Some older versions of openssl x509 lack the -ext option.
... | ... |
@@ -48,9 +48,32 @@ function x509_prop { |
48 | 48 |
} |
49 | 49 |
|
50 | 50 |
function x509_prop_ext { |
51 |
+ # Does openssl support the -ext option? |
|
52 |
+ if [ -z "${openssl_ext_support}" ]; then |
|
53 |
+ openssl_ext_support='yes' |
|
54 |
+ openssl x509 -in /dev/null -ext test 2>&1 | grep -qx 'unknown option -ext' && openssl_ext_support='no' |
|
55 |
+ fi |
|
56 |
+ |
|
51 | 57 |
local cert_file="${1}"; shift |
52 | 58 |
local extension="${1}"; shift |
53 |
- x509_prop "${cert_file}" -ext "${extension}" |
|
59 |
+ |
|
60 |
+ if [ "${openssl_ext_support}" == 'yes' ]; then |
|
61 |
+ x509_prop "${cert_file}" -ext "${extension}" |
|
62 |
+ else |
|
63 |
+ # Simulate -ext by parsing the output of -text: |
|
64 |
+ [ "${extension}" == 'authorityKeyIdentifier' ] && title='Authority Key Identifier' |
|
65 |
+ [ "${extension}" == 'subjectAltName' ] && title='Subject Alternative Name' |
|
66 |
+ [ "${extension}" == 'subjectKeyIdentifier' ] && title='Subject Key Identifier' |
|
67 |
+ x509_prop "${cert_file}" -text | extract_extension "${title}" |
|
68 |
+ [ "${extension}" == 'authorityKeyIdentifier' ] && echo |
|
69 |
+ fi |
|
70 |
+} |
|
71 |
+ |
|
72 |
+function extract_extension { |
|
73 |
+ title="${1}" perl -nle ' |
|
74 |
+ $p = ($1 eq $ENV{q[title]}) ? 100000 : 0 if m#^ {12}X509v3 ([^:]+)#; |
|
75 |
+ -- $p if m#^ {12}#; |
|
76 |
+ s#^ {12}## && print if $p > 0' |
|
54 | 77 |
} |
55 | 78 |
|
56 | 79 |
function x509_prop_val { |
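Review bot: In the `else` branch of x509_prop_ext, `title` is assigned without `local` and only for three extension names, so a call with any other extension reuses the `title` left by an earlier call and prints that extension's value as if it were the one requested (or prints nothing on a first call). Declare `local title=''` before the three tests and add `[ -n "${title}" ] || return 1` before the `x509_prop "${cert_file}" -text` pipeline, so an unmapped extension fails visibly instead of returning the wrong certificate field. The support probe also fails open: `openssl_ext_support` starts as 'yes' and flips only on an exact whole-line match of 'unknown option -ext', so a build that words the error differently would be treated as supporting `-ext`. In extract_extension, `$p` is reset only by headings that begin with `X509v3`, so if an extension whose heading lacks that prefix follows the requested one in the `-text` output, its lines would presumably be printed too. A short comment explaining the 100000 counter and this limitation would help the next reader.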