nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

This breaks stuff (probably)

Browse Source 
Attempts at making shellcheck happy and a little bit of sanity checking
for travis-ci.  Going to try and get some basic easyrsa commands going
next, once I figure out what travis-ci's environment looks like.

Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This commit is contained in:
Eric F Crist 2018-01-03 18:54:23 -06:00
parent 8fbc4eee53
commit 09e2c3b5c3
2 changed files with 32 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.travis.yml
View File

@ -11,3 +11,5 @@ addons:
script: script:
- bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa' - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa'
- bash -c 'pwd'
- bash -c 'ls -la'

48
easyrsa3/easyrsa
View File

@ -229,19 +229,19 @@ die() {
Easy-RSA error: Easy-RSA error:
$1" 1>&2 $1" 1>&2
exit ${2:-1} exit "${2:-1}"
} # => die() } # => die()
# non-fatal warning output # non-fatal warning output
warn() { warn() {
[ ! $EASYRSA_BATCH ] && \ [ ! "$EASYRSA_BATCH" ] && \
print " print "
$1" 1>&2 $1" 1>&2
} # => warn() } # => warn()
# informational notices to stdout # informational notices to stdout
notice() { notice() {
[ ! $EASYRSA_BATCH ] && \ [ ! "$EASYRSA_BATCH" ] && \
print " print "
$1" $1"
} # => notice() } # => notice()
@ -250,6 +250,7 @@ $1"
# Returns 0 when input contains yes, 1 for no, 2 for no match # Returns 0 when input contains yes, 1 for no, 2 for no match
# If both strings are present, returns 1; first matching line returns. # If both strings are present, returns 1; first matching line returns.
awk_yesno() { awk_yesno() {
#shellcheck disable=SC2016
awkscript=' awkscript='
BEGIN {IGNORECASE=1; r=2} BEGIN {IGNORECASE=1; r=2}
{ if(match($0,"no")) {r=1; exit} { if(match($0,"no")) {r=1; exit}
@ -261,7 +262,7 @@ BEGIN {IGNORECASE=1; r=2}
# intent confirmation helper func # intent confirmation helper func
# returns without prompting in EASYRSA_BATCH # returns without prompting in EASYRSA_BATCH
confirm() { confirm() {
[ $EASYRSA_BATCH ] && return [ "$EASYRSA_BATCH" ] && return
prompt="$1" prompt="$1"
value="$2" value="$2"
msg="$3" msg="$3"
@ -271,6 +272,7 @@ $msg
Type the word '$value' to continue, or any other input to abort." Type the word '$value' to continue, or any other input to abort."
printf %s " $prompt" printf %s " $prompt"
#shellcheck disable=SC2162
read input read input
[ "$input" = "$value" ] && return [ "$input" = "$value" ] && return
notice "Aborting without confirmation." notice "Aborting without confirmation."
@ -458,12 +460,14 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
print "01" > "$EASYRSA_PKI/serial" || die "$err_file" print "01" > "$EASYRSA_PKI/serial" || die "$err_file"
# Default CN only when not in global EASYRSA_BATCH mode: # Default CN only when not in global EASYRSA_BATCH mode:
[ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" # shellcheck disable=SC2015
[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp" out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp" out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
# create the CA keypair: # create the CA keypair:
"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ #shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \ -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \
die "Failed to build the CA" die "Failed to build the CA"
mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2= mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
@ -490,7 +494,7 @@ gen_dh() {
verify_pki_init verify_pki_init
out_file="$EASYRSA_PKI/dh.pem" out_file="$EASYRSA_PKI/dh.pem"
"$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE || \ "$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
die "Failed to build DH params" die "Failed to build DH params"
notice "\ notice "\
DH parameters of size $EASYRSA_KEY_SIZE created at $out_file DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
@ -506,7 +510,7 @@ Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands." Run easyrsa without commands for usage and commands."
key_out="$EASYRSA_PKI/private/$1.key" key_out="$EASYRSA_PKI/private/$1.key"
req_out="$EASYRSA_PKI/reqs/$1.req" req_out="$EASYRSA_PKI/reqs/$1.req"
[ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1" [ ! "$EASYRSA_BATCH" ] && EASYRSA_REQ_CN="$1"
shift shift
# function opts support # function opts support
@ -539,6 +543,7 @@ Continuing with key generation will replace this key."
req_extensions = req_extra req_extensions = req_extra
[ req_extra ] [ req_extra ]
$EASYRSA_EXTRA_EXTS" $EASYRSA_EXTRA_EXTS"
#shellcheck disable=SC2016
awkscript=' awkscript='
{if ( match($0, "^#%EXTRA_EXTS%") ) {if ( match($0, "^#%EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
@ -556,7 +561,8 @@ $EASYRSA_EXTRA_EXTS"
req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
# generate request # generate request
[ $EASYRSA_BATCH ] && opts="$opts -batch" [ $EASYRSA_BATCH ] && opts="$opts -batch"
"$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ # shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ -config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
