From 15429df9fdd5c63c6e33dba141ff2e9a77ed0855 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 10 Jun 2022 21:36:14 +0100
Subject: [PATCH] Minor improvements: Debugging and sign_req()

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 15a550c..2347add 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -663,23 +663,29 @@ make_safe_ssl_copy() {
 # Escape hazardous characters
 escape_hazard() {
 	# escape '&' and '$' and write free form fields to org temp-file
-	print "\
+	( # subshell for local debug
+	# debug log on
+	if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi
+	print "\
 export EASYRSA_REQ_COUNTRY=\"$EASYRSA_REQ_COUNTRY\"
 export EASYRSA_REQ_PROVINCE=\"$EASYRSA_REQ_PROVINCE\"
 export EASYRSA_REQ_CITY=\"$EASYRSA_REQ_CITY\"
 export EASYRSA_REQ_ORG=\"$EASYRSA_REQ_ORG\"
 export EASYRSA_REQ_OU=\"$EASYRSA_REQ_OU\"
 export EASYRSA_REQ_EMAIL=\"$EASYRSA_REQ_EMAIL\"
-" | sed -e s\`'&'\`'\\\&'\`g \
+" | sed -e s\`'&'\`'\\\&'\`g \
 	-e s\`'\$'\`'\\\$'\`g > "$easyrsa_openssl_conf_org" || \
 	die "Failed to write 'easyrsa_openssl_conf_org' temp file"
+	# debug log off
+	if [ "$EASYRSA_DEBUG" ]; then set +x; print ">> DEBUG-OFF <<"; fi
+	) # Close subshell
 
 	# Reload fields from fully escaped org temp-file
 	# shellcheck disable=SC1090 # can't follow non-constant source.
 	. "$easyrsa_openssl_conf_org" || die "escape_hazard - Failed to source 'org'"
 
 	# Clean up
-	[ ! -e "$easyrsa_openssl_conf_org" ] || rm -rf "$easyrsa_openssl_conf_org"
+	rm -f "$easyrsa_openssl_conf_org"
 } # => escape_hazard()
 
 # Easy-RSA meta-wrapper for SSL
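Review bot: The marker in escape_hazard is written with `print "<< DEBUG-ON >>"` while the same markers added to easyrsa_openssl and install_data_to_pki in this patch use `echo`; a single helper pair such as `debug_on`/`debug_off` that emits the marker and runs `set -x`/`set +x` would keep the wording, the output stream and the on/off ordering identical in all three places. Running the traced block in a subshell is the right choice here, since `set -x` cannot leak past `) # Close subshell` into the caller. Worth a comment on the subshell line: with tracing on, the traced `print "export EASYRSA_REQ_..."` command writes every request field value to stderr verbatim, so the debug output contains whatever the user put in those fields.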
@@ -760,24 +766,24 @@ easyrsa_openssl() {
 			fi
 		else
 			# debug log on
-			if [ "$EASYRSA_DEBUG" ]; then set -x; fi
+			[ "$EASYRSA_DEBUG" ] && echo "<< DEBUG-ON >>" && set -x
 
 			# Exec SSL with -config temp-file
 			"$EASYRSA_OPENSSL" "$openssl_command" \
 				-config "$easyrsa_openssl_conf" "$@" || return
 
 			# debug log off
-			if [ "$EASYRSA_DEBUG" ]; then set +x; fi
+			[ "$EASYRSA_DEBUG" ] && set +x && echo ">> DEBUG-OFF <<"
 		fi
 	else
 		# debug log on
-		if [ "$EASYRSA_DEBUG" ]; then set -x; fi
+		[ "$EASYRSA_DEBUG" ] && echo "<< DEBUG-ON >>" && set -x
 
 		# Exec SSL without -config temp-file
 		"$EASYRSA_OPENSSL" "$openssl_command" "$@" || return
 
 		# debug log off
-		if [ "$EASYRSA_DEBUG" ]; then set +x; fi
+		[ "$EASYRSA_DEBUG" ] && set +x && echo ">> DEBUG-OFF <<"
 	fi
 } # => easyrsa_openssl()
 
@@ -981,6 +987,9 @@ install_data_to_pki () {
 #
 # Copying 'vars' to the PKI is complicated, code is included but DISABLED.
 
+	# debug log on
+	[ "$EASYRSA_DEBUG" ] && echo "<< DEBUG-ON >>" && set -x
+
 	context="$1"
 	shift
 
@@ -1614,10 +1623,12 @@ Matching file found at:
 	gen_req "$name" batch ${nopass+ nopass}
 
 	# Sign it
-	( sign_req "$crt_type" "$name" batch ) || {
+	if sign_req "$crt_type" "$name" batch; then
+		: # ok
+	else
 		rm -f "$req_out" "$key_out"
 		die "Failed to sign '$name' - See error messages above for details."
-	}
+	fi
 
 	# inline it
 	if [ "$EASYRSA_INLINE" ]; then
@@ -1989,8 +2000,8 @@ Renewal has failed to build a new certificate/key pair."
 	# Success messages
 	notice "
 * IMPORTANT *
-Renew was successful. To revoke the old certificate, once the new one
-has been deployed, use 'revoke-renewed $file_name_base'"
+Renew was successful. To revoke the old certificate, once the new one has
+been deployed, use 'revoke-renewed $file_name_base reason' ('reason' is optional)"
 
 	return 0
 } # => renew()
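Review bot: The new `[ "$EASYRSA_DEBUG" ] && set +x && echo ">> DEBUG-OFF <<"` is the last command executed on both branches before the closing `fi` and `}`, so when EASYRSA_DEBUG is unset or empty the test fails and easyrsa_openssl now returns 1 even though the openssl call succeeded, whereas the replaced `if [ "$EASYRSA_DEBUG" ]; then set +x; fi` returned 0 in that case. Any caller that checks the function's status (`easyrsa_openssl ... || die`) would then fail in the normal non-debug mode. Keep the `if` form for both DEBUG-OFF lines, `if [ "$EASYRSA_DEBUG" ]; then set +x; echo ">> DEBUG-OFF <<"; fi`; the DEBUG-ON lines are followed by other commands and are harmless. Separately, while tracing is on the `"$@"` arguments are echoed to stderr verbatim, so if any caller passes passphrase material through them it lands in the debug log; that is pre-existing, but the new markers make the trace more likely to be captured and shared. easyrsa_openssl starts outside the hunk.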
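Review bot: Tracing is switched on at the top of install_data_to_pki, but no matching `set +x` appears in the hunk and, unlike escape_hazard in this same patch, the function is not run in a subshell; unless the remainder of the function turns it off on every return path, `set -x` stays active in the calling shell for everything that runs after install_data_to_pki returns. Either add `if [ "$EASYRSA_DEBUG" ]; then set +x; fi` before each exit from the function, or wrap the traced section in `( ... )` as escape_hazard does. The body of install_data_to_pki continues past the end of the hunk, so the off-switch may exist further down; a comment next to the new line saying where tracing is disabled would settle it.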
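Review bot: Dropping the `( ... )` around `sign_req` changes the failure path: in the old code a `die` inside sign_req only terminated the subshell, so the `rm -f "$req_out" "$key_out"` cleanup and the summary message still ran, but in the new `if sign_req ...; then` form a `die` inside sign_req exits the whole script before the cleanup and leaves the freshly generated key and request on disk. The hunk does not show sign_req's body, so this depends on whether it uses die like the rest of the script; if keeping the files on failure is intended, say so in a comment, otherwise keep the subshell. Negating the test also removes the empty `: # ok` branch, `if ! ( sign_req "$crt_type" "$name" batch ); then`. The enclosing function starts and ends outside the hunk.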
@@ -4214,7 +4225,8 @@ Version: $EASYRSA_version
 Generated: ~DATE~
 SSL Lib: $ssl_version
 Git Commit: ~GITHEAD~
-Source Repo: https://github.com/OpenVPN/easy-rsa
+Source Repo: https://github.com/OpenVPN/easy-rsa${EASYRSA_DEBUG+
+* debug enabled}
 VERSION_TEXT
 } # => print_version ()
 
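Review bot: `${EASYRSA_DEBUG+...}` tests whether the variable is set, not whether it is non-empty, while every debug toggle added elsewhere in this patch uses `[ "$EASYRSA_DEBUG" ]`, so `EASYRSA_DEBUG=""` would print `* debug enabled` in the version banner while tracing stays off. Use the colon form, `${EASYRSA_DEBUG:+...}`, to match the other checks. Splitting the expansion across two heredoc lines is also hard to read; building the text in a variable before the heredoc (e.g. one named `debug_note`, constructed here) and interpolating it as a plain `$debug_note` line would be clearer.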