From bce4dadc43a51a2f5cb6b2f3ab3c07abe9e10db8 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 3 Apr 2022 00:10:09 +0100
Subject: [PATCH 1/2] Use x509-types 'ca' and COMMON when building a CA

To sign a request, easyrsa uses 'openssl ca', which does support -extfile. To create a CA, easyrsa uses 'openssl req', which does not support -extfile. Therefore, the x509-types 'ca' and COMMON files cannot be specified using -extfile to create a CA. Instead, they must be included within the SSL config file, which 'openssl req' does support. Using the same awk script from gen_req(), with New Token '#%X509_TYPES%', the x509-types files 'ca' and COMMON are inserted into the SSL config file.

Closes: #525
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 15 +++++++++++++++
 easyrsa3/openssl-easyrsa.cnf | 3 +++
 2 files changed, 18 insertions(+)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 523cb31..21112db 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -828,6 +828,21 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 fi
 fi
+ # Insert x509-types COMMON and 'ca'
+ #shellcheck disable=SC2016
+ awkscript='
+{if ( match($0, "^#%X509_TYPES%") )
+ { while ( getline<"/dev/stdin" ) {print} next }
+ {print}
+}'
+ conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
+ cat "${EASYRSA_EXT_DIR}/ca" "${EASYRSA_EXT_DIR}/COMMON" | \
+ awk "$awkscript" "$EASYRSA_SSL_CONF" \
+ > "$conf_tmp" \
+ || die "Copying SSL config to temp file failed"
+ # Use this new SSL config for the rest of this function
+ EASYRSA_SSL_CONF="$conf_tmp"
+
 # Choose SSL Library version (1 or 3) and build CA
 case "$osslv_major" in
 # => BEGIN SSL lib version
diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf
index cef658d..bee05b1 100644
--- a/easyrsa3/openssl-easyrsa.cnf
+++ b/easyrsa3/openssl-easyrsa.cnf
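Review bot: A missing or unreadable `${EASYRSA_EXT_DIR}/ca` or `${EASYRSA_EXT_DIR}/COMMON` is not caught by the `|| die` on the new pipeline, because that status is awk's alone; awk then writes a config with nothing inserted at the marker and the CA is built without the extension directives the comment says are being inserted. Guard the inputs before the pipeline, e.g. `[ -r "$EASYRSA_EXT_DIR/ca" ] && [ -r "$EASYRSA_EXT_DIR/COMMON" ] || die "x509-types 'ca' or 'COMMON' not readable in $EASYRSA_EXT_DIR"`. The same silent drop happens when `$EASYRSA_SSL_CONF` is a user-supplied config that has no `#%X509_TYPES%` line, so a `grep -q '^#%X509_TYPES%' "$EASYRSA_SSL_CONF" || die "SSL config lacks the #%X509_TYPES% marker"` check ahead of the awk is worth adding; the commit says gen_req() uses the same script, so it presumably has the same gap. build_ca() starts and ends outside this hunk.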
@@ -128,6 +128,9 @@ keyUsage = cRLSign, keyCertSign
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
+# A placeholder to handle the $X509_TYPES:
+#%X509_TYPES% # Do NOT remove or change this line as $X509_TYPES demands it
+
 # CRL extensions.
 [ crl_ext ]

From 6f138abb5b091fe7715fa7c8c6369d7704b6f177 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 3 Apr 2022 03:13:39 +0100
Subject: [PATCH 2/2] Allow build_ca() to accept OpenSSL '-addext' as raw data

Set env:var: EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g" The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command. Creating a CA does not allow for an arbitrary extensions file, therefore extensions must be added via the config file (#526) or via SSL Library option '-addext' (Can be specified to SSL multiple times). Option '-addext' is allowed to be specified multiple times to SSL, therefore, this string must be syntactically correct for SSL not EasyRSA. Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().

Closes: #54
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 21112db..e51f8eb 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
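Review bot: The placeholder is inserted into the extension section that already sets `keyUsage = cRLSign, keyCertSign` (the hunk's context), so if the x509-types `ca` or `COMMON` file spliced in at this point repeats a key this section already defines, the section ends up with duplicate directives; how OpenSSL handles a repeated extension key in one section differs between versions, so the two sources should be reconciled or the comment should state that the inserted files must not repeat keys from this section. The comment also refers to `$X509_TYPES`, which is not a variable anywhere in the script side of this series; the token the awk script in build_ca() looks for is the literal `#%X509_TYPES%` at the start of a line, and the placeholder line itself is dropped on insertion. Reword to match, e.g. `# Do NOT remove or change this line: easyrsa replaces it with the x509-types files when building a CA`.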
@@ -843,6 +843,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # Use this new SSL config for the rest of this function
 EASYRSA_SSL_CONF="$conf_tmp"
+ # When EASYRSA_EXTRA_EXTS is defined, pass it as-is to SSL -addext
+ if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
+ # example: "-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
+ [ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ] || \
+ die "EASYRSA_EXTRA_EXTS: $EASYRSA_EXTRA_EXTS"
+ EASYRSA_CA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS"
+ unset -v EASYRSA_EXTRA_EXTS
+ fi
+
 # Choose SSL Library version (1 or 3) and build CA
 case "$osslv_major" in
 # => BEGIN SSL lib version
@@ -903,6 +912,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -out "$out_file_tmp" ${opts} ${crypto_opts} \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
 die "Failed to build the CA"
 ;;
@@ -963,6 +973,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 #shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 || die "Failed to build the CA"
 ;;
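Review bot: The `${EASYRSA_EXTRA_EXTS%% *}` test validates only the first word, yet the whole string is later expanded unquoted as `${EASYRSA_CA_EXTRA_EXTS}` in both `easyrsa_openssl req` calls (hunks at +912 and +973), so everything after the first `-addext` reaches the OpenSSL command line unchecked, including unrelated `req` options that would presumably override the `-out`/`-keyout` temp paths given earlier on the same line. The same word-splitting means an extension value containing whitespace, such as the commit's own example `-addext baz e:f,g`, is passed as separate arguments rather than as one `-addext` value. Validating the split words pairwise, requiring each option word to be `-addext` and each value to be non-empty and not option-like, closes both gaps and lets the `die` message say what was expected instead of echoing the input. `-addext` is an OpenSSL 1.1.1+ option, so if the version-1 branch of the `case "$osslv_major"` below can still run against an older 1.x build the option will be rejected there; a comment or version check is warranted. build_ca() starts and ends outside these hunks.
```shell
	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
		# Accept only '-addext <value>' pairs.  The string is expanded
		# unquoted on the openssl command line, so values cannot contain
		# whitespace and must not look like further options.
		expect_opt=1
		# shellcheck disable=SC2086
		for word in $EASYRSA_EXTRA_EXTS; do
			if [ "$expect_opt" = 1 ]; then
				[ "$word" = '-addext' ] || \
					die "EASYRSA_EXTRA_EXTS: expected '-addext', got '$word'"
				expect_opt=0
			else
				case "$word" in
				-*) die "EASYRSA_EXTRA_EXTS: extension value must not start with '-': $word" ;;
				esac
				expect_opt=1
			fi
		done
		[ "$expect_opt" = 1 ] || die "EASYRSA_EXTRA_EXTS: missing value after '-addext'"
		# … unchanged: EASYRSA_CA_EXTRA_EXTS assignment and unset …
	fi
```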