

Rearrange build-ca: Enforce check for X509-type CA insert marker
Always check that insert marker '^#%CA_X509_TYPES_EXTRA_EXTS%' exists.

Rearrange: Bring related steps together for easy reading. (NFC)

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Jul 11, 2024
1 parent a9f710f commit 49723bd
Showing 1 changed file with 26 additions and 33 deletions.
59 changes: 26 additions & 33 deletions easyrsa3/easyrsa
Expand Up @@ -1621,8 +1621,6 @@ Unable to create necessary PKI files (permissions?)"
unset -v err_msg

# Set ssl batch mode, as required
# --req-cn must be used with --batch,
# otherwise use default
if [ "$EASYRSA_BATCH" ]; then
ssl_batch=1
fi
Expand All @@ -1642,21 +1640,6 @@ Unable to create necessary PKI files (permissions?)"
# Ensure an SSL config exists for EASYRSA_SSL_CONF
[ -f "$EASYRSA_SSL_CONF" ] || die "Missing SSL config"

# Check for insert-marker in ssl config file
if [ "$EASYRSA_EXTRA_EXTS" ]; then
if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
"$EASYRSA_SSL_CONF"
then
die "\
This openssl config file does \
not support X509-type 'ca'.
* $EASYRSA_SSL_CONF

Please update 'openssl-easyrsa.cnf' \
to the latest Easy-RSA release."
fi
fi

# Assign cert and key temp files
out_key_tmp=""
easyrsa_mktemp out_key_tmp || \
Expand Down Expand Up @@ -1725,19 +1708,6 @@ Raw CA mode
fi
fi

# Assign tmp-file for config
adjusted_ssl_cnf_tmp=""
easyrsa_mktemp adjusted_ssl_cnf_tmp || \
die "build_ca - easyrsa_mktemp adjusted_ssl_cnf_tmp"

# Assign awkscript to insert EASYRSA_EXTRA_EXTS
# shellcheck disable=SC2016 # No expand '' - build_ca()
awkscript='\
{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next }
{print}
}'

# Find or create x509 CA file
if [ -f "$EASYRSA_EXT_DIR/ca" ]; then
# Use the x509-types/ca file
Expand Down Expand Up @@ -1786,6 +1756,30 @@ Raw CA mode
x509_COMMON_file="$write_x509_file_tmp"
fi

# Check for insert-marker in ssl config file
if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
"$EASYRSA_SSL_CONF"
then
die "\
This openssl config file does not support X509-type 'ca'.
* $EASYRSA_SSL_CONF

Please update 'openssl-easyrsa.cnf' to the latest Easy-RSA release."
fi

# Assign awkscript to insert EASYRSA_EXTRA_EXTS
# shellcheck disable=SC2016 # No expand '' - build_ca()
awkscript='\
{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next }
{print}
}'

# Assign tmp-file for config
adjusted_ssl_cnf_tmp=""
easyrsa_mktemp adjusted_ssl_cnf_tmp || \
die "build_ca - easyrsa_mktemp adjusted_ssl_cnf_tmp"

# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS
{
# X509 files
Expand Down Expand Up @@ -1885,9 +1879,8 @@ Your intermediate CA request is at:
* $out_file
and now must be sent to your parent CA for signing.

Place your resulting cert at:
* $EASYRSA_PKI/ca.crt
prior to signing operations."
Prior to signing operations, place your resulting Sub-CA cert at:
* $EASYRSA_PKI/ca.crt"
else
notice "\
CA creation complete. Your new CA certificate is at:
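Review bot: The comment `# Assign awkscript to insert EASYRSA_EXTRA_EXTS` in the fourth hunk understates what the relocated script does: the block introduced at `# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS` appears to push all three through the same marker, which is also the reason the marker check above it is now unconditional rather than gated on EASYRSA_EXTRA_EXTS; suggest `# Assign awkscript to insert x509-types COMMON, 'ca' and EASYRSA_EXTRA_EXTS at the marker`. The check itself could record that intent so nobody re-gates it later: `# Check for insert-marker in ssl config file (always required: the awkscript below relies on it)`. Note the test is a prefix match (`^#%CA_X509_TYPES_EXTRA_EXTS%`), so a marker line with trailing text still passes; that is consistent with the awk `match()` but worth stating if the marker is meant to be exact. The enclosing build_ca body starts and ends outside the hunk.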

