authortv <tv@krebsco.de>2025-04-06 19:13:38 +0200
committertv <tv@krebsco.de>2025-04-06 20:00:12 +0200
commitdac78ef3e4503ea0da52e906da9dca57588c1dbe (patch)
tree50eb3d8fc6faacc7e01a330b106b7b1e316d12eb
parent98569612597b1449206a299a5af6c58a6f12cc48 (diff)
validate CN
This allows $CN to be used unquoted
-rw-r--r--request_cert.sh19
1 files changed, 19 insertions, 0 deletions
diff --git a/request_cert.sh b/request_cert.sh
index 75b8dda..5caa15c 100644
--- a/request_cert.sh
+++ b/request_cert.sh
@@ -23,11 +23,30 @@ if [ -z "${VAULT_TOKEN-}" ]; then
echo $VAULT_TOKEN
fi
+# These two extended regular expression are matching
+# RFC952, B. Lexical grammar, <name> and <hname>, respectively
+readonly RFC952_name_ERE='[0-9A-Za-z]([0-9A-Za-z-]*[0-9A-Za-z])?'
+readonly RFC952_hname_ERE="$name_ERE(\\.$name_ERE)*"
+
+# usage: is_hostname STRING
+# Check if STRING is a valid host name per RFC952
+is_hostname() {
+ echo "$1" | grep -Eq "^$RFC952_hname_ERE\$"
+}
+
if [ $# = 2 ] && [ "$1" = -s ]; then
CN=$2
+ if ! is_hostname "$CN"; then
+ echo "error: specified FQDN is not a valid hostname: $CN" >&2
+ exit 1
+ fi
cert_request_data=$(jq -c -n --arg common_name "$CN" --arg ttl 90d '{$common_name,$ttl}'
elif [ $# = 1 ]; then
CN=$( cat $1 | jq -r ".common_name" )
+ if ! is_hostname "$CN"; then
+ echo "error: common_name in $1 is not a valid hostname: $CN" >&2
+ exit 1
+ fi
cert_request_data=$(cat "$1")
else
echo "USAGE: $0 -s <fqdn>|<filename>"