Fixes issues #395 and #412

The openssl call relied on word splitting for $crypto_ops but $crypto_opts consists of a path which could contain spaces. Now path is stored in $pass_opts which is quoted when using in openssl call.
2021-01-22 12:25:39 +01:00 · 2021-01-22 12:25:39 +01:00 · 432d93ec94
commit 432d93ec94
parent c064d3bc66
1 changed files with 17 additions and 14 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -664,42 +664,45 @@ current CA keypair. If you intended to start a new CA, run init-pki first."

 	# create the CA key using AES256
 	crypto_opts=""
+	pass_opts=""
 	if [ ! $nopass ]; then
 		crypto_opts="$crypto"
-		if [ -z "$EASYRSA_PASSOUT" ]; then
-		    if [ "ed" = "$EASYRSA_ALGO" ]; then
-                crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp"
-            else
-                crypto_opts="$crypto_opts -passout file:$out_key_pass_tmp"
-            fi
-        fi
+		pass_opts="file:$out_key_pass_tmp"
+	fi
+	if [ ! -z "$EASYRSA_PASSOUT" ]; then
+		pass_opts="$EASYRSA_PASSOUT"
 	fi
 	if [ "$EASYRSA_ALGO" = "rsa" ]; then
 		#shellcheck disable=SC2086
-		"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} "$EASYRSA_ALGO_PARAMS" || \
+		"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} "$EASYRSA_ALGO_PARAMS" || \
 			die "Failed create CA private key"
 	elif [ "$EASYRSA_ALGO" = "ec" ]; then
 		#shellcheck disable=SC2086
 		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
-			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
+			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} || \
 			die "Failed create CA private key"
 	elif [ "ed" = "$EASYRSA_ALGO" ]; then
 		if [ "ed25519" = "$EASYRSA_CURVE" ]; then
-			"$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
 			die "Failed create CA private key"
 		elif [ "ed448" = "$EASYRSA_CURVE" ]; then
-			"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+			"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
 			die "Failed create CA private key"
 		fi
 	fi

 	# create the CA keypair:
-	crypto_opts=""
-	[ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp"
+	pass_opts=""
+	if [ ! $nopass ]; then
+		pass_opts="file:$out_key_pass_tmp"
+	fi
+	if [ ! -z "$EASYRSA_PASSIN" ]; then
+		pass_opts="$EASYRSA_PASSIN"
+	fi

 	#shellcheck disable=SC2086
 	easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
-		-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+		-keyout "$out_key_tmp" -out "$out_file_tmp" $opts ${pass_opts:+-passin "$pass_opts"} || \
 		die "Failed to build the CA"

 	mv "$out_key_tmp" "$out_key"