forked from mirrors/kore
small acme fixes.
- don't create the NID for the acme extension several times - add missing pledges for openbsd keymgr (it will write+create files)
This commit is contained in:
parent
c78535aa5d
commit
bb39643b48
23
src/keymgr.c
23
src/keymgr.c
|
@ -168,6 +168,9 @@ static int acmeproc_ready = 0;
|
|||
/* Renewal timer for all domains under acme control. */
|
||||
static struct kore_timer *acme_renewal = NULL;
|
||||
|
||||
/* oid for acme extension. */
|
||||
static int acme_oid = -1;
|
||||
|
||||
struct acme_order {
|
||||
int state;
|
||||
struct kore_timer *timer;
|
||||
|
@ -226,6 +229,12 @@ int keymgr_active = 0;
|
|||
char *keymgr_root_path = NULL;
|
||||
char *keymgr_runas_user = NULL;
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
static const char *keymgr_pledges = "stdio rpath wpath cpath";
|
||||
#else
|
||||
static const char *keymgr_pledges = "stdio rpath";
|
||||
#endif
|
||||
|
||||
void
|
||||
kore_keymgr_run(void)
|
||||
{
|
||||
|
@ -278,10 +287,15 @@ kore_keymgr_run(void)
|
|||
keymgr_reload();
|
||||
|
||||
#if defined(__OpenBSD__)
|
||||
if (pledge("stdio rpath", NULL) == -1)
|
||||
if (pledge(keymgr_pledges, NULL) == -1)
|
||||
fatalx("failed to pledge keymgr process");
|
||||
#endif
|
||||
|
||||
#if defined(KORE_USE_ACME)
|
||||
acme_oid = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
|
||||
X509V3_EXT_add_alias(acme_oid, NID_subject_key_identifier);
|
||||
#endif
|
||||
|
||||
while (quit != 1) {
|
||||
now = kore_time_ms();
|
||||
if ((now - last_seed) > RAND_POLL_INTERVAL) {
|
||||
|
@ -1059,8 +1073,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
|
|||
X509_NAME *name;
|
||||
X509 *x509;
|
||||
const u_int8_t *digest;
|
||||
int slen, i;
|
||||
u_int8_t *cert, *uptr;
|
||||
int slen, acme, i;
|
||||
char hex[(SHA256_DIGEST_LENGTH * 2) + 1];
|
||||
|
||||
kore_log(LOG_INFO, "[%s] generating tls-alpn-01 challenge cert",
|
||||
|
@ -1107,11 +1121,8 @@ keymgr_acme_challenge_cert(const void *data, size_t len, struct key *key)
|
|||
if (!X509_set_issuer_name(x509, name))
|
||||
fatalx("X509_set_issuer_name(): %s", ssl_errno_s);
|
||||
|
||||
acme = OBJ_create(ACME_TLS_ALPN_01_OID, "acme", "acmeIdentifier");
|
||||
X509V3_EXT_add_alias(acme, NID_subject_key_identifier);
|
||||
|
||||
sk = sk_X509_EXTENSION_new_null();
|
||||
keymgr_x509_ext(sk, acme, "critical,%s", hex);
|
||||
keymgr_x509_ext(sk, acme_oid, "critical,%s", hex);
|
||||
keymgr_x509_ext(sk, NID_subject_alt_name, "DNS:%s", key->dom->domain);
|
||||
|
||||
for (i = 0; i < sk_X509_EXTENSION_num(sk); i++) {
|
||||
|
|
Loading…
Reference in New Issue