Add support for adding any SAN identifier

bin/certified-csr

@@ -20,13 +20,15 @@
 #/   CN=<common-name>            certificate common name (usually a domain name)
 #/   +<dns>                      add a DNS name to the certificate's subject alternative names
 #/   +<ip>                       add an IP address to the certificate's subject alternative names
+#/   +<ID>:<value>               add any x509 SAN property, useful for RID, URI, email, etc
 
 set -e
 
 . "$(dirname "$(dirname "$0")")/lib/certified.sh"
 
 SAN_DNS=""
 SAN_IP=""
+SAN_ID=""
 while [ "$#" -gt 0 ]
 do
     case "$1" in
@@ -60,7 +62,9 @@ do
         ST=*) ST="$(echo "$1" | cut -d"=" -f"2-")" shift;;
         +*)
             SAN="$(echo "$1" | cut -c"2-")" shift
-            if is_ip "$SAN"
+            if is_san_id "$SAN"
+            then SAN_ID="$SAN_ID $SAN"
+            elif is_ip "$SAN"
             then SAN_IP="$SAN_IP $SAN"
             elif is_dns "$SAN"
             then SAN_DNS="$SAN_DNS $SAN"
@@ -142,7 +146,7 @@ default_md = sha256
 distinguished_name = dn
 prompt = no
 EOF
-    if [ "$SAN_DNS" -o "$SAN_IP" ]
+    if [ "$SAN_DNS" -o "$SAN_IP" -o "$SAN_ID" ]
     then cat <<EOF
 
 [san]
@@ -160,6 +164,14 @@ EOF
         echo "IP.$I = $IP"
         I=$(($I + 1))
     done
+    I=1
+    for SID in $SAN_ID
+    do
+        ID="$(echo "$SID" | cut -f1 -d":")"
+        VAL="$(echo "$SID" | cut -f2- -d":")"
+        echo "$ID.$I = $VAL"
+        I=$(($I + 1))
+    done
     cat <<EOF
 
 [x509_extensions]

lib/certified.sh

@@ -54,6 +54,11 @@ is_ip() {
     echo "$1" | grep -E -q "([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]).([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]).([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]).([0-9]|[0-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])"
 }
 
+# Return zero if the first characters represents a valid looking SAN identifier
+is_san_id() {
+    echo "$1" | grep -E -q "^[a-zA-Z0-9]+:.*"
+}
+
 # Log a message to stderr, in bold and prefixed with "certified: ".
 log() {
     echo "$(tput "bold")$(basename "$0"): $*$(tput "sgr0")" >&2

share/man/man1/certified-ca.1

@@ -1,13 +1,13 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "CERTIFIED\-CA" "1" "October 2015" "" "Certified"
+.TH "CERTIFIED\-CA" "1" "January 2017" "" "Certified"
 .
 .SH "NAME"
 \fBcertified\-ca\fR \- generate a CA
 .
 .SH "SYNOPSIS"
-\fBcertified\-ca\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-crl\-url\fR=\fIcrl\-url\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\-intermediate\fR] [\fB\-\-intermediate\-password\fR=\fIintermediate\-password\fR] [\fB\-\-ocsp\-url\fR=\fIocsp\-url\fR] [\fB\-\-revoke\fR] [\fB\-\-root\-crl\-url\fR=\fIroot\-crl\-url\fR] [\fB\-\-root\-password\fR=\fIroot\-password\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBC\fR=\fIcountry\fR \fBST\fR=\fIstate\fR \fBL\fR=\fIlocality\fR \fBO\fR=\fIorganization\fR \fBCN\fR=\fIcommon\-name\fR
+\fBcertified\-ca\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-crl\-url\fR=\fIcrl\-url\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\-intermediate\fR] [\fB\-\-intermediate\-password\fR=\fIintermediate\-password\fR] [\fB\-\-ocsp\-url\fR=\fIocsp\-url\fR] [\fB\-\-revoke\fR] [\fB\-\-root\-crl\-url\fR=\fIroot\-crl\-url\fR] [\fB\-\-root\-password\fR=\fIroot\-password\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBC\fR=\fIcountry\fR \fBST\fR=\fIstate\fR \fBL\fR=\fIlocality\fR \fBO\fR=\fIorganization\fR \fBCN\fR=\fIcommon\-name\fR [\fB+\fR\fIdns\fR[\fI\.\.\.\fR]] [\fB+\fR\fIip\fR[\fI\.\.\.\fR]] [\fB+\fR\fIid\fR:\fIvalue\fR[\fI\.\.\.\fR]]
 .
 .SH "DESCRIPTION"
 Generate two private keys\. The first is self\-signed to generate the root CA certificate\. It is then used to sign the second to generate the intermediate CA certificate\. The root CA certificate should be installed on laptops and servers\. The intermediate CA signs subsequent certificates and may itself be revoked in the event its private key is compromised\.
@@ -85,6 +85,10 @@ Certificate common name (usually a domain name or \fICompany CA\fR)\.
 \fB+\fR\fIdns\fR, \fB+\fR\fIip\fR
 Add a DNS name or IP address to the certificate\'s subject alternative names\.
 .
+.TP
+\fB+\fR\fIid\fR:\fIvalue\fR
+Add any SAN field to the certificate\'s subject alternative names, ie: URI:mailto:nobody@example\.com\.
+.
 .SH "THEME SONG"
 Led Zeppelin \- "Fool in the Rain"
 .

