From 432d93ec94d0f8a2ee118694571b5daed6521d4d Mon Sep 17 00:00:00 2001
From: Markus Tillinger
Date: Fri, 22 Jan 2021 12:25:39 +0100
Subject: [PATCH] Fixes issues #395 and #412

The openssl call relied on word splitting for $crypto_ops but $crypto_opts consists of a path which could contain spaces. Now path is stored in $pass_opts which is quoted when using in openssl call.
---
 easyrsa3/easyrsa | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 84e176d..37eb639 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -664,42 +664,45 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # create the CA key using AES256
 crypto_opts=""
+ pass_opts=""
 if [ ! $nopass ]; then
 crypto_opts="$crypto"
- if [ -z "$EASYRSA_PASSOUT" ]; then
- if [ "ed" = "$EASYRSA_ALGO" ]; then
- crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp"
- else
- crypto_opts="$crypto_opts -passout file:$out_key_pass_tmp"
- fi
- fi
+ pass_opts="file:$out_key_pass_tmp"
+ fi
+ if [ ! -z "$EASYRSA_PASSOUT" ]; then
+ pass_opts="$EASYRSA_PASSOUT"
 fi
 if [ "$EASYRSA_ALGO" = "rsa" ]; then
 #shellcheck disable=SC2086
- "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} "$EASYRSA_ALGO_PARAMS" || \
+ "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} "$EASYRSA_ALGO_PARAMS" || \
 die "Failed create CA private key"
 elif [ "$EASYRSA_ALGO" = "ec" ]; then
 #shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
- "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \
+ "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} || \
 die "Failed create CA private key"
 elif [ "ed" = "$EASYRSA_ALGO" ]; then
 if [ "ed25519" = "$EASYRSA_CURVE" ]; then
- "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+ "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
 die "Failed create CA private key"
 elif [ "ed448" = "$EASYRSA_CURVE" ]; then
- "$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+ "$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
 die "Failed create CA private key"
 fi
 fi
 # create the CA keypair:
- crypto_opts=""
- [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp"
+ pass_opts=""
+ if [ ! $nopass ]; then
+ pass_opts="file:$out_key_pass_tmp"
+ fi
+ if [ ! -z "$EASYRSA_PASSIN" ]; then
+ pass_opts="$EASYRSA_PASSIN"
+ fi
 #shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
- -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+ -keyout "$out_key_tmp" -out "$out_file_tmp" $opts ${pass_opts:+-passin "$pass_opts"} || \
 die "Failed to build the CA"
 mv "$out_key_tmp" "$out_key"
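Review bot: The CA keypair step falls back to `file:$out_key_pass_tmp` for `-passin` whenever `$EASYRSA_PASSIN` is empty, while the key-creation step above encrypts the key with `$EASYRSA_PASSOUT` when that is set, so a run with only `EASYRSA_PASSOUT` exported appears to give `req` a different passphrase source from the one the key was written with (the removed lines behaved the same way). Whether the temp file then holds a matching passphrase is decided before the hunk, so this needs confirming; if the two can differ, `req` fails on a CA key that has already been generated. I would at least document the precedence next to both blocks, e.g. `# EASYRSA_PASSOUT / EASYRSA_PASSIN take precedence over the prompted passphrase file; set both or neither`, and write the tests as `[ -n "$EASYRSA_PASSIN" ]` rather than `[ ! -z "$EASYRSA_PASSIN" ]`. The enclosing function starts and ends outside the hunk.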