diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e164fcff7..51f8edc0e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -13,7 +13,7 @@ # Help/usage output to stdout usage() { # command help: - print " + information " Easy-RSA 3 usage and overview $easyrsa_help_title @@ -63,21 +63,6 @@ A list of commands is shown below: work_dir="${EASYRSA:-undefined}" pki_dir="${EASYRSA_PKI:-undefined}" - # CA Status - if verify_ca_init test; then - CA_cert="$EASYRSA_PKI/ca.crt" - CA_status=" CA status: OK" - CA_subject="$( - "$EASYRSA_OPENSSL" x509 -in "$CA_cert" \ - -noout -subject -nameopt multiline \ - 2>/dev/null - )" - CA_subject=" CA subject: ${CA_subject#subject=}" - CA_status="${CA_status}${NL}${CA_subject}" - else - CA_status=" CA status: CA has not been built" - fi - # check for vars changing PKI unexpectedly! if [ "$invalid_vars" ]; then ivmsg=" 
@@ -88,22 +73,32 @@ Invalid vars setting for EASYRSA and/or EASYRSA_PKI${NL}" fi # Print details - print " + information " DIRECTORY STATUS (commands would take effect on these locations) EASYRSA: $work_dir PKI: $pki_dir - vars-file: ${EASYRSA_VARS_FILE:-Missing or undefined}${ivmsg} -$CA_status${NL}" + vars-file: ${EASYRSA_VARS_FILE:-Missing or undefined}${ivmsg}" + + # CA Status + if verify_ca_init test; then + if [ -z "$EASYRSA_SILENT" ]; then + # Show SSL output directly, with easyrsa header + printf '%s' " CA status: OK${NL}${NL} " + "$EASYRSA_OPENSSL" x509 -in "$EASYRSA_PKI/ca.crt" \ + -noout -subject -nameopt utf8,multiline + print "" # for a clean line + fi + else + information " CA status: CA has not been built${NL}" + fi # verbose info verbose "ssl-cnf: ${EASYRSA_SSL_CONF:-built-in}" verbose "x509-types: ${EASYRSA_EXT_DIR:-built-in}" if [ -d "$EASYRSA_TEMP_DIR" ]; then verbose "temp-dir: Found: $EASYRSA_TEMP_DIR" - elif [ "$EASYRSA_TEMP_DIR" ]; then - verbose "temp-dir: Missing: $EASYRSA_TEMP_DIR" else - verbose "temp-dir: undefined" + verbose "temp-dir: Missing: ${EASYRSA_TEMP_DIR:-undefined}" fi } # => usage() @@ -565,7 +560,7 @@ ${opts:- # Options usage opt_usage() { text_only=1 - print " + information " Easy-RSA Global Option Flags The following global-options may be provided before the command. @@ -701,7 +696,7 @@ $1${NL}" # verbose information verbose() { [ "$EASYRSA_VERBOSE" ] || return 0 - printf '%s\n' " > $*" + printf '%s\n' " # $*" } # => verbose() # non-fatal warning output @@ -1226,12 +1221,16 @@ easyrsa_openssl() { # Exec SSL if [ "$EASYRSA_SILENT_SSL" ] && [ "$EASYRSA_BATCH" ] then - "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ - 2>/dev/null && \ - return + if "$EASYRSA_OPENSSL" "$openssl_command" "$@" \ + 2>/dev/null + then + return + fi else - "$EASYRSA_OPENSSL" "$openssl_command" "$@" && \ - return + if "$EASYRSA_OPENSSL" "$openssl_command" "$@" + then + return + fi fi esac 
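Review bot: In the new CA Status block, `CA status: OK` is printed before OpenSSL has read `ca.crt`, and the exit status of the `x509` call is ignored. An unreadable or malformed certificate would therefore still be reported as OK, followed by raw OpenSSL errors, because the old `2>/dev/null` is gone. Whether `verify_ca_init test` validates the certificate contents is not visible in this hunk. Consider reporting the failure explicitly by appending `|| information "  CA subject: could not be read from $EASYRSA_PKI/ca.crt"` to the `x509` command. `usage()` begins outside this hunk.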
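Review bot: In the `EASYRSA_SILENT_SSL` plus `EASYRSA_BATCH` branch of `easyrsa_openssl()`, stderr is still sent to `/dev/null`, so a failed OpenSSL command leaves nothing to report. The failure path after `esac` is outside this hunk, so it is not visible whether it names the failed command. For unattended signing or revocation runs, that diagnostic is what an operator needs in the log. Consider capturing stderr to a temporary file and printing it only on failure. At minimum add a comment above the branch such as `# stderr is discarded here; the failure path must name the failed command`.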
@@ -1469,21 +1468,6 @@ locate_support_files() { x509_types_dir='x509-types' easyrsa_tools='easyrsa-tools.lib' - # "$EASYRSA_PKI" - Preferred - # "$EASYRSA" - Old default and Windows - # "$PWD" - Usually the same as above, avoid - # "${0%/*}" - Usually the same as above, avoid - # '/usr/local/share/easy-rsa' - Default user installed - # '/usr/share/easy-rsa' - Default system installed - # Room for more.. - # '/etc/easy-rsa' - Last resort - - # Not currently used: - # Set EASYRSA_PKI only flag - #is_in_pki=1 - #x509_dir_in_pki="" - #ssl_cnf_in_pki="" - # Find data-files for area in \ "$EASYRSA_PKI" \ @@ -1498,29 +1482,22 @@ locate_support_files() { # Find x509-types if [ -e "${area}/${x509_types_dir}" ]; then set_var EASYRSA_EXT_DIR "${area}/${x509_types_dir}" - #[ "$is_in_pki" ] && x509_dir_in_pki=1 - verbose "> Found x509 dir: ${area}/${x509_types_dir}" fi # Find openssl-easyrsa.cnf if [ -e "${area}/${ssl_cnf_file}" ]; then set_var EASYRSA_SSL_CONF "${area}/${ssl_cnf_file}" - #[ "$is_in_pki" ] && ssl_cnf_in_pki=1 - verbose "> Found SSL cnf: ${area}/${ssl_cnf_file}" fi # Find easyrsa-tools.lib if [ -e "${area}/${easyrsa_tools}" ]; then set_var EASYRSA_TOOLS_LIB "${area}/${easyrsa_tools}" - verbose "> Found tools.lib: ${area}/${easyrsa_tools}" fi - - # Clear EASYRSA_PKI only flag - #unset -v is_in_pki done - verbose "> EASYRSA_EXT_DIR: $EASYRSA_EXT_DIR" - verbose "> EASYRSA_SSL_CONF: $EASYRSA_SSL_CONF" + verbose "> EASYRSA_EXT_DIR: ${EASYRSA_EXT_DIR:-built-in}" + verbose "> EASYRSA_SSL_CONF: ${EASYRSA_SSL_CONF:-built-in}" + verbose "> EASYRSA_TOOLS_LIB: ${EASYRSA_TOOLS_LIB:-undefined}" verbose "locate_support_files: COMPLETED" } # => locate_support_files() 
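Review bot: With the per-area `Found ...` messages removed in the `@@ -1498` hunk and the search-order comment removed in the hunk before it, nothing in `locate_support_files()` documents which location takes precedence. That matters because `openssl-easyrsa.cnf` controls what OpenSSL does, and `easyrsa-tools.lib` appears to be shell code loaded by the script. A short comment above the `for area in` loop would restore the intent, e.g. `# Areas are searched in order: EASYRSA_PKI is preferred, system locations come last`. Whether the first or the last match wins depends on `set_var`, which is outside this hunk. The three summary messages also still begin with `> `, which now renders as ` # > ...` after the prefix change in `verbose()`.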
@@ -2562,10 +2539,11 @@ Forced subject= grep -s 'X509v3 Subject Alternative Name' then # extract requested SAN + # 'grep -A' may not be strictly POSIX, die on error req_x509_san="$( echo "$req_text" | \ grep -A 1 'X509v3 Subject Alternative Name' - )" || die "sign-req: req_x509_san: grep -A 1 " + )" || die "sign-req: req_x509_san: grep -A 1 (POSIX)" else # No requested SAN req_x509_san= @@ -4450,9 +4428,9 @@ force_set_var() { die "force_set_var - set_var '$*'" } # => force_set_var() -# Verify: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf -# If the existing file is default then delete it -# and create temp-file. Otherwise, leave in place. +# Create as needed: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf +# If the existing file has a known hash then use temp-file. +# Otherwise, use the file in place. write_easyrsa_ssl_cnf_tmp() { if [ -f "$EASYRSA_SSL_CONF" ]; then verbose "write_easyrsa_ssl_cnf_tmp: SSL config EXISTS" @@ -4549,7 +4527,6 @@ write_easyrsa_ssl_cnf_tmp: SSL config using temp-file" # Write x509 type file to a temp file write_x509_type_tmp() { - # Use a temp file type="$1" shift @@ -4708,7 +4685,6 @@ set_openssl_easyrsa_cnf_vars(){ conf_EASYRSA_PKI="$EASYRSA_PKI" conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" conf_EASYRSA_KEY_SIZE="$EASYRSA_KEY_SIZE" - conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" conf_EASYRSA_DN="$EASYRSA_DN" conf_EASYRSA_REQ_CN="$EASYRSA_REQ_CN" conf_EASYRSA_REQ_COUNTRY="$EASYRSA_REQ_COUNTRY" @@ -4725,7 +4701,6 @@ set_openssl_easyrsa_cnf_vars(){ conf_EASYRSA_PKI='$ENV::EASYRSA_PKI' conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' conf_EASYRSA_KEY_SIZE='$ENV::EASYRSA_KEY_SIZE' - conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' conf_EASYRSA_DN='$ENV::EASYRSA_DN' conf_EASYRSA_REQ_CN='$ENV::EASYRSA_REQ_CN' conf_EASYRSA_REQ_COUNTRY='$ENV::EASYRSA_REQ_COUNTRY' 
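Review bot: The new failure text `sign-req: req_x509_san: grep -A 1 (POSIX)` in the `@@ -2562` hunk does not tell the operator what failed or what to do about it. Stopping here is the right behaviour for a signing path, because continuing would presumably sign without the requested SAN. The message should say so, for example `die "sign-req: cannot extract the requested SAN; this grep does not support '-A'"`. The enclosing sign-req code starts and ends outside the hunk.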
@@ -5751,11 +5726,12 @@ Place a copy of easyrsa-tools.lib in a standard system location." Unknown command '$cmd'. Run without commands for usage help." esac +verbose "mktemp_counter: $mktemp_counter uses" + # Check for untrapped errors # shellcheck disable=SC2181 # Quote expand - pre-cleanup $? if [ $? = 0 ]; then # Do 'cleanup ok' on successful completion - #print "mktemp_counter: $mktemp_counter uses" cleanup ok fi
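Review bot: The added `verbose "mktemp_counter: $mktemp_counter uses"` line sits between `esac` and `if [ $? = 0 ]`, so `$?` now holds the status of `verbose` rather than of the command dispatch. As shown in this diff, `verbose()` returns 0 when `EASYRSA_VERBOSE` is unset and otherwise returns the status of `printf`. The "untrapped errors" check would therefore pass, and `cleanup ok` would run even after a command that ended with a non-zero status. Move the message inside the block, directly before `cleanup ok` where the removed commented-out `print` was. Alternatively, save the status first with `exit_status=$?` and test `[ "$exit_status" = 0 ]`.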