Merge branch 'REMOVE-default-server-san' of ssh://github.com/TinCanTe…
…ch/easy-rsa into TinCanTech-REMOVE-default-server-san

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Mar 15, 2024
2 parents 6f45b81 + 0dc7141 commit 1e3f97e
Showing 2 changed files with 1 addition and 61 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.0 (TBD)

* Remove default server subject alternative name (0b85a5d) (#576)
* Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080)
* export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
(#1084 - Based on #1081)
61 changes: 0 additions & 61 deletions easyrsa3/easyrsa
Expand Up @@ -458,9 +458,6 @@ These commands are safe to test and will NOT effect your PKI.
Display SAN of certificate:
display-san <file_name_base>

Generate default SAN of request:
default-san <file_name_base>

Display EKU of certificate:
show-eku <file_name_base>

Expand Down Expand Up @@ -2210,25 +2207,6 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v ns_cert_type
esac

# If type is server and no subjectAltName was
# requested then add one to the extensions file
if [ -z "$EASYRSA_EXTRA_EXTS" ]; then
# default server SAN
case "$crt_type" in
server|serverClient)
# req san or default server SAN
__san="$(display_san req "$req_in")"
if [ "$__san" ]; then
__san="subjectAltName = $__san"
else
__san="$(default_server_san "$req_in")"
fi
[ "$__san" ] || die "No default server SAN!"
export EASYRSA_EXTRA_EXTS="$__san"
unset -v __san
esac
fi

# Generate the extensions file for this cert:
ext_tmp=""
easyrsa_mktemp ext_tmp || \
Expand Down Expand Up @@ -3692,41 +3670,6 @@ display_san - input error"
fi
} # => display_san()

# generate default SAN from req/X509, passed by full pathname
default_server_san() {
[ "$#" = 1 ] || die "\
default_server_san - input error"

path="$1"
shift

# Command line support for <file_name_base>
if [ -e "$path" ]; then
: # ok
else
path="${EASYRSA_PKI}/reqs/${path}.req"
[ -e "$path" ] || \
user_error "Missing file: $path"
fi

# Extract CN from DN
cn="$(
easyrsa_openssl req -in "$path" -noout -subject \
-nameopt sep_multiline |
awk -F'=' '/^ *CN=/{print $2}'
)"

# See: https://github.com/OpenVPN/easy-rsa/issues/576
# Select default SAN
if echo "$cn" | grep -q \
-E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
then
print "subjectAltName = IP:$cn"
else
print "subjectAltName = DNS:$cn"
fi
} # => default_server_san()

# Verify certificate against CA
verify_cert() {
# pull filename base:
Expand Down Expand Up @@ -5762,10 +5705,6 @@ Place a copy of easyrsa-tools.lib in a standard system location."
verify_working_env
display_san "$@"
;;
default-san)
verify_working_env
default_server_san "$@"
;;
x509-eku|show-eku)
verify_working_env
ssl_cert_x509v3_eku "$@" || \
