diff --git a/ChangeLog b/ChangeLog index 7494ca3..6af8cf7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ Easy-RSA 3 ChangeLog 3.1.6 (2023-10-13) + * New commands: 'inline' and 'x509-eku' (#993) + inline: Build an inline file for a commonName + x509-eku: Extract X509v3 extended key usage from a certificate * Expose serial-check, display-dn, display-san and default-san to command line. (#980) (Debugging functions, which remain undocumented) * Expand default status to include vars-file and CA status (#973) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 36d173f..4f57a8e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -33,6 +33,7 @@ A list of commands is shown below: build-client-full [ cmd-opts ] build-server-full [ cmd-opts ] build-serverClient-full [ cmd-opts ] + inline revoke [ cmd-opts ] renew revoke-renewed [ cmd-opts ] @@ -182,6 +183,15 @@ cmd_help() { * nopass - Do not encrypt the private key (Default: encrypted) (Equivalent to global option '--nopass|--no-pass')" ;; + inline) + text=" +* inline + + Print inline data for , with key and CA. + + * NOTE: To create an inline-file the output must be redirected. + If the output is incomplete then an error is retruned." + ;; revoke) text=" * revoke [reason] @@ -1325,7 +1335,7 @@ and initialize a fresh PKI here." fi # new dirs: - for i in private reqs; do + for i in private reqs inline; do mkdir -p "$EASYRSA_PKI/$i" || \ die "\ Failed to create PKI file structure (permissions?)" @@ -1646,7 +1656,7 @@ current CA. To start a new CA, run init-pki first." # create necessary dirs: err_msg="\ Unable to create necessary PKI files (permissions?)" - for i in issued inline certs_by_serial \ + for i in issued certs_by_serial \ revoked/certs_by_serial revoked/private_by_serial \ revoked/reqs_by_serial do @@ -2589,27 +2599,81 @@ Inline file created: * $inline_out" else warn "\ -Failed to write inline file: +INCOMPLETE Inline file created: * $inline_out" fi return 0 } # => build_full() -# Create inline credentials file for this node -inline_creds () -{ - [ "$1" ] || die "inline_creds - Name missing" - printf "%s\n\n" "# $crt_type: $1" - printf "%s\n" "" - cat "$crt_out" - printf "%s\n\n" "" - printf "%s\n" "" - [ -e "$key_out" ] && cat "$key_out" - printf "%s\n\n" "" - printf "%s\n" "" - cat "$EASYRSA_PKI/ca.crt" - printf "%s\n\n" "" +# Print inline data for file_name_base +inline_creds () { + [ "$1" ] || die "inline_creds - Missing file_name_base" + + # Source files + crt_source="${EASYRSA_PKI}/issued/${1}.crt" + key_source="${EASYRSA_PKI}/private/${1}.key" + ca_source="$EASYRSA_PKI/ca.crt" + incomplete=0 + + # Generate data + if [ -e "$crt_source" ]; then + # Get EasyRSA cert type + ssl_cert_x509v3_eku "$crt_source" type_data + + crt_data="\ + +$(cat "$crt_source") +" + else + # Set EasyRSA cert type to 'undefined' + type_data=undefined + incomplete=1 + crt_data="\ + +* Paste your user certificate here * +" + fi + + if [ -e "$key_source" ]; then + key_data="\ + +$(cat "$key_source") +" + else + incomplete=1 + key_data="\ + +* Paste your private key here * +" + fi + + if [ -e "$ca_source" ]; then + ca_data="\ + +$(cat "$ca_source") +" + else + incomplete=1 + ca_data="\ + +* Paste your CA certificate here * +" + fi + + # Print data + print "\ +# Easy-RSA Type: ${type_data} +# Name: ${1} + +$crt_data + +$key_data + +$ca_data +" + # If inline file is incomplete then return error + return "$incomplete" } # => inline_creds () # revoke backend @@ -2907,23 +2971,7 @@ Cannot renew this certificate, a conflicting file exists: die "Failed to create inline directoy." # Extract certificate usage from old cert - cert_ext_key_usage="$( - easyrsa_openssl x509 -in "$crt_in" -noout -text | - sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}" - )" - - case "$cert_ext_key_usage" in - "TLS Web Client Authentication") - cert_type=client - ;; - "TLS Web Server Authentication") - cert_type=server - ;; - "TLS Web Server Auth"*", TLS Web Client Auth"*) - cert_type=serverClient - ;; - *) die "Unknown key usage: $cert_ext_key_usage" - esac + ssl_cert_x509v3_eku "$crt_in" cert_type # Use SAN from --san if set else use SAN from old cert if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName @@ -2992,7 +3040,7 @@ Inline file created: * $inline_in" else warn "\ -Failed to write inline file: +INCOMPLETE Inline file created: * $inline_in" fi @@ -4352,6 +4400,57 @@ Showing details for CA certificate, at: die "OpenSSL failure to process the input" } # => show_ca() +# Certificate X509v3 Extended Key Usage +ssl_cert_x509v3_eku() { + [ "$1" ] || die "ssl_cert_x509v3_eku - Missing input" + + # check input file name + if [ -e "$1" ]; then + __crt="$1" + else + __crt="${EASYRSA_PKI}/issued/${1}.crt" + [ -e "$__crt" ] || \ + die "ssl_cert_x509v3_eku - Missing cert '$__crt'" + fi + + # Set output variable + __var="$2" + shift "$#" + + # required variables + __pattern="X509v3 Extended Key Usage:" + __cli="TLS Web Client Authentication" + __srv="TLS Web Server Authentication" + __srv_cli="${__srv}, ${__cli}" + + # Extract certificate usage from old cert + __eku="$( + easyrsa_openssl x509 -in "${__crt}" -noout -text | \ + sed -n "/${__pattern}/{n;s/^ *//g;p;}" + )" + + case "$__eku" in + "$__cli") + __type=client + ;; + "$__srv") + __type=server + ;; + "$__srv_cli") + __type=serverClient + ;; + *) die "Unknown key usage: $__eku" + esac + + # Set variable to return + if [ "$__var" ]; then + force_set_var "$__var" "$__type" + else + information "${NL}* EasyRSA Certificate type: $__type" + fi + unset -v __crt __var __pattern __eku __type +} # => ssl_cert_x509v3_eku() + # get the serial number of the certificate -> serial=XXXX ssl_cert_serial() { [ "$#" = 2 ] || die "ssl_cert_serial - input error" @@ -7105,7 +7204,7 @@ case "$cmd" in require_pki=1 case "$cmd" in gen-req|gen-dh|build-ca|show-req| \ - make-safe-ssl|export-p*) + make-safe-ssl|export-p*|inline) unset -v require_ca ;; *) @@ -7198,6 +7297,11 @@ case "$cmd" in verify_working_env import_req "$@" ;; + inline) + verify_working_env + inline_creds "$@" || \ + easyrsa_exit_with_error=1 + ;; export-p12) verify_working_env export_pkcs p12 "$@" @@ -7296,6 +7400,10 @@ case "$cmd" in verify_working_env default_server_san "$@" ;; + x509-eku) + verify_working_env + ssl_cert_x509v3_eku "$@" + ;; upgrade) verify_working_env up23_manage_upgrade_23 "$@"