Commit

Merge branch 'export-p12-use-new-algos'
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Mar 5, 2024
2 parents 70bb7ec + 93544ec commit f35d8d6
Showing 2 changed files with 26 additions and 7 deletions.
2 changes: 2 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,8 @@ Easy-RSA 3 ChangeLog

3.2.0 (TBD)

* export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a)
(#1084 - Based on #1081)
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)
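Review bot: the entry records the PBE/MAC upgrade but not the companion change to the 'legacy' option in easyrsa3/easyrsa, which on non-v3 builds no longer fails with "requires SSL version 3" and instead restores the old cipher options; a second line such as `* export-p12: 'legacy' option now also accepted on OpenSSL v1.x` would let users find that behaviour change here.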
31 changes: 24 additions & 7 deletions easyrsa3/easyrsa
Expand Up @@ -333,10 +333,10 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
(Equivalent to global option '--nopass|--no-pass')
* noca - Do not include the ca.crt file in the PKCS12 output
* nokey - Do not include the private key in the PKCS12 output
* nofn - Do not set 'freindlyName'
* nofn - Do not set 'friendlyName'
For more, see: 'easyrsa help friendly'
* legacy - Use legacy encryption algorithm RC2_CBC or 3DES_CBC
OpenSSL V3 ONLY: Default algorithm is AES-256-CBC"
* legacy - Use legacy algorithm: RC2_CBC or 3DES_CBC + MAC: SHA1
(Default algorithm: AES-256-CBC + MAC: SHA256)"
;;
friendly)
text_only=1
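Review bot: "RC2_CBC or 3DES_CBC" in the legacy line reads as if one algorithm is chosen for everything, whereas OpenSSL's legacy PKCS#12 mode encrypts the certificate bags with RC2-40-CBC (or 3DES-CBC in builds without RC2) and the key bag with 3DES-CBC; saying "RC2_CBC (certs) / 3DES_CBC (key) + MAC: SHA1" would match what the resulting .p12 actually contains. Dropping "OpenSSL V3 ONLY" is correct now that the option is handled on both branches, and the 'freindlyName' spelling fix is good.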
Expand Down Expand Up @@ -3274,6 +3274,19 @@ Run easyrsa without commands for usage and command help."
want_ca=1
want_key=1
unset -v nokeys legacy

# Under OpenSSL 1.1, use the PBE/MAC algorithms OpenSSL 3.0 uses,
# unless "legacy" is set. This makes the .p12 files readable by
# OpenSSL 3.0 without needing '-legacy'.
if [ "$openssl_v3" ]; then
# No cipher opts required
p12_cipher_opts=""
else
# Upgrade PBE & MAC opts - Reset by option 'legacy'
p12_cipher_opts="-keypbe AES-256-CBC -certpbe AES-256-CBC"
p12_cipher_opts="${p12_cipher_opts} -macalg sha256"
fi

while [ "$1" ]; do
case "$1" in
noca)
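Review bot: the comment says "Under OpenSSL 1.1" but the else branch runs for every build where openssl_v3 is unset, which also covers LibreSSL (this ChangeLog carries a LibreSSL fix two lines down); confirm that `-keypbe`, `-certpbe` and `-macalg` are accepted by that pkcs12 implementation, or widen the comment to say which toolkits were tested. Placing this block before the option loop is the right order, since it lets the 'legacy' case below override it.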
Expand All @@ -3290,12 +3303,15 @@ Run easyrsa without commands for usage and command help."
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;;
nofn)
unset friendly_name
friendly_name=""
;;
legacy)
[ "$openssl_v3" ] || \
user_error "Option 'legacy' requires SSL version 3"
legacy=-legacy
if [ "$openssl_v3" ]; then
legacy=-legacy
else
# Downgrade PBE & MAC opts
p12_cipher_opts=""
fi
;;
*)
warn "Ignoring unknown option: '$1'"
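Review bot: the else branch empties p12_cipher_opts and thereby depends on the non-v3 toolkit's built-in PKCS#12 defaults being RC2/3DES with a SHA1 MAC; that assumption is stated only in the help text, so a short comment here (e.g. `# 1.x defaults are RC2/3DES + SHA1`) would keep it next to the code that relies on it. Removing the `user_error` guard is consistent with the new help text, which no longer marks 'legacy' as OpenSSL V3 only.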
Expand Down Expand Up @@ -3421,6 +3437,7 @@ Missing User Certificate, expected at:
-inkey "$key_in" \
${nokeys} \
${legacy} \
${p12_cipher_opts} \
${friendly_name:+ -name "$friendly_name"} \
${want_ca:+ -certfile "$crt_ca"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
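Review bot: `${p12_cipher_opts}` is left unquoted so the shell splits it into separate arguments, in line with `${nokeys}` and `${legacy}` on the lines above; that is fine for these fixed values, but if the variable ever becomes user-supplied it should be passed as separate words instead. Since the only observable effect is in the output file, it is worth checking the result on an OpenSSL 1.1 host with `openssl pkcs12 -info` to confirm the PBE and MAC lines report AES-256-CBC and sha256 without 'legacy', and RC2/3DES and sha1 with it.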