New branch win-write-access: Initial commit

easyrsa3/easyrsa

@@ -10,6 +10,8 @@
 # and the Licensing/ directory of this project for full licensing
 # details.
 
+set -x
+
 # Help/usage output to stdout
 usage() {
 	# command help:
@@ -755,6 +757,7 @@ secure_session() {
 	session=
 	for i in 1 2 3; do
 		easyrsa_random 4 session
+		#session="$$"
 		secured_session="${EASYRSA_TEMP_DIR}/${session}"
 
 		# atomic:
@@ -1375,8 +1378,14 @@ and initialize a fresh PKI here."
 	fi
 
 	# new dirs:
+	mkdir "$EASYRSA_PKI"
+	[ -d "$EASYRSA_PKI" ] || \
+		die "\
+Failed to create PKI directory (permissions?)"
+
 	for i in issued private reqs inline; do
-		mkdir -p "$EASYRSA_PKI/$i" || \
+		mkdir "$EASYRSA_PKI/$i"
+		[ -d "$EASYRSA_PKI/$i" ] || \
 			die "\
 Failed to create PKI file structure (permissions?)"
 	done
@@ -1576,11 +1585,16 @@ current CA. To start a new CA, run init-pki first."
 	# create necessary dirs:
 	err_msg="\
 Unable to create necessary PKI files (permissions?)"
+
+	mkdir "$EASYRSA_PKI"/revoked
+	[ -d "$EASYRSA_PKI"/revoked ] || die "$err_msg (1)"
+
 	for i in certs_by_serial \
 		revoked/certs_by_serial revoked/private_by_serial \
 		revoked/reqs_by_serial
 	do
-		mkdir -p "$EASYRSA_PKI/$i" || die "$err_msg"
+		mkdir "$EASYRSA_PKI/$i"
+		[ -d "$EASYRSA_PKI/$i" ] || die "$err_msg (2)"
 	done
 
 	# create necessary files:
@@ -5680,6 +5694,7 @@ write() {
 
 # set heredoc variables for openssl-esyrsa.cnf
 # shellcheck disable=SC2016 # (info): $ don't expand in ''
+# shellcheck disable=SC2034 # appears unused
 set_openssl_easyrsa_cnf_vars(){
 	case "$1" in
 	expanded)
@@ -5722,6 +5737,7 @@ set_openssl_easyrsa_cnf_vars(){
 } # => set_openssl_easyrsa_cnf_vars()
 
 # Create x509 type
+# shellcheck disable=SC2317 # appears to be unreachable.
 create_legacy_stream() {
 	case "$1" in
 	COMMON)
@@ -5814,308 +5830,20 @@ CREATE_X509_TYPE_KDC
 	;;
 	vars)
 	# vars
+		return 1
 		cat << "CREATE_VARS_EXAMPLE"
 # Easy-RSA 3 parameter settings
 
