-rw-r--r--bounce.c57
-rw-r--r--pounce.146
2 files changed, 15 insertions, 88 deletions
diff --git a/bounce.c b/bounce.c
index 9ab0f1d..556c682 100644
--- a/bounce.c
+++ b/bounce.c
@@ -135,7 +135,7 @@ static struct timeval parseInterval(const char *str) {
 }
 
 static void hashPass(void);
-static void genCert(const char *path, const char *ca);
+static void genCert(const char *path);
 
 int main(int argc, char *argv[]) {
 	int error;
@@ -256,7 +256,7 @@ int main(int argc, char *argv[]) {
 		}
 	}
 	if (blindReq & CapUnsupported) errx(EX_USAGE, "unsupported capability");
-	if (genPath) genCert(genPath, caPath);
+	if (genPath) genCert(genPath);
 
 	if (bindPath[0]) {
 		struct stat st;
@@ -498,56 +498,25 @@ static void hashPass(void) {
 }
 #endif
 
-static void genReq(const char *path) {
-	const char *name = strrchr(path, '/');
-	name = (name ? &name[1] : path);
-	char subj[256];
-	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
-	execlp(
-		OPENSSL_BIN, "openssl", "req",
-		"-new", "-newkey", "rsa:4096", "-sha256", "-nodes",
-		"-subj", subj, "-keyout", path,
-		NULL
-	);
-	err(EX_UNAVAILABLE, "openssl");
-}
-
-static void redir(int dst, int src) {
-	int fd = dup2(src, dst);
-	if (fd < 0) err(EX_OSERR, "dup2");
-	close(src);
-}
-
-static void genCert(const char *path, const char *ca) {
-	int out = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
-	if (out < 0) err(EX_CANTCREAT, "%s", path);
-
+static void genCert(const char *path) {
 	int error;
+
 #ifdef __OpenBSD__
 	error = pledge("stdio proc exec", NULL);
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-	int rw[2];
-	error = pipe(rw);
-	if (error) err(EX_OSERR, "pipe");
-
-	pid_t pid = fork();
-	if (pid < 0) err(EX_OSERR, "fork");
-	if (!pid) {
-		close(rw[0]);
-		redir(STDOUT_FILENO, rw[1]);
-		genReq(path);
-	}
+	const char *name = strrchr(path, '/');
+	name = (name ? &name[1] : path);
+	char subj[256];
+	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
 
-	close(rw[1]);
-	redir(STDIN_FILENO, rw[0]);
-	redir(STDOUT_FILENO, out);
+	umask(0066);
 	execlp(
-		OPENSSL_BIN, "openssl", "x509",
-		"-req", "-days", "3650", "-CAcreateserial",
-		(ca ? "-CA" : "-signkey"), (ca ? ca : path),
+		OPENSSL_BIN, "openssl", "req",
+		"-x509", "-new", "-newkey", "rsa:4096", "-sha256", "-days", "3650",
+		"-nodes", "-subj", subj, "-out", path, "-keyout", path,
 		NULL
 	);
-	err(EX_UNAVAILABLE, "openssl");
+	err(127, "openssl");
 }
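Review bot: The new execlp passes the same `path` to both `-out` and `-keyout`, so the file ends up holding key plus certificate only if `openssl req` opens the certificate output in append mode when the two names are equal; OpenSSL has done that since 1.1 as far as I recall, but it is worth confirming for whatever build OPENSSL_BIN points at (LibreSSL in particular), because a plain truncating open would leave `path` with the certificate and no key. The pledge a few lines above still requests `proc` although the fork/pipe path is removed in this hunk; `error = pledge("stdio exec", NULL);` looks like the narrower set, assuming umask falls under stdio — verify against pledge(2). The `umask(0066)` only governs files openssl creates, so a pre-existing `path` keeps whatever mode it already had, the same as the old `open(..., 0600)`; a comment such as `/* new key+cert file is created 0600; umask does not change an existing file */` would record that. The prototype change in the first hunk and the call site in the second are consistent with this body.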
diff --git a/pounce.1 b/pounce.1
index e4919d2..ce54479 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd July 16, 2023
+.Dd November  5, 2024
 .Dt POUNCE 1
 .Os
 .
@@ -45,7 +45,6 @@
 .Op Ar config ...
 .
 .Nm
-.Op Fl A Ar ca
 .Fl g Ar cert
 .
 .Nm
@@ -403,11 +402,6 @@ Generate a TLS client certificate using
 .Xr openssl 1
 and write it to
 .Ar path .
-The certificate is signed
-by the certificate authority if
-.Fl A
-is set,
-otherwise it is self-signed.
 .
 .It Fl o
 Print the server certificate chain
@@ -529,7 +523,7 @@ not to the server.
 .Ss Generating Client Certificates
 .Bl -enum
 .It
-Generate self-signed client certificates and private keys:
+Generate client certificates and private keys:
 .Bd -literal -offset indent
 $ pounce -g client1.pem
 $ pounce -g client2.pem
@@ -553,42 +547,6 @@ local-ca = auth.pem
 .Ed
 .El
 .
-.Pp
-Alternatively,
-client certificates can be signed
-by a generated certificate authority:
-.
-.Bl -enum
-.It
-Generate a self-signed certificate authority:
-.Bd -literal -offset indent
-$ pounce -g auth.pem
-.Ed
-.It
-Generate and sign client certificates
-using the CA:
-.Bd -literal -offset indent
-$ pounce -A auth.pem -g client1.pem
-$ pounce -A auth.pem -g client2.pem
-.Ed
-.It
-Since only the public key is needed
-for certificate verification,
-extract it from the CA:
-.Bd -literal -offset indent
-$ openssl x509 -in auth.pem -out ~/.config/pounce/auth.crt
-.Ed
-.It
-Configure
-.Nm
-to verify client certificates
-against the CA:
-.Bd -literal -offset indent
-local-ca = auth.crt
-# or: $ pounce -A auth.crt
-.Ed
-.El
-.
 .Ss Configuring CertFP
 .Bl -enum
 .It