nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'v3.0.5' of https://github.com/OpenVPN/easy-rsa into v3.0.5

Browse Source 
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This commit is contained in:
Eric F Crist 2018-09-14 23:18:31 -05:00
commit 4152244bae
5 changed files with 63 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
easyrsa3/pki/* easyrsa3/pki/*
easyrsa3/vars easyrsa3/vars
dist-staging dist-staging
easyrsa3/safessl-easyrsa.cnf

1
.travis.yml
View File

@ -11,6 +11,7 @@ addons:
env: env:
- PATH=/usr/bin:/bin:./ - PATH=/usr/bin:/bin:./
script: script:
- which shellcheck
- bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa' - bash -c 'export SHELLCHECK_OPTS="-e SC2006"; shopt -s globstar; shellcheck **/*.sh easyrsa3/easyrsa'
- bash -c 'pwd' - bash -c 'pwd'
- bash -c 'ls -la' - bash -c 'ls -la'

3
build/build-dist.sh
View File

@ -78,6 +78,8 @@ stage_unix() {
cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc" cp -R "$SRC_ROOT/doc" "$DIST_ROOT/unix/$PV/" || die "failed to copy unix doc"
sed -i -e "s/~~~/$VERSION/" "$DIST_ROOT/unix/$PV/easyrsa"
# files not included # files not included
rm -rf "$DIST_ROOT/unix/$PV/doc/TODO" || die "failed rm TODO" rm -rf "$DIST_ROOT/unix/$PV/doc/TODO" || die "failed rm TODO"
} }
@ -92,6 +94,7 @@ stage_win() {
for f in $SRC_ROOT/doc/*.md; for f in $SRC_ROOT/doc/*.md;
do do
fname=$(basename "$f" .md) fname=$(basename "$f" .md)
sed -i -e "s/~~~/$VERSION/" "$SRC_ROOT/$f"
python -m markdown "$f" > "$DIST_ROOT/windows/$PV/doc/$fname.html" python -m markdown "$f" > "$DIST_ROOT/windows/$PV/doc/$fname.html"
done done