-# NOTE: If you installed Easy-RSA from your package manager, do not edit
-# this file in place -- instead, you should copy the entire easy-rsa directory
-# to another location so future upgrades do not wipe out your changes.
-
-# HOW TO USE THIS FILE
-#
-# vars.example contains built-in examples to Easy-RSA settings. You MUST name
-# this file "vars" if you want it to be used as a configuration file. If you
-# do not, it WILL NOT be automatically read when you call easyrsa commands.
-#
-# It is not necessary to use this config file unless you wish to change
-# operational defaults. These defaults should be fine for many uses without
-# the need to copy and edit the "vars" file.
-#
-# All of the editable settings are shown commented and start with the command
-# "set_var" -- this means any set_var command that is uncommented has been
-# modified by the user. If you are happy with a default, there is no need to
-# define the value to its default.
-
-# NOTES FOR WINDOWS USERS
-#
-# Paths for Windows  *MUST* use forward slashes, or optionally double-escaped
-# backslashes (single forward slashes are recommended.) This means your path
-# to the openssl binary might look like this:
-# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-
-# A little housekeeping: DO NOT EDIT THIS SECTION
-#
-# Easy-RSA 3.x does not source into the environment directly.
-# Complain if a user tries to do this:
-if [ -z "$EASYRSA_CALLER" ]; then
-	echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
-	echo "no longer necessary and is disallowed. See the section called" >&2
-	echo "*How to use this file* near the top comments for more details." >&2
-	return 1
-fi
-
-# DO YOUR EDITS BELOW THIS POINT
-
-# If your OpenSSL command is not in the system PATH, you will need to define
-# the path here. Normally this means a full path to the executable, otherwise
-# you could have left it undefined here and the shown default would be used.
-#
-# Windows users, remember to use paths with forward-slashes (or escaped
-# back-slashes.) Windows users should declare the full path to the openssl
-# binary here if it is not in their system PATH.
-#
-#set_var EASYRSA_OPENSSL	"openssl"
-#
-# This sample is in Windows syntax -- edit it for your path if not using PATH:
-#set_var EASYRSA_OPENSSL	"C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-
-# Define X509 DN mode.
-#
-# This is used to adjust which elements are included in the Subject field
-# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the
-# Organizational fields, listed further below, are not used.
-#
-# Choices are:
-#   cn_only  - Use just a commonName value.
-#   org      - Use the "traditional" format:
-#              Country/Province/City/Org/Org.Unit/email/commonName
-#
-#set_var EASYRSA_DN	"cn_only"
-
-# Organizational fields (used with "org" mode and ignored in "cn_only" mode).
-# These are the default values for fields which will be placed in the
-# certificate.  Do not leave any of these fields blank, although interactively
-# you may omit any specific field by typing the "." symbol (not valid for
-# email).
-#
-# NOTE: The following characters are not supported
-#       in these "Organizational fields" by Easy-RSA:
-#       back-tick (`)
-#
-#set_var EASYRSA_REQ_COUNTRY	"US"
-#set_var EASYRSA_REQ_PROVINCE	"California"
-#set_var EASYRSA_REQ_CITY	"San Francisco"
-#set_var EASYRSA_REQ_ORG	"Copyleft Certificate Co"
-#set_var EASYRSA_REQ_EMAIL	"[email protected]"
-#set_var EASYRSA_REQ_OU		"My Organizational Unit"
-
-# Preserve the Distinguished Name field order
-# of the certificate signing request
-# *Only* effective in --dn-mode=org
-#
-#set_var EASYRSA_PRESERVE_DN	1
-
-# Set no password mode - This will create the entire PKI without passwords.
-# This can be better managed by choosing which entity private keys should be
-# encrypted with the following command line options:
-# Global option '--no-pass' or command option 'nopass'.
-#
-#set_var EASYRSA_NO_PASS	1
-
-# Choose a size in bits for your keypairs. The recommended value is 2048.
-# Using 2048-bit keys is considered more than sufficient for many years into
-# the future. Larger keysizes will slow down TLS negotiation and make key/DH
-# param generation take much longer. Values up to 4096 should be accepted by
-# most software. Only used when the crypto alg is rsa, see below.
-#
-#set_var EASYRSA_KEY_SIZE	2048
-
-# The default crypto mode is rsa; ec can enable elliptic curve support.
-# Note that not all software supports ECC, so use care when enabling it.
-# Choices for crypto alg are: (each in lower-case)
-#  * rsa
-#  * ec
-#  * ed
-#
-#set_var EASYRSA_ALGO		rsa
-
-# Define the named curve, used in ec & ed modes:
-#
-#set_var EASYRSA_CURVE		secp384r1
-
-# In how many days should the root CA key expire?
-#
-#set_var EASYRSA_CA_EXPIRE	3650
-
-# In how many days should certificates expire?
-#
-#set_var EASYRSA_CERT_EXPIRE	825
-
-# How many days until the next CRL publish date?  Note that the CRL can still
-# be parsed after this timeframe passes. It is only used for an expected next
-# publication date.
-#
-#set_var EASYRSA_CRL_DAYS	180
-
-# Random serial numbers by default.
-# Set to 'no' for the old incremental serial numbers.
-#
-#set_var EASYRSA_RAND_SN	"yes"
-
-# Cut-off window for checking expiring certificates.
-#
-#set_var EASYRSA_PRE_EXPIRY_WINDOW	90
-
-# Define directory for temporary subdirectories.
-#
-#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
+*** DISABLED ***
 CREATE_VARS_EXAMPLE
 	;;
 	ssl-cnf|safe-cnf)
 	# SSL config v3.2.0-1
-	cat << CREATE_SSL_CONFIG
+		return 1
+		cat << CREATE_SSL_CONFIG
 # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
 
