nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fixes issues #395 and #412

Browse Source 
The openssl call relied on word splitting for $crypto_ops
but $crypto_opts consists of a path which could contain spaces.
Now path is stored in $pass_opts which is quoted when using in
openssl call.
This commit is contained in:
Markus Tillinger 2021-01-22 12:25:39 +01:00
parent c064d3bc66
commit 432d93ec94
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
easyrsa3/easyrsa
View File

@ -664,42 +664,45 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
# create the CA key using AES256 # create the CA key using AES256
crypto_opts="" crypto_opts=""
pass_opts=""
if [ ! $nopass ]; then if [ ! $nopass ]; then
crypto_opts="$crypto" crypto_opts="$crypto"
if [ -z "$EASYRSA_PASSOUT" ]; then pass_opts="file:$out_key_pass_tmp"
if [ "ed" = "$EASYRSA_ALGO" ]; then fi
crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp" if [ ! -z "$EASYRSA_PASSOUT" ]; then
else pass_opts="$EASYRSA_PASSOUT"
crypto_opts="$crypto_opts -passout file:$out_key_pass_tmp"
fi
fi
fi fi
if [ "$EASYRSA_ALGO" = "rsa" ]; then if [ "$EASYRSA_ALGO" = "rsa" ]; then
#shellcheck disable=SC2086 #shellcheck disable=SC2086
"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} "$EASYRSA_ALGO_PARAMS" || \ "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} "$EASYRSA_ALGO_PARAMS" || \
die "Failed create CA private key" die "Failed create CA private key"
elif [ "$EASYRSA_ALGO" = "ec" ]; then elif [ "$EASYRSA_ALGO" = "ec" ]; then
#shellcheck disable=SC2086 #shellcheck disable=SC2086
"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \ "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || \ "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts ${pass_opts:+-passout "${pass_opts}"} || \
die "Failed create CA private key" die "Failed create CA private key"
elif [ "ed" = "$EASYRSA_ALGO" ]; then elif [ "ed" = "$EASYRSA_ALGO" ]; then
if [ "ed25519" = "$EASYRSA_CURVE" ]; then if [ "ed25519" = "$EASYRSA_CURVE" ]; then
"$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \ "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
die "Failed create CA private key" die "Failed create CA private key"
elif [ "ed448" = "$EASYRSA_CURVE" ]; then elif [ "ed448" = "$EASYRSA_CURVE" ]; then
"$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out $out_key_tmp $crypto_opts ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \ "$EASYRSA_OPENSSL" genpkey -algorithm ED448 -out "$out_key_tmp" $crypto_opts ${pass_opts:+-pass "${pass_opts}"} || \
die "Failed create CA private key" die "Failed create CA private key"
fi fi
fi fi
# create the CA keypair: # create the CA keypair:
crypto_opts="" pass_opts=""
[ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp" if [ ! $nopass ]; then
pass_opts="file:$out_key_pass_tmp"
fi
if [ ! -z "$EASYRSA_PASSIN" ]; then
pass_opts="$EASYRSA_PASSIN"
fi
#shellcheck disable=SC2086 #shellcheck disable=SC2086
easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \ easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \ -keyout "$out_key_tmp" -out "$out_file_tmp" $opts ${pass_opts:+-passin "$pass_opts"} || \
die "Failed to build the CA" die "Failed to build the CA"
mv "$out_key_tmp" "$out_key" mv "$out_key_tmp" "$out_key"