (-1 == unlink(chainfile) && ENOENT != errno) {
+ warn("%s/%s", certdir, chainfile);
+ goto out;
+ } else
+ dodbg("%s/%s: unlinked", certdir, chainfile);
+ }
+
+ if (fullchainfile) {
+ if (-1 == unlink(fullchainfile) && ENOENT != errno) {
+ warn("%s/%s", certdir, fullchainfile);
+ goto out;
+ } else
+ dodbg("%s/%s: unlinked", certdir,
+ fullchainfile);
+ }
 rc = 2;
 goto out;
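Review bot: The `if (certfile)` guard added to the FILE_REMOVE branch implies certfile may be NULL, but the write path of the same function later does `asprintf(&certfile_bak, "%s~", certfile)` and `serialise(certfile_bak, certfile, ...)` with no check, and main.c only ever passes a strdup'd, non-NULL name. As written a NULL certfile would be silently skipped on removal but reach a `%s` conversion with a NULL pointer on the write path, so the two paths should agree. Either drop the guard, or reject NULL once at the top of fileproc with `if (certfile == NULL) { warnx("no certificate file name"); goto out; }`, which reuses the existing `out:` cleanup. The enclosing function starts and ends outside this hunk.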
@@ -141,12 +151,32 @@ fileproc(int certsock, const char *certdir)
 * Once downloaded, dump it into CHAIN_BAK.
 */
- if (NULL == (ch = readbuf(certsock, COMM_CHAIN, &chsz)))
+ if (asprintf(&certfile_bak, "%s~", certfile) == -1) {
+ warn("asprintf");
 goto out;
- if (!serialise(CHAIN_BAK, CHAIN_PEM, ch, chsz, NULL, 0))
+ }
+
+ if (chainfile)
+ if (asprintf(&chainfile_bak, "%s~", chainfile) == -1) {
+ warn("asprintf");
+ goto out;
+ }
+
+ if (fullchainfile)
+ if (asprintf(&fullchainfile_bak, "%s~", fullchainfile) == -1) {
+ warn("asprintf");
+ goto out;
+ }
+
+ if (NULL == (ch = readbuf(certsock, COMM_CHAIN, &chsz)))
 goto out;
- dodbg("%s/%s: created", certdir, CHAIN_PEM);
+ if (chainfile) {
+ if (!serialise(chainfile_bak, chainfile, ch, chsz, NULL, 0))
+ goto out;
+
+ dodbg("%s/%s: created", certdir, chainfile);
+ }
 /*
 * Next, wait until we receive the DER encoded (signed)
@@ -157,10 +187,10 @@ fileproc(int certsock, const char *certdir)
 if (NULL == (csr = readbuf(certsock, COMM_CSR, &csz)))
 goto out;
- if (!serialise(CERT_BAK, CERT_PEM, csr, csz, NULL, 0))
+ if (!serialise(certfile_bak, certfile, csr, csz, NULL, 0))
 goto out;
- dodbg("%s/%s: created", certdir, CERT_PEM);
+ dodbg("%s/%s: created", certdir, certfile);
 /*
 * Finally, create the full-chain file.
@@ -168,16 +198,21 @@ fileproc(int certsock, const char *certdir)
 * We return the special error code 2 to indicate that the
 * on-file certificates were changed.
 */
+ if (fullchainfile) {
+ if (!serialise(fullchainfile_bak, fullchainfile, csr, csz, ch,
+ chsz))
+ goto out;
- if (!serialise(FCHAIN_BAK, FCHAIN_PEM, csr, csz, ch, chsz))
- goto out;
-
- dodbg("%s/%s: created", certdir, FCHAIN_PEM);
+ dodbg("%s/%s: created", certdir, fullchainfile);
+ }
 rc = 2;
 out:
 close(certsock);
 free(csr);
 free(ch);
+ free(certfile_bak);
+ free(chainfile_bak);
+ free(fullchainfile_bak);
 return (rc);
 }
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index b831f7085d1..b67aea8cf0a 100644
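Review bot: The context comment "Once downloaded, dump it into CHAIN_BAK." now refers to a macro this commit deletes, and the new code in front of it does something the comment does not describe: it builds the three "~" backup names first and then always consumes the chain from certsock, writing it out only when chainfile is set. The unconditional `readbuf(certsock, COMM_CHAIN, &chsz)` is presumably needed to keep the socket protocol in step with the peer regardless of which files were requested, which is exactly the kind of thing a future reader will otherwise "fix". I would replace the stale sentence with `/* Build the "~" backup names, then read the chain. The chain is always read from certsock (even with chainfile == NULL, to stay in step with the sender) but only written out when a chainfile was given. */`. The enclosing function starts before this hunk.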
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.23 2017/01/21 08:52:30 florian Exp $ */
+/* $Id: main.c,v 1.24 2017/01/21 08:54:26 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -19,6 +19,7 @@
 #include <ctype.h>
 #include <err.h>
+#include <libgen.h>
 #include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -35,8 +36,8 @@ int
 main(int argc, char *argv[])
 {
 const char **alts = NULL;
- char *certdir = NULL, *acctkey = NULL, *chngdir = NULL;
- char *auth = NULL, *agreement = NULL;
+ char *certdir = NULL, *certfile = NULL, *acctkey = NULL;
+ char *chngdir = NULL, *auth = NULL, *agreement = NULL;
 char *conffile = CONF_FILE;
 int key_fds[2], acct_fds[2], chng_fds[2], cert_fds[2];
 int file_fds[2], dns_fds[2], rvk_fds[2];
@@ -105,7 +106,17 @@ main(int argc, char *argv[])
 * specified them on the command-line.
 */
- certdir = domain->cert;
+ if ((certdir = dirname(domain->cert)) != NULL) {
+ if ((certdir = strdup(certdir)) == NULL)
+ err(EXIT_FAILURE, "strdup");
+ } else
+ err(EXIT_FAILURE, "dirname");
+
+ if ((certfile = basename(domain->cert)) != NULL) {
+ if ((certfile = strdup(certfile)) == NULL)
+ err(EXIT_FAILURE, "strdup");
+ } else
+ err(EXIT_FAILURE, "basename");
 if ((auth = domain->auth) == NULL) {
 /* use the first authority from the config as default XXX */
@@ -325,7 +336,7 @@ main(int argc, char *argv[])
 free(alts);
 close(dns_fds[0]);
 close(rvk_fds[0]);
- c = fileproc(file_fds[1], certdir);
+ c = fileproc(file_fds[1], certdir, certfile, NULL, NULL);
 /*
 * This is different from the other processes in that it
 * can return 2 if the certificates were updated.
@@ -357,7 +368,7 @@ main(int argc, char *argv[])
 if (0 == pids[COMP_REVOKE]) {
 proccomp = COMP_REVOKE;
- c = revokeproc(rvk_fds[0], certdir, force, revocate,
+ c = revokeproc(rvk_fds[0], certdir, certfile, force, revocate,
 (const char *const *)alts, altsz);
 free(alts);
 exit(c ? EXIT_SUCCESS : EXIT_FAILURE);
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index f137cba6bf3..e0d0a0c7d28 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.8 2016/09/13 17:13:37 deraadt Exp $ */
+/* $Id: revokeproc.c,v 1.9 2017/01/21 08:54:26 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -91,8 +91,8 @@ X509expires(X509 *x)
 }
 int
-revokeproc(int fd, const char *certdir, int force, int revocate,
- const char *const *alts, size_t altsz)
+revokeproc(int fd, const char *certdir, const char *certfile, int force,
+ int revocate, const char *const *alts, size_t altsz)
 {
 char *path = NULL, *der = NULL, *dercp, *der64 = NULL;
 char *san = NULL, *str, *tok;
@@ -114,7 +114,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 * We allow "f" to be NULL IFF the cert doesn't exist yet.
 */
- if (-1 == asprintf(&path, "%s/%s", certdir, CERT_PEM)) {
+ if (-1 == asprintf(&path, "%s/%s", certdir, certfile)) {
 warn("asprintf");
 goto out;
 } else if (NULL == (f = fopen(path, "r")) && ENOENT != errno) {
@@ -140,7 +140,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 */
 if (NULL == f && revocate) {
- warnx("%s/%s: no certificate found", certdir, CERT_PEM);
+ warnx("%s/%s: no certificate found", certdir, certfile);
 (void)writeop(fd, COMM_REVOKE_RESP, REVOKE_OK);
 goto out;
 } else if (NULL == f && ! revocate) {
@@ -181,7 +181,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 continue;
 if (NULL != san) {
- warnx("%s/%s: two SAN entries", certdir, CERT_PEM);
+ warnx("%s/%s: two SAN entries", certdir, certfile);
 goto out;
 }
@@ -204,7 +204,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 }
 if (NULL == san) {
- warnx("%s/%s: does not have a SAN entry", certdir, CERT_PEM);
+ warnx("%s/%s: does not have a SAN entry", certdir, certfile);
 goto out;
 }
@@ -234,12 +234,12 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 break;
 if (j == altsz) {
 warnx("%s/%s: unknown SAN entry: %s",
- certdir, CERT_PEM, tok);
+ certdir, certfile, tok);
 goto out;
 }
 if (found[j]++) {
 warnx("%s/%s: duplicate SAN entry: %s",
- certdir, CERT_PEM, tok);
+ certdir, certfile, tok);
 goto out;
 }
 }
@@ -248,7 +248,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 if (found[j])
 continue;
 warnx("%s/%s: domain not listed: %s",
- certdir, CERT_PEM, alts[j]);
+ certdir, certfile, alts[j]);
 goto out;
 }
@@ -259,7 +259,7 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 */
 if (revocate) {
- dodbg("%s/%s: revocation", certdir, CERT_PEM);
+ dodbg("%s/%s: revocation", certdir, certfile);
 /*
 * First, tell netproc we're online.
@@ -294,15 +294,15 @@ revokeproc(int fd, const char *certdir, int force, int revocate,
 if (REVOKE_EXP == rop)
 dodbg("%s/%s: certificate renewable: %lld days left",
- certdir, CERT_PEM,
+ certdir, certfile,
 (long long)(t - time(NULL)) / 24 / 60 / 60);
 else
 dodbg("%s/%s: certificate valid: %lld days left",
- certdir, CERT_PEM,
+ certdir, certfile,
 (long long)(t - time(NULL)) / 24 / 60 / 60);
 if (REVOKE_OK == rop && force) {
- warnx("%s/%s: forcing renewal", certdir, CERT_PEM);
+ warnx("%s/%s: forcing renewal", certdir, certfile);
 rop = REVOKE_EXP;
 } |