-####################################################################
-[ ca ]
-default_ca	= CA_default		# The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir		= $conf_EASYRSA_PKI	# Where everything is kept
-certs		= $conf_EASYRSA_dir			# Where the issued certs are kept
-crl_dir		= $conf_EASYRSA_dir			# Where the issued crl are kept
-database	= $conf_EASYRSA_dir/index.txt	# database index file.
-new_certs_dir	= $conf_EASYRSA_dir/certs_by_serial	# default place for new certs.
-
-certificate	= $conf_EASYRSA_dir/ca.crt		# The CA certificate
-serial		= $conf_EASYRSA_dir/serial		# The current serial number
-crl		= $conf_EASYRSA_dir/crl.pem		# The current CRL
-private_key	= $conf_EASYRSA_dir/private/ca.key	# The private key
-RANDFILE	= $conf_EASYRSA_dir/.rand		# private random number file
-
-x509_extensions	= basic_exts		# The extensions to add to the cert
-
-# A placeholder to handle the --copy-ext feature:
-#%COPY_EXTS%	# Do NOT remove or change this line as --copy-ext support requires it
-
-# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
-# is designed for will. In return, we get the Issuer attached to CRLs.
-crl_extensions	= crl_ext
-
-# These fields are always configured via the command line.
-# These fields are removed from this here-doc but retained
-# in 'openssl-easyrsa.cnf' file, in case something breaks.
-# default_days is no longer required by Easy-RSA
-#default_days	= \$ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
-# default_crl_days is no longer required by Easy-RSA
-#default_crl_days	= \$ENV::EASYRSA_CRL_DAYS	# how long before next CRL
-
-default_md	= $conf_EASYRSA_DIGEST		# use public key default MD
-preserve	= no			# keep passed DN ordering
-
-# This allows to renew certificates which have not been revoked
-unique_subject	= no
-
-# A few different ways of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy		= policy_anything
-
-# For the 'anything' policy, which defines allowed DN fields
-[ policy_anything ]
-countryName		= optional
-stateOrProvinceName	= optional
-localityName		= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
-serialNumber	= optional
-
-####################################################################
-# Easy-RSA request handling
-# We key off \$DN_MODE to determine how to format the DN
-[ req ]
-default_bits		= $conf_EASYRSA_KEY_SIZE
-default_keyfile	= privkey.pem
-default_md		= $conf_EASYRSA_DIGEST
-distinguished_name	= $conf_EASYRSA_DN
-x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
-
-# A placeholder to handle the \$EXTRA_EXTS feature:
-#%EXTRA_EXTS%	# Do NOT remove or change this line as \$EXTRA_EXTS support requires it
-
-####################################################################
-# Easy-RSA DN (Subject) handling
-
-# Easy-RSA DN for cn_only support:
-[ cn_only ]
-commonName		= Common Name (eg: your user, host, or server name)
-commonName_max		= 64
-commonName_default	= $conf_EASYRSA_REQ_CN
-
-# Easy-RSA DN for org support:
-[ org ]
-countryName			= Country Name (2 letter code)
-countryName_default		= $conf_EASYRSA_REQ_COUNTRY
-countryName_min			= 2
-countryName_max			= 2
-
-stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= $conf_EASYRSA_REQ_PROVINCE
-
-localityName			= Locality Name (eg, city)
-localityName_default		= $conf_EASYRSA_REQ_CITY
-
-0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= $conf_EASYRSA_REQ_ORG
-
-organizationalUnitName		= Organizational Unit Name (eg, section)
-organizationalUnitName_default	= $conf_EASYRSA_REQ_OU
-
-commonName			= Common Name (eg: your user, host, or server name)
-commonName_max			= 64
-commonName_default		= $conf_EASYRSA_REQ_CN
-
-emailAddress			= Email Address
-emailAddress_default		= $conf_EASYRSA_REQ_EMAIL
-emailAddress_max		= 64
-
-serialNumber		= Serial-number (eg, device serial-number)
-serialNumber_default	= $conf_EASYRSA_REQ_SERIAL
-
-####################################################################
-# Easy-RSA cert extension handling
-
-# This section is effectively unused as the main script sets extensions
-# dynamically. This core section is left to support the odd usecase where
-# a user calls openssl directly.
-[ basic_exts ]
-basicConstraints	= CA:FALSE
-subjectKeyIdentifier	= hash
-authorityKeyIdentifier	= keyid,issuer:always
-
-# The Easy-RSA CA extensions
-[ easyrsa_ca ]
-
-# PKIX recommendations:
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This could be marked critical, but it's nice to support reading by any
-# broken clients who attempt to do so.
-basicConstraints = CA:true
-
-# Limit key usage to CA tasks. If you really want to use the generated pair as
-# a self-signed cert, comment this out.
-keyUsage = cRLSign, keyCertSign
-
-# nsCertType omitted by default. Let's try to let the deprecated stuff die.
-# nsCertType = sslCA
-
-# A placeholder to handle the \$X509_TYPES and CA extra extensions \$EXTRA_EXTS:
-#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as \$X509_TYPES and EXTRA_EXTS demands it
-
-# CRL extensions.
-[ crl_ext ]
-
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+*** DISABLED ***
 CREATE_SSL_CONFIG
 	;;
 	*)
@@ -6147,6 +5875,9 @@ EASYRSA_version="~VER~"
 NL='
 '
 
+print "DEBUG: EasyRSA: Windows protected write access"
+
+
 # Be secure with a restrictive umask
 [ "$EASYRSA_NO_UMASK" ] || umask "${EASYRSA_UMASK:=077}"