Add DNSName flag to scepclient (#202)

micromdm · Aug 13, 2022 · 699e8df · 699e8df
1 parent 3aa7a5a
commit 699e8df
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/cmd/scepclient/csr.go b/cmd/scepclient/csr.go
@@ -18,8 +18,8 @@ const (
 )
 
 type csrOptions struct {
-	cn, org, country, ou, locality, province, challenge string
-	key                                                 *rsa.PrivateKey
+	cn, org, country, ou, locality, province, dnsName, challenge string
+	key                                                          *rsa.PrivateKey
 }
 
 func loadOrMakeCSR(path string, opts *csrOptions) (*x509.CertificateRequest, error) {
@@ -44,6 +44,7 @@ func loadOrMakeCSR(path string, opts *csrOptions) (*x509.CertificateRequest, err
 		CertificateRequest: x509.CertificateRequest{
 			Subject:            subject,
 			SignatureAlgorithm: x509.SHA256WithRSA,
+			DNSNames:           subjOrNil(opts.dnsName),
 		},
 	}
 	if opts.challenge != "" {

diff --git a/cmd/scepclient/scepclient.go b/cmd/scepclient/scepclient.go
@@ -50,6 +50,7 @@ type runCfg struct {
 	debug           bool
 	logfmt          string
 	caCertMsg       string
+	dnsName         string
 }
 
 func run(cfg runCfg) error {
@@ -88,6 +89,7 @@ func run(cfg runCfg) error {
 		province:  cfg.province,
 		challenge: cfg.challenge,
 		key:       key,
+		dnsName:   cfg.dnsName,
 	}
 
 	csr, err := loadOrMakeCSR(cfg.csrPath, opts)
@@ -234,10 +236,11 @@ func logCerts(logger log.Logger, certs []*x509.Certificate) {
 
 // validateFingerprint makes sure fingerprint looks like a hash.
 // We remove spaces and colons from fingerprint as it may come in various forms:
-//     e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-//     E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
-//     e3b0c442 98fc1c14 9afbf4c8 996fb924 27ae41e4 649b934c a495991b 7852b855
-//     e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55
+//
+//	e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+//	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
+//	e3b0c442 98fc1c14 9afbf4c8 996fb924 27ae41e4 649b934c a495991b 7852b855
+//	e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55
 func validateFingerprint(fingerprint string) (hash []byte, err error) {
 	fingerprint = strings.NewReplacer(" ", "", ":", "").Replace(fingerprint)
 	hash, err = hex.DecodeString(fingerprint)
@@ -279,6 +282,7 @@ func main() {
 		flProvince          = flag.String("province", "", "province for certificate")
 		flCountry           = flag.String("country", "US", "country code in certificate")
 		flCACertMessage     = flag.String("cacert-message", "", "message sent with GetCACert operation")
+		flDNSName           = flag.String("dnsname", "", "DNS name to be included in the certificate (SAN)")
 
 		// in case of multiple certificate authorities, we need to figure out who the recipient of the encrypted
 		// data is.
@@ -340,6 +344,7 @@ func main() {
 		debug:           *flDebugLogging,
 		logfmt:          logfmt,
 		caCertMsg:       *flCACertMessage,
+		dnsName:         *flDNSName,
 	}
 
 	if err := run(cfg); err != nil {

diff --git a/scep/scep.go b/scep/scep.go
@@ -85,7 +85,6 @@ const (
 // reasons:
 type FailInfo string
 
-//
 const (
 	BadAlg          FailInfo = "0"
 	BadMessageCheck          = "1"