share/man/man1/certified-ca.1.ronn

@@ -2,7 +2,7 @@
 
 ## SYNOPSIS
 
-`certified-ca` [`--bits`=_bits_] [`--crl-url`=_crl-url_] [`--days`=_days_] [`--db`=_db_] [`--encrypt-intermediate`] [`--intermediate-password`=_intermediate-password_] [`--ocsp-url`=_ocsp-url_] [`--revoke`] [`--root-crl-url`=_root-crl-url_] [`--root-password`=_root-password_] [`OU`=_org-unit_] `C`=_country_ `ST`=_state_ `L`=_locality_ `O`=_organization_ `CN`=_common-name_
+`certified-ca` [`--bits`=_bits_] [`--crl-url`=_crl-url_] [`--days`=_days_] [`--db`=_db_] [`--encrypt-intermediate`] [`--intermediate-password`=_intermediate-password_] [`--ocsp-url`=_ocsp-url_] [`--revoke`] [`--root-crl-url`=_root-crl-url_] [`--root-password`=_root-password_] [`OU`=_org-unit_] `C`=_country_ `ST`=_state_ `L`=_locality_ `O`=_organization_ `CN`=_common-name_ [`+`_dns_[_..._]] [`+`_ip_[_..._]] [`+`_id_:_value_[_..._]]
 
 ## DESCRIPTION
 
@@ -46,6 +46,8 @@ _db_ is an OpenSSL database that `certified`(1) uses to issue and revoke certifi
   Certificate common name (usually a domain name or _Company CA_).
 * `+`_dns_, `+`_ip_:
   Add a DNS name or IP address to the certificate's subject alternative names.
+* `+`_id_:_value_:
+  Add any SAN field to the certificate's subject alternative names, ie: URI:mailto:nobody@example.com.
 
 ## THEME SONG
 

share/man/man1/certified-csr.1

@@ -1,13 +1,13 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "CERTIFIED\-CSR" "1" "October 2015" "" "Certified"
+.TH "CERTIFIED\-CSR" "1" "January 2017" "" "Certified"
 .
 .SH "NAME"
 \fBcertified\-csr\fR \- generate certificate signing requests
 .
 .SH "SYNOPSIS"
-\fBcertified\-csr\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-ca\fR] [\fB\-\-crl\-url\fR=\fIcrl\-url\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\fR] [\fB\-\-issuer\fR=\fIissuer\fR] [\fB\-\-issuer\-name\fR=\fIissuer\-name\fR] [\fB\-\-name\fR=\fIname\fR] [\fB\-\-ocsp\-url\fR=\fIocsp\-url\fR] [\fB\-\-password\fR=\fIpassword\fR] [\fBC\fR=\fIcountry\fR] [\fBST\fR=\fIstate\fR] [\fBL\fR=\fIlocality\fR] [\fBO\fR=\fIorganization\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBCN\fR=\fIcommon\-name\fR [\fB+\fR\fIdns\fR[\fI\.\.\.\fR]] [\fB+\fR\fIip\fR[\fI\.\.\.\fR]]
+\fBcertified\-csr\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-ca\fR] [\fB\-\-crl\-url\fR=\fIcrl\-url\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\fR] [\fB\-\-issuer\fR=\fIissuer\fR] [\fB\-\-issuer\-name\fR=\fIissuer\-name\fR] [\fB\-\-name\fR=\fIname\fR] [\fB\-\-ocsp\-url\fR=\fIocsp\-url\fR] [\fB\-\-password\fR=\fIpassword\fR] [\fBC\fR=\fIcountry\fR] [\fBST\fR=\fIstate\fR] [\fBL\fR=\fIlocality\fR] [\fBO\fR=\fIorganization\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBCN\fR=\fIcommon\-name\fR [\fB+\fR\fIdns\fR[\fI\.\.\.\fR]] [\fB+\fR\fIip\fR[\fI\.\.\.\fR]] [\fB+\fR\fIid\fR:\fIvalue\fR[\fI\.\.\.\fR]]
 .
 .SH "DESCRIPTION"
 Generate a certificate signing request\.
@@ -89,6 +89,10 @@ Certificate common name (usually a domain name)\.
 \fB+\fR\fIdns\fR, \fB+\fR\fIip\fR
 Add a DNS name or IP address to the certificate\'s subject alternative names\.
 .
+.TP
+\fB+\fR\fIid\fR:\fIvalue\fR
+Add any SAN field to the certificate\'s subject alternative names, ie: URI:mailto:nobody@example\.com\.
+.
 .SH "THEME SONG"
 Led Zeppelin \- "Fool in the Rain"
 .