|| die "Failed to generate request" || die "Failed to generate request"
mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2= mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
@ -633,7 +639,7 @@ $(display_dn req "$req_in")
cat "$EASYRSA_EXT_DIR/COMMON" cat "$EASYRSA_EXT_DIR/COMMON"
cat "$EASYRSA_EXT_DIR/$crt_type" cat "$EASYRSA_EXT_DIR/$crt_type"
# copy req extensions # copy req extensions
[ $EASYRSA_CP_EXT ] && print "copy_extensions = copy" [ "$EASYRSA_CP_EXT" ] && print "copy_extensions = copy"
# Support a dynamic CA path length when present: # Support a dynamic CA path length when present:
[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \ [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
@ -655,7 +661,7 @@ $(display_dn req "$req_in")
if [ "$crt_type" = 'server' ]; then if [ "$crt_type" = 'server' ]; then
echo "$EASYRSA_EXTRA_EXTS" | echo "$EASYRSA_EXTRA_EXTS" |
grep -q subjectAltName || grep -q subjectAltName ||
default_server_san $req_in default_server_san "$req_in"
fi fi
# Add any advanced extensions supplied by env-var: # Add any advanced extensions supplied by env-var:
@ -667,9 +673,10 @@ Failed to create temp extension file (bad permissions?) at:
$EASYRSA_TEMP_EXT" $EASYRSA_TEMP_EXT"
# sign request # sign request
# shellcheck disable=SC2086
crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \
-extfile "$EASYRSA_TEMP_EXT" -days $EASYRSA_CERT_EXPIRE -batch $opts \ -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
|| die "signing failed (openssl output above may have more detail)" || die "signing failed (openssl output above may have more detail)"
mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
notice "\ notice "\
@ -714,6 +721,7 @@ Matching file found at: "
# create request # create request
EASYRSA_REQ_CN="$name" EASYRSA_REQ_CN="$name"
#shellcheck disable=SC2086
gen_req "$name" batch $req_opts gen_req "$name" batch $req_opts
# Sign it # Sign it
@ -866,7 +874,7 @@ Missing key expected at: $key_in"
# export the p12: # export the p12:
"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \ "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
-out "$pkcs_out" $pkcs_opts || die "\ -out "$pkcs_out" "$pkcs_opts" || die "\
Export of p12 failed: see above for related openssl errors." Export of p12 failed: see above for related openssl errors."
;; ;;
p7) p7)
@ -874,7 +882,7 @@ Export of p12 failed: see above for related openssl errors."
# export the p7: # export the p7:
"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \ "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
-out "$pkcs_out" $pkcs_opts || die "\ -out "$pkcs_out" "$pkcs_opts" || die "\
Export of p7 failed: see above for related openssl errors." Export of p7 failed: see above for related openssl errors."
;; ;;
esac esac
@ -920,7 +928,7 @@ $file"
If the key is currently encrypted you must supply the decryption passphrase. If the key is currently encrypted you must supply the decryption passphrase.
${crypto:+You will then enter a new PEM passphrase for this key.$NL}" ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
"$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\ "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\
Failed to change the private key passphrase. See above for possible openssl Failed to change the private key passphrase. See above for possible openssl
error messages." error messages."
@ -940,7 +948,7 @@ Failed to perform update-db: see above for related openssl errors."
# display cert DN info on a req/X509, passed by full pathname # display cert DN info on a req/X509, passed by full pathname
display_dn() { display_dn() {
format="$1" path="$2" format="$1" path="$2"
print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)" print "$("$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject -nameopt multiline)"
} # => display_dn() } # => display_dn()
# generate default SAN from req/X509, passed by full pathname # generate default SAN from req/X509, passed by full pathname
@ -951,6 +959,7 @@ default_server_san() {
awk -F'=' '/^ *CN=/{print $2}' awk -F'=' '/^ *CN=/{print $2}'
) )
echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$' echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
#shellcheck disable=SC2181
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
print "subjectAltName = IP:$cn" print "subjectAltName = IP:$cn"
else else
@ -962,7 +971,7 @@ default_server_san() {
verify_file() { verify_file() {
format="$1" format="$1"
path="$2" path="$2"
"$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1 "$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null || return 1
return 0 return 0
} # => verify_file() } # => verify_file()
@ -1052,7 +1061,10 @@ vars_setup() {
# If a vars file was located, source it # If a vars file was located, source it
# If $EASYRSA_NO_VARS is defined (not blank) this is skipped # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
EASYRSA_CALLER=1 . "$vars" #shellcheck disable=SC2034
EASYRSA_CALLER=1
# shellcheck source=easyrsa3/vars.example
. "$vars"
notice "\ notice "\
Note: using Easy-RSA configuration from: $vars" Note: using Easy-RSA configuration from: $vars"
fi fi