69
easyrsa3/easyrsa
View File

@ -2,7 +2,7 @@
# Easy-RSA 3 -- A Shell-based CA Utility # Easy-RSA 3 -- A Shell-based CA Utility
# #
# Copyright (C) 2013 by the Open-Source OpenVPN development community. # Copyright (C) 2018 by the Open-Source OpenVPN development community.
# A full list of contributors can be found in the ChangeLog. # A full list of contributors can be found in the ChangeLog.
# #
# This code released under version 2 of the GNU GPL; see COPYING and the # This code released under version 2 of the GNU GPL; see COPYING and the
@ -287,19 +287,46 @@ clean_temp() {
done done
} # => clean_temp() } # => clean_temp()
# Make LibreSSL safe config file from OpenSSL config file
make_ssl_config() {
sed -e "s,ENV::,,g" \
-e "s,\$dir,$EASYRSA_PKI,g" \
-e "s,\$EASYRSA_PKI,$EASYRSA_PKI,g" \
-e "s,\$EASYRSA_CERT_EXPIRE,$EASYRSA_CERT_EXPIRE,g" \
-e "s,\$EASYRSA_CRL_DAYS,$EASYRSA_CRL_DAYS,g" \
-e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
-e "s,\$EASYRSA_KEY_SIZE,$EASYRSA_KEY_SIZE,g" \
-e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \
-e "s,\$EASYRSA_DN,$EASYRSA_DN,g" \
-e "s,\$EASYRSA_REQ_COUNTRY,$EASYRSA_REQ_COUNTRY,g" \
-e "s,\$EASYRSA_REQ_PROVINCE,$EASYRSA_REQ_PROVINCE,g" \
-e "s,\$EASYRSA_REQ_CITY,$EASYRSA_REQ_CITY,g" \
-e "s,\$EASYRSA_REQ_ORG,$EASYRSA_REQ_ORG,g" \
-e "s,\$EASYRSA_REQ_OU,$EASYRSA_REQ_OU,g" \
-e "s,\$EASYRSA_REQ_CN,$EASYRSA_REQ_CN,g" \
-e "s,\$EASYRSA_REQ_EMAIL,$EASYRSA_REQ_EMAIL,g" \
"$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\
Failed to update $EASYRSA_SAFE_CONF"
} # => make_ssl_config()
vars_source_check() { vars_source_check() {
# Check for defined EASYRSA_PKI # Check for defined EASYRSA_PKI
[ -n "$EASYRSA_PKI" ] || die "\ [ -n "$EASYRSA_PKI" ] || die "\
EASYRSA_PKI env-var undefined" EASYRSA_PKI env-var undefined"
# make safessl-easyrsa.cnf
make_ssl_config
# Verify EASYRSA_OPENSSL command gives expected output # Verify EASYRSA_OPENSSL command gives expected output
if [ -z "$EASYRSA_SSL_OK" ]; then if [ -z "$EASYRSA_SSL_OK" ]; then
val="$("$EASYRSA_OPENSSL" version)" val="$("$EASYRSA_OPENSSL" version)"
case "${val%% *}" in case "${val%% *}" in
OpenSSL|LibreSSL) ;; OpenSSL|LibreSSL)
notice "\
Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;;
*) die "\ *) die "\
Missing or invalid OpenSSL Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL" Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
esac esac
fi fi
EASYRSA_SSL_OK=1 EASYRSA_SSL_OK=1
@ -500,11 +527,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \ "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
fi fi
# make safessl-easyrsa.cnf
make_ssl_config
# create the CA keypair: # create the CA keypair:
[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp" [ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
#shellcheck disable=SC2086 #shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \ "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \ -config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
die "Failed to build the CA" die "Failed to build the CA"
mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2= mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
@ -595,13 +626,16 @@ $EASYRSA_EXTRA_EXTS"
EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF" EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF"
fi fi
# make safessl-easyrsa.cnf
make_ssl_config
key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp"
req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
# generate request # generate request
[ $EASYRSA_BATCH ] && opts="$opts -batch" [ $EASYRSA_BATCH ] && opts="$opts -batch"
# shellcheck disable=SC2086 # shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ -config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
|| die "Failed to generate request" || die "Failed to generate request"
mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2= mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3= mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3=
@ -711,10 +745,13 @@ $(display_dn req "$req_in")
Failed to create temp extension file (bad permissions?) at: Failed to create temp extension file (bad permissions?) at:
$EASYRSA_TEMP_EXT" $EASYRSA_TEMP_EXT"
# make safessl-easyrsa.cnf
make_ssl_config
# sign request # sign request
# shellcheck disable=SC2086 # shellcheck disable=SC2086
crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SAFE_CONF" \
-extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \ -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
|| die "signing failed (openssl output above may have more detail)" || die "signing failed (openssl output above may have more detail)"
mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
@ -794,7 +831,10 @@ $(display_dn x509 "$crt_in")
Unable to revoke as no certificate was found. Certificate was expected Unable to revoke as no certificate was found. Certificate was expected
at: $crt_in" at: $crt_in"
"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\ # make safessl-easyrsa.cnf
make_ssl_config
"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CONF" || die "\
Failed to revoke certificate: revocation command failed." Failed to revoke certificate: revocation command failed."
notice "\ notice "\
@ -810,9 +850,12 @@ infrastructure in order to prevent the revoked cert from being accepted.
gen_crl() { gen_crl() {
verify_ca_init verify_ca_init
# make safessl-easyrsa.cnf
make_ssl_config
out_file="$EASYRSA_PKI/crl.pem" out_file="$EASYRSA_PKI/crl.pem"
out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp" out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\ "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
CRL Generation failed. CRL Generation failed.
" "
mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2= mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
@ -969,7 +1012,7 @@ $file"
If the key is currently encrypted you must supply the decryption passphrase. If the key is currently encrypted you must supply the decryption passphrase.
${crypto:+You will then enter a new PEM passphrase for this key.$NL}" ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
"$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" "$crypto" || die "\ "$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$file" $crypto || die "\
Failed to change the private key passphrase. See above for possible openssl Failed to change the private key passphrase. See above for possible openssl
error messages." error messages."
@ -1126,10 +1169,10 @@ Note: using Easy-RSA configuration from: $vars"
set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_CURVE secp384r1
set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams" set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams"
set_var EASYRSA_CA_EXPIRE 3650 set_var EASYRSA_CA_EXPIRE 3650
set_var EASYRSA_CERT_EXPIRE 3650 set_var EASYRSA_CERT_EXPIRE 1080 # new default of 36 months
set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_CRL_DAYS 180
set_var EASYRSA_NS_SUPPORT no set_var EASYRSA_NS_SUPPORT no
set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" set_var EASYRSA_NS_COMMENT "Easy-RSA (~~~) Generated Certificate"
set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp" set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp"
set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp"
set_var EASYRSA_TEMP_FILE_2 "" set_var EASYRSA_TEMP_FILE_2 ""
@ -1140,7 +1183,9 @@ Note: using Easy-RSA configuration from: $vars"
# Detect openssl config, preferring EASYRSA_PKI over EASYRSA # Detect openssl config, preferring EASYRSA_PKI over EASYRSA
if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then
set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf"
fi fi
# Same as above for the x509-types extensions dir # Same as above for the x509-types extensions dir
@ -1159,7 +1204,7 @@ Note: using Easy-RSA configuration from: $vars"
fi fi
# Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32) # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
export OPENSSL_CONF="$EASYRSA_SSL_CONF" export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
} # vars_setup() } # vars_setup()
# variable assignment by indirection when undefined; merely exports # variable assignment by indirection when undefined; merely exports

2
easyrsa3/openssl-easyrsa.cnf
View File

@ -1,4 +1,4 @@
# For use with Easy-RSA 3.0 and OpenSSL 1.0.* # For use with Easy-RSA 3.1 and OpenSSL or LibreSSL
RANDFILE = $ENV::EASYRSA_PKI/.rnd RANDFILE = $ENV::EASYRSA_PKI/.rnd