From 6131cbf9a9a403e39ca4c107e183c9e50ecfa66c Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 18:09:53 +0000 Subject: [PATCH 01/26] New Command 'rand': 'Expose easyrsa_random() to the command line Usage: 'easyrsa rand ' Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 24 +++++++++++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f0bce7e6..881e1e52e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * New Command 'rand': 'Expose easyrsa_random() to the command line (#1046) * Remove function 'set_pass_legacy()' (#1045) * Remove command 'rewind-renew' (#1045) * Remove command 'rebuild' (#1045) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3d4fc0a24..9b98042f4 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -453,7 +453,10 @@ cmd_help() { default-san Display EKU of certificate: - show-eku " + show-eku + + Generate random hex: + rand " ;; opts|options) opt_usage @@ -669,7 +672,6 @@ easyrsa_random() { die "easyrsa_random - input" esac - unset -v rand_hex if rand_hex="$( OPENSSL_CONF=/dev/null \ "$EASYRSA_OPENSSL" rand -hex "$1" @@ -677,8 +679,11 @@ easyrsa_random() { then if [ "$2" ]; then force_set_var "$2" "$rand_hex" + else + print "$rand_hex" fi - return + unset -v rand_hex + return 0 fi die "easyrsa_random failed" @@ -6057,20 +6062,21 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices +unset -v require_pki require_ca ignore_vars case "$cmd" in - ''|help|-h|--help|--usage|version|show-host) - unset -v require_pki require_ca + ''|help|-h|--help|--usage| \ + version|show-host|rand|random) ignore_vars=1 ;; init-pki|clean-all) - unset -v require_pki require_ca + : # No change ;; *) require_pki=1 case "$cmd" in gen-req|gen-dh|build-ca|show-req| \ make-safe-ssl|export-p*|inline) - unset -v require_ca + : # No change ;; *) require_ca=1 
@@ -6275,6 +6281,10 @@ case "$cmd" in ssl_cert_x509v3_eku "$@" || \ easyrsa_exit_with_error=1 ;; + rand|random) + easyrsa_random "$1" + cleanup ok + ;; ""|help|-h|--help|--usage) verify_working_env cmd_help "$1" From 3a4dcd284639580167108f737c0ef3e971eb7f4e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 18:15:06 +0000 Subject: [PATCH 02/26] Correct 'trap' command for 'SIGTERM' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9b98042f4..eea5f3f36 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5828,7 +5828,7 @@ trap "exit 1" 1 trap "exit 2" 2 trap "exit 3" 3 trap "exit 6" 6 -trap "exit 14" 15 +trap "exit 15" 15 # Get host details - No configurable input allowed detect_host From ac8407d332aeaaeab1087cea8c05ad69313d4980 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 18:22:44 +0000 Subject: [PATCH 03/26] Remove unsupported option --fix-offset from option parsing Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 5 ----- 1 file changed, 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index eea5f3f36..7363fdb6a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6019,11 +6019,6 @@ subjectAltName = $val" set -- "$@" "version" break ;; - # Unsupported options - --fix-offset) - user_error "Option $opt is not supported. -Use options --startdate and --enddate for fixed dates." - ;; -*) user_error "\ Unknown option '$opt'. From 81b381fbb810323db085f45cb6ac343de4b76676 Mon Sep 17 00:00:00 2001 
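Review bot: The new `rand|random)` branch hands off to `easyrsa_random "$1"` without the `verify_working_env` call that the neighbouring `""|help|-h|--help|--usage)` branch makes, and at this point in the series `verify_ssl_lib` still lives inside `verify_working_env` (patch 08 later moves it to the invocation layer), so `$EASYRSA_OPENSSL` is executed before its version has been checked. Until that later patch lands this command runs an unverified binary, and a bisect landing on this commit sees different behaviour from `help`. If the commit is meant to stand alone, `rand|random) verify_working_env; easyrsa_random "$1"; cleanup ok ;;` keeps it consistent with the sibling branches. `easyrsa_random` is defined outside this hunk, so how it rejects a missing or non-numeric `$1` is not visible here.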
From: Richard T Bonhomme Date: Fri, 8 Dec 2023 18:36:59 +0000 Subject: [PATCH 04/26] Reorder initial setup commands Place selecting and sourcing vars-file before assigning PKI and CA requirements to the command to be executed. This is more logical because the command requirements are assigned directly before handing off to the requested command, while external variables have already been assigned. Move 'make-vars' to the standard 'case' command selection list. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 46 +++++++++++++++++++++------------------------- 1 file changed, 21 insertions(+), 25 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7363fdb6a..71a6cab4f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6055,6 +6055,23 @@ done cmd="$1" [ "$1" ] && shift # scrape off command +# Intelligent env-var detection and auto-loading: +# Select vars file as EASYRSA_VARS_FILE +# then source the vars file, if found +# otherwise, ignore no vars file +select_vars && source_vars "$EASYRSA_VARS_FILE" + +# then set defaults +default_vars + +# Check for unexpected changes to EASYRSA or EASYRSA_PKI +# This will be resolved in v3.2.0 +# https://github.com/OpenVPN/easy-rsa/issues/1006 +validate_default_vars + +# Check for conflicting input options +mutual_exclusions + # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices unset -v require_pki require_ca ignore_vars 
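Review bot: Moving `select_vars && source_vars "$EASYRSA_VARS_FILE"` above `unset -v require_pki require_ca ignore_vars` and the `case "$cmd"` that sets them changes what `select_vars` sees: the context in patch 05's `select_vars()` hunk shows it reading `$require_pki` (`[ "$require_pki" ] && information "No Easy-RSA 'vars' configuration file exists!"`), which is now still unset for every command, so that notice can no longer fire for `build-ca` or `gen-req`, while a `require_pki` inherited from the caller's environment would now enable it because the `unset -v` runs too late. Either keep the requirement `case` ahead of `select_vars`, or at minimum move `unset -v require_pki require_ca ignore_vars` to before the `select_vars` line so the environment cannot leak in. The same ordering also means the `make-vars)` hunk now sources the vars file before `create_vars_example` runs, where the removed block ran it with no setup — presumably intended, but worth a line in the commit message.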
@@ -6078,31 +6095,6 @@ case "$cmd" in esac esac -# Run these commands with NO setup -case "$cmd" in - make-vars) - create_vars_example - cleanup ok - ;; -esac - -# Intelligent env-var detection and auto-loading: -# Select vars file as EASYRSA_VARS_FILE -# then source the vars file, if found -# otherwise, ignore no vars file -select_vars && source_vars "$EASYRSA_VARS_FILE" - -# then set defaults -default_vars - -# Check for unexpected changes to EASYRSA or EASYRSA_PKI -# This will be resolved in v3.2.0 -# https://github.com/OpenVPN/easy-rsa/issues/1006 -validate_default_vars - -# Check for conflicting input options -mutual_exclusions - # Hand off to the function responsible # ONLY verify_working_env() for valid commands case "$cmd" in @@ -6247,6 +6239,10 @@ case "$cmd" in verify_working_env make_safe_ssl "$@" ;; + make-vars) + # verify_working_env - Not required + create_vars_example + ;; serial|check-serial) verify_working_env # Called with --batch, this will return error From e1a065540f3623b3b2e68b7c5b8e2762b954671b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 21:18:14 +0000 Subject: [PATCH 05/26] Introduce write_easyrsa_ssl_cnf_tmp(): Verify/create EASYRSA_SSL_CONF Replace use of copy_data_to_pki(), which copies an existing file to the PKI, by verifying that EASYRSA_SSL_CONF points to a file or create a temp-file to be used in place. This allows removing openssl-easyrsa.cnf file from the repository. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 71a6cab4f..6449225ab 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1425,17 +1425,6 @@ install_data_to_pki: $context - COMPLETED" return fi - # Check PKI is updated - Omit unnecessary checks - if [ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ]; then - : # ok - else - create_openssl_easyrsa_cnf > \ - "${EASYRSA_PKI}/${ssl_cnf_file}" || die "\ -install_data_to_pki - Missing: '$ssl_cnf_file'" - verbose "\ -install_data_to_pki: $context - create_openssl_easyrsa_cnf OK" - fi - [ -d "$EASYRSA_EXT_DIR" ] || verbose "\ install_data_to_pki: $context - Missing: '$x509_types_dir'" verbose "install_data_to_pki: $context - COMPLETED" @@ -5121,6 +5110,7 @@ select_vars() { [ "$require_pki" ] && information "\ No Easy-RSA 'vars' configuration file exists!" # select_vars failed to find a vars file + verbose "select_vars: No vars" return 1 fi } # => select_vars() @@ -5347,6 +5337,9 @@ verify_working_env() { secure_session || die "\ verify_working_env - secure-session failed" + # Verify or create: EASYRSA_SSL_CONF + write_easyrsa_ssl_cnf_tmp + # Install data-files into ALL PKIs # This will find x509-types # and export EASYRSA_EXT_DIR or die. @@ -5641,6 +5634,26 @@ fi VARS_EXAMPLE } # => create_vars_example() +# Verify: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf +# or create temp-file +write_easyrsa_ssl_cnf_tmp() { + [ -f "$EASYRSA_SSL_CONF" ] && return + + # Create temp-file + ssl_cnf_tmp= + easyrsa_mktemp ssl_cnf_tmp || die "\ +write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp" + + # Write SSL cnf to temp-file + create_openssl_easyrsa_cnf > "$ssl_cnf_tmp" || die "\ +write_easyrsa_ssl_cnf_tmp - create_openssl_easyrsa_cnf" + + # export SSL cnf tmp + export EASYRSA_SSL_CONF="$ssl_cnf_tmp" + verbose "\ +write_easyrsa_ssl_cnf_tmp: create_openssl_easyrsa_cnf OK" +} # => write_easyrsa_ssl_cnf_tmp() + # Create openssl-easyrsa.cnf create_openssl_easyrsa_cnf() { cat << "SSL_CONFIG" From 66e39c8e6a17c0f44581e01c1f622992717a757f Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Fri, 8 Dec 2023 22:06:31 +0000 Subject: [PATCH 06/26] Replace copy_data_to_pki() with locate_support_files() locate_support_files() will find the support files and assign variables accordingly: * openssl_easyrsa.cnf - Assigned to EASYRSA_SSL_CONF * /x509-types - Assigned to EASYRSA_EXT_DIR If the files are not found then no variables are assigned and the files are created seprately as temp-files, when required. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 90 +++++++++--------------------------------------- 1 file changed, 17 insertions(+), 73 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 6449225ab..557ec0e5b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1325,11 +1325,7 @@ and initialize a fresh PKI here." Failed to create PKI file structure (permissions?)" done - # Install data-files into ALL new PKIs - install_data_to_pki init-pki || \ - warn "\ -Failed to install required data-files to PKI. (init)" - + # User notice notice "\ 'init-pki' complete; you may now create a CA or requests. 
@@ -1342,25 +1338,14 @@ Your newly created PKI dir is: information " Using Easy-RSA configuration: * ${EASYRSA_VARS_FILE:-undefined}" - - verbose "\ -init_pki: x509-types dir ${EASYRSA_EXT_DIR:-Not found}" } # => init_pki() -# Copy data-files from various sources -install_data_to_pki() { -# -# Explicitly find and optionally copy data-files to the PKI. -# During 'init-pki' this is the new default. -# During all other functions these requirements are tested for -# and files will be copied to the PKI, if they do not already -# exist there. -# -# One reason for this is to make packaging work. - - context="$1" - shift - +# Find support files from various sources +# Declare in preferred order, first wins +# beaten by command line. +# If these files are not found here then they +# will be built on-demand by the selected command. +locate_support_files() { # Set required sources ssl_cnf_file='openssl-easyrsa.cnf' x509_types_dir='x509-types' @@ -1374,7 +1359,7 @@ install_data_to_pki() { # Room for more.. # '/etc/easy-rsa' - Last resort - # Find and optionally copy data-files, in specific order + # Find data-files for area in \ "$EASYRSA_PKI" \ "$EASYRSA" \ 
@@ -1385,50 +1370,16 @@ install_data_to_pki() { '/etc/easy-rsa' \ # EOL do - if [ "$context" = x509-types-only ]; then - # Find x509-types ONLY - # Declare in preferred order, first wins - # beaten by command line. - [ -e "${area}/${x509_types_dir}" ] && set_var \ - EASYRSA_EXT_DIR "${area}/${x509_types_dir}" - else - # Find x509-types ALSO - # Declare in preferred order, first wins - # beaten by command line. + # Find x509-types [ -e "${area}/${x509_types_dir}" ] && set_var \ EASYRSA_EXT_DIR "${area}/${x509_types_dir}" - # Find other files - Omitting "$vars_file" - # shellcheck disable=2066 # Loop will only run once - for source in \ - "$ssl_cnf_file" \ - # EOL - do - # Find each item - [ -e "${area}/${source}" ] || continue - - # If source does not exist in PKI then copy it - if [ -e "${EASYRSA_PKI}/${source}" ]; then - continue - else - cp "${area}/${source}" "$EASYRSA_PKI" || warn \ - "Failed to copy to PKI: ${area}/${source}" - fi - done - fi + # Find openssl-easyrsa.cnf + [ -e "${area}/${ssl_cnf_file}" ] && set_var \ + EASYRSA_SSL_CONF "${area}/${ssl_cnf_file}" done - - # Short circuit for x509-types-only - if [ "$context" = x509-types-only ]; then - verbose "\ -install_data_to_pki: $context - COMPLETED" - return - fi - - [ -d "$EASYRSA_EXT_DIR" ] || verbose "\ -install_data_to_pki: $context - Missing: '$x509_types_dir'" - verbose "install_data_to_pki: $context - COMPLETED" -} # => install_data_to_pki() + verbose "locate_support_files: COMPLETED" +} # => locate_support_files() # Disable terminal echo, if possible, otherwise warn hide_read_pass() { @@ -5324,9 +5275,9 @@ verify_working_env() { # Verify SSL Lib - One time ONLY verify_ssl_lib - # Find x509-types but do not fail - # Not fatal here, used by 'help' - install_data_to_pki x509-types-only + # Find x509-types and openssl_easyrsa.cnf + # used by 'help' + locate_support_files # For commands which 'require a PKI' and PKI exists if [ "$require_pki" ]; then 
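Review bot: The rewritten loop in `locate_support_files()` keeps the `-e` tests for both `${area}/${x509_types_dir}` and `${area}/${ssl_cnf_file}` but drops the `[ -d "$EASYRSA_EXT_DIR" ]` sanity check the old tail of `install_data_to_pki()` performed, and the config file is now consumed in place rather than copied into the PKI. A stray directory named `openssl-easyrsa.cnf` or a plain file named `x509-types` in an earlier search location is therefore accepted by `set_var` and only surfaces later as an OpenSSL error or a silently substituted temp-file. `[ -d "${area}/${x509_types_dir}" ]` and `[ -f "${area}/${ssl_cnf_file}" ]` express the intent at no cost. Because `EASYRSA_SSL_CONF` is an OpenSSL configuration file, which can instruct the library to load engine or provider modules, a comment above the `for area in` list stating that the first match from these directories is trusted as-is would help the next maintainer judge additions such as `/etc/easy-rsa`. `set_var` is defined outside the hunk; the first-wins behaviour is taken from the header comment.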
@@ -5340,13 +5291,6 @@ verify_working_env - secure-session failed" # Verify or create: EASYRSA_SSL_CONF write_easyrsa_ssl_cnf_tmp - # Install data-files into ALL PKIs - # This will find x509-types - # and export EASYRSA_EXT_DIR or die. - # Other errors only require warning. - install_data_to_pki vars-setup || warn "\ -verify_working_env - install_data_to_pki vars-setup failed" - # Verify selected algorithm and parameters verify_algo_params From 75cbe03433f1a684dfe851935a01f2cb9c550995 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 22:32:40 +0000 Subject: [PATCH 07/26] Move call to locate_support_files() to invocation layer (Simplify) Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 557ec0e5b..a789d8f4f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5275,10 +5275,6 @@ verify_working_env() { # Verify SSL Lib - One time ONLY verify_ssl_lib - # Find x509-types and openssl_easyrsa.cnf - # used by 'help' - locate_support_files - # For commands which 'require a PKI' and PKI exists if [ "$require_pki" ]; then # Verify PKI is initialised @@ -6029,6 +6025,10 @@ validate_default_vars # Check for conflicting input options mutual_exclusions +# Find x509-types and openssl_easyrsa.cnf +# used by 'help' +locate_support_files + # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices unset -v require_pki require_ca ignore_vars From 1756e7aaf2b127d424ba0170553062af44bec6dc Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 22:39:38 +0000 Subject: [PATCH 08/26] Move call to verify_ssl_lib() to invocation layer (Simplify) Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a789d8f4f..cb3be4413 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -5272,9 +5272,6 @@ ${unexpected_error}" # Verify working environment verify_working_env() { - # Verify SSL Lib - One time ONLY - verify_ssl_lib - # For commands which 'require a PKI' and PKI exists if [ "$require_pki" ]; then # Verify PKI is initialised @@ -6029,6 +6026,9 @@ mutual_exclusions # used by 'help' locate_support_files +# Verify SSL Lib - One time ONLY +verify_ssl_lib + # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices unset -v require_pki require_ca ignore_vars From dcb19b2ce34f079d8af080d670a8a2ca5295a5f3 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 23:06:13 +0000 Subject: [PATCH 09/26] Move call to write_easyrsa_ssl_cnf_tmp() to secure_session() This is necessary for status reports read_db(), which recreates the secure session for each record. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cb3be4413..8811705b7 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -717,6 +717,10 @@ secure_session() { OPENSSL_CONF safe_ssl_cnf_tmp \ working_safe_ssl_conf easyrsa_err_log="$secured_session/error.log" + + # Verify or create: EASYRSA_SSL_CONF + write_easyrsa_ssl_cnf_tmp + verbose "\ secure_session: CREATED: $secured_session" return @@ -5281,9 +5285,6 @@ verify_working_env() { secure_session || die "\ verify_working_env - secure-session failed" - # Verify or create: EASYRSA_SSL_CONF - write_easyrsa_ssl_cnf_tmp - # Verify selected algorithm and parameters verify_algo_params From 6b6568d975620cf8d4dfdf90304ee84853a1af5e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 23:23:04 +0000 Subject: [PATCH 10/26] Move check for $working_safe_ssl_conf to invocation layer (Simplify) Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) 
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8811705b7..5328bed30 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5288,13 +5288,6 @@ verify_working_env - secure-session failed" # Verify selected algorithm and parameters verify_algo_params - # Check $working_safe_ssl_conf, to build - # a fully configured safe ssl conf, on the - # next invocation of easyrsa_openssl() - if [ "$working_safe_ssl_conf" ]; then - die "working_safe_ssl_conf must not be set!" - fi - # Verify CA is initialised if [ "$require_ca" ]; then verify_ca_init @@ -6030,8 +6023,16 @@ locate_support_files # Verify SSL Lib - One time ONLY verify_ssl_lib +# Check $working_safe_ssl_conf, to build +# a fully configured safe ssl conf, on the +# next invocation of easyrsa_openssl() +if [ "$working_safe_ssl_conf" ]; then + die "working_safe_ssl_conf must not be set!" +fi + # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices +# Used by verify_working_env() unset -v require_pki require_ca ignore_vars case "$cmd" in ''|help|-h|--help|--usage| \ From a617f79f5f485cbf598d7ad04e09439ca760b0b2 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 23:35:17 +0000 Subject: [PATCH 11/26] Move OpenSSL Version message to verify_ssl_lib() at verbose level Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5328bed30..cec28367f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1188,6 +1188,11 @@ $error_msg" ;; *) die "Unexpected SSL version: $osslv_major" esac + + # Message + verbose " +Using SSL: +* $EASYRSA_OPENSSL $ssl_version" } # => verify_ssl_lib() # Basic sanity-check of PKI init and complain if missing 
@@ -5293,11 +5298,6 @@ verify_working_env - secure-session failed" verify_ca_init fi - # Last setup msg - information " -Using SSL: -* $EASYRSA_OPENSSL $ssl_version" - fi verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() From ca62e662ec1f31c1cfc1d79c5e3054e98dacdd0b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 8 Dec 2023 23:44:00 +0000 Subject: [PATCH 12/26] verify_working_env(): Minor clean up Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cec28367f..b4c66ba8e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5286,9 +5286,8 @@ verify_working_env() { # Verify PKI is initialised verify_pki_init - # Temp dir session - secure_session || die "\ -verify_working_env - secure-session failed" + # Temp dir session and default SSL conf file + secure_session # Verify selected algorithm and parameters verify_algo_params @@ -5297,7 +5296,6 @@ verify_working_env - secure-session failed" if [ "$require_ca" ]; then verify_ca_init fi - fi verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() From a8503dd289787f504f34ffb9468d235393490c48 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sat, 9 Dec 2023 01:02:52 +0000 Subject: [PATCH 13/26] Make shellcheck directives searchable, add function name to comment Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 40 +++++++++++++++++++--------------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b4c66ba8e..687acca39 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -573,7 +573,7 @@ Deprecated features: # Wrapper around printf - clobber print since it's not POSIX anyway # print() is used internally, so MUST NOT be silenced. -# shellcheck disable=SC1117 +# shellcheck disable=SC1117 # printf format - print() print() { printf '%s\n' "$*" } # => print() 
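Review bot: Dropping `|| die` from the `secure_session` call in `verify_working_env()` means a failed session setup no longer stops the run unless `secure_session()` itself dies on every failure path, which is not visible here (patch 09's hunk shows it ending in a plain `return` after the verbose message). If it can return non-zero, the command continues with `easyrsa_err_log` and `EASYRSA_SSL_CONF` pointing nowhere useful and fails later with a less specific message. Either keep `secure_session || die "verify_working_env - secure_session failed"`, or document on `secure_session()` that it never returns failure so the simplification is visibly safe.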
@@ -653,7 +653,7 @@ $msg Type the word '$value' to continue, or any other input to abort." printf %s " $prompt" - # shellcheck disable=SC2162 # read without -r will mangle .. + # shellcheck disable=SC2162 # read without -r - confirm() read input printf '\n' [ "$input" = "$value" ] && return @@ -870,8 +870,7 @@ Temporary session not preserved." warn "cleanup - remove_secure_session failed" fi - # shellcheck disable=SC3040 - # In POSIX sh, set option [name] is undefined + # shellcheck disable=SC3040 # POSIX set - cleanup() case "$prompt_restore" in 0) : ;; # Not required 1) [ -t 1 ] && stty echo ;; @@ -1010,7 +1009,7 @@ expand_ssl_config - \ easyrsa_mktemp safe_ssl_cnf_tmp" # Rewrite - # shellcheck disable=SC2016 # No expansion inside '' + # shellcheck disable=SC2016 # No expand '' - expand_ssl_config() if sed \ \ -e s\`'$dir'\`\ @@ -1394,7 +1393,7 @@ locate_support_files() { hide_read_pass() { # 3040 - In POSIX sh, set option [name] is undefined # 3045 - In POSIX sh, some-command-with-flag is undefined - # shellcheck disable=SC3040,SC3045 + # shellcheck disable=SC3040,SC3045 # POSIX - hide_read_pass() if stty -echo 2>/dev/null; then prompt_restore=1 read -r "$@" @@ -1627,7 +1626,7 @@ Raw CA mode die "build_ca - easyrsa_mktemp adjusted_ssl_cnf_tmp" # Assign awkscript to insert EASYRSA_EXTRA_EXTS - # shellcheck disable=SC2016 # vars don't expand in '' + # shellcheck disable=SC2016 # No expand '' - build_ca() awkscript='\ {if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } @@ -1895,8 +1894,7 @@ to the latest Easy-RSA release." req_extensions = req_extra [ req_extra ] $EASYRSA_EXTRA_EXTS" - # vars don't expand in single quote - # shellcheck disable=SC2016 + # shellcheck disable=SC2016 # No expand '' - gen_req() awkscript=' {if ( match($0, "^#%EXTRA_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } 
@@ -2064,7 +2062,7 @@ to the latest Easy-RSA release." # Setup & insert the copy_extensions data # keyed by a magic line copy_exts="copy_extensions = copy" - # shellcheck disable=SC2016 # vars don't expand '' + # shellcheck disable=SC2016 # No expand '' - sign_req() awkscript=' {if ( match($0, "^#%COPY_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } @@ -2112,7 +2110,7 @@ Writing 'copy_exts' to SSL config temp-file failed" # Print the last occurence of basicContraints in # x509-types/ca # If basicContraints is not defined then bail - # shellcheck disable=SC2016 # vars don't expand '' + # shellcheck disable=SC2016 # No expand '' - sign_req() awkscript='\ /^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 } END { if (length(bC) == 0 ) exit 1; print bC }' @@ -3933,7 +3931,7 @@ ssl_cert_serial() { } # => ssl_cert_serial() # Get certificate start date -# shellcheck disable=2317 # Unreachable code .. +# shellcheck disable=2317 # Unreach - ssl_cert_not_before_date() ssl_cert_not_before_date() { verbose "DEPRECATED: ssl_cert_not_before_date()" [ "$#" = 2 ] || die "\ @@ -3976,7 +3974,7 @@ ssl_cert_not_after_date - failed to set var '$*'" } # => ssl_cert_not_after_date() # SSL -- v3 -- startdate iso_8601 -# shellcheck disable=2317 # Unreachable code .. +# shellcheck disable=2317 # Unreach - iso_8601_cert_startdate() iso_8601_cert_startdate() { verbose "NEW: iso_8601_cert_startdate" [ "$#" = 2 ] || die "\ @@ -4326,7 +4324,7 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date" # Convert default SSL date to iso_8601 date # This may not be feasible, due to different languages # Alow the caller to assess those errors (eg. Fall-back) -# shellcheck disable=2317 # Unreachable code .. +# shellcheck disable=2317 # Unreach - cert_date_to_iso_8601_date() cert_date_to_iso_8601_date() { verbose "iso_8601-WIP: cert_date_to_iso_8601_date" die "BLOCKED: cert_date_to_iso_8601_date" 
@@ -4400,7 +4398,7 @@ cert_date_to_iso_8601: force_set_var - $2 - $out_date" # Try in sh.exe: t=' '; s="a${t}b${t}c"; echo "${s%%"${t}"*}" # Read db -# shellcheck disable=SC2295 +# shellcheck disable=SC2295 # nested expand - read_db() read_db() { TCT=' ' # tab character db_in="$EASYRSA_PKI/index.txt" @@ -4850,7 +4848,7 @@ detect_host() { # Detect Windows [ "${OS}" ] && easyrsa_host_test="${OS}" - # shellcheck disable=SC2016 # expansion inside '' blah + # shellcheck disable=SC2016 # No expand '' - detect_host() easyrsa_ksh=\ '@(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $' @@ -5156,17 +5154,17 @@ Please, correct these errors and try again." fi # Enable sourcing 'vars' - # shellcheck disable=SC2034 # appears unused + # shellcheck disable=SC2034 # appears unused - source_vars() EASYRSA_CALLER=1 easyrsa_path="$PATH" - # shellcheck disable=SC2123 # PATH is the shell .. + # shellcheck disable=SC2123 # PATH is - source_vars() PATH=./ # Test sourcing 'vars' in a subshell - # shellcheck disable=1090 # can't follow .. vars + # shellcheck disable=1090 # can't follow - source_vars() if ( . "$target_file" ); then # Source 'vars' now - # shellcheck disable=1090 # can't follow .. vars + # shellcheck disable=1090 # can't follow - source_vars() . "$target_file" || \ die "Failed to source the '$target_file' file." else @@ -6246,7 +6244,7 @@ Unknown command '$cmd'. Run without commands for usage help." esac # Check for untrapped errors -# shellcheck disable=SC2181 +# shellcheck disable=SC2181 # Quote expand - pre-cleanup $? if [ $? = 0 ]; then # Do 'cleanup ok' on successful completion #print "mktemp_counter: $mktemp_counter uses" From 0d68ccb7a2ac8d2bae3350b082aad385d8423b85 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sat, 9 Dec 2023 01:50:19 +0000 Subject: [PATCH 14/26] Add 'email' and 'kdc' to create_x509_type() Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) 
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 687acca39..f4cbbe042 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5395,6 +5395,38 @@ create_x509_type() { keyUsage = digitalSignature X509_CODE_SIGNING ;; + email) + cat <<- "X509_EMAIL" + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + extendedKeyUsage = emailProtection + keyUsage = digitalSignature,keyEncipherment,nonRepudiation + X509_EMAIL + ;; + kdc) + cat <<- "X509_KDC" +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +extendedKeyUsage = 1.3.6.1.5.2.3.5 +keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement +issuerAltName = issuer:copy +subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name + +[kdc_princ_name] +realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM} +principal_name = EXP:1,SEQUENCE:kdc_principal_seq + +[kdc_principal_seq] +name_type = EXP:0,INTEGER:1 +name_string = EXP:1,SEQUENCE:kdc_principals + +[kdc_principals] +princ1 = GeneralString:krbtgt +princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM} + X509_KDC + ;; *) return 1 esac From c814e0ae6cb85325455945c2c0c72dd22bd1a545 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 12 Dec 2023 22:11:13 +0000 Subject: [PATCH 15/26] Introduce command 'write' - Write support files This allows creating all support files. Usage: 'easyrsa write ' * must be specified. * is optional. If specified then files are created. Otherwise, data is sent to stdout. Types: * ssl-cnf - Write openssl-easyrsa.cnf file. * COMMON|ca|server|serverCleint|client|codeSigning|email|kdc - Write x509-type file. * lecacy - Write ALL files above to . Default is EASYRSA_PKI or EASYRSA. Will create /x509-types directory. * safe-ssl - Expand Easy-RSA SSL config for LibreSSL. * vars - Write vars.example file. Replaces command 'make-safe-ssl' and 'make-vars'. 
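Review bot: The new `kdc` branch emits `${ENV::EASYRSA_KDC_REALM}` twice, so the generated x509-type is only usable when `EASYRSA_KDC_REALM` is exported at signing time; OpenSSL treats an unset `${ENV::…}` reference as a configuration error, which a user sees as an opaque library failure rather than an Easy-RSA `user_error`. Nothing in this hunk or its commit message records that requirement. A shell comment above `cat <<- "X509_KDC"` such as `# Requires EASYRSA_KDC_REALM in the environment - expanded by OpenSSL at sign time` would at least make it discoverable; a check in the signing path is the better fix but lies outside this hunk. As a point of style, the `kdc` heredoc body is flush-left while the sibling `email` body is tab-indented under the same `<<-` form.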
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 298 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 208 insertions(+), 90 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f4cbbe042..46d0da09f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -24,8 +24,8 @@ To get detailed usage and help for a command, use: For a list of global-options, use: ./easyrsa help options -For a list of extra test commands, use: - ./easyrsa help more +For a list of utility commands, use: + ./easyrsa help util A list of commands is shown below: init-pki [ cmd-opts ] @@ -55,7 +55,8 @@ A list of commands is shown below: export-p7 [ cmd-opts ] export-p8 [ cmd-opts ] export-p12 [ cmd-opts ] - set-pass [ cmd-opts ]" + set-pass [ cmd-opts ] + write [ cmd-opts ]" # collect/show dir status: text_only=1 @@ -381,6 +382,26 @@ cmd_help() { (Equivalent to global option '--nopass|--no-pass') * file - (Advanced) Treat the file as a raw path, not a short-name" ;; + write) + text=" +* write + + Write data to stdout or + + Types: + * ssl-cnf - Write openssl-easyrsa.cnf file. + * COMMON|ca|server|serverClient|client|codeSigning|email|kdc + Write x509-type file. + * legacy - Write ALL support files (above) to . + Will create /x509-types directory. + Default is EASYRSA_PKI or EASYRSA. + * safe-ssl - Expand EasyRSA SSL config file for LibreSSL. + * vars - Write vars.example file." + opts=" + * - If is specified then files are created. + Otherwise, the data is sent to stdout, except + for 'legacy', which always creates files." + ;; altname|subjectaltname|san) text_only=1 text=" 
@@ -427,15 +448,12 @@ cmd_help() { * To generate a certificate signing request: eg: '--batch --req-cn=NAME gen-req '" ;; - more|test|xtra|extra|ext) + util|more) # Test features text_only=1 text=" - Print vars.example here-doc to stdout: - make-vars - - Make safessl-easyrsa.cnf file: - mss|make-safe-ssl +NOTE: +These commands are safe to test and will NOT effect your PKI. Check number is unique: serial|check-serial @@ -1189,7 +1207,7 @@ $error_msg" esac # Message - verbose " + verbose "verify_ssl_lib(): Using SSL: * $EASYRSA_OPENSSL $ssl_version" } # => verify_ssl_lib() @@ -4672,7 +4690,7 @@ expire_status: Verify cert expire date EXCESS mismatch!" expire_status: cert_date_to_timestamp_s: comparison complete" else - verbose "\ + verbose "\ expire_status: ACCEPTED ERROR-2: \ iso_8601_timestamp_to_seconds" verbose "\ @@ -5224,8 +5242,10 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_REQ_CN ChangeMe set_var EASYRSA_DIGEST sha256 + # verified or created by secure_session() set_var EASYRSA_SSL_CONF \ "$EASYRSA_PKI/openssl-easyrsa.cnf" + # created as required set_var EASYRSA_SAFE_CONF \ "$EASYRSA_PKI/safessl-easyrsa.cnf" @@ -5333,9 +5353,25 @@ force_set_var() { -############################################################################ -# -# Create X509-type files +# Verify: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf +# or create temp-file +write_easyrsa_ssl_cnf_tmp() { + [ -f "$EASYRSA_SSL_CONF" ] && return + + # Create temp-file + ssl_cnf_tmp= + easyrsa_mktemp ssl_cnf_tmp || die "\ +write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp" + + # Write SSL cnf to temp-file + write ssl-cnf > "$ssl_cnf_tmp" || die "\ +write_easyrsa_ssl_cnf_tmp - write ssl-cnf" + + # export SSL cnf tmp + export EASYRSA_SSL_CONF="$ssl_cnf_tmp" + verbose "\ +write_easyrsa_ssl_cnf_tmp: create_openssl_easyrsa_cnf OK" +} # => write_easyrsa_ssl_cnf_tmp() # Write x509 type file to a temp file write_x509_type_tmp() { 
@@ -5347,65 +5383,175 @@ write_x509_type_tmp() { easyrsa_mktemp x509_tmp || \ die "write_x509_type_tmp - easyrsa_mktemp x509_tmp" - create_x509_type "$type" > "$x509_tmp" || \ - die "write_x509_type_tmp - create_x509_type $type" + write "$type" > "$x509_tmp" || \ + die "write_x509_type_tmp - write $type" verbose "write_x509_type_tmp: $type COMPLETE" } # => write_x509_type_tmp() +############################################################################ +# +# Create legacy files +# +# Directories are user configurable, File names are fixed + +# Write ALL legacy files to $1 or default +legacy_files() { + legacy_out_d="${1:-$EASYRSA_PKI}" + legacy_out_d="${legacy_out_d:-$EASYRSA}" + [ -d "$legacy_out_d" ] || \ + user_error "Missing directory '$legacy_out_d'" + + EASYRSA_LEGACY_OVERWRITE=1 + if write ssl-cnf "$legacy_out_d" + then + x509_d="$legacy_out_d"/x509-types + mkdir -p "$x509_d" || die "legacy_files - x509_d" + + write COMMON "$x509_d" + write ca "$x509_d" + write server "$x509_d" + write serverClient "$x509_d" + write client "$x509_d" + write codeSigning "$x509_d" + write email "$x509_d" + write kdc "$x509_d" + else + user_error "legacy_files - write ssl-cnf" + fi + + unset -v legacy_out_d x509_dir + verbose "legacy_files: OK $x509_d" +} # => legacy_files() + +# write legacy files to stdout or to $folder +write() { + write_type="$1" + write_dir="$2" + write_file= + + case "$write_type" in + safe-ssl) + # Only write to EASYRSA_PKI + [ -z "$write_dir" ] || \ + user_error "Unsupported option: '$write_dir'" + verify_working_env + make_safe_ssl || die "write failed" + return + ;; + ssl-cnf) + # write to stdout or $write_dir/openssl-easyrsa.cnf + if [ "$write_dir" ]; then + write_file="$write_dir"/openssl-easyrsa.cnf + fi + ;; + vars) + # write to stdout or $write_dir/vars.example + if [ "$write_dir" ]; then + write_file="$write_dir"/vars.example + fi + ;; + # This correctly renames 'code-signing' to 'codeSigning' + 
COMMON|ca|server|serverClient|client|codeSigning|email|kdc) + # write to stdout or $write_dir/$write_type [x509-type] + if [ "$write_dir" ]; then + write_file="$write_dir/$write_type" + fi + ;; + *) + user_error "write - unknown type '$type'" + esac + + # Check for output directory and file-name + if [ "$write_dir" ]; then + [ -d "$write_dir" ] || \ + user_error "Missing directory '$write_dir'" + + if [ -f "$write_file" ]; then + [ "$EASYRSA_LEGACY_OVERWRITE" ] || \ + user_error "File exists: $write_file" + fi + fi + + # write legacy data stream to stdout or $write_file + if [ "$write_file" ]; then + create_legacy_stream "$write_type" >"$write_file" || \ + die "write failed" + else + create_legacy_stream "$write_type" + fi +} #= write() + # Create x509 type -create_x509_type() { +create_legacy_stream() { case "$1" in COMMON) - cat <<- "X509_TYPE_COMMON" - X509_TYPE_COMMON + # COMMON is not very useful + cat <<- "CREATE_X509_TYPE_COMMON" + CREATE_X509_TYPE_COMMON + ;; + easyrsa) + # This could be COMMON but not is not suitable for a CA + cat <<- "CREATE_X509_TYPE_EASYRSA" + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = digitalSignature,keyEncipherment + CREATE_X509_TYPE_EASYRSA ;; serverClient) - create_x509_type_easyrsa - cat <<- "X509_TYPE_SERV_CLI" + # serverClient + create_legacy_stream easyrsa + cat <<- "CREATE_X509_TYPE_SERV_CLI" extendedKeyUsage = serverAuth,clientAuth - X509_TYPE_SERV_CLI + CREATE_X509_TYPE_SERV_CLI ;; server) - create_x509_type_easyrsa - cat <<- "X509_TYPE_SERV" + # server + create_legacy_stream easyrsa + cat <<- "CREATE_X509_TYPE_SERV" extendedKeyUsage = serverAuth - X509_TYPE_SERV + CREATE_X509_TYPE_SERV ;; client) - create_x509_type_easyrsa - cat <<- "X509_TYPE_CLI" + # client + create_legacy_stream easyrsa + cat <<- "CREATE_X509_TYPE_CLI" extendedKeyUsage = clientAuth - X509_TYPE_CLI + CREATE_X509_TYPE_CLI ;; ca) - cat <<- "X509_TYPE_CA" + # ca + cat <<- 
"CREATE_X509_TYPE_CA" basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = cRLSign, keyCertSign - X509_TYPE_CA + CREATE_X509_TYPE_CA ;; - codeSign) - cat <<- "X509_CODE_SIGNING" + codeSigning) + # codeSigning + cat <<- "CREATE_X509_CODE_SIGNING" basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = codeSigning keyUsage = digitalSignature - X509_CODE_SIGNING + CREATE_X509_CODE_SIGNING ;; email) - cat <<- "X509_EMAIL" + # email + cat <<- "CREATE_X509_TYPE_EMAIL" basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = emailProtection keyUsage = digitalSignature,keyEncipherment,nonRepudiation - X509_EMAIL + CREATE_X509_TYPE_EMAIL ;; kdc) - cat <<- "X509_KDC" + # kdc + cat <<- "CREATE_X509_TYPE_KDC" basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always @@ -5425,27 +5571,11 @@ name_string = EXP:1,SEQUENCE:kdc_principals [kdc_principals] princ1 = GeneralString:krbtgt princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM} - X509_KDC +CREATE_X509_TYPE_KDC ;; - *) - return 1 - esac -} # => create_x509_type() - -# Create x509-type/easyrsa -# This could be COMMON but not is not suitable for a CA -create_x509_type_easyrsa() { - cat <<- "X509_TYPE_EASYRSA" - basicConstraints = CA:FALSE - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid,issuer:always - keyUsage = digitalSignature,keyEncipherment - X509_TYPE_EASYRSA -} # => create_x509_type_easyrsa() - -# Create vars.example - Minimum settings only -create_vars_example() { - cat << "VARS_EXAMPLE" + vars) + # vars + cat << "CREATE_VARS_EXAMPLE" # Easy-RSA 3 parameter settings # NOTE: If you installed Easy-RSA from your package manager, do not edit 
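Review bot: The fallback branch of the new write() function reports the wrong variable: `user_error "write - unknown type '$type'"` reads `$type`, which write() never sets (it belongs to the caller write_x509_type_tmp()), so an unknown type given on the command line produces a message with an empty or stale name; it should be `user_error "write - unknown type '$write_type'"`. In legacy_files(), `unset -v legacy_out_d x509_dir` names x509_dir while the variable in use is x509_d, so x509_d stays set after the function returns and the final `verbose "legacy_files: OK $x509_d"` only prints a value because of that typo; move the unset after the verbose line and spell it x509_d. write() likewise never clears write_type, write_dir and write_file, which is harmless today but an `unset -v` at its end would match the convention the rest of this file follows. write_x509_type_tmp() starts outside the hunk.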
@@ -5590,32 +5720,11 @@ fi # Define directory for temporary subdirectories. # #set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" -VARS_EXAMPLE -} # => create_vars_example() - -# Verify: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf -# or create temp-file -write_easyrsa_ssl_cnf_tmp() { - [ -f "$EASYRSA_SSL_CONF" ] && return - - # Create temp-file - ssl_cnf_tmp= - easyrsa_mktemp ssl_cnf_tmp || die "\ -write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp" - - # Write SSL cnf to temp-file - create_openssl_easyrsa_cnf > "$ssl_cnf_tmp" || die "\ -write_easyrsa_ssl_cnf_tmp - create_openssl_easyrsa_cnf" - - # export SSL cnf tmp - export EASYRSA_SSL_CONF="$ssl_cnf_tmp" - verbose "\ -write_easyrsa_ssl_cnf_tmp: create_openssl_easyrsa_cnf OK" -} # => write_easyrsa_ssl_cnf_tmp() - -# Create openssl-easyrsa.cnf -create_openssl_easyrsa_cnf() { - cat << "SSL_CONFIG" +CREATE_VARS_EXAMPLE + ;; + ssl-cnf) + # SSL config + cat << "CREATE_SSL_CONFIG" # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL #################################################################### @@ -5762,8 +5871,12 @@ keyUsage = cRLSign, keyCertSign # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always -SSL_CONFIG -} # => create_openssl_easyrsa_cnf() +CREATE_SSL_CONFIG + ;; + *) + die "create_legacy_stream: unknown type '$1'" + esac +} # => create_legacy_stream() # Version information print_version() { @@ -6222,13 +6335,18 @@ case "$cmd" in verify_cert "$@" || \ easyrsa_exit_with_error=1 ;; - mss|make-safe-ssl) - verify_working_env - make_safe_ssl "$@" - ;; - make-vars) + write) # verify_working_env - Not required - create_vars_example + case "$1" in + legacy) + # Write legacy files to write_dir + # or EASYRSA_PKI or EASYRSA + shift + legacy_files "$@" + ;; + *) + write "$@" + esac ;; serial|check-serial) verify_working_env From 058d3ebb7ce1a98cdcc50f2e0e58fbdaad177f25 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Tue, 12 Dec 2023 22:57:24 +0000 Subject: [PATCH 16/26] ChangeLog: Add new command 'write' Signed-off-by: Richard T Bonhomme --- ChangeLog | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 881e1e52e..086f8b438 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,12 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) - * New Command 'rand': 'Expose easyrsa_random() to the command line (#1046) + * New command 'write': Write 'legacy' files to stdout or files (#1046) c814e0a + EasyRSA is now capable of running without openssl-easyrsa.cnf and x509-types. + Necessary files are created on demand as temp-files and removed on completion. + These files will be retained for downstream packaging compatibility. + Also, files vars.example and safessl-easyrsa.cnf can be generated. + * New Command 'rand': Expose easyrsa_random() to the command line (#1046) 6131cbf * Remove function 'set_pass_legacy()' (#1045) * Remove command 'rewind-renew' (#1045) * Remove command 'rebuild' (#1045) From fbd8a45172e490991cf12a2fb2051853212a4d23 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 13 Dec 2023 01:43:46 +0000 Subject: [PATCH 17/26] Add command option 'legacy-hard' (Over-write files) to command 'write' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 46d0da09f..396f8f189 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -395,6 +395,8 @@ cmd_help() { * legacy - Write ALL support files (above) to . Will create /x509-types directory. Default is EASYRSA_PKI or EASYRSA. + * legacy-hard + Same as 'legacy' plus OVER-WRITE files. * safe-ssl - Expand EasyRSA SSL config file for LibreSSL. * vars - Write vars.example file." opts=" 
@@ -5402,7 +5404,6 @@ legacy_files() { [ -d "$legacy_out_d" ] || \ user_error "Missing directory '$legacy_out_d'" - EASYRSA_LEGACY_OVERWRITE=1 if write ssl-cnf "$legacy_out_d" then x509_d="$legacy_out_d"/x509-types @@ -5468,8 +5469,9 @@ write() { user_error "Missing directory '$write_dir'" if [ -f "$write_file" ]; then - [ "$EASYRSA_LEGACY_OVERWRITE" ] || \ - user_error "File exists: $write_file" + # If the file exists then do not over write + # unless explicitly instructed + [ "$legacy_file_over_write" ] || return 0 fi fi @@ -5929,7 +5931,8 @@ unset -v \ invalid_vars \ do_build_full error_build_full_cleanup \ internal_batch mv_temp_error \ - easyrsa_exit_with_error error_info + easyrsa_exit_with_error error_info \ + legacy_file_over_write # Used by build-ca->cleanup to restore prompt # after user interrupt when using manual password @@ -6337,13 +6340,20 @@ case "$cmd" in ;; write) # verify_working_env - Not required + # Write legacy files to write_dir + # or EASYRSA_PKI or EASYRSA case "$1" in legacy) - # Write legacy files to write_dir - # or EASYRSA_PKI or EASYRSA + # over-write NO shift legacy_files "$@" ;; + legacy-hard) + # over-write YES + shift + legacy_file_over_write=1 + legacy_files "$@" + ;; *) write "$@" esac From 468a9e0a8f53dbaf67d7880806f1da9ddc84cdcb Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 13 Dec 2023 01:44:56 +0000 Subject: [PATCH 18/26] Update doc/EasyRSA-Advanced.md: Add 'Advanced configuration files' New section 'Advanced configuration files' gives further details on how to use command 'write'. Signed-off-by: Richard T Bonhomme --- doc/EasyRSA-Advanced.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md index 1a6b3b7f2..a15aae3d7 100644 --- a/doc/EasyRSA-Advanced.md +++ b/doc/EasyRSA-Advanced.md 
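Review bot: The new existence check in write() returns 0 silently when the target exists and legacy_file_over_write is unset, so callers such as `if write ssl-cnf "$legacy_out_d"` in legacy_files() cannot tell a written file from a skipped one, and a user whose x509-types stay unchanged gets no hint why. A message before the return keeps the documented no-error behaviour while making the skip visible: `[ "$legacy_file_over_write" ] || { verbose "write: '$write_file' exists, not over-written"; return 0; }`. Note also that `-f` is false for a directory or a dangling symlink at that path, and the later `>"$write_file"` redirect follows an existing symlink, so the legacy-hard path writes through whatever the link points at; if the PKI directory can be shared with other accounts, refusing with `[ -L "$write_file" ]` before writing would be the cautious choice. write() starts outside the hunk.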
@@ -85,6 +85,40 @@ Additionally, the contents of the env-var `EASYRSA_EXTRA_EXTS` is appended with its raw text added to the OpenSSL extensions. The contents are appended as-is to the cert extensions; invalid OpenSSL configs will usually result in failure. +Advanced configuration files +---------------------------- + +The following files are used by Easy-RSA to configure the SSL library: +* openssl-easyrsa.cnf - Configuration for Certificate Authority [CA] +* x509-types: COMMON, ca, server, serverClient, client, codeSigning, email, kdc. + Each type is used to define an X509 purpose. + +Since Easy-RSA version 3.2.0, these files are created on-demand by each command +that requires them. However, if these files are found in one of the supported +locations then those files are used instead, no temporary files are created. + +The supported locations are listed, in order of preference, as follows: +* `EASYRSA_PKI` - Always preferred. +* `EASYRSA` - For Windows. +* `PWD` - For Windows. +* `easyrsa` script directory - DEPRECATED, will be removed. Only for Windows. +* `/usr/local/share/easy-rsa` +* `/usr/share/easy-rsa` +* `/etc/easy-rsa` + +The files above can all be created by using command: `easyrsa write legacy ` +To OVER-WRITE any existing files use command: `eaysrsa write legacy-hard ` +`` is optional, the default is `EASYRSA_PKI`. This will create the files in +the current PKI or ``. If created then these new files may take priority +over system wide versions of the same files. See `help write` for further details. + +Note, Over-writing files: +Only command `write legacy-hard` will over-write files. All other uses of `write` +will leave an existing file intact, without error. If you want to over-write an +existing file using `write` then you must redirect `>foo` the output manually. + +Example command: `easyrsa write vars >vars` - This will over-write `./vars`. + Environmental Variables Reference --------------------------------- 
From 4c5c9d928f5cbafddbe01ecd26d654d0aa04691d Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 13 Dec 2023 02:12:13 +0000 Subject: [PATCH 19/26] Add 'confirm' to command 'write legacy-hard': Confirm file OVERWRITE Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +++ 1 file changed, 3 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 396f8f189..9081c2312 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6350,6 +6350,9 @@ case "$cmd" in ;; legacy-hard) # over-write YES + confirm "${NL} Confirm OVER-WRITE files ? " yes " +'legacy-hard' will OVER-WRITE all legacy files to default settings. +Legacy files: openssl-easyrsa.cnf and x509-types/ directory." shift legacy_file_over_write=1 legacy_files "$@" From 66a8f3e80544f9f3a4e5b403e167014ed3396d7a Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 01:25:51 +0000 Subject: [PATCH 20/26] init-pki: Always write vars.example file to fresh PKI Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +++ 1 file changed, 3 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9081c2312..86adbc305 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1353,6 +1353,9 @@ and initialize a fresh PKI here." Failed to create PKI file structure (permissions?)" done + # pki/vars.example + write vars "$EASYRSA_PKI" || die "init-pki - write vars" + # User notice notice "\ 'init-pki' complete; you may now create a CA or requests. From 784ad812907316c56c659a7e7f5caaec5dabc07b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 01:34:33 +0000 Subject: [PATCH 21/26] ChangeLog: init-pki: Always write vars.example file to fresh PKI Signed-off-by: Richard T Bonhomme --- ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ChangeLog b/ChangeLog index 086f8b438..cace06a80 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,11 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files + `vars.example`, `openssl-eayrsa.cnf` and all files in `x509-types` directory + are no longer required. Package maintainers can omit these files in the future. + All files are created as required and deleted upon command completion. + `vars.example` is created during `init-pki` and placed in the fresh PKI. 66a8f3e * New command 'write': Write 'legacy' files to stdout or files (#1046) c814e0a EasyRSA is now capable of running without openssl-easyrsa.cnf and x509-types. Necessary files are created on demand as temp-files and removed on completion. From 009ea1f7beaa2a44186e9b37381101867f53e883 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 12:18:23 +0000 Subject: [PATCH 22/26] build-ca: Do not export CA password to environment In default mode, build-ca exports the CA password to the environment, via function force_set_var(). Replace use of force_set_var() with a here-doc. Also, make verbose openssl command output debug only. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 86adbc305..8c0c19ea6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1126,7 +1126,8 @@ easyrsa_openssl() { fi # Execute command - Return on success - verbose "> easyrsa_openssl - EXEC $openssl_command $*" + [ -z "$EASYRSA_DEBUG" ] || \ + verbose "> easyrsa_openssl - EXEC $openssl_command $*" case "$openssl_command" in makesafeconf) @@ -1449,7 +1450,10 @@ get_passphrase() { printf '\n%s\n' \ "Passphrase must be at least 4 characters!" else - force_set_var "$t" "$r" || die "Passphrase error!" + read -r "$t" <<- SECRET + $r + SECRET + unset -v r t print return 0 From 3c3423bfb7887562dd99efce373b3306306f9c06 Mon Sep 17 00:00:00 2001 
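Review bot: The replacement `read -r "$t" <<- SECRET` in get_passphrase() is not byte-for-byte equivalent to the force_set_var call it replaces: read strips leading and trailing IFS whitespace from the line it assigns, and `<<-` removes leading tabs from the here-document body, so a passphrase that starts or ends with a space or tab is silently shortened compared with what the user typed. Use `IFS= read -r "$t" << SECRET` with the `SECRET` terminator at column 0 so the value is taken verbatim. A short comment on that line is also worth adding: in several POSIX shells a here-document is backed by a temporary file, so the passphrase may briefly touch disk under TMPDIR, which is still an improvement over exporting it to every child process but not the same as keeping it in memory only. get_passphrase() starts and ends outside the hunk.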
From: Richard T Bonhomme Date: Thu, 14 Dec 2023 17:37:21 +0000 Subject: [PATCH 23/26] ChangeLog: Remove duplicated information Signed-off-by: Richard T Bonhomme --- ChangeLog | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index cace06a80..082ebb5da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,12 +5,9 @@ Easy-RSA 3 ChangeLog `vars.example`, `openssl-eayrsa.cnf` and all files in `x509-types` directory are no longer required. Package maintainers can omit these files in the future. All files are created as required and deleted upon command completion. - `vars.example` is created during `init-pki` and placed in the fresh PKI. 66a8f3e - * New command 'write': Write 'legacy' files to stdout or files (#1046) c814e0a - EasyRSA is now capable of running without openssl-easyrsa.cnf and x509-types. - Necessary files are created on demand as temp-files and removed on completion. + `vars.example` is created during `init-pki` and placed in the fresh PKI. 66a8f3e These files will be retained for downstream packaging compatibility. - Also, files vars.example and safessl-easyrsa.cnf can be generated. + * New command 'write': Write 'legacy' files to stdout or files (#1046) c814e0a * New Command 'rand': Expose easyrsa_random() to the command line (#1046) 6131cbf * Remove function 'set_pass_legacy()' (#1045) * Remove command 'rewind-renew' (#1045) From 1c6b31a1957ac0f2a6379892349c21a2c34237ca Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 18:43:27 +0000 Subject: [PATCH 24/26] ChangeLog: Rename X509-type file 'code-signing' to 'codeSigning' Signed-off-by: Richard T Bonhomme --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 082ebb5da..65c52fb1b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,10 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Rename X509-type file `code-signing` to `codeSigning` (Part of #1046) + The original file will be retained as `code-signing`, however, the automatic + X509-types creation will name the file `codeSigning`. This effectively means + that both are valid X509-types, until `code-signing` is dropped. * Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files `vars.example`, `openssl-eayrsa.cnf` and all files in `x509-types` directory are no longer required. Package maintainers can omit these files in the future. From 8fc2f89ad9a18b841864dda41e9878b0753e8846 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 22:12:47 +0000 Subject: [PATCH 25/26] write: Use verify_working_env(), require a PKI Command 'write' requires a PKI for 'legacy' and 'safe-ssl'. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 8c0c19ea6..fe2e1497e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -6197,7 +6197,7 @@ case "$cmd" in require_pki=1 case "$cmd" in gen-req|gen-dh|build-ca|show-req| \ - make-safe-ssl|export-p*|inline) + make-safe-ssl|export-p*|inline|write) : # No change ;; *) @@ -6353,6 +6353,7 @@ case "$cmd" in legacy) # over-write NO shift + verify_working_env legacy_files "$@" ;; legacy-hard) @@ -6361,6 +6362,7 @@ case "$cmd" in 'legacy-hard' will OVER-WRITE all legacy files to default settings. Legacy files: openssl-easyrsa.cnf and x509-types/ directory." shift + verify_working_env legacy_file_over_write=1 legacy_files "$@" ;; From 01ede8aff2aca6a004102e61d24331379f8ab419 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 14 Dec 2023 22:17:03 +0000 Subject: [PATCH 26/26] cleanup(): Only print a clean line after restoring a hidden prompt Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) 
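Review bot: verify_working_env is added only to the legacy and legacy-hard branches, while the `*) write "$@"` branch that also accepts a directory argument (`write ssl-cnf <dir>`, `write vars <dir>`) still runs without it, so the same environment checks apply inconsistently across sub-commands; calling it once before the inner `case "$1"` would cover every branch, and the safe-ssl call inside write() would then be redundant. Separately, adding `write` to the require_ca exemption still leaves require_pki=1 set for every write sub-command, including `write vars` and `write ssl-cnf` to stdout, which need no PKI to produce their output; if require_pki refuses to run without an initialised PKI (its effect is outside this hunk), those stdout forms break and deserve their own exemption. The enclosing case statement starts and ends outside the hunk.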
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index fe2e1497e..b6aa434dd 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -893,14 +893,17 @@ Temporary session not preserved." # shellcheck disable=SC3040 # POSIX set - cleanup() case "$prompt_restore" in 0) : ;; # Not required - 1) [ -t 1 ] && stty echo ;; - 2) set -o echo ;; + 1) + [ -t 1 ] && stty echo + [ "$EASYRSA_SILENT" ] || print + ;; + 2) + set -o echo + [ "$EASYRSA_SILENT" ] || print + ;; *) warn "prompt_restore: '$prompt_restore'" esac - # Get a clean line - [ "$EASYRSA_SILENT" ] || print - # Clear traps trap - 0 1 2 3 6 15
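Review bot: Case 1) gates `stty echo` on `[ -t 1 ]`, but stty with no device argument operates on standard input, so the test checks the wrong descriptor: with stdout redirected to a file the echo is never restored on the terminal the prompt presumably hid it on, and with stdin redirected while stdout is a tty stty fails with an error. Test the descriptor stty acts on, `[ -t 0 ] && stty echo`. The mismatch predates the patch, but the line is rewritten here so it is worth fixing in the same change. cleanup() starts outside the hunk.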