From a16e0708837f52ca327849f4ae480fe3ddae9bd0 Mon Sep 17 00:00:00 2001
From: Chl
Date: Tue, 3 Oct 2023 20:27:58 +0200
Subject: [PATCH] openssl-little-CA: notice/warning about stripped SubjectAltName
---
 openssl-little-CA/CA.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/openssl-little-CA/CA.sh b/openssl-little-CA/CA.sh
index d92c110..36c31fb 100755
--- a/openssl-little-CA/CA.sh
+++ b/openssl-little-CA/CA.sh
@@ -177,6 +177,13 @@ case $1 in
 exit $RET
 ;;
 -sign|-signreq)
+ # Display a notice/warning when copy_extensions is disabled/enabled
+ # FIXME: we grep on the whole openssl.cnf file instead of just the 'ca' -> 'CA_default' section
+ if grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' $( echo "$SSLEAY_CONFIG" | sed 's/-config//' ); then
+ echo "warning: copy_extensions is enabled, read the certificate carefully before signing."
+ else
+ echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped."
+ fi
 $CA -policy policy_anything -out newcert.pem -days "$DAYS" -infiles newreq.pem
 RET=$?
 cat newcert.pem
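Review bot: The `else` branch of the added check is also taken when `grep` fails outright (exit status 2, for example `$SSLEAY_CONFIG` naming a missing or unreadable file), so the operator is told extensions "will be stripped" although the setting was never read; and because the `$( … )` file argument is unquoted, an empty `$SSLEAY_CONFIG` leaves `grep` with no file operand and it reads stdin instead of a config. For a CA signing step the unknown case should fall on the cautious side: resolve the path once, test it with `[ -r "$cnf" ]`, and print the "read the certificate carefully" warning when the config cannot be checked. Sending the messages to stderr with `>&2` would also keep them out of the `cat newcert.pem` output that follows. The sketch below assumes `$SSLEAY_CONFIG` has the form `-config <path>`, as the existing `sed` implies, and the `-sign|-signreq)` arm continues past the end of the hunk.

```sh
-sign|-signreq)
    # ... unchanged: the two comment lines (notice/warning, FIXME) ...
    cnf=$(printf '%s\n' "$SSLEAY_CONFIG" | sed 's/^[[:space:]]*-config[[:space:]]*//')
    if [ ! -r "$cnf" ]; then
        # Unknown state: do not claim that extensions will be stripped.
        echo "warning: cannot read openssl config '$cnf', copy_extensions state unknown, read the certificate carefully before signing." >&2
    elif grep -q '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy' -- "$cnf"; then
        echo "warning: copy_extensions is enabled, read the certificate carefully before signing." >&2
    else
        echo "notice: copy_extensions disabled, extension such as SubjectAltName will be stripped." >&2
    fi
    # ... unchanged: $CA -policy policy_anything ... and the lines after it ...
```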