From 6104c39bbda1cf1cb0670b4aa0fa79610cdfdf94 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:11:35 +0100 Subject: [PATCH 1/8] x509-eku: Add support for x509-types/code-signing Rewrite command x509-eku to allow easy inclusion for new EKU types. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 56 +++++++++++++++++++++++++++++++++++++----------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..0d56429a4 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2627,8 +2627,8 @@ inline_creds () { # Generate data if [ -e "$crt_source" ]; then - # Get EasyRSA cert type - ssl_cert_x509v3_eku "$crt_source" type_data + # Get EasyRSA cert type, ignore error + ssl_cert_x509v3_eku "$crt_source" type_data || : crt_data="\ @@ -2980,7 +2980,8 @@ Cannot renew this certificate, a conflicting file exists: die "Failed to create inline directoy." # Extract certificate usage from old cert - ssl_cert_x509v3_eku "$crt_in" cert_type + ssl_cert_x509v3_eku "$crt_in" cert_type || \ + die "Unknown EKU: $cert_type" # Use SAN from --san if set else use SAN from old cert if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName 
@@ -4446,33 +4447,63 @@ ssl_cert_x509v3_eku() { __cli="TLS Web Client Authentication" __srv="TLS Web Server Authentication" __srv_cli="${__srv}, ${__cli}" + __codeSign="Code Signing" + unset -v __known - # Extract certificate usage from old cert + # Extract certificate Extended Key Usage __eku="$( - easyrsa_openssl x509 -in "${__crt}" -noout -text | \ - sed -n "/${__pattern}/{n;s/^ *//g;p;}" + OPENSSL_CONF=/dev/null + "$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout \ + -ext extendedKeyUsage | \ + sed -e /"${__pattern}"/d -e s/^\ *// )" + # Match EKU with supported usage case "$__eku" in + "$__srv_cli") + __known=1 + __type=serverClient + ;; "$__cli") + __known=1 __type=client ;; "$__srv") + __known=1 __type=server ;; - "$__srv_cli") - __type=serverClient + "$__codeSign") + __known=1 + __type=codeSign + ;; + '') + __type=undefined ;; - *) die "Unknown key usage: $__eku" + *) + __type="'$__eku'" esac # Set variable to return if [ "$__var" ]; then + verbose "ssl_cert_x509v3_eku - EKU: $__type" force_set_var "$__var" "$__type" + elif [ "$__known" ]; then + information " +* Known X509v3 Extended Key Usage: $__type" else - information "${NL}* EasyRSA Certificate type: $__type" + information " +* Unknown X509v3 Extended Key Usage: $__type" + fi + + unset -v __crt __var __pattern __srv_cli __cli __srv \ + __codeSign __eku __type + + if [ "$__known" ]; then + unset -v __known + return fi - unset -v __crt __var __pattern __eku __type + + return 1 } # => ssl_cert_x509v3_eku() # get the serial number of the certificate -> serial=XXXX @@ -7420,7 +7451,8 @@ case "$cmd" in ;; x509-eku) verify_working_env - ssl_cert_x509v3_eku "$@" + ssl_cert_x509v3_eku "$@" || \ + easyrsa_exit_with_error=1 ;; upgrade) verify_working_env From f88c08a38a5f09cf49aec8b5412e488b78b73b45 Mon Sep 17 00:00:00 2001 
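Review bot: In the rewritten `__eku` subshell, `OPENSSL_CONF=/dev/null` stands on its own line, so it is a plain shell assignment that only reaches the `"$EASYRSA_OPENSSL"` child if `OPENSSL_CONF` was already exported earlier in the run (easyrsa_openssl() does `export` it, but whether that has happened before this call cannot be seen here); otherwise openssl still loads the default config. Make the intent unambiguous by prefixing the command, `OPENSSL_CONF=/dev/null "$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout \`, or by writing `export OPENSSL_CONF=/dev/null` inside the subshell. A comment is also worth adding that `-ext extendedKeyUsage` is not understood by older OpenSSL builds; on those the command fails, `__eku` is empty and the certificate is reported as `undefined` rather than as a tool failure. The function's header (where `__crt`, `__var` and `__pattern` are set) lies before the hunk.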
From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:22:34 +0100 Subject: [PATCH 2/8] create_x509_type(): Return error, do not die Due to output redirection, errors must only return an error, not use die. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0d56429a4..70ab0809e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6028,8 +6028,7 @@ create_x509_type() { X509_TYPE_CA ;; *) - # Unknown type: User MUST supply the X509 file - die "create_x509_type - Unknown X509 type: '$1'" + return 1 esac } # => create_x509_type() From 5f6111a8a67883a3bb293b179ba4f1467cbf6f24 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:38:35 +0100 Subject: [PATCH 3/8] clean_up(): Move file-restore tasks before temp-dir removal Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 70ab0809e..ace108f40 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -858,6 +858,15 @@ cleanup() { print fi + # undo changes BEFORE delete temp-dir + # Remove files when build_full()->sign_req() is interrupted + [ "$error_build_full_cleanup" ] && \ + rm -f "$crt_out" "$req_out" "$key_out" + # Restore files when renew is interrupted + [ "$error_undo_renew_move" ] && renew_restore_move + # Restore files when rebuild is interrupted + [ "$error_undo_rebuild_move" ] && rebuild_restore_move + if [ "${secured_session%/*}" ] && \ [ -d "$secured_session" ] then 
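Review bot: With `return 1` replacing the `die`, every caller that captures or redirects `create_x509_type` output must now check its status; otherwise an unknown type can yield an empty extension block and a request signed without `basicConstraints = CA:FALSE` or any key-usage limits. The callers are outside this patch, so I cannot confirm they all do, and the commit message should name which ones were checked. I would also keep the removed explanation in the branch, e.g. `# Unknown type: caller must supply the X509 file or die on this status`.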
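Review bot: The new comment `# undo changes BEFORE delete temp-dir` states the ordering but not the reason, and the rationale that the old block carried (the restore helpers must still run after die() fired in a subshell) is dropped in the next hunk. Suggest `# Undo partial changes BEFORE the temp session is removed: the restore helpers presumably read from it, and must run even when die() fired in a subshell`, adjusting the "presumably" once renew_restore_move()/rebuild_restore_move() are confirmed to use the session directory. cleanup() begins before the hunk.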
@@ -878,22 +887,12 @@ Temporary session not preserved." mv -f "$secured_session" "$keep_tmp" print "Temp session preserved: $keep_tmp" fi - else - # remove temp-session - remove_secure_session || \ - warn "cleanup - remove_secure_session failed" fi - fi - # These cleanup routines must be called after die() - # because the relate commands can die in subshells. - # Remove files when build_full()->sign_req() is interrupted - [ "$error_build_full_cleanup" ] && \ - rm -f "$crt_out" "$req_out" "$key_out" - # Restore files when renew is interrupted - [ "$error_undo_renew_move" ] && renew_restore_move - # Restore files when rebuild is interrupted - [ "$error_undo_rebuild_move" ] && rebuild_restore_move + # remove temp-session + remove_secure_session || \ + warn "cleanup - remove_secure_session failed" + fi # shellcheck disable=SC3040 # In POSIX sh, set option [name] is undefined From 361ac95a16f6dcc5fb74e74058c3ad1dc7ca87c5 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 20:40:40 +0100 Subject: [PATCH 4/8] renew: On sign-req error, restore files once and clear flag Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ace108f40..dd9a7dbf8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3033,9 +3033,9 @@ with the following subject: then unset -v error_undo_renew_move else - # If renew failed then restore cert. - # Otherwise, issue a warning + # If sign_req failed then restore cert. renew_restore_move + unset -v error_undo_renew_move die "\ Renewal has failed to build a new certificate." fi From 607baafa344020d0fb852ce75c0c35eb627e2f02 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 21:06:35 +0100 Subject: [PATCH 5/8] easyrsa_openssl(), verify_working_env(): Improve verbose messages Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
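Review bot: After this hunk `remove_secure_session` runs unconditionally inside the `[ -d "$secured_session" ]` branch, including after the keep-temp path has already `mv -f`'d the session to `$keep_tmp`; previously it ran only in the removed `else` branch. Unless remove_secure_session() tolerates a missing directory (its body is not in this patch), preserved sessions will now end with the `cleanup - remove_secure_session failed` warning, and the commit message does not mention this change. If it is intentional, say so in the `# remove temp-session` comment; if not, restore the `else` so removal happens only when the session was not preserved. cleanup() begins before the hunk.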
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index dd9a7dbf8..ea279d1a5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1105,6 +1105,7 @@ easyrsa_mktemp safe_ssl_cnf_tmp" # sign-req or gen-req. easyrsa_openssl() { openssl_command="$1"; shift + verbose "> easyrsa_openssl - BEGIN $openssl_command" # Do not allow 'rand' here, see easyrsa_random() case "$openssl_command" in @@ -1126,15 +1127,16 @@ easyrsa_openssl() { # VERIFY safe temp-file exists if [ -e "$safe_ssl_cnf_tmp" ]; then verbose "\ -easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" +> easyrsa_openssl: Safe SSL conf OK: $safe_ssl_cnf_tmp" export OPENSSL_CONF="$safe_ssl_cnf_tmp" else verbose "\ -easyrsa_openssl: No Safe SSL conf, FALLBACK to default" +> easyrsa_openssl: No Safe SSL conf, FALLBACK to default" export OPENSSL_CONF="$EASYRSA_SSL_CONF" fi # Execute command - Return on success + verbose "> easyrsa_openssl - EXEC $openssl_command $*" if [ "$openssl_command" = "makesafeconf" ]; then # COPY temp-file to safessl-easyrsa.cnf unset -v makesafeconf @@ -5953,7 +5955,7 @@ Temporary directory does not exist: * $EASYRSA_TEMP_DIR" fi fi - verbose "verify_working_env: COMPLETED" + verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() # variable assignment by indirection. From 257af5021b59cb9ba4c9bf88e30952e4a6799c76 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 25 Oct 2023 21:40:02 +0100 Subject: [PATCH 6/8] create_x509_type(): Add type: codeSign Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ea279d1a5..8070063e0 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
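Review bot: `verbose "> easyrsa_openssl - EXEC $openssl_command $*"` prints every argument handed to openssl, so if any caller passes secrets on the command line (for example a `-passin`/`-passout` option of the `pass:` form, which I cannot rule out from this patch) they now land in verbose output and any captured log. Consider logging only the sub-command, `verbose "> easyrsa_openssl - EXEC $openssl_command"`, or masking the password options before printing. The `BEGIN` line added at the top of the function already records the sub-command, so the EXEC line adds little beyond the arguments.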
@@ -6028,6 +6028,15 @@ create_x509_type() { keyUsage = cRLSign, keyCertSign X509_TYPE_CA ;; + codeSign) + cat <<- "X509_CODE_SIGNING" + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + extendedKeyUsage = codeSigning + keyUsage = digitalSignature + X509_CODE_SIGNING + ;; *) return 1 esac From d249eebed26059da708ab0f7fd16dc508252cc91 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 27 Oct 2023 20:39:03 +0100 Subject: [PATCH 7/8] easyrsa_openssl(): Use 'case' for command selection Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8070063e0..aec0f887b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1137,24 +1137,26 @@ easyrsa_openssl() { # Execute command - Return on success verbose "> easyrsa_openssl - EXEC $openssl_command $*" - if [ "$openssl_command" = "makesafeconf" ]; then + + case "$openssl_command" in + makesafeconf) # COPY temp-file to safessl-easyrsa.cnf unset -v makesafeconf cp -f "$safe_ssl_cnf_tmp" "$EASYRSA_SAFE_CONF" && \ - return - die "easyrsa_openssl: makesafeconf FAILED" - fi - - # Exec SSL - if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] - then - "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ - 2>/dev/null && \ - return - else - "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \ - return - fi + return + ;; + *) + # Exec SSL + if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] + then + "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ + 2>/dev/null && \ + return + else + "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \ + return + fi + esac # Always fail here die "\ From 6ab01d83c36a8a7ee0b312f1d995aa59e35a0fe0 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 27 Oct 2023 22:12:09 +0100 Subject: [PATCH 8/8] ChangeLog: Expand renewable cert-types to include code-signing 
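Review bot: The new `codeSign` profile is only recognised by `ssl_cert_x509v3_eku()` because openssl renders `extendedKeyUsage = codeSigning` as the text `Code Signing` that `__codeSign` matches there; a comment above the heredoc, `# EKU text "Code Signing" must stay in sync with __codeSign in ssl_cert_x509v3_eku()`, would keep the two from drifting apart. The profile itself (CA:FALSE, digitalSignature only, codeSigning EKU) matches the layout of the CA profile visible just above it. create_x509_type() begins before the hunk.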
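Review bot: The `makesafeconf` branch loses its specific failure message: after `cp -f … && return` it now falls through `esac` to the generic `die` whose text starts outside the hunk, so a failed copy of the safe config is reported like any failed openssl invocation. Keep the old line in the branch, `die "easyrsa_openssl: makesafeconf FAILED"`, directly after the `cp … && return` and before `;;`. easyrsa_openssl() begins before the hunk and its closing `die` text is not shown.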
Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d42f2bf99..24545ab1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Expand renewable certificate types to include code-signing (#1039) 3.1.7 (2023-10-13) * Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md (#1029)