share/man/man1/certified-csr.1.ronn

@@ -2,7 +2,7 @@
 
 ## SYNOPSIS
 
-`certified-csr` [`--bits`=_bits_] [`--ca`] [`--crl-url`=_crl-url_] [`--days`=_days_] [`--db`=_db_] [`--encrypt`] [`--issuer`=_issuer_] [`--issuer-name`=_issuer-name_] [`--name`=_name_] [`--ocsp-url`=_ocsp-url_] [`--password`=_password_] [`C`=_country_] [`ST`=_state_] [`L`=_locality_] [`O`=_organization_] [`OU`=_org-unit_] `CN`=_common-name_ [`+`_dns_[_..._]] [`+`_ip_[_..._]]
+`certified-csr` [`--bits`=_bits_] [`--ca`] [`--crl-url`=_crl-url_] [`--days`=_days_] [`--db`=_db_] [`--encrypt`] [`--issuer`=_issuer_] [`--issuer-name`=_issuer-name_] [`--name`=_name_] [`--ocsp-url`=_ocsp-url_] [`--password`=_password_] [`C`=_country_] [`ST`=_state_] [`L`=_locality_] [`O`=_organization_] [`OU`=_org-unit_] `CN`=_common-name_ [`+`_dns_[_..._]] [`+`_ip_[_..._]] [`+`_id_:_value_[_..._]]
 
 ## DESCRIPTION
 
@@ -48,6 +48,8 @@ Additional DNS names, including wildcards, and IP addresses can be added to the
   Certificate common name (usually a domain name).
 * `+`_dns_, `+`_ip_:
   Add a DNS name or IP address to the certificate's subject alternative names.
+* `+`_id_:_value_:
+  Add any SAN field to the certificate's subject alternative names, ie: URI:mailto:nobody@example.com.
 
 ## THEME SONG
 

share/man/man1/certified.1

@@ -1,13 +1,13 @@
 .\" generated with Ronn/v0.7.3
 .\" http://github.com/rtomayko/ronn/tree/0.7.3
 .
-.TH "CERTIFIED" "1" "October 2015" "" "Certified"
+.TH "CERTIFIED" "1" "January 2017" "" "Certified"
 .
 .SH "NAME"
 \fBcertified\fR \- generate and sign certificates
 .
 .SH "SYNOPSIS"
-\fBcertified\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-ca\fR] [\fB\-\-ca\-password\fR=\fIca\-password\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\fR] [\fB\-\-issuer\fR=\fIissuer\fR] [\fB\-\-issuer\-name\fR=\fIissuer\-name\fR] [\fB\-\-name\fR=\fIname\fR] [\fB\-\-no\-sign\fR] [\fB\-\-password\fR=\fIpassword\fR] [\fB\-\-revoke\fR] [\fB\-\-self\-signed\fR] [\fBC\fR=\fIcountry\fR] [\fBST\fR=\fIstate\fR] [\fBL\fR=\fIlocality\fR] [\fBO\fR=\fIorganization\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBCN\fR=\fIcommon\-name\fR [\fB+\fR\fIdns\fR[\fI\.\.\.\fR]] [\fB+\fR\fIip\fR[\fI\.\.\.\fR]]
+\fBcertified\fR [\fB\-\-bits\fR=\fIbits\fR] [\fB\-\-ca\fR] [\fB\-\-ca\-password\fR=\fIca\-password\fR] [\fB\-\-days\fR=\fIdays\fR] [\fB\-\-db\fR=\fIdb\fR] [\fB\-\-encrypt\fR] [\fB\-\-issuer\fR=\fIissuer\fR] [\fB\-\-issuer\-name\fR=\fIissuer\-name\fR] [\fB\-\-name\fR=\fIname\fR] [\fB\-\-no\-sign\fR] [\fB\-\-password\fR=\fIpassword\fR] [\fB\-\-revoke\fR] [\fB\-\-self\-signed\fR] [\fBC\fR=\fIcountry\fR] [\fBST\fR=\fIstate\fR] [\fBL\fR=\fIlocality\fR] [\fBO\fR=\fIorganization\fR] [\fBOU\fR=\fIorg\-unit\fR] \fBCN\fR=\fIcommon\-name\fR [\fB+\fR\fIdns\fR[\fI\.\.\.\fR]] [\fB+\fR\fIip\fR[\fI\.\.\.\fR]] [\fB+\fR\fIid\fR:\fIvalue\fR[\fI\.\.\.\fR]]
 .
 .SH "DESCRIPTION"
 Generate and sign a certificate with the CA in \fIdb\fR unless \fB\-\-revoke\fR is given, in which case the certificate is revoked instead\.
@@ -97,6 +97,10 @@ Certificate common name (usually a domain name)\.
 \fB+\fR\fIdns\fR, \fB+\fR\fIip\fR
 Add a DNS name or IP address to the certificate\'s subject alternative names\.
 .
+.TP
+\fB+\fR\fIid\fR:\fIvalue\fR
+Add any SAN field to the certificate\'s subject alternative names, ie: URI:mailto:nobody@example\.com\.
+.
 .SH "THEME SONG"
 Led Zeppelin \- "Fool in the Rain"
 .