From 8c977cd3eda08efc21ebd29f5921a73e7e67131b Mon Sep 17 00:00:00 2001
From: Andrey Arapov
Date: Fri, 12 Oct 2018 06:59:27 +0200
Subject: [PATCH] add --san-ip and few fixes

---
 gencert.sh | 63 +++++++++++++++++++++++++++++++++---------------------
 1 file changed, 39 insertions(+), 24 deletions(-)

diff --git a/gencert.sh b/gencert.sh
index d255457..a17c5ae 100755
--- a/gencert.sh
+++ b/gencert.sh
@@ -19,6 +19,7 @@ print_help() {
 --ca - CA cert name\t\t\t(default: ca.crt)
 --cadays - CA cert expiration in days\t(default: 3650)\n
 --nosan - do not write SAN records\n
+ --san-ip - specify custom SAN IP records manually. Implies --nosan\n
 --debug - show extra information\n
 --rsa - generate RSA keys instead of ECDSA\n
 --rsa-size - set RSA key size\n"
@@ -33,7 +34,7 @@ parse_arguments() {
 # read arguments
 opts=$(getopt \
- --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,debug,rsa,rsa-size:" \
+ --longoptions "help,cn:,key:,cert:,days:,cakey:,ca:,cadays:,nosan,san-ip:,debug,rsa,rsa-size:" \
 --name "$(basename "$0")" \
 --options "" \
 -- "$@"
@@ -88,6 +89,11 @@ parse_arguments() {
 shift 1
 ;;
+ --san-ip)
+ ARG_SAN_IP=$2
+ shift 2
+ ;;
+
 --debug)
 ARG_DEBUG=1
 shift 1
@@ -108,28 +114,7 @@ parse_arguments() {
 ;;
 esac
 done
-
- if [ -z "${ARG_CN}" ]; then
- echo "[${ME}] ERROR: Please specify CN, example \"--cn your.site.com\""
- print_help;
- exit 1
- fi
-
- # For debugging purposes
- if [ "${ARG_DEBUG}" -eq 1 ]; then
- echo ARG_CN=$ARG_CN
- echo ARG_KEY=$ARG_KEY
- echo ARG_CERT=$ARG_CERT
- echo ARG_DAYS=$ARG_DAYS
- echo ARG_CAKEY=$ARG_CAKEY
- echo ARG_CA=$ARG_CA
- echo ARG_CADAYS=$ARG_CADAYS
- echo ARG_NOSAN=$ARG_NOSAN
- echo ARG_DEBUG=$ARG_DEBUG
- echo ARG_RSA=$ARG_RSA
- echo ARG_RSA_SIZE=$ARG_RSA_SIZE
- fi
-
+
 # prepare common variables
 ##
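Review bot: The new `--san-ip` arm stores `$2` verbatim in ARG_SAN_IP with no check on its shape, and that value is later split on commas and written into the generated openssl config as `IP.n = …` entries (see the SAN hunk further down), so a typo or an empty string silently yields a certificate with bogus or missing SAN records. A cheap guard before the assignment catches that early, e.g. `case "$2" in ''|*[!0-9a-fA-F.:,]*) echo "[${ME}] ERROR: --san-ip expects a comma-separated list of IP addresses" >&2; exit 1 ;; esac`. The help text added above says the option implies --nosan, but nothing in this arm records that; the precedence only exists through the `elif` ordering in the SAN hunk, so a comment such as `# user-provided SANs take precedence over auto-detected ones (see PAYLOAD construction)` would make the intent visible here. parse_arguments continues outside this hunk.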
@@ -141,9 +126,33 @@ parse_arguments() {
 SERVER_KEY="${ARG_KEY:-private.key}"
 SERVER_CERT="${ARG_CERT:-public.crt}"
 DAYS="${ARG_DAYS:-365}"
+ NOSAN="${ARG_NOSAN}"
+ SAN_IP="${ARG_SAN_IP}"
 DEBUG="${ARG_DEBUG}"
 RSA="${ARG_RSA}"
 RSA_SIZE="${ARG_RSA_SIZE:-2048}"
+
+ if [ -z "${CN}" ]; then
+ echo "[${ME}] ERROR: Please specify CN, example \"--cn your.site.com\""
+ print_help;
+ exit 1
+ fi
+
+ # For debugging purposes
+ if [ "${DEBUG}" -eq 1 ]; then
+ echo CN=$CN
+ echo KEY=$KEY
+ echo CERT=$CERT
+ echo DAYS=$DAYS
+ echo CAKEY=$CAKEY
+ echo CA=$CA
+ echo CADAYS=$CADAYS
+ echo NOSAN=$NOSAN
+ echo SAN_IP=$SAN_IP
+ echo DEBUG=$DEBUG
+ echo RSA=$RSA
+ echo RSA_SIZE=$RSA_SIZE
+ fi
 }
 # install openssl
@@ -232,7 +241,13 @@ basicConstraints = CA:FALSE
 keyUsage = critical, digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth"
- if [ -z "$ARG_NOSAN" ]; then
+ if [ ! -z "$SAN_IP" ]; then
+ echo "[${ME}] Using user-provided SAN records: " ${SAN_IP}
+ i=1
+ IFS=,
+ PAYLOAD="subjectAltName = @alt_names\n[ alt_names ]\n$(for IP in $SAN_IP; do echo "IP.${i} = ${IP}" ; i=$((i + 1)); done)"
+ unset IFS
+ elif [ -z "$NOSAN" ]; then
 # Gather IPs for SAN
 i=1
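Review bot: The relocated debug block echoes `$KEY` and `$CERT`, but the variables this function assigns (visible a few lines above) are `SERVER_KEY` and `SERVER_CERT`, so those two lines will always print empty values; the same may apply to `CAKEY`, `CA` and `CADAYS`, whose assignments sit above the hunk and are not visible here. Change them to `echo SERVER_KEY=$SERVER_KEY` and `echo SERVER_CERT=$SERVER_CERT`, and check the CA trio against the names actually used. While the check is being moved, `[ "${DEBUG}" -eq 1 ]` produces an "integer expression expected" error on stderr whenever --debug is absent and DEBUG is empty, unless ARG_DEBUG is initialised to 0 elsewhere; `[ "${DEBUG:-0}" -eq 1 ]` avoids that. parse_arguments ends at the `}` inside this hunk.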