Merge branch 'TinCanTech-inline-v2'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-08-05 16:55:29 +01:00 · 2023-08-05 16:55:29 +01:00 · 41d4b4bed2
commit 41d4b4bed2
parent 7332ae01d9 87ac22dcf8
2 changed files with 147 additions and 36 deletions
--- a/3
+++ b/3
@ -1,6 +1,9 @@
 Easy-RSA 3 ChangeLog
 3.1.6 (2023-10-13)
   * New commands: 'inline' and 'x509-eku' (#993)
     inline: Build an inline file for a commonName
     x509-eku: Extract X509v3 extended key usage from a certificate
   * Expose serial-check, display-dn, display-san and default-san to
     command line. (#980) (Debugging functions, which remain undocumented)
   * Expand default status to include vars-file and CA status (#973)
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -33,6 +33,7 @@ A list of commands is shown below:
  build-client-full <file_name_base> [ cmd-opts ]
  build-server-full <file_name_base> [ cmd-opts ]
  build-serverClient-full <file_name_base> [ cmd-opts ]
  inline <file_name_base>
  revoke <file_name_base> [ cmd-opts ]
  renew <file_name_base>
  revoke-renewed <file_name_base> [ cmd-opts ]
@ -182,6 +183,15 @@ cmd_help() {
      * nopass  - Do not encrypt the private key (Default: encrypted)
                  (Equivalent to global option '--nopass|--no-pass')"
 	;;
 	inline)
 		text="
 * inline <file_name_base>
      Print inline data for <file_name_base>, with key and CA.
  * NOTE: To create an inline-file the output must be redirected.
          If the output is incomplete then an error is retruned."
 	;;
 	revoke)
 		text="
 * revoke <file_name_base> [reason]
@ -1325,7 +1335,7 @@ and initialize a fresh PKI here."
 	fi
 	# new dirs:
-	for i in private reqs; do
+	for i in private reqs inline; do
 		mkdir -p "$EASYRSA_PKI/$i" || \
 			die "\
 Failed to create PKI file structure (permissions?)"
@ -1646,7 +1656,7 @@ current CA. To start a new CA, run init-pki first."
 	# create necessary dirs:
 	err_msg="\
 Unable to create necessary PKI files (permissions?)"
-	for i in issued inline certs_by_serial \
+	for i in issued certs_by_serial \
 		revoked/certs_by_serial revoked/private_by_serial \
 		revoked/reqs_by_serial
 	do
@ -2589,27 +2599,81 @@ Inline file created:
 * $inline_out"
 	else
 		warn "\
-Failed to write inline file:
+INCOMPLETE Inline file created:
 * $inline_out"
 	fi
 	return 0
 } # => build_full()
-# Create inline credentials file for this node
+# Print inline data for file_name_base
-inline_creds ()
+inline_creds () {
-{
+	[ "$1" ] || die "inline_creds - Missing file_name_base"
-	[ "$1" ] || die "inline_creds - Name missing"
+
-	printf "%s\n\n" "# $crt_type: $1"
+	# Source files
-	printf "%s\n" "<cert>"
+	crt_source="${EASYRSA_PKI}/issued/${1}.crt"
-	cat "$crt_out"
+	key_source="${EASYRSA_PKI}/private/${1}.key"
-	printf "%s\n\n" "</cert>"
+	ca_source="$EASYRSA_PKI/ca.crt"
-	printf "%s\n" "<key>"
+	incomplete=0
-	[ -e "$key_out" ] && cat "$key_out"
+
-	printf "%s\n\n" "</key>"
+	# Generate data
-	printf "%s\n" "<ca>"
+	if [ -e "$crt_source" ]; then
-	cat "$EASYRSA_PKI/ca.crt"
+		# Get EasyRSA cert type
-	printf "%s\n\n" "</ca>"
+		ssl_cert_x509v3_eku "$crt_source" type_data
 		crt_data="\
 <cert>
 $(cat "$crt_source")
 </cert>"
 	else
 		# Set EasyRSA cert type to 'undefined'
 		type_data=undefined
 		incomplete=1
 		crt_data="\
 <cert>
 * Paste your user certificate here *
 </cert>"
 	fi
 	if [ -e "$key_source" ]; then
 		key_data="\
 <key>
 $(cat "$key_source")
 </key>"
 	else
 		incomplete=1
 		key_data="\
 <key>
 * Paste your private key here *
 </key>"
 	fi
 	if [ -e "$ca_source" ]; then
 		ca_data="\
 <ca>
 $(cat "$ca_source")
 </ca>"
 	else
 		incomplete=1
 		ca_data="\
 <ca>
 * Paste your CA certificate here *
 </ca>"
 	fi
 	# Print data
 	print "\
 # Easy-RSA Type: ${type_data}
 # Name: ${1}
 $crt_data
 $key_data
 $ca_data
 "
 	# If inline file is incomplete then return error
 	return "$incomplete"
 } # => inline_creds ()
 # revoke backend
@ -2907,23 +2971,7 @@ Cannot renew this certificate, a conflicting file exists:
 			die "Failed to create inline directoy."
