diff --git a/ChangeLog b/ChangeLog index 6d66ea99a..55fb3c3a3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Restrict use of --req-cn to build-ca (0a46164) (#1098) * Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096) * help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096) * Allow --san to be used multiple times (5a06f94) (#1096) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0d04a8a18..7e20f118e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -464,13 +464,12 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" text=" * Option: --req-cn=NAME - This specific option can set the CSR commonName. + This global option can be used to set the CA commonName. - Can only be used in BATCH mode for the following commands: * To build a new CA [or Sub-CA]: eg: '--batch --req-cn=NAME build-ca [subca]' - * To generate a certificate signing request: - eg: '--batch --req-cn=NAME gen-req '" + + Can only be used in BATCH mode." ;; tool*|util*|more) # Test features @@ -610,7 +609,7 @@ Distinguished Name mode: --dn-mode=MODE : Distinguished Name mode to use 'cn_only' (Default) or 'org' ---req-cn=NAME : Set CSR commonName to NAME. For details, see: 'help req-cn' +--req-cn=NAME : Set CA commonName. For details, see: 'help req-cn' Distinguished Name Organizational options: (only used with '--dn-mode=org') --req-c=CC : Country code (2-letters) 
@@ -1918,20 +1917,19 @@ Run easyrsa without commands for usage and commands." # Initialisation unset -v text ssl_batch - # Set ssl batch mode and Default commonName, as required + # Set ssl batch mode as required if [ "$EASYRSA_BATCH" ]; then ssl_batch=1 - # If EASYRSA_REQ_CN is set to something other than - # 'ChangeMe' then keep user defined value - if [ "$EASYRSA_REQ_CN" = ChangeMe ]; then - export EASYRSA_REQ_CN="$file_name_base" - fi - else - # --req-cn must be used with --batch - # otherwise use file-name - export EASYRSA_REQ_CN="$file_name_base" fi + # Prohibit --req-cn + [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\ +Option conflict --req-cn: +* '$cmd' does not support setting an external commonName" + + # Enforce commonName + export EASYRSA_REQ_CN="$file_name_base" + # Output files key_out="$EASYRSA_PKI/private/${file_name_base}.key" req_out="$EASYRSA_PKI/reqs/${file_name_base}.req" @@ -2074,6 +2072,14 @@ expected 2, got $# (see command help for usage)" crt_out="$EASYRSA_PKI/issued/$file_name_base.crt" shift 2 + # Prohibit --req-cn + [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\ +Option conflict --req-cn: +* '$cmd' does not support setting an external commonName" + + # Enforce commonName + export EASYRSA_REQ_CN="$file_name_base" + # Check for preserve-dn while [ "$1" ]; do case "$1" in @@ -2494,17 +2500,21 @@ An inline file for name '$name' already exists: # Set commonName [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\ -Option conflict: +Option conflict --req-cn: * '$cmd' does not support setting an external commonName" - EASYRSA_REQ_CN="$name" - # create request + # Set to modify sign-req confirmation message do_build_full=1 + + # create request gen_req "$name" batch # Require --copy-ext export EASYRSA_CP_EXT=1 + # Must be reset for nested commmands + export EASYRSA_REQ_CN=ChangeMe + # Sign it error_build_full_cleanup=1 if sign_req "$crt_type" "$name"; then 
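Review bot: The `# Prohibit --req-cn` guard and the `export EASYRSA_REQ_CN="$file_name_base"` line added after the `ssl_batch` handling are repeated verbatim in the @@ -2074 hunk (sign_req) and, in its pre-existing form, in the @@ -2494 hunk (build_full), where the message text had to be edited by hand to read `Option conflict --req-cn:` like the other two. A small helper would give the rejection one definition and keep the three sites in step, e.g. `prohibit_req_cn "$cmd"`. The test `[ "$EASYRSA_REQ_CN" = ChangeMe ]` also treats an empty value as a conflict; if EASYRSA_REQ_CN can arrive unset or empty from the environment or a vars file (not visible here), the error would blame an option the user never passed, so confirm how the ChangeMe default is established before relying on it as the only accepted state. The enclosing function starts before and continues after the hunk.
```shell
# Reject a caller-supplied --req-cn for commands that derive the
# commonName from the file name. $1 is the command name for the message.
prohibit_req_cn() {
	[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
Option conflict --req-cn:
* '$1' does not support setting an external commonName"
}

# … unchanged: everything down to the hunk …
	# Prohibit --req-cn
	prohibit_req_cn "$cmd"

	# Enforce commonName
	export EASYRSA_REQ_CN="$file_name_base"
```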
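Review bot: The new comment `# Must be reset for nested commmands` in the @@ -2494 hunk has a typo and does not say why the reset is needed; the reason is only visible across hunks: gen_req now exports `EASYRSA_REQ_CN="$file_name_base"` (the @@ -1918 hunk) and sign_req, called right after, rejects any value other than the sentinel (the @@ -2074 hunk). Suggest `# Must be reset for nested commands: gen_req exports the file-name CN and sign_req rejects any value but ChangeMe`. Three functions now share a magic string as their "not set by the user" state, which is fragile; a one-line pointer to where ChangeMe is presumably set as the default would help the next maintainer. The enclosing function starts before and continues after the hunk.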
@@ -2942,19 +2952,13 @@ This certificate cannot be renewed due to inconsistent Subject." die "renew: display_dn" confirm_sn=" serial-number = $cert_serial" - # Get SAN from cert - # capture complete cert - crt_text="$( - easyrsa_openssl x509 -in "$crt_in" -noout -text - )" || die "renew: openssl: crt_text" - # Check cert for SAN - if echo "$crt_text" | \ - grep -s 'X509v3 Subject Alternative Name' + if easyrsa_openssl x509 -in "$crt_in" -noout -text | \ + grep -q '^[[:blank:]]*X509v3 Subject Alternative Name:' then # extract cert SAN crt_x509_san_full="$( - echo "$crt_text" | \ + easyrsa_openssl x509 -in "$crt_in" -noout -text | \ grep -A 1 'X509v3 Subject Alternative Name' )" || die "renew: crt_x509_san_full: grep -A 1"
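Review bot: The two grep calls in this hunk no longer agree: the new gate uses the anchored `'^[[:blank:]]*X509v3 Subject Alternative Name:'`, while the extraction that follows still uses the loose `grep -A 1 'X509v3 Subject Alternative Name'` (that line is hunk context), so the second pattern can match a different line than the one the gate tested. The extraction should use the same anchored pattern: `grep -A 1 '^[[:blank:]]*X509v3 Subject Alternative Name:'`. Note also that, with the single capture of crt_text removed, the status of the second `easyrsa_openssl x509 ... | \` run is hidden behind the pipe, and `|| die "renew: crt_x509_san_full: grep -A 1"` reports only grep's status unless pipefail is in effect elsewhere in the script (not visible here). The enclosing function (apparently renew) starts before and continues after the hunk.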