export-p12: Always set 'friendlyName' to file-name-base

This changes default behavior from NEVER setting a friendlyName to ALWAYS setting friendlyName to the file-name-base. The friendlyName is "typically displayed in list boxes by software importing the file". Having Easy-RSA populate this field with known values, which do not leak excess information, is considered to be appropriate. An alternate friendlyName can be configured by using: * Global option '--usefn=<friendlyName>' Fallback to previous behavior can be configured by using: * Command option 'nofn' ('friendlyname' will not be set) Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jan 2, 2024 · da9e594 · da9e594
1 parent 3f6d6bb
commit da9e594
Showing 1 changed file with 14 additions and 6 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -3238,11 +3238,15 @@ Run easyrsa without commands for usage and command help."
 	key_in="$EASYRSA_PKI/private/$file_name_base.key"
 	crt_ca="$EASYRSA_PKI/ca.crt"
 
+	# Always set a friendly_name
+	set_var EASYRSA_P12_FR_NAME "$file_name_base"
+	friendly_name="$EASYRSA_P12_FR_NAME"
+
 	# opts support
 	cipher=-aes256
 	want_ca=1
 	want_key=1
-	unset -v nokeys friendly_name
+	unset -v nokeys
 	while [ "$1" ]; do
 		case "$1" in
 			noca)
@@ -3258,10 +3262,11 @@ Run easyrsa without commands for usage and command help."
 			nopass)
 				[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
 			;;
-			usefn)
-				friendly_name="$file_name_base"
+			nofn)
+				unset friendly_name
 			;;
-			*) warn "Ignoring unknown command option: '$1'"
+			*)
+				warn "Ignoring unknown option: '$1'"
 		esac
 		shift
 	done
@@ -3378,10 +3383,10 @@ Missing User Certificate, expected at:
 		easyrsa_openssl pkcs12 -export \
 			-in "$crt_in" \
 			-out "$pkcs_out" \
-			${nokeys} \
 			-inkey "$key_in" \
-			${want_ca:+ -certfile "$crt_ca"} \
+			${nokeys} \
 			${friendly_name:+ -name "$friendly_name"} \
+			${want_ca:+ -certfile "$crt_ca"} \
 			${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
 			${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
 				|| die "Failed to export PKCS#12"
@@ -6112,6 +6117,9 @@ while :; do
 $EASYRSA_EXTRA_EXTS
 subjectAltName = $val"
 		;;
+	--usefn)
+		export EASYRSA_P12_FR_NAME="$val"
+		;;
 	--version)
 		shift "$#"
 		set -- "$@" "version"