 	# Extract certificate usage from old cert
-	cert_ext_key_usage="$(
+	ssl_cert_x509v3_eku "$crt_in" cert_type
 		easyrsa_openssl x509 -in "$crt_in" -noout -text |
 		sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
 		)"
 	case "$cert_ext_key_usage" in
 		"TLS Web Client Authentication")
 			cert_type=client
 		;;
 		"TLS Web Server Authentication")
 			cert_type=server
 		;;
 		"TLS Web Server Auth"*", TLS Web Client Auth"*)
 			cert_type=serverClient
 		;;
 		*) die "Unknown key usage: $cert_ext_key_usage"
 	esac
 	# Use SAN from --san if set else use SAN from old cert
 	if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName
@ -2992,7 +3040,7 @@ Inline file created:
 * $inline_in"
 	else
 		warn "\
-Failed to write inline file:
+INCOMPLETE Inline file created:
 * $inline_in"
 	fi
@ -4352,6 +4400,57 @@ Showing details for CA certificate, at:
 			die "OpenSSL failure to process the input"
 } # => show_ca()
 # Certificate X509v3 Extended Key Usage
 ssl_cert_x509v3_eku() {
 	[ "$1" ] || die "ssl_cert_x509v3_eku - Missing input"
 	# check input file name
 	if [ -e "$1" ]; then
 		__crt="$1"
 	else
 		__crt="${EASYRSA_PKI}/issued/${1}.crt"
 		[ -e "$__crt" ] || \
 			die "ssl_cert_x509v3_eku - Missing cert '$__crt'"
 	fi
 	# Set output variable
 	__var="$2"
 	shift "$#"
 	# required variables
 	__pattern="X509v3 Extended Key Usage:"
 	__cli="TLS Web Client Authentication"
 	__srv="TLS Web Server Authentication"
 	__srv_cli="${__srv}, ${__cli}"
 	# Extract certificate usage from old cert
 	__eku="$(
 		easyrsa_openssl x509 -in "${__crt}" -noout -text | \
 			sed -n "/${__pattern}/{n;s/^ *//g;p;}"
 		)"
 	case "$__eku" in
 	"$__cli")
 		__type=client
 	;;
 	"$__srv")
 		__type=server
 	;;
 	"$__srv_cli")
 		__type=serverClient
 	;;
 	*) die "Unknown key usage: $__eku"
 	esac
 	# Set variable to return
 	if [ "$__var" ]; then
 		force_set_var "$__var" "$__type"
 	else
 		information "${NL}* EasyRSA Certificate type: $__type"
 	fi
 	unset -v __crt __var __pattern __eku __type
 } # => ssl_cert_x509v3_eku()
 # get the serial number of the certificate -> serial=XXXX
 ssl_cert_serial() {
 	[ "$#" = 2 ] || die "ssl_cert_serial - input error"
@ -7105,7 +7204,7 @@ case "$cmd" in
 		require_pki=1
 		case "$cmd" in
 			gen-req|gen-dh|build-ca|show-req| \
-			make-safe-ssl|export-p*)
+			make-safe-ssl|export-p*|inline)
 				unset -v require_ca
 			;;
 			*)
@ -7198,6 +7297,11 @@ case "$cmd" in
 		verify_working_env
 		import_req "$@"
 		;;
 	inline)
 		verify_working_env
 		inline_creds "$@" || \
 			easyrsa_exit_with_error=1
 		;;
 	export-p12)
 		verify_working_env
 		export_pkcs p12 "$@"
@ -7296,6 +7400,10 @@ case "$cmd" in
 		verify_working_env
 		default_server_san "$@"
 		;;
 	x509-eku)
 		verify_working_env
 		ssl_cert_x509v3_eku "$@"
 		;;
 	upgrade)
 		verify_working_env
 		up23_manage_upgrade_23 "$@"