From 1f5f0517f45ee844ccc3ac9d81475a2068e29913 Mon Sep 17 00:00:00 2001
From: Alex Bramley
Date: Sat, 13 Mar 2010 14:30:18 +0000
Subject: [PATCH] Add -q/--no-qualify to ca-create-cert and subjectAltName to client certs.
---
 bin/ca-create-cert | 17 +++++++++--------
 doc/ca-create-cert.pod | 12 ++++++++++++
 tpl/client-ext.tpl | 1 +
 3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/bin/ca-create-cert b/bin/ca-create-cert
index a960035..dc45c99 100755
--- a/bin/ca-create-cert
+++ b/bin/ca-create-cert
@@ -3,6 +3,7 @@
 . "/home/alex/code/ca-scripts/lib/ca-functions"
 ALT_NAMES=()
+QUALIFY=1
 CNF_ONLY=0
 CSR_ONLY=0
 CRT_ONLY=0
@@ -11,8 +12,6 @@ MAKE_P12=0
 # XXX: in the ca_extension_policy section of ca-config.tpl it states that the
 # C= and O= DN values in a CSR have to match those of the CA
 # should we have options here to change them when it will cause breakage?
-# XXX: Should we provide a -q option to disable the automatic qualification of
-# host and user names with CA_DOMAIN? It might irritate people...
 usage() {
 cat <<__EOT__
 Usage:
@@ -29,6 +28,7 @@ Options:
 -b, --bits BITS Generate a BITS bit certificate instead of CA_CRT_BITS
 -n, --alt-name NAME Alternative host name (can be provided multiple times)
 -p, --pkcs12 Create PKCS#12 certificate archive from generated cert
+ -q, --no-qualify Don't qualify short (dotless) names with CA_DOMAIN
 -r, --csr-only Only generate CSR, don't sign it
 -s, --crt-only Only sign certificate, requires CSR in place
 -x, --cnf-only Only generate templates, do not create CSR or sign CRT
@@ -60,6 +60,7 @@ while :; do
 -b|--bits) shift; CA_CRT_BITS="$1"; shift;;
 -n|--alt-name) shift; ALT_NAMES+=("$1"); shift;;
 -p|--pkcs12) MAKE_P12=1; shift;;
+ -q|--no-qualify) QUALIFY=0; shift;;
 -r|--csr-only) CSR_ONLY=1; shift;;
 -s|--crt-only) CRT_ONLY=1; shift;;
 -x|--cnf-only) CNF_ONLY=1; shift;;
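Review bot: `QUALIFY=1` is the only record of the new flag's default and nothing says what turning it off gives up: with `-q` the CN and every `-n` name go into the CSR exactly as given, and per the comment kept at old line 12 the CA's ca_extension_policy only pins C= and O=, so as far as this diff shows the qualification step was the one place that kept issued names under CA_DOMAIN. Suggest `QUALIFY=1  # -q sets 0: names are then used as given, with no check that they fall under CA_DOMAIN` so a future reader does not mistake qualification for a policy control. The same point applies to the conditions added at old lines 90 and 113 in the later hunks.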
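Review bot: The new usage line describes `-q` as affecting only "short (dotless) names", but the same flag also disables the `@CA_DOMAIN` qualification of user-certificate CNs (the user branch in the hunk at old line 89 tests `$QUALIFY` too), so the one-line help undersells what it switches off. Suggest `-q, --no-qualify Don't qualify short names (no dot; no @ for user certs) with CA_DOMAIN`, or at least a pointer that the rule differs per certificate type, as the POD text in this commit already explains. The usage() heredoc begins and ends outside this hunk.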
@@ -89,13 +90,13 @@ if [ 1 -eq "$CSR_ONLY" -a 1 -eq "$CRT_ONLY" ]; then
 fi
 if [ "$CA_CRT_TYPE" = "user" ]; then
- # append @$CA_DOMAIN to user CN if it's not already there
- if [ "${CA_CRT_CN%%@*}" = "$CA_CRT_CN" ]; then
+ # append @$CA_DOMAIN to user CN if it's not already there and -q not set
+ if [ 1 -eq "$QUALIFY" -a "${CA_CRT_CN%%@*}" = "$CA_CRT_CN" ]; then
 CA_CRT_CN="$CA_CRT_CN@$CA_DOMAIN"; fi
 else
 # fully qualify server or client CN with $CA_DOMAIN if it's not already
- if [ "${CA_CRT_CN%%.*}" = "$CA_CRT_CN" ]; then
+ if [ 1 -eq "$QUALIFY" -a "${CA_CRT_CN%%.*}" = "$CA_CRT_CN" ]; then
 # however we may also want the unqualified one as an alt-name
 ALT_NAMES+=("$CA_CRT_CN")
 CA_CRT_CN="$CA_CRT_CN.$CA_DOMAIN"
@@ -112,14 +113,14 @@ else
 fi
 CA_CRT_ALT_NAMES=""
-# generate a list of alternative DNS names for server certificates
+# generate a list of alternative DNS names for server or client certificates
-if [ "$CA_CRT_TYPE" = "server" ]; then
+if [ "$CA_CRT_TYPE" != "user" ]; then
 i=1
 for ALT_NAME in "$CA_CRT_CN" "${ALT_NAMES[@]}"; do
 # also fully-qualify unqualified alt-names too (see below)
 # NOTE: except when it's the previously-fully-qualified CN...
 # XXX: maybe we should uniq the alt-names? hmm.
- if [ "${ALT_NAME%%.*}" = "$ALT_NAME" \
+ if [ 1 -eq "$QUALIFY" -a "${ALT_NAME%%.*}" = "$ALT_NAME" \
 -a "${CA_CRT_CN%%.*}" != "$ALT_NAME" ]; then
 CA_CRT_ALT_NAMES="${CA_CRT_ALT_NAMES}DNS.$i=$ALT_NAME.$CA_DOMAIN\n"
 i=$(( $i+1 ))
diff --git a/doc/ca-create-cert.pod b/doc/ca-create-cert.pod
index d0c6afe..e6e2781 100755
--- a/doc/ca-create-cert.pod
+++ b/doc/ca-create-cert.pod
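Review bot: Relaxing the guard from `= "server"` to `!= "user"` makes the alt-name list depend on CA_CRT_TYPE never holding anything but user/server/client; if the type is validated before this point that is fine, but this diff does not show it, and an unexpected value would now silently get a DNS subjectAltName list while only the client and server templates consume `%CA_CRT_ALT_NAMES%`. Spelling it out as `if [ "$CA_CRT_TYPE" = "server" -o "$CA_CRT_TYPE" = "client" ]; then` matches the updated comment and keeps this branch in lock-step with the two templates (the file already uses `-a`/`-o` inside `[`, so this follows its style rather than improving it). The loop body and its else branch continue outside the hunk, so I cannot confirm how a name reaches the list under `-q`; a comment on the new condition such as `# with -q every name, including the CN, is emitted as given (else branch below)` would save the next reader the same search.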
@@ -98,6 +98,18 @@ Generate a PKCS#12 format certificate archive containing the new
 certificate and private key along with the CA certificate. See pkcs12(1ssl)
 for more details about PKCS#12 archives.
+=item B<-q>, B<--no-qualify>
+
+Disable qualifying of the certificate's common name (and alternative names) with
+B.
+
+Host names for I and I certificates are treated as unqualified
+if they do not contain any dots and qualified to I.B.
+The unqualified name is preserved as an additional DNS name in the X.509v3
+I extension in this case. User names are treated as unqualified
+if they do not contain an "@" symbol and are qualified to I@B.
+
 =item B<-r>, B<--csr-only>
 Causes B to generate just the X.509 certificate signing
diff --git a/tpl/client-ext.tpl b/tpl/client-ext.tpl
index 95096dc..cc810db 100644
--- a/tpl/client-ext.tpl
+++ b/tpl/client-ext.tpl
@@ -15,3 +15,4 @@ crlDistributionPoints = URI:%CA_CRL_URI%
 [ client_altname ]
 URI=%CA_CRT_URI%
 email=move
+%CA_CRT_ALT_NAMES%
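Review bot: The new `%CA_CRT_ALT_NAMES%` line in `[ client_altname ]` is undocumented in the template, so a reader cannot tell that it expands to zero or more `DNS.n=` entries built by ca-create-cert from the CN and the `-n/--alt-name` values, nor that the value carries literal `\n` separators which whatever substitutes the placeholders must expand into real line breaks. The server template that already consumed this value is not in the diff, so I cannot confirm the substitution handles that; presumably it does, since the generating loop is unchanged apart from the `-q` guard. A comment above the placeholder would do: `# DNS.n= entries generated by ca-create-cert (CN plus -n/--alt-name values)`.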