From 5a29b92e1a6b961bf0c78f578f21c06d5c612fab Mon Sep 17 00:00:00 2001
From: June McEnroe
Date: Tue, 5 Nov 2024 20:06:51 -0500
Subject: Remove (in)ability to sign certificates with -A and -g

This broke quite a while ago due to changes in openssl(1) and it's kind of a bad way to do things anyway. Just remove it. This fixes -g, which was entirely broken.
---
 bounce.c | 57 +++++++++++++--------------------------------------------
 pounce.1 | 46 ++--------------------------------------------
 2 files changed, 15 insertions(+), 88 deletions(-)

diff --git a/bounce.c b/bounce.c
index 9ab0f1d..556c682 100644
--- a/bounce.c
+++ b/bounce.c
@@ -135,7 +135,7 @@ static struct timeval parseInterval(const char *str) {
 }
 
 static void hashPass(void);
-static void genCert(const char *path, const char *ca);
+static void genCert(const char *path);
 
 int main(int argc, char *argv[]) {
 	int error;
@@ -256,7 +256,7 @@ int main(int argc, char *argv[]) {
 		}
 	}
 	if (blindReq & CapUnsupported) errx(EX_USAGE, "unsupported capability");
-	if (genPath) genCert(genPath, caPath);
+	if (genPath) genCert(genPath);
 
 	if (bindPath[0]) {
 		struct stat st;
@@ -498,56 +498,25 @@ static void hashPass(void) {
 }
 #endif
 
-static void genReq(const char *path) {
-	const char *name = strrchr(path, '/');
-	name = (name ? &name[1] : path);
-	char subj[256];
-	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
-	execlp(
-		OPENSSL_BIN, "openssl", "req",
-		"-new", "-newkey", "rsa:4096", "-sha256", "-nodes",
-		"-subj", subj, "-keyout", path,
-		NULL
-	);
-	err(EX_UNAVAILABLE, "openssl");
-}
-
-static void redir(int dst, int src) {
-	int fd = dup2(src, dst);
-	if (fd < 0) err(EX_OSERR, "dup2");
-	close(src);
-}
-
-static void genCert(const char *path, const char *ca) {
-	int out = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
-	if (out < 0) err(EX_CANTCREAT, "%s", path);
-
+static void genCert(const char *path) {
 	int error;
+
 #ifdef __OpenBSD__
 	error = pledge("stdio proc exec", NULL);
 	if (error) err(EX_OSERR, "pledge");
 #endif
 
-	int rw[2];
-	error = pipe(rw);
-	if (error) err(EX_OSERR, "pipe");
-
-	pid_t pid = fork();
-	if (pid < 0) err(EX_OSERR, "fork");
-	if (!pid) {
-		close(rw[0]);
-		redir(STDOUT_FILENO, rw[1]);
-		genReq(path);
-	}
+	const char *name = strrchr(path, '/');
+	name = (name ? &name[1] : path);
+	char subj[256];
+	snprintf(subj, sizeof(subj), "/CN=%.*s", (int)strcspn(name, "."), name);
 
-	close(rw[1]);
-	redir(STDIN_FILENO, rw[0]);
-	redir(STDOUT_FILENO, out);
+	umask(0066);
 	execlp(
-		OPENSSL_BIN, "openssl", "x509",
-		"-req", "-days", "3650", "-CAcreateserial",
-		(ca ? "-CA" : "-signkey"), (ca ? ca : path),
+		OPENSSL_BIN, "openssl", "req",
+		"-x509", "-new", "-newkey", "rsa:4096", "-sha256", "-days", "3650",
+		"-nodes", "-subj", subj, "-out", path, "-keyout", path,
 		NULL
 	);
-	err(EX_UNAVAILABLE, "openssl");
+	err(127, "openssl");
 }
diff --git a/pounce.1 b/pounce.1
index e4919d2..ce54479 100644
--- a/pounce.1
+++ b/pounce.1
@@ -1,4 +1,4 @@
-.Dd July 16, 2023
+.Dd November 5, 2024
 .Dt POUNCE 1
 .Os
 .
@@ -45,7 +45,6 @@
 .Op Ar config ...
 .
 .Nm
-.Op Fl A Ar ca
 .Fl g Ar cert
 .
 .Nm
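Review bot: The pledge(2) promise set at `error = pledge("stdio proc exec", NULL);` still includes `proc`, yet this hunk removes the only fork() in genCert, so the remaining calls (umask, execlp) are covered by `stdio` and `exec` alone; tightening to `error = pledge("stdio exec", NULL);` keeps the sandbox minimal — pledge(2) documents `exec` as sufficient for a bare execve, but confirm on the target release. The `umask(0066)` line is the only thing standing in for the removed explicit `open(path, O_WRONLY | O_APPEND | O_CREAT, 0600)`; a comment such as `// key and cert share one file; have openssl create it mode 0600` would record why it is there and that umask does not tighten an already existing `path`. Also, `-out path` and `-keyout path` now name the same file; if that works only because openssl(1) handles the duplicate path specially, a comment noting that dependency would help the next maintainer.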
@@ -403,11 +402,6 @@ Generate a TLS client certificate using
 .Xr openssl 1
 and write it to
 .Ar path .
-The certificate is signed
-by the certificate authority if
-.Fl A
-is set,
-otherwise it is self-signed.
 .
 .It Fl o
 Print the server certificate chain
@@ -529,7 +523,7 @@ not to the server.
 .Ss Generating Client Certificates
 .Bl -enum
 .It
-Generate self-signed client certificates and private keys:
+Generate client certificates and private keys:
 .Bd -literal -offset indent
 $ pounce -g client1.pem
 $ pounce -g client2.pem
@@ -553,42 +547,6 @@ local-ca = auth.pem
 .Ed
 .El
 .
-.Pp
-Alternatively,
-client certificates can be signed
-by a generated certificate authority:
-.
-.Bl -enum
-.It
-Generate a self-signed certificate authority:
-.Bd -literal -offset indent
-$ pounce -g auth.pem
-.Ed
-.It
-Generate and sign client certificates
-using the CA:
-.Bd -literal -offset indent
-$ pounce -A auth.pem -g client1.pem
-$ pounce -A auth.pem -g client2.pem
-.Ed
-.It
-Since only the public key is needed
-for certificate verification,
-extract it from the CA:
-.Bd -literal -offset indent
-$ openssl x509 -in auth.pem -out ~/.config/pounce/auth.crt
-.Ed
-.It
-Configure
-.Nm
-to verify client certificates
-against the CA:
-.Bd -literal -offset indent
-local-ca = auth.crt
-# or: $ pounce -A auth.crt
-.Ed
-.El
-.
 .Ss Configuring CertFP
 .Bl -enum
 .It
-- 
cgit 1.4.1