From 83b81c7072f222f252e3d67c1f1155a80ee08eb8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 9 Apr 2024 20:37:35 +0100 Subject: [PATCH 1/3] Introduce Options to edit Request Subject during command 'sign-req' Global option: --new-subject * Specify replacement subject for command 'sign-req'. See OpenSSL command 'ca', option -subj, for subject syntax details. 'sign-req' command option: 'newsubj' * Force 'sign-req' to use global option --new-subject, above. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 54c851a36..362ada953 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2102,17 +2102,33 @@ Option conflict --req-cn: # Enforce commonName export EASYRSA_REQ_CN="$file_name_base" - # Check for preserve-dn + # Check optional subject + force_subj= while [ "$1" ]; do case "$1" in + newsubj*) + # verify force_subj opts are used correctly + [ "$EASYRSA_NEW_SUBJECT" ] || user_error "\ +To force a new certificate subject, global option --new-subject +must also be specified." + force_subj="$EASYRSA_NEW_SUBJECT" + ;; preserve*) export EASYRSA_PRESERVE_DN=1 ;; - *) warn "Ignoring unknown option '$1'" + *) + user_error "Unknown option '$1'" esac shift done + # verify force_subj opts are used correctly + if [ "$EASYRSA_NEW_SUBJECT" ]; then + [ "$force_subj" ] || user_error "\ +To force a new certificate subject, command option 'newsubj' +must also be specified." + fi + # Cert type must NOT be COMMON [ "$crt_type" = COMMON ] && user_error "\ Invalid certificate type: '$crt_type'" 
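Review bot: In the `newsubj*)` arm `force_subj` is copied verbatim from `$EASYRSA_NEW_SUBJECT` and later handed to `openssl ca -subj` without any format check, so a value that is not in OpenSSL's `/type=value` form is only rejected by openssl after the operator has already answered the confirm prompt. A cheap early check in that arm surfaces the mistake before signing is confirmed: `case "$force_subj" in /*) ;; *) user_error "--new-subject must start with '/' (e.g. /CN=foo)";; esac`. The second check after the loop is a sensible fail-safe, because `EASYRSA_NEW_SUBJECT` is an exported variable and may reach `sign-req` from the caller's environment rather than from `--new-subject` on this invocation; naming the variable in that error text would make such a case recognisable. The enclosing `sign-req` function begins and ends outside this hunk.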
@@ -2309,8 +2325,14 @@ for '$EASYRSA_CERT_EXPIRE' days" fi # Set confirm DN - confirm_dn="$(display_dn req "$req_in")" || \ - die "sign-req: display_dn" + if [ "$force_subj" ]; then + confirm_dn="\ +Forced subject= + $force_subj" + else + confirm_dn="$(display_dn req "$req_in")" || \ + die "sign-req: display_dn" + fi # Set confirm SAN # SAN from .req @@ -2388,6 +2410,7 @@ $confirm_details" # => confirm end -in "$req_in" -out "$crt_out_tmp" \ -extfile "$ext_tmp" \ ${EASYRSA_PRESERVE_DN:+ -preserveDN} \ + ${force_subj:+ -subj "$force_subj"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_NO_TEXT:+ -notext} \ ${EASYRSA_CERT_EXPIRE:+ -days "$EASYRSA_CERT_EXPIRE"} \ @@ -5164,6 +5187,9 @@ while :; do EASYRSA_SAN="$val" fi ;; + --new-subject) + export EASYRSA_NEW_SUBJECT="$val" + ;; --usefn) export EASYRSA_P12_FR_NAME="$val" ;; From b0651875427febf51930c6a7e84829ac77c02bc3 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 9 Apr 2024 21:44:59 +0100 Subject: [PATCH 2/3] help: Add global option --new-subject and command option 'newsubj' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 362ada953..ac8f66f52 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -176,6 +176,7 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" This request file must exist in the reqs/ dir and have a .req file extension. See 'import-req' for importing from other sources." opts=" + * newsubj - Replace subject. See 'help subject'. * preserve - Use the DN-field order of the CSR not the CA." ;; build|build-client-full|build-server-full|build-serverClient-full) 
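Review bot: When `force_subj` is set, the new `if` branch replaces the confirm DN with only the forced string, so the operator no longer sees the subject that is actually in the .req file and cannot notice that the request and the forced value disagree — yet that prompt is the human check before the CA key is used. Showing the parsed request DN unconditionally and appending the forced subject keeps both visible; the `display_dn` failure handling stays as it was. The `if` block and the surrounding `sign-req` body extend beyond this hunk.
```sh
	# Set confirm DN
	confirm_dn="$(display_dn req "$req_in")" || \
		die "sign-req: display_dn"
	if [ "$force_subj" ]; then
		confirm_dn="$confirm_dn
Forced subject (replaces the request subject above)=
  $force_subj"
	fi
	# … unchanged: confirm SAN …
```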
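Review bot: The added `${force_subj:+ -subj "$force_subj"}` sits directly after `${EASYRSA_PRESERVE_DN:+ -preserveDN}`, and nothing in the option loop (hunk at 2102) prevents `preserve` and `newsubj` from being given together, so `openssl ca` can receive both `-preserveDN` and `-subj` in one invocation. How the two interact — whether the forced subject keeps the attribute order it was given or is re-ordered by the CA policy — is not pinned down by this change and may depend on the OpenSSL version in use; either reject the pair in the option loop, `[ "$force_subj" ] && [ "$EASYRSA_PRESERVE_DN" ] && user_error "'newsubj' and 'preserve' cannot be combined"`, or state the intended behaviour in a comment above this line. The quoting follows the existing `${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"}` pattern, so a subject containing spaces is passed as one argument.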
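Review bot: The `--new-subject)` arm exports whatever `$val` holds, so `--new-subject=` with an empty value leaves `EASYRSA_NEW_SUBJECT` empty and the later `newsubj` check (hunk at 2102) then reports that `--new-subject` was not specified, which is misleading to the operator. Unless the generic option parser above this hunk already rejects empty values (the `while :` loop starts outside the hunk), a guard here gives the accurate message: `[ "$val" ] || user_error "--new-subject requires a value"`. The arm otherwise matches the neighbouring `--usefn)` form.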
@@ -469,6 +470,24 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" eg: '--batch --req-cn=NAME build-ca [subca]' Can only be used in BATCH mode." + ;; + --new-subject|newsubj*|subject) + text_only=1 + text=" +* Global Option: --new-subject= + + This global option is used to set the new certificate subject, + when signing a new certificate + +* REQUIRES Command option: 'newsubj', for command 'sign-req' + + Using command 'sign-req', add command option 'newsubj', + to FORCE the --new-subject to be used. + + Example: + --new-subject='/CN=foo' sign-req client bar newsubj + + See OpenSSL command 'ca', option -subj, for full details." ;; tool*|util*|more) # Test features @@ -601,6 +620,9 @@ Certificate & Request options: (these impact cert/req field values) : Add a subjectAltName. For more info and syntax, see: 'easyrsa help altname' +--new-subject : Specify a new subject field to sign a request with. + For more info and syntax, see: 'easyrsa help subject' + --usefn=NAME : export-p12, set 'friendlyName' to NAME For more, see: 'easyrsa help friendly' From 763ce6eccc8dfe7d5ce2ab2e94b37e49a401cde7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 9 Apr 2024 22:24:21 +0100 Subject: [PATCH 3/3] ChangeLog: Allow editing Request Subject during command 'sign-req' Signed-off-by: Richard T Bonhomme --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 442a82738..853b8d751 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Introduce Options to edit Request Subject during command 'sign-req' + Global Option: --new-subject -- Command 'sign-req' option: 'newsubj' + First proposed in: (#439) -- Completed: (83b81c7) (#1111) * docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#1109) * Remove all 'renew' code; replaced by 'expire' code (9d94207) (#1109) * Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#1109)
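Review bot: The help text under `--new-subject|newsubj*|subject)` shows the option as `--new-subject=` with nothing after the `=`, and the option table added in the hunk at 601 shows `--new-subject :` without the `=VALUE` form its neighbour `--usefn=NAME` uses; both should carry a placeholder such as `--new-subject=SUBJECT`. The text also never states that the subject carried in the .req file is discarded, which is the one fact an operator reviewing the confirm prompt needs; a line such as `The subject in the request file is ignored; the certificate is issued with this subject instead.` would make that explicit. The sentence ending `when signing a new certificate` is missing its full stop.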