author | 2016-09-01 12:17:00 +0000 | |
---|---|---|
committer | 2016-09-01 12:17:00 +0000 | |
commit | a8bb3d0cfc471b8af701e1abcbd864812b60cea3 (patch) | |
tree | 01b8a85f77e0ed9ddfb5c28e12f73137d3948954 /usr.sbin/acme-client/main.c | |
parent | sync (diff) | |
Implement table driven selection to which ACME authorities we can
talk.
Suggested by and OK deraadt, OK benno.
(Later on deraadt and benno discussed if this should be handled with a
config file. This seems to be good enough for now. We can do a config
file later.)
Diffstat (limited to 'usr.sbin/acme-client/main.c')
-rw-r--r-- | usr.sbin/acme-client/main.c | 38 |
1 files changed, 29 insertions, 9 deletions
diff --git a/usr.sbin/acme-client/main.c b/usr.sbin/acme-client/main.c
index c390ba103d9..a690f0467a7 100644
--- a/usr.sbin/acme-client/main.c
+++ b/usr.sbin/acme-client/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.8 2016/09/01 00:35:22 florian Exp $ */
+/* $Id: main.c,v 1.9 2016/09/01 12:17:00 florian Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@@ -27,14 +27,22 @@
 #include "extern.h"
-#define AGREEMENT "https://letsencrypt.org" \
- "/documents/LE-SA-v1.1.1-August-1-2016.pdf"
 #define SSL_DIR "/etc/ssl/acme"
 #define SSL_PRIV_DIR "/etc/ssl/acme/private"
 #define ETC_DIR "/etc/acme"
 #define WWW_DIR "/var/www/acme"
 #define PRIVKEY_FILE "privkey.pem"
+struct authority authorities[] = {
+#define DEFAULT_AUTHORITY 0
+ {"letsencrypt",
+ "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
+ "https://acme-v01.api.letsencrypt.org/directory"},
+ {"letsencrypt-staging",
+ "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
+ "https://acme-staging.api.letsencrypt.org/directory"},
+};
+
 /*
 * This isn't RFC1035 compliant, but does the bare minimum in making
 * sure that we don't get bogus domain names on the command line, which
@@ -80,7 +88,7 @@ main(int argc, char *argv[])
 rvk_fds[2];
 pid_t pids[COMP__MAX];
 int c, rc, newacct, remote, revocate, force,
- staging, multidir, newkey, backup;
+ multidir, newkey, backup, authority;
 extern int verbose;
 extern enum comp proccomp;
 size_t i, altsz, ne;
@@ -88,11 +96,12 @@ main(int argc, char *argv[])
 alts = NULL;
 newacct = remote = revocate = verbose = force =
- multidir = staging = newkey = backup = 0;
+ multidir = newkey = backup = 0;
+ authority = DEFAULT_AUTHORITY;
 certdir = keyfile = acctkey = chngdir = NULL;
- agreement = AGREEMENT;
+ agreement = NULL;
- while (-1 != (c = getopt(argc, argv, "bFmnNrstva:f:c:C:k:")))
+ while (-1 != (c = getopt(argc, argv, "bFmnNrs:tva:f:c:C:k:")))
 switch (c) {
 case ('a'):
 agreement = optarg;
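Review bot: The new `authorities[]` table in the second hunk is a writable global with external linkage, yet its third column is the directory URL that decides which ACME endpoint the client will talk to; declaring it `const struct authority authorities[]` places it in read-only data and makes any accidental write a compile error instead of a silent change of CA. It should also be `static` unless netproc reaches it through extern.h, which is not part of this diff, so I cannot tell. Placing `#define DEFAULT_AUTHORITY 0` inside the initializer list is legal but easy to overlook; moving it above the array next to the other `#define`s reads more naturally. Both rows repeat the same agreement URL literal, so a shared `#define LE_AGREEMENT "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"` used by both rows would keep the production and staging entries from drifting apart on a future update.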
@@ -136,7 +145,15 @@ main(int argc, char *argv[])
 revocate = 1;
 break;
 case ('s'):
- staging = 1;
+ authority = -1;
+ for (i = 0; i < nitems(authorities); i++) {
+ if (strcmp(authorities[i].name, optarg) == 0) {
+ authority = i;
+ break;
+ }
+ }
+ if (-1 == authority)
+ errx(EXIT_FAILURE, "unknown acme authority");
 break;
 case ('t'):
 /*
@@ -152,6 +169,9 @@ main(int argc, char *argv[])
 goto usage;
 }
+ if (NULL == agreement)
+ agreement = authorities[authority].agreement;
+
 argc -= optind;
 argv += optind;
 if (0 == argc)
@@ -287,7 +307,7 @@ main(int argc, char *argv[])
 c = netproc(key_fds[1], acct_fds[1], chng_fds[1],
 cert_fds[1], dns_fds[1], rvk_fds[1],
- newacct, revocate, staging,
+ newacct, revocate, authority,
 (const char *const *)alts, altsz, agreement);
 free(alts); |
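Review bot: In the `-s` handler, `authority = i;` stores a `size_t` loop index into the `int authority`, and the same variable doubles as the `-1` not-found sentinel; an explicit `authority = (int)i;` makes the narrowing deliberate (the table has two rows, so it cannot overflow today, but the mixed signedness will trip `-Wconversion`). The rejection message names no value, so a typo in the authority name leaves the operator guessing; `errx(EXIT_FAILURE, "unknown acme authority: %s", optarg);` reports it without changing the exit path, and the format stays a literal. The usage text for `-s`, which now takes an argument, is outside the hunk, so I cannot check that it was updated. main() begins and ends outside this hunk.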