#! /usr/bin/env tclsh
# Directory containing this script; every *.crt/*.key pair in it is re-issued.
set dir [file normalize [file dirname [info script]]]
# The parent directory is put on auto_path so the pki package can be found there
# (presumably a checked-out tcllib module next to this directory — verify).
lappend auto_path [file join $dir ..]
package require pki 0.10
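proc loadCertData {directory} {
    # Collect every "<id>.crt" in $directory together with its "<id>.key"
    # private key and, when "<id>.key.password" exists, the passphrase found
    # on the first line of that file.
    #
    # Returns a dict keyed by <id>; each value is a dict
    #   {certFile <path-to-.crt> data <parsed cert merged with parsed key>}.
    # A .crt without a readable .key (or vice versa) is skipped silently.
    # Raises whatever ::pki::parse / ::pki::pkcs::parse_key raise on bad input.
    #
    # NOTE(review): the passphrase is stored in plaintext beside the key it
    # protects, so it adds no real protection for the key material; only use
    # this layout for disposable fixture keys.
    #
    # Start from an empty dict so that a directory with no .crt files returns
    # {} instead of failing with "can't read toProcess: no such variable".
    set toProcess [dict create]
    foreach certFile [glob -nocomplain -directory $directory *.crt] {
        set rootFile [file rootname $certFile]
        set id [file tail $rootFile]
        set keyFile "${rootFile}.key"
        set keyPassFile "${rootFile}.key.password"
        if {![file readable $certFile] || ![file readable $keyFile]} {
            continue
        }
        set password ""
        if {[file exists $keyPassFile]} {
            # Only the first line counts; gets strips the trailing newline.
            set fd [open $keyPassFile r]
            set password [gets $fd]
            close $fd
        }
        # Read the whole file first and close the channel before parsing, so a
        # parse error does not leak an open file descriptor.
        set fd [open $certFile r]
        set certPem [read $fd]
        close $fd
        set fd [open $keyFile r]
        set keyPem [read $fd]
        close $fd
        set cert [dict get [::pki::parse $certPem] certificate]
        set cert [dict merge $cert [::pki::pkcs::parse_key $keyPem $password]]
        dict set toProcess $id [dict create certFile $certFile data $cert]
    }
    return $toProcess
}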
proc updateCerts {caCert certs} {
    # Re-issue every certificate in $certs (a dict shaped like the result of
    # loadCertData) under the signer $caCert, and overwrite each certFile
    # in place with the new PEM.  Nothing is returned.
    #
    # The entry whose id is "ca" is re-issued as a CA valid for 10 years with
    # its existing serial incremented by one; every other entry becomes a
    # 9-year end-entity cert whose serial is the current microsecond clock.
    # NOTE(review): clock-derived serials are predictable and not unique across
    # concurrent runs; acceptable for fixtures, not for a real CA.
    #
    # Destructive: the original .crt files are replaced without backup.
    dict for {id entry} $certs {
        set certFile [dict get $entry certFile]
        set certData [dict get $entry data]
        set notBefore [clock seconds]
        set exts [dict get $certData extensions]
        if {$id eq "ca"} {
            set isCA true
            set notAfter [clock add $notBefore 10 years]
            set serial [expr {[dict get $certData serial_number] + 1}]
        } else {
            set isCA false
            set notAfter [clock add $notBefore 9 years]
            set serial [clock microseconds]
        }
        # pki 0.10 could not re-encode these extensions, so they are dropped
        # before signing (dict unset tolerates keys that are absent).
        foreach ext {id-ce-authorityKeyIdentifier id-ce-subjectKeyIdentifier 2.5.29.37} {
            dict unset exts $ext
        }
        set pem [::pki::x509::create_cert $certData $caCert $serial \
            $notBefore $notAfter $isCA $exts 1 sha256]
        set out [open $certFile w]
        puts $out [string trimright $pem "\n"]
        close $out
    }
}
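# Entry point: load all cert/key pairs next to this script and re-sign them
# with the pair whose id is "ca".  Fail with a clear message when no usable
# ca.crt/ca.key pair is present instead of a bare "key not known" dict error.
set certInfo [loadCertData $dir]
if {![dict exists $certInfo ca]} {
    error "no readable ca.crt/ca.key pair found in $dir; nothing to sign with"
}
set caCert [dict get $certInfo ca data]
updateCerts $caCert $certInfo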