From 8d40587dd5305995a9c88aa438975f331008a152 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 17:10:09 +0100 Subject: [PATCH 01/27] Remove prefer_vars_in_pki_msg() Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..7037339b0 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -96,10 +96,6 @@ DIRECTORY STATUS (commands would take effect on these locations) vars-file: ${EASYRSA_VARS_FILE:-Missing or undefined}${ivmsg} x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status" - - # if the vars file in use is not in the PKI - # and not user defined then Show the messages - prefer_vars_in_pki_msg } # => usage() # Detailed command help @@ -1374,7 +1370,7 @@ Your newly created PKI dir is: warn "\ A vars file has not been created in your new PKI because conflicting vars files have been found elsewhere." - prefer_vars_in_pki_msg + #prefer_vars_in_pki_msg else unset -v EASYRSA_VARS_FILE select_vars @@ -1392,30 +1388,12 @@ IMPORTANT: To use a global vars file, use global option --vars=" else - prefer_vars_in_pki_msg + : #prefer_vars_in_pki_msg fi verbose "\ init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() -# Must be used in two places, so made it a function -prefer_vars_in_pki_msg() { - if [ "$vars_in_pki" ] || [ "$user_vars_true" ] || - [ "$EASYRSA_NO_VARS" ] - then - return - fi - - # Never show this message - return - - information " -IMPORTANT: - The preferred location for 'vars' is within the PKI folder. - To silence this message move your 'vars' file to your PKI - or declare your 'vars' file with option: --vars=" -} # => prefer_vars_in_pki_msg() - # Copy data-files from various sources install_data_to_pki() { # From b683db94210b185d41134a69760365e4d715a95c Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Wed, 18 Oct 2023 17:17:07 +0100 Subject: [PATCH 02/27] Remove $no_new_vars Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7037339b0..db40eacdd 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1362,22 +1362,12 @@ Failed to install required data-files to PKI. (init)" Your newly created PKI dir is: * $EASYRSA_PKI" - # Installation information - # if $no_new_vars then there are one or more known vars - # which are not in the PKI. All further commands will fail - # until vars is manually corrected - if [ "$no_new_vars" ]; then - warn "\ -A vars file has not been created in your new PKI because -conflicting vars files have been found elsewhere." - #prefer_vars_in_pki_msg - else - unset -v EASYRSA_VARS_FILE - select_vars - information " + # Select and show vars file + unset -v EASYRSA_VARS_FILE + select_vars + information " Using Easy-RSA configuration: * ${EASYRSA_VARS_FILE:-undefined}" - fi # For new PKIs , pki/vars was auto-created, show message if [ "$new_vars_true" ]; then @@ -1476,8 +1466,7 @@ install_data_to_pki: $context - COMPLETED" # Create PKI/vars from PKI/example unset -v new_vars_true - if [ "$user_vars_true" ] || \ - [ "$no_new_vars" ] + if [ "$user_vars_true" ] then : # ok - Do not make a PKI/vars if another vars exists verbose "\ @@ -6946,7 +6935,7 @@ unset -v \ alias_days \ prohibit_no_pass \ invalid_vars \ - no_new_vars user_vars_true \ + user_vars_true \ do_build_full error_build_full_cleanup \ internal_batch \ easyrsa_exit_with_error error_info From 67380b30e0c120fe31677f76f15e6b148d005c62 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 20:07:30 +0100 Subject: [PATCH 03/27] Remove $new_vars_true Allows removal of the 'init-pki' section of 'install_data_to_pki()'. 
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 35 +---------------------------------- 1 file changed, 1 insertion(+), 34 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index db40eacdd..5ac8bf099 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1369,17 +1369,6 @@ Your newly created PKI dir is: Using Easy-RSA configuration: * ${EASYRSA_VARS_FILE:-undefined}" - # For new PKIs , pki/vars was auto-created, show message - if [ "$new_vars_true" ]; then - information " -IMPORTANT: - Easy-RSA 'vars' template file has been created in your new PKI. - Edit this 'vars' file to customise the settings for your PKI. - To use a global vars file, use global option --vars=" - - else - : #prefer_vars_in_pki_msg - fi verbose "\ init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() @@ -1465,7 +1454,6 @@ install_data_to_pki: $context - COMPLETED" fi # Create PKI/vars from PKI/example - unset -v new_vars_true if [ "$user_vars_true" ] then : # ok - Do not make a PKI/vars if another vars exists @@ -1474,28 +1462,7 @@ install_data_to_pki: $context - Not creating pki/vars" else case "$context" in init-pki) - # Only create for 'init-pki', if one does not exist - # 'init-pki soft' should have it's own 'vars' file - if [ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \ - [ ! -e "${EASYRSA_PKI}/${vars_file}" ] - then - # Failure means that no vars will exist and - # 'cp' will generate an error message - # This is not a fatal error - if cp "${EASYRSA_PKI}/${vars_file_example}" \ - "${EASYRSA_PKI}/${vars_file}" - then - new_vars_true=1 - vars="${EASYRSA_PKI}/${vars_file}" - verbose "\ -install_data_to_pki: $context - vars = '$vars'" - else - unset -v new_vars_true vars - warn "\ -install_data_to_pki: $context - Failed to install vars file" - fi - fi - ;; + : ;; # No change to current 'vars' required vars-setup) : ;; # No change to current 'vars' required x509-types-only) From cebd9585bee88e31d021c1a9783cd4e05a4626f9 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Wed, 18 Oct 2023 20:30:44 +0100 Subject: [PATCH 04/27] Remove $vars, replaced by $EASYRSA_VARS_FILE Only effects upgrade, up23_manage_upgrade_23() Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5ac8bf099..2fac6b82c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6682,21 +6682,22 @@ up23_manage_upgrade_23 () EASYRSA_FOUND_VARS=0 # Verify all existing versions of vars/vars.bat - if [ -f "$vars" ] + if [ -f "$EASYRSA_VARS_FILE" ] then - if grep -q 'Complain if a user tries to do this:' "$vars" + if grep -q 'Complain if a user tries to do this:' \ + "$EASYRSA_VARS_FILE" then EASYRSA_FOUND_VARS=1 EASYRSA_VARS_IS_VER3=1 fi # Easyrsa v3 does not use NOR allow use of `export`. - if grep -q 'export' "$vars" + if grep -q 'export' "$EASYRSA_VARS_FILE" then EASYRSA_FOUND_VARS=1 EASYRSA_VARS_IS_VER2=1 - EASYRSA_VER2_VARSFILE="$vars" - EASYRSA_TARGET_VARSFILE="$vars" + EASYRSA_VER2_VARSFILE="$EASYRSA_VARS_FILE" + EASYRSA_TARGET_VARSFILE="$EASYRSA_VARS_FILE" fi fi From a116b27eddb476704e65cf74238316e785df9e1e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 20:34:11 +0100 Subject: [PATCH 05/27] Remove $vars_file and $vars_file_example Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 -- 1 file changed, 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 2fac6b82c..6d7af5e28 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1388,8 +1388,6 @@ install_data_to_pki() { shift # Set required sources - vars_file='vars' - vars_file_example='vars.example' ssl_cnf_file='openssl-easyrsa.cnf' x509_types_dir='x509-types' From 3ae9c86a11be9f49a28858c2162569d223516330 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 20:39:27 +0100 Subject: [PATCH 06/27] Remove $user_vars_true 
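Review bot: Both detections on `$EASYRSA_VARS_FILE` are plain substring greps, so a v3 vars file whose comments merely contain the word `export` sets `EASYRSA_VARS_IS_VER2=1` alongside `EASYRSA_VARS_IS_VER3=1` and is then recorded as `EASYRSA_VER2_VARSFILE` and `EASYRSA_TARGET_VARSFILE`. Anchoring the v2 test to an actual statement, `grep -q '^[[:blank:]]*export[[:blank:]]' "$EASYRSA_VARS_FILE"`, avoids that false positive while keeping the rename the commit makes. How the two flags are reconciled afterwards is outside this hunk, as is the rest of up23_manage_upgrade_23().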
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 6d7af5e28..5da375628 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1451,27 +1451,6 @@ install_data_to_pki: $context - COMPLETED" return fi - # Create PKI/vars from PKI/example - if [ "$user_vars_true" ] - then - : # ok - Do not make a PKI/vars if another vars exists - verbose "\ -install_data_to_pki: $context - Not creating pki/vars" - else - case "$context" in - init-pki) - : ;; # No change to current 'vars' required - vars-setup) - : ;; # No change to current 'vars' required - x509-types-only) - die "install_data_to_pki - unexpected context" ;; - '') - die "install_data_to_pki - unspecified context" ;; - *) - die "install_data_to_pki - unknown context: $context" - esac - fi - # Check PKI is updated - Omit unnecessary checks if [ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ]; then : # ok @@ -6901,7 +6880,6 @@ unset -v \ alias_days \ prohibit_no_pass \ invalid_vars \ - user_vars_true \ do_build_full error_build_full_cleanup \ internal_batch \ easyrsa_exit_with_error error_info @@ -7063,7 +7041,6 @@ while :; do export EASYRSA_SUBCA_LEN="$val" ;; --vars) - user_vars_true=1 export EASYRSA_VARS_FILE="$val" ;; --copy-ext) From a05fa59b0ecd24f3ac8b5aae37edb0dcc6ff0224 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 21:07:44 +0100 Subject: [PATCH 07/27] For shellcheck: Add directives to ignore unreachable code Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5da375628..8a2a3d5bc 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -4404,6 +4404,7 @@ ssl_cert_serial() { } # => ssl_cert_serial() # Get certificate start date +# shellcheck disable=2317 # Unreachable code .. ssl_cert_not_before_date() { verbose "DEPRECATED: ssl_cert_not_before_date()" [ "$#" = 2 ] || die "\ 
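Review bot: The new directives use a bare code, `# shellcheck disable=2317`, while the rest of the file writes SC-prefixed codes (`# shellcheck disable=SC3040,SC3045`, `# shellcheck disable=SC2154` in later hunks of this series); ShellCheck accepts both, but one form keeps the directives grep-able. The trailing `# Unreachable code ..` only restates the warning being silenced; what a reader needs on each of the four never-called functions is why it is retained, e.g. `# shellcheck disable=SC2317 # not called yet, kept for <reason>` with the reason filled in. This applies equally to the three sibling hunks in this commit (iso_8601_cert_startdate, cert_date_to_iso_8601_date, satisfy_shellcheck).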
@@ -4446,6 +4447,7 @@ ssl_cert_not_after_date - failed to set var '$*'" } # => ssl_cert_not_after_date() # SSL -- v3 -- startdate iso_8601 +# shellcheck disable=2317 # Unreachable code .. iso_8601_cert_startdate() { verbose "NEW: iso_8601_cert_startdate" [ "$#" = 2 ] || die "\ @@ -4795,6 +4797,7 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date" # Convert default SSL date to iso_8601 date # This may not be feasible, due to different languages # Alow the caller to assess those errors (eg. Fall-back) +# shellcheck disable=2317 # Unreachable code .. cert_date_to_iso_8601_date() { verbose "iso_8601-WIP: cert_date_to_iso_8601_date" die "BLOCKED: cert_date_to_iso_8601_date" @@ -5313,6 +5316,7 @@ before they can be revoked." # Fake declare known variables for shellcheck # Use these options without this function: # -o all -e 2250,2244,2248 easyrsa +# shellcheck disable=2317 # Unreachable code .. satisfy_shellcheck() { die "Security feature enabled!" # Add more as/if required From 7960b4ca5eec41cbcf42feaa47b5382f5405587c Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 18 Oct 2023 21:17:58 +0100 Subject: [PATCH 08/27] install_data_to_pki(): Downgrade Failure to Warning If the openssl-easyrsa.cnf file fails to copy then try to create it using create_openssl_easyrsa_cnf(). If creating the file also fails then that is a fatal error. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8a2a3d5bc..f3669eaae 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1437,7 +1437,7 @@ install_data_to_pki() { if [ -e "${EASYRSA_PKI}/${source}" ]; then continue else - cp "${area}/${source}" "$EASYRSA_PKI" || die \ + cp "${area}/${source}" "$EASYRSA_PKI" || warn \ "Failed to copy to PKI: ${area}/${source}" fi done From 5cb462dc39b468dffada532dfcb6340c510f9998 Mon Sep 17 00:00:00 2001 
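Review bot: Downgrading `die` to `warn` applies to every `${source}` the loop copies, not only to `openssl-easyrsa.cnf`, so a failed copy of any other data file is now survivable without a fatal error. The fallback the commit message describes (create_openssl_easyrsa_cnf()) is outside this hunk, and I cannot see a post-copy check that covers the other sources. If the cnf is the only file that can be regenerated, keep the failure fatal for the rest: test `[ "$source" = "$ssl_cnf_file" ]` and `warn` in that case, `die` otherwise. The enclosing loop and install_data_to_pki() continue outside the hunk.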
From: Richard T Bonhomme Date: Thu, 19 Oct 2023 00:41:23 +0100 Subject: [PATCH 09/27] escape_hazard(): Reuse source_vars() This catches misuse of command options for DN. eg: --dn-mode=org --req-ou="Test backtick: `" build-* foo Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..ce61c841a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -996,13 +996,8 @@ export EASYRSA_REQ_SERIAL=\"$EASYRSA_REQ_SERIAL\"\ escape_hazard - Failed to write temp-file" # Reload fields from fully escaped temp-file - # shellcheck disable=SC1090 # can't follow ... - (. "$escape_hazard_tmp") || die "\ -escape_hazard - Failed to source temp-file" - + source_vars "$escape_hazard_tmp" verbose "escape_hazard: COMPLETED" - # shellcheck disable=SC1090 # can't follow ... - . "$escape_hazard_tmp" } # => escape_hazard() # Replace environment variable names with current value @@ -5684,12 +5679,6 @@ No Easy-RSA 'vars' configuration file exists!" # Source a vars file source_vars() { - # Never use vars file - if [ "$EASYRSA_NO_VARS" ]; then - verbose "source_vars: EASYRSA_NO_VARS" - return - fi - # File to be sourced target_file="$1" @@ -7223,7 +7212,7 @@ esac select_vars # source the vars file -source_vars "$EASYRSA_VARS_FILE" +[ "$EASYRSA_NO_VARS" ] || source_vars "$EASYRSA_VARS_FILE" # then set defaults default_vars From 5f207cda0eed642ebd7f47ef81ee0f930f3359b8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 19 Oct 2023 02:51:22 +0100 Subject: [PATCH 10/27] source_vars(): Use grep efficiently Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 70 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 23 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ce61c841a..3c58c647a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
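Review bot: The removed subshell dry-run `(. "$escape_hazard_tmp") || die` was what stopped a malformed temp-file from terminating the main shell; whether source_vars() performs the same dry-run is not visible here (its body after `# Enable sourcing 'vars'` is outside the hunk), and if it does not, a bad escape now aborts without the `escape_hazard - Failed to source temp-file` diagnostic. source_vars()'s rejection message also speaks of "your 'vars' file", which is misleading when the rejected file is the DN temp-file built from command-line options; an optional second argument naming the subject, e.g. `source_vars "$escape_hazard_tmp" "DN options"`, would keep the message accurate. Moving the `EASYRSA_NO_VARS` guard to the one call site means any other caller of source_vars() outside these hunks loses it; worth a grep before merging.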
@@ -5701,36 +5701,60 @@ Using Easy-RSA 'vars' configuration: if grep -q \ -e 'EASYRSA_PASSIN' -e 'EASYRSA_PASSOUT' \ -e '[^(]`[^)]' \ + -e '[[:blank:]]export[[:blank:]]*' \ + -e '[[:blank:]]unset[[:blank:]]*' \ "$target_file" then - user_error "\ -One or more of these problems has been found in your 'vars' file: -* $target_file - -* Use of 'EASYRSA_PASSIN' or 'EASYRSA_PASSOUT': -Storing password information in the 'vars' file is not permitted. + # here we go .. + err_msg="\ +These problems have been found in your 'vars' settings:${NL}" + + # No passwords! + if grep -q \ + -e 'EASYRSA_PASSIN' -e 'EASYRSA_PASSOUT' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'EASYRSA_PASSIN' or 'EASYRSA_PASSOUT': + Storing password information in the 'vars' file is not permitted." + fi -* Use of unsupported characters: -These characters are not supported: \` backtick + # No backticks + if grep -q \ + -e '[^(]`[^)]' \ + "$target_file" + then + err_msg="${err_msg} + Use of unsupported characters: + These characters are not supported: \` backtick" + fi -Please, correct these errors and try again." - fi + # No export + if grep -q \ + -e '[[:blank:]]export[[:blank:]]*' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'export': + Remove 'export' or replace it with 'set_var'." + fi - # Sanitize vars - if grep -q \ - -e '[[:blank:]]export[[:blank:]]*' \ - -e '[[:blank:]]unset[[:blank:]]*' \ - "$target_file" - then - user_error "\ -One or more of these problems has been found in your 'vars' file: -* $target_file + # No unset + if grep -q \ + -e '[[:blank:]]unset[[:blank:]]*' \ + "$target_file" + then + err_msg="${err_msg} + Use of 'unset': + Remove 'unset' ('force_set_var' may also work)." + fi -* Use of 'export': -Remove 'export' or replace it with 'set_var'. + # Fatal error + user_error "${err_msg}${NL} +Please, correct these errors and try again." -* Use of 'unset': -Remove 'unset' ('force_set_var' may also work)." 
+ else + verbose "source_vars: CLEAN '$target_file'" fi # Enable sourcing 'vars' From 294dace7fbcb4edf51366bdd5ff3628b25613039 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 19 Oct 2023 21:36:04 +0100 Subject: [PATCH 11/27] Standardise function definition syntax Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 48 ++++++++++++++++-------------------------------- 1 file changed, 16 insertions(+), 32 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f3669eaae..d248141f1 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1468,8 +1468,7 @@ install_data_to_pki: $context - Missing: '$x509_types_dir'" } # => install_data_to_pki () # Disable terminal echo, if possible, otherwise warn -hide_read_pass() -{ +hide_read_pass() { # 3040 - In POSIX sh, set option [name] is undefined # 3045 - In POSIX sh, some-command-with-flag is undefined # shellcheck disable=SC3040,SC3045 @@ -6243,8 +6242,7 @@ SSL_CONFIG # -------------------------------------------------------------------------- # -up23_fail_upgrade () -{ +up23_fail_upgrade () { # Replace die() unset -v EASYRSA_BATCH notice " @@ -6263,14 +6261,12 @@ Easyrsa3 upgrade FAILED exit 9 } #=> up23_fail_upgrade () -up23_verbose () -{ +up23_verbose () { [ "$VERBOSE" ] || return 0 printf "%s\n" "$1" } #=> up23_verbose () -up23_verify_new_pki () -{ +up23_verify_new_pki () { # Fail now, before any changes are made up23_verbose "> Verify DEFAULT NEW PKI does not exist .." @@ -6298,8 +6294,7 @@ up23_verify_new_pki () } #=> up23_verify_new_pki () # shellcheck disable=SC2154 -up23_verify_current_pki () -{ +up23_verify_current_pki () { up23_verbose "> Verify CURRENT PKI vars .." # This can probably be improved @@ -6324,8 +6319,7 @@ up23_verify_current_pki () } #=> up23_verify_current_pki () # shellcheck disable=SC2154 -up23_verify_current_ca () -{ +up23_verify_current_ca () { up23_verbose "> Find CA .." # $KEY_DIR is assigned in up23_verify_current_pki () [ -f "$KEY_DIR/ca.crt" ] \ 
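Review bot: The per-problem greps keep the pre-existing patterns, and `'[[:blank:]]export[[:blank:]]*'` / `'[[:blank:]]unset[[:blank:]]*'` require a blank before the keyword, so `export FOO=bar` or `unset FOO` written at column 0 passes the sanity check unflagged; the trailing `[[:blank:]]*` is zero-or-more and adds nothing. Anchoring to the line start closes the gap, `-e '^[[:blank:]]*export[[:blank:]]'` and `-e '^[[:blank:]]*unset[[:blank:]]'`, in both the combined pre-check and the per-problem greps. The backtick pattern `'[^(]`[^)]'` likewise needs a character on each side, so a backtick at the start or end of a line is not caught; unless the parenthesis exclusion is intentional, a pattern of just the backtick character is the simpler and safer test. `${NL}` is not defined in this hunk; presumably a file-level newline constant, but a reader of source_vars() cannot tell.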
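Review bot: The standardised form is not uniform within this commit: `hide_read_pass() {` and `print_version() {` drop the space before the parentheses, while every `up23_*` definition keeps it (`up23_fail_upgrade () {`, `up23_verbose () {`, and so on). Both spellings are valid POSIX sh, but a commit titled "Standardise function definition syntax" should settle on one; `up23_fail_upgrade() {` would match the `name() {` form the other hunks use. The trailing `} #=> up23_fail_upgrade ()` markers would then be updated to match.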
@@ -6388,8 +6382,7 @@ up23_verify_current_ca () CURRENT_CA_IS_VERIFIED="$in_file" } #=> up23_verify_current_ca () -up23_show_current_ca () -{ +up23_show_current_ca () { name_opts="utf8,sep_multiline,space_eq,lname,align" printf "%s\n" "-------------------------------------------------------------------------" # $opts is always set here @@ -6400,8 +6393,7 @@ up23_show_current_ca () printf "%s\n" "-------------------------------------------------------------------------" } #=> up23_show_current_ca () -up23_backup_current_pki () -{ +up23_backup_current_pki () { up23_verbose "> Backup current PKI .." mkdir -p "$EASYRSA_SAFE_PKI" \ @@ -6418,8 +6410,7 @@ up23_backup_current_pki () up23_verbose " Current PKI backup created in: $EASYRSA_SAFE_PKI" } #=> up23_backup_current_pki () -up23_create_new_pki () -{ +up23_create_new_pki () { # Dirs: renewed and revoked are created when used. up23_verbose "> Create NEW PKI .." up23_verbose ">> Create NEW PKI dirs .." @@ -6460,8 +6451,7 @@ up23_create_new_pki () up23_verbose " New PKI created in: $EASYRSA_PKI" } #=> up23_create_new_pki () -up23_upgrade_ca () -{ +up23_upgrade_ca () { [ -d "$EASYRSA_PKI" ] || return 0 up23_verbose "> Confirm that index.txt.attr exists and 'unique_subject = no'" if [ -f "$EASYRSA_PKI/index.txt.attr" ] @@ -6485,8 +6475,7 @@ up23_upgrade_ca () up23_verbose " Upgraded index.txt.attr to v306+" } #=> up23_upgrade_index_txt_attr () -up23_create_openssl_cnf () -{ +up23_create_openssl_cnf () { up23_verbose "> OpenSSL config .." EASYRSA_PKI_SSL_CNFFILE="$EASYRSA_PKI/openssl-easyrsa.cnf" EASYRSA_PKI_SAFE_CNFFILE="$EASYRSA_PKI/safessl-easyrsa.cnf" @@ -6514,8 +6503,7 @@ up23_create_openssl_cnf () fi } #=> up23_create_openssl_cnf () -up23_move_easyrsa2_programs () -{ +up23_move_easyrsa2_programs () { # These files may not exist here up23_verbose "> Move easyrsa2 programs to SAFE PKI .." for i in build-ca build-dh build-inter build-key build-key-pass \ 
@@ -6556,8 +6544,7 @@ up23_move_easyrsa2_programs () } #=> up23_move_easyrsa2_programs () # shellcheck disable=SC2154 -up23_build_v3_vars () -{ +up23_build_v3_vars () { up23_verbose "> Build v3 vars file .." EASYRSA_EXT="easyrsa-upgrade-23" @@ -6621,8 +6608,7 @@ up23_build_v3_vars () } #=> up23_build_v3_vars () # shellcheck disable=SC2154 -up23_do_upgrade_23 () -{ +up23_do_upgrade_23 () { up23_verbose "============================================================================" up23_verbose "Begin ** $1 ** upgrade process .." up23_verbose "" @@ -6656,8 +6642,7 @@ up23_do_upgrade_23 () rm -f "$EASYRSA_VARS_LIVEBKP" } #= up23_do_upgrade_23 () -up23_manage_upgrade_23 () -{ +up23_manage_upgrade_23 () { EASYRSA_UPGRADE_VERSION="v1.0a (2020/01/08)" EASYRSA_UPGRADE_TYPE="$1" EASYRSA_FOUND_VARS=0 @@ -6835,8 +6820,7 @@ return 0 } # => up23_manage_upgrade_23 () -print_version() -{ +print_version() { ssl_version="$( OPENSSL_CONF=/dev/null \ "${EASYRSA_OPENSSL:-openssl}" version From 0d12f4ea550788f8d841783fcab4f5b0b451d531 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 22 Oct 2023 12:35:17 +0100 Subject: [PATCH 12/27] Refactor moving temp-files to target-files Because different commands have different cleanup requirements, this code reduces the success check to an if-then per command. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d248141f1..ab40439ad 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1850,14 +1850,13 @@ build_ca: CA certificate password created via RAW" build_ca: CA certificate password created via temp-files" fi - # Move temp-files to output files - mv "$out_key_tmp" "$out_key" || { - die "Failed to move key temp-file" - } - mv "$out_file_tmp" "$out_file" || { - rm -f "$out_key" # Also remove the key - die "Failed to move cert temp-file" - } + # Move temp-files to target-files + mv "$out_key_tmp" "$out_key" || mv_temp_error=1 + mv "$out_file_tmp" "$out_file" || mv_temp_error=1 + if [ "$mv_temp_error" ]; then + rm -f "$out_key" "$out_file" + die "Failed to move new CA files." + fi # Success messages if [ "$sub_ca" ]; then @@ -1915,8 +1914,12 @@ at: $out_file" -check -noout || \ die "Failed to validate DH params" - mv -f "$tmp_dh_file" "$out_file" || \ - die "Failed to move temp DH file" + # Move temp-files to target-files + mv "$tmp_dh_file" "$out_file" || mv_temp_error=1 + if [ "$mv_temp_error" ]; then + rm -f "$out_file" + die "Failed to move temp DH file." + fi notice " DH parameters of size $EASYRSA_KEY_SIZE created at: @@ -2060,13 +2063,12 @@ $EASYRSA_EXTRA_EXTS" fi # Move temp-files to target-files - mv "$key_out_tmp" "$key_out" || { - die "Failed to move key temp-file" - } - mv "$req_out_tmp" "$req_out" || { - rm -f "$key_out" # Also remove the key - die "Failed to move req temp-file" - } + mv "$key_out_tmp" "$key_out" || mv_temp_error=1 + mv "$req_out_tmp" "$req_out" || mv_temp_error=1 + if [ "$mv_temp_error" ]; then + rm -f "$key_out" "$req_out" + die "Failed to move temp key/req file." + fi # Success messages notice "\ 
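Review bot: The DH hunk replaces `mv -f "$tmp_dh_file" "$out_file"` with a plain `mv`, and the gen_crl hunk drops `${EASYRSA_BATCH:+ -f}` the same way; without `-f`, `mv` may prompt before overwriting an existing non-writable target when stdin is a terminal, which is exactly what `--batch` is meant to avoid. `mv -f "$tmp_dh_file" "$out_file" || mv_temp_error=1` (and `mv -f` in gen_crl) keeps the previous behaviour while still using the new error flag. The commented-out `#rm -f "$out_file"` in gen_crl should either be restored or replaced by a one-line comment stating why the old CRL is deliberately left in place on failure.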
@@ -2369,8 +2371,12 @@ $(display_dn req "$req_in")" # => confirm end Signing failed (openssl output above may have more detail)" verbose "sign_req: signed cert '$file_name_base' OK" - mv "$crt_out_tmp" "$crt_out" || \ - die "Failed to move temp-file to certificate." + # Move temp-files to target-files + mv "$crt_out_tmp" "$crt_out" || mv_temp_error=1 + if [ "$mv_temp_error" ]; then + rm -f "$crt_out" + die "Failed to move temp certificate file." + fi # Success messages notice "\ @@ -3650,8 +3656,12 @@ gen_crl() { ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} || \ die "CRL Generation failed." - mv ${EASYRSA_BATCH:+ -f} "$out_file_tmp" "$out_file" || \ - die "Failed to update CRL file." + # Move temp-files to target-files + mv "$out_file_tmp" "$out_file" || mv_temp_error=1 + if [ "$mv_temp_error" ]; then + #rm -f "$out_file" + die "Failed to move temp CRL file." + fi notice "\ An updated CRL has been created: @@ -6869,7 +6879,7 @@ unset -v \ prohibit_no_pass \ invalid_vars \ do_build_full error_build_full_cleanup \ - internal_batch \ + internal_batch mv_temp_error \ easyrsa_exit_with_error error_info # Used by build-ca->cleanup to restore prompt From 27336227439973b80abdf36c5e8fe82c697e37f9 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 23 Oct 2023 00:38:49 +0100 Subject: [PATCH 13/27] Add alias 'show-eku', for original command 'x509-eku' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ab40439ad..2f0f3c356 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -485,7 +485,7 @@ cmd_help() { default-san Display EKU of certificate: - x509-eku " + show-eku " ;; opts|options) opt_usage @@ -7326,7 +7326,7 @@ case "$cmd" in verify_working_env default_server_san "$@" ;; - x509-eku) + x509-eku|show-eku) verify_working_env ssl_cert_x509v3_eku "$@" ;; From 6104c39bbda1cf1cb0670b4aa0fa79610cdfdf94 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:11:35 +0100 Subject: [PATCH 14/27] x509-eku: Add support for x509-types/code-signing Rewrite command x509-eku to allow easy inclusion for new EKU types. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 56 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..0d56429a4 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2627,8 +2627,8 @@ inline_creds () { # Generate data if [ -e "$crt_source" ]; then - # Get EasyRSA cert type - ssl_cert_x509v3_eku "$crt_source" type_data + # Get EasyRSA cert type, ignore error + ssl_cert_x509v3_eku "$crt_source" type_data || : crt_data="\ @@ -2980,7 +2980,8 @@ Cannot renew this certificate, a conflicting file exists: die "Failed to create inline directoy." # Extract certificate usage from old cert - ssl_cert_x509v3_eku "$crt_in" cert_type + ssl_cert_x509v3_eku "$crt_in" cert_type || \ + die "Unknown EKU: $cert_type" # Use SAN from --san if set else use SAN from old cert if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName 
@@ -4446,33 +4447,63 @@ ssl_cert_x509v3_eku() { __cli="TLS Web Client Authentication" __srv="TLS Web Server Authentication" __srv_cli="${__srv}, ${__cli}" + __codeSign="Code Signing" + unset -v __known - # Extract certificate usage from old cert + # Extract certificate Extended Key Usage __eku="$( - easyrsa_openssl x509 -in "${__crt}" -noout -text | \ - sed -n "/${__pattern}/{n;s/^ *//g;p;}" + OPENSSL_CONF=/dev/null + "$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout \ + -ext extendedKeyUsage | \ + sed -e /"${__pattern}"/d -e s/^\ *// )" + # Match EKU with supported usage case "$__eku" in + "$__srv_cli") + __known=1 + __type=serverClient + ;; "$__cli") + __known=1 __type=client ;; "$__srv") + __known=1 __type=server ;; - "$__srv_cli") - __type=serverClient + "$__codeSign") + __known=1 + __type=codeSign + ;; + '') + __type=undefined ;; - *) die "Unknown key usage: $__eku" + *) + __type="'$__eku'" esac # Set variable to return if [ "$__var" ]; then + verbose "ssl_cert_x509v3_eku - EKU: $__type" force_set_var "$__var" "$__type" + elif [ "$__known" ]; then + information " +* Known X509v3 Extended Key Usage: $__type" else - information "${NL}* EasyRSA Certificate type: $__type" + information " +* Unknown X509v3 Extended Key Usage: $__type" + fi + + unset -v __crt __var __pattern __srv_cli __cli __srv \ + __codeSign __eku __type + + if [ "$__known" ]; then + unset -v __known + return fi - unset -v __crt __var __pattern __eku __type + + return 1 } # => ssl_cert_x509v3_eku() # get the serial number of the certificate -> serial=XXXX @@ -7420,7 +7451,8 @@ case "$cmd" in ;; x509-eku) verify_working_env - ssl_cert_x509v3_eku "$@" + ssl_cert_x509v3_eku "$@" || \ + easyrsa_exit_with_error=1 ;; upgrade) verify_working_env From f88c08a38a5f09cf49aec8b5412e488b78b73b45 Mon Sep 17 00:00:00 2001 
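Review bot: `OPENSSL_CONF=/dev/null` sits on its own line inside the `$( … )` with no trailing backslash, so it is a plain assignment and only reaches openssl if OPENSSL_CONF is already exported (easyrsa_openssl() exports it, but nothing guarantees it has run first); write it as a command prefix, `OPENSSL_CONF=/dev/null "$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout \`, as print_version() already does. `x509 -ext extendedKeyUsage` requires an OpenSSL that supports `-ext`; if older OpenSSL or LibreSSL builds are still supported this needs a fallback, and calling `$EASYRSA_OPENSSL` directly also skips easyrsa_openssl()'s safe-conf handling, which may be intended but deserves a comment. Exact-string matching in the `case` means a certificate that lists the same usages in a different order, or with an additional usage, is reported as unknown; since the renew caller now dies on that, a comment stating the limitation above the `case` would help.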
From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:22:34 +0100 Subject: [PATCH 15/27] create_x509_type(): Return error, do not die Due to output redirection, errors must only return an error, not use die. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0d56429a4..70ab0809e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6028,8 +6028,7 @@ create_x509_type() { X509_TYPE_CA ;; *) - # Unknown type: User MUST supply the X509 file - die "create_x509_type - Unknown X509 type: '$1'" + return 1 esac } # => create_x509_type() From 5f6111a8a67883a3bb293b179ba4f1467cbf6f24 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:38:35 +0100 Subject: [PATCH 16/27] clean_up(): Move file-restore tasks before temp-dir removal Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 70ab0809e..ace108f40 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -858,6 +858,15 @@ cleanup() { print fi + # undo changes BEFORE delete temp-dir + # Remove files when build_full()->sign_req() is interrupted + [ "$error_build_full_cleanup" ] && \ + rm -f "$crt_out" "$req_out" "$key_out" + # Restore files when renew is interrupted + [ "$error_undo_renew_move" ] && renew_restore_move + # Restore files when rebuild is interrupted + [ "$error_undo_rebuild_move" ] && rebuild_restore_move + if [ "${secured_session%/*}" ] && \ [ -d "$secured_session" ] then 
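Review bot: With `die` replaced by `return 1`, the unknown-type case is only safe if every caller checks the status; since the commit says the output is redirected, an unchecked `create_x509_type "$type" > "$file"` would now leave an empty extensions file instead of aborting. The callers are outside this hunk, so I cannot confirm they do. The removed comment `# Unknown type: User MUST supply the X509 file` was the only statement of that requirement and is worth keeping above the `return 1`.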
@@ -878,22 +887,12 @@ Temporary session not preserved." mv -f "$secured_session" "$keep_tmp" print "Temp session preserved: $keep_tmp" fi - else - # remove temp-session - remove_secure_session || \ - warn "cleanup - remove_secure_session failed" fi - fi - # These cleanup routines must be called after die() - # because the relate commands can die in subshells. - # Remove files when build_full()->sign_req() is interrupted - [ "$error_build_full_cleanup" ] && \ - rm -f "$crt_out" "$req_out" "$key_out" - # Restore files when renew is interrupted - [ "$error_undo_renew_move" ] && renew_restore_move - # Restore files when rebuild is interrupted - [ "$error_undo_rebuild_move" ] && rebuild_restore_move + # remove temp-session + remove_secure_session || \ + warn "cleanup - remove_secure_session failed" + fi # shellcheck disable=SC3040 # In POSIX sh, set option [name] is undefined From 361ac95a16f6dcc5fb74e74058c3ad1dc7ca87c5 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:40:40 +0100 Subject: [PATCH 17/27] renew: On sign-req error, restore files once and clear flag Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ace108f40..dd9a7dbf8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3033,9 +3033,9 @@ with the following subject: then unset -v error_undo_renew_move else - # If renew failed then restore cert. - # Otherwise, issue a warning + # If sign_req failed then restore cert. renew_restore_move + unset -v error_undo_renew_move die "\ Renewal has failed to build a new certificate." fi From 607baafa344020d0fb852ce75c0c35eb627e2f02 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 21:06:35 +0100 Subject: [PATCH 18/27] easyrsa_openssl(), verify_working_env(): Improve verbose messages Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
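Review bot: After the restructure, `remove_secure_session` runs whenever `$secured_session` is a directory, including the branch that has just done `mv -f "$secured_session" "$keep_tmp"`; previously it was the `else` of that branch. If remove_secure_session operates on `$secured_session` (its body is outside the hunk), the path is gone by then and the call will at best emit a spurious `cleanup - remove_secure_session failed` warning. Guarding the call with the preserve condition, or unsetting `secured_session` after the move, keeps the old behaviour. The removed comment explaining why the restore routines must run after die() (commands can die in subshells) described a real ordering constraint and should travel with the code into the earlier hunk rather than disappear.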
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index dd9a7dbf8..ea279d1a5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1105,6 +1105,7 @@ easyrsa_mktemp safe_ssl_cnf_tmp" # sign-req or gen-req. easyrsa_openssl() { openssl_command="$1"; shift + verbose "> easyrsa_openssl - BEGIN $openssl_command" # Do not allow 'rand' here, see easyrsa_random() case "$openssl_command" in @@ -1126,15 +1127,16 @@ easyrsa_openssl() { # VERIFY safe temp-file exists if [ -e "$safe_ssl_cnf_tmp" ]; then verbose "\ -easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" +> easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" export OPENSSL_CONF="$safe_ssl_cnf_tmp" else verbose "\ -easyrsa_openssl: No Safe SSL conf, FALLBACK to default" +> easyrsa_openssl: No Safe SSL conf, FALLBACK to default" export OPENSSL_CONF="$EASYRSA_SSL_CONF" fi # Execute command - Return on success + verbose "> easyrsa_openssl - EXEC $openssl_command $*" if [ "$openssl_command" = "makesafeconf" ]; then # COPY temp-file to safessl-easyrsa.cnf unset -v makesafeconf @@ -5953,7 +5955,7 @@ Temporary directory does not exist: * $EASYRSA_TEMP_DIR" fi fi - verbose "verify_working_env: COMPLETED" + verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() # variable assignment by indirection. From 257af5021b59cb9ba4c9bf88e30952e4a6799c76 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 21:40:02 +0100 Subject: [PATCH 19/27] create_x509_type(): Add type: codeSign Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ea279d1a5..8070063e0 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
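Review bot: `verbose "> easyrsa_openssl - EXEC $openssl_command $*"` prints every argument of the openssl call, and elsewhere in this file callers pass `-passin "$EASYRSA_PASSIN"`; if such calls route through easyrsa_openssl(), a `pass:…` value would be echoed to the terminal or to any captured verbose log. Logging only the subcommand, `verbose "> easyrsa_openssl - EXEC $openssl_command"`, or filtering `-passin`/`-passout` values out of the printed list, avoids that. The rest of easyrsa_openssl() is outside this hunk.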
@@ -6028,6 +6028,15 @@ create_x509_type() { keyUsage = cRLSign, keyCertSign X509_TYPE_CA ;; + codeSign) + cat <<- "X509_CODE_SIGNING" + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + extendedKeyUsage = codeSigning + keyUsage = digitalSignature + X509_CODE_SIGNING + ;; *) return 1 esac From d249eebed26059da708ab0f7fd16dc508252cc91 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 27 Oct 2023 20:39:03 +0100 Subject: [PATCH 20/27] easyrsa_openssl(): Use 'case' for command selection Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8070063e0..aec0f887b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1137,24 +1137,26 @@ easyrsa_openssl() { # Execute command - Return on success verbose "> easyrsa_openssl - EXEC $openssl_command $*" - if [ "$openssl_command" = "makesafeconf" ]; then + + case "$openssl_command" in + makesafeconf) # COPY temp-file to safessl-easyrsa.cnf unset -v makesafeconf cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \ - return - die "easyrsa_openssl: makesafeconf FAILED" - fi - - # Exec SSL - if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] - then - "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ - 2>/dev/null && \ - return - else - "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \ - return - fi + return + ;; + *) + # Exec SSL + if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] + then + "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ + 2>/dev/null && \ + return + else + "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \ + return + fi + esac # Always fail here die "\ From 6ab01d83c36a8a7ee0b312f1d995aa59e35a0fe0 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 27 Oct 2023 22:12:09 +0100 Subject: [PATCH 21/27] ChangeLog: Expand renewable cert-types to include code-signing 
Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d42f2bf99..24545ab1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Expand renewable certificate types to include code-signing (#1039) 3.1.7 (2023-10-13) * Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029) From f8702fefb9a9e18be55a246b5aa10c9af101ffbf Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 29 Oct 2023 01:36:00 +0100 Subject: [PATCH 22/27] sign-req, SAN extention: Move set $san above output command group Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e68bf07b2..12e83f791 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2271,6 +2271,25 @@ basicConstraints is not defined, cannot use 'pathlen'" unset -v ns_cert_type esac + # Add user SAN from --subject-alt-name + unset -v san + if [ "$EASYRSA_EXTRA_EXTS" ]; then + san="$EASYRSA_EXTRA_EXTS" + else + # or default server SAN + # If type is server and no subjectAltName was + # requested then add one to the extensions file + case "$crt_type" in server|serverClient) + # req san or default server SAN + san="$(display_san req "$req_in")" + if [ "$san" ]; then + san="subjectAltName = $san" + else + san="$(default_server_san "$req_in")" + fi + esac + fi + # Generate the extensions file for this cert: ext_tmp="" easyrsa_mktemp ext_tmp || \ 
@@ -2292,24 +2311,9 @@ basicConstraints is not defined, cannot use 'pathlen'" print "nsComment = \"$EASYRSA_NS_COMMENT\"" fi - # Add user SAN from --subject-alt-name - if [ "$EASYRSA_EXTRA_EXTS" ]; then - print "$EASYRSA_EXTRA_EXTS" - else - # or default server SAN - # If type is server and no subjectAltName was - # requested then add one to the extensions file - if [ "$crt_type" = 'server' ] || \ - [ "$crt_type" = 'serverClient' ]; - then - # req san or default server SAN - san="$(display_san req "$req_in")" - if [ "$san" ]; then - print "subjectAltName = $san" - else - default_server_san "$req_in" - fi - fi + # Add SAN + if [ "$san" ]; then + print "$san" fi } > "$ext_tmp" || die "\ Error message: $error_msg From de8051a7618e40f5e843bd0174953a2f1b508a72 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 29 Oct 2023 14:05:51 +0000 Subject: [PATCH 23/27] sign-req: Simplify code for EASYRSA_EXTRA_EXTS vs auto-SAN EASYRSA_EXTRA_EXTS, as set by command line ALWAYS takes priority. For a server or serverClient certificate: If not set then EASYRSA_EXTRA_EXTS is set to a Server-Alt-Name [SAN], from either the certificate request file or the cerificate commonName. For all other certificates types, no default SAN is set. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 12e83f791..d2bebd831 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -2271,22 +2271,22 @@ basicConstraints is not defined, cannot use 'pathlen'" unset -v ns_cert_type esac - # Add user SAN from --subject-alt-name - unset -v san - if [ "$EASYRSA_EXTRA_EXTS" ]; then - san="$EASYRSA_EXTRA_EXTS" - else - # or default server SAN - # If type is server and no subjectAltName was - # requested then add one to the extensions file - case "$crt_type" in server|serverClient) + # If type is server and no subjectAltName was + # requested then add one to the extensions file + if [ -z "$EASYRSA_EXTRA_EXTS" ]; then + # default server SAN + case "$crt_type" in + server|serverClient) # req san or default server SAN - san="$(display_san req "$req_in")" - if [ "$san" ]; then - san="subjectAltName = $san" + __san="$(display_san req "$req_in")" + if [ "$__san" ]; then + __san="subjectAltName = $__san" else - san="$(default_server_san "$req_in")" + __san="$(default_server_san "$req_in")" fi + [ "$__san" ] || die "No default server SAN!" + export EASYRSA_EXTRA_EXTS="$__san" + unset -v __san esac fi @@ -2311,9 +2311,10 @@ basicConstraints is not defined, cannot use 'pathlen'" print "nsComment = \"$EASYRSA_NS_COMMENT\"" fi - # Add SAN - if [ "$san" ]; then - print "$san" + # Add user supplied extra extensions + # and/or SAN extension + if [ "$EASYRSA_EXTRA_EXTS" ]; then + print "$EASYRSA_EXTRA_EXTS" fi } > "$ext_tmp" || die "\ Error message: $error_msg From 5571aacf49445fb70edbc8e4832e9b210b167217 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 29 Oct 2023 14:49:00 +0000 Subject: [PATCH 24/27] display-san: Replace '&&' with 'if/then' to avoid hanging error exit Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d2bebd831..c91e5c0a9 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
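Review bot: `export EASYRSA_EXTRA_EXTS="$__san"` overwrites a user-facing option variable in place, so from this point on neither verbose output nor any later signing step in the same run (build_full's gen_req/sign_req sequence, for instance) can tell an auto-generated server SAN from one supplied with --subject-alt-name, and `export` buys nothing for a value only this shell reads. If the in-place rewrite is intended, state it where the assignment happens, e.g. `# Auto-SAN is stored in EASYRSA_EXTRA_EXTS so the ext-file writer below treats it exactly like a user-supplied extension`; otherwise keep it in a separate variable and print `"${EASYRSA_EXTRA_EXTS:-$auto_san}"` in the second hunk. The die on an empty `__san` is a good addition. The enclosing sign_req function starts and ends outside both hunks.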
@@ -4102,7 +4102,9 @@ display_san - input error" )" # Print auto SAN - [ "$san" ] && print "$san" + if [ "$san" ]; then + print "$san" + fi fi } # => display_san() From 4fec8a76b1c92cbe949222d48a6c135e6cd143bf Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 2 Nov 2023 00:43:02 +0000 Subject: [PATCH 25/27] New diagnostic command 'display-cn' Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 84 ++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 83 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 24545ab1b..ccc83b574 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * New diagnostic command 'display-cn' (#1040) * Expand renewable certificate types to include code-signing (#1039) 3.1.7 (2023-10-13) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c91e5c0a9..ec4e2ef75 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -475,6 +475,9 @@ cmd_help() { Check number is unique: serial|check-serial + Display CN of certificate:
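Review bot: The reason for the if/then form belongs in a comment at the new `if`, because the next reader will see `[ "$san" ] && print "$san"` as the obvious shorter spelling and fold it back: as the last command of the function, the `&&` form makes display_san return non-zero whenever the SAN is empty, which any status-checking caller treats as failure. Suggest `# if/then, not '&&': an empty SAN must not make display_san exit non-zero`. display_san starts outside the hunk.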
= req|x509 + display-cn + Display DN of certificate: display-dn @@ -615,9 +618,9 @@ Easy-RSA error: $1 " - # error_info is currently unused + # error_info is for hard-to-spot errors! if [ "$error_info" ]; then - print "${error_info}${NL}" + print " * $cmd: ${error_info}${NL}" fi # show host info 
@@ -4077,6 +4080,79 @@ update_db() { die "Failed to perform update-db." } # => update_db() +# Display commonName +display_cn() { + format="$1" + path="$2" + var_name="$3" + shift "$#" + + case "$format" in + req) + def_dir=reqs + dot_3=req + ;; + x509) + def_dir=issued + dot_3=crt + ;; + '') + user_error "display_cn - Unspecified format" + ;; + *) + user_error "display_cn - Unknown format: '$format'" + esac + + # Check for absolute or relative file name + if [ -e "$path" ]; then + : # ok + else + in_file="${EASYRSA_PKI}/${def_dir}/${path}.${dot_3}" + in_file_1="${EASYRSA_PKI}/${def_dir}/${path}" + if [ -e "$in_file" ]; then + path="$in_file" + elif [ -e "$in_file_1" ]; then + path="$in_file_1" + else + user_error "\ +display_cn - Type '$format', missing: '$path'" + fi + fi + + # Extract commonName + error_info="Certs require form 'x509'; Reqs require form 'req'" + if ssl_cn="$( + export OPENSSL_CONF=/dev/null + "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \ + -nameopt utf8,sep_multiline,space_eq,lname,align | \ + grep '^[[:blank:]]*commonName' + )" + then + unset -v error_info + else + die "display_cn - ssl_cn: Not found 'commonName'" + fi + + # Return commonName + if [ "$internal_batch" ] || [ "$EASYRSA_BATCH" ]; then + # Remove the label + ssl_cn="${ssl_cn#*= }" + # if set then return CN via variable + if [ "$var_name" ]; then + verbose "display_cn - force_set_var '$var_name' '$ssl_cn'" + force_set_var "$var_name" "$ssl_cn" || \ + die "display_cn - force_set_var '$var_name' '$ssl_cn'" + else + print "$ssl_cn" + fi + else + print "$ssl_cn" + fi + + unset -v ssl_cn var_name in_file in_file_1 \ + def_dir dot_3 path format internal_batch +} # => display_cn() + # Display subjectAltName display_san() { [ "$#" = 2 ] || die "\ @@ -7376,6 +7452,10 @@ case "$cmd" in check_serial_unique "$@" || \ easyrsa_exit_with_error=1 ;; + display-cn) + verify_working_env + display_cn "$@" + ;; display-dn) verify_working_env display_dn "$@" 
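Review bot: `grep '^[[:blank:]]*commonName'` in display_cn keeps every matching line, so a subject carrying more than one commonName (legal in a request) leaves `ssl_cn` multi-line, `${ssl_cn#*= }` strips only the first label, and a two-line value is then printed or handed to force_set_var; since the text comes from the file being inspected, take only the first match or reject the ambiguity, e.g. `grep '^[[:blank:]]*commonName' | head -n 1`. The subshell also runs `"$EASYRSA_OPENSSL"` directly under `OPENSSL_CONF=/dev/null`, while display_dn in this same series goes through `easyrsa_openssl`; if bypassing the wrapper and its safe-conf handling is deliberate, a one-line comment saying why would stop someone "fixing" it. If force_set_var builds an assignment from its first argument, `var_name` (the third argument of display-cn) should be checked against `[A-Za-z_][A-Za-z0-9_]*` before use. The trailing `unset -v ... internal_batch` clears a flag the caller presumably set, which reads as a one-shot contract worth stating in the function's header comment.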
From 4d317284c39875ea34d35b25646b18a936f33bd3 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 2 Nov 2023 01:33:09 +0000 Subject: [PATCH 26/27] Reorder functions: Move display_dn() above display_san() Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 50 ++++++++++++++++++++++++------------------------ 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ec4e2ef75..dde06e14d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -4153,6 +4153,31 @@ display_cn - Type '$format', missing: '$path'" def_dir dot_3 path format internal_batch } # => display_cn() +# display cert DN info on a req/X509, passed by full pathname +display_dn() { + [ "$#" = 2 ] || die "\ +display_dn - input error" + + format="$1" + path="$2" + shift 2 + + # Display DN + name_opts="utf8,sep_multiline,space_eq,lname,align" + print "$( + easyrsa_openssl "$format" -in "$path" -noout -subject \ + -nameopt "$name_opts" + )" + + # Display SAN, if present + san="$(display_san "$format" "$path")" + if [ "$san" ]; then + print "" + print "X509v3 Subject Alternative Name:" + print " $san" + fi +} # => display_dn() + # Display subjectAltName display_san() { [ "$#" = 2 ] || die "\ @@ -4184,31 +4209,6 @@ display_san - input error" fi } # => display_san() -# display cert DN info on a req/X509, passed by full pathname -display_dn() { - [ "$#" = 2 ] || die "\ -display_dn - input error" - - format="$1" - path="$2" - shift 2 - - # Display DN - name_opts="utf8,sep_multiline,space_eq,lname,align" - print "$( - easyrsa_openssl "$format" -in "$path" -noout -subject \ - -nameopt "$name_opts" - )" - - # Display SAN, if present - san="$(display_san "$format" "$path")" - if [ "$san" ]; then - print "" - print "X509v3 Subject Alternative Name:" - print " $san" - fi -} # => display_dn() - # generate default SAN from req/X509, passed by full pathname default_server_san() { [ "$#" = 1 ] || die "\ 
From 16b382fecad8424e36800048f9a2f1c4879f5e76 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 2 Nov 2023 01:38:16 +0000 Subject: [PATCH 27/27] display_dn: Remove unwanted variable $name_opts Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index dde06e14d..7739b871b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -4163,10 +4163,9 @@ display_dn - input error" shift 2 # Display DN - name_opts="utf8,sep_multiline,space_eq,lname,align" print "$( easyrsa_openssl "$format" -in "$path" -noout -subject \ - -nameopt "$name_opts" + -nameopt utf8,sep_multiline,space_eq,lname,align )" # Display SAN, if present