Merge branch 'TinCanTech-update-ns-support'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2022-09-28 16:39:04 +01:00 · 2022-09-28 16:39:04 +01:00 · 4a04e5a5d9
commit 4a04e5a5d9
parent e21ab73ba6 10485ab70d
1 changed files with 16 additions and 21 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -494,7 +494,7 @@ Certificate & Request options: (these impact cert/req field values)
 --use-algo=ALG  : crypto alg to use: choose rsa (default), ec or ed
 --curve=NAME    : for elliptic curve, sets the named curve to use

--subca-len=#   : path length of signed intermediate CA certs; must be >= 0 if used
+--subca-len=#   : Path length of signed intermediate CA certificates
 --copy-ext      : Copy included request X509 extensions (namely subjAltName)
 --san|--subject-alt-name
                : Add a subjectAltName.
@ -517,8 +517,8 @@ Distinguished Name mode:

 Deprecated features:

--ns-cert=YES/NO      : yes or no to including deprecated NS extensions
--ns-comment=COMMENT  : NS comment to include (value may be blank)
+--ns-cert             : Include deprecated Netscape extensions
+--ns-comment=COMMENT  : Include deprecated Netscape comment (may be blank)
 "
 } # => opt_usage()

@ -575,19 +575,6 @@ verbose() {
 	print "$1"
 } # => verbose()

-# yes/no case-insensitive match (operates on stdin pipe)
-# Returns 0 when input contains yes, 1 for no, 2 for no match
-# If both strings are present, returns 1; first matching line returns.
-awk_yesno() {
-	# shellcheck disable=SC2016 # vars don't expand in single quotes
-	awkscript='
-BEGIN {IGNORECASE=1; r=2}
-{       if(match($0,"no")) {r=1; exit}
-        if(match($0,"yes")) {r=0; exit}
-} END {exit r}'
-	awk "$awkscript"
-} # => awk_yesno()
-
 # intent confirmation helper func
 # returns without prompting in EASYRSA_BATCH
 confirm() {
@ -1761,9 +1748,9 @@ basicConstraints is not defined, cannot use 'pathlen'"
 		fi

 		# Deprecated Netscape extension support, if enabled
-		if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
-			[ "$EASYRSA_NS_COMMENT" ] && \
-				print "nsComment = \"$EASYRSA_NS_COMMENT\""
+		case "$EASYRSA_NS_SUPPORT" in
+		[yY][eE][sS])
+			# Netscape extension
 			case "$crt_type" in
 				serverClient) print "nsCertType = serverClient" ;;
 				server) print "nsCertType = server" ;;
@ -1771,7 +1758,13 @@ basicConstraints is not defined, cannot use 'pathlen'"
 				ca) print "nsCertType = sslCA" ;;
 				*) die "Unknown certificate type: $crt_type"
 			esac
-		fi
+			# Netscape comment
+			[ "$EASYRSA_NS_COMMENT" ] && \
+				print "nsComment = \"$EASYRSA_NS_COMMENT\""
+		;;
+		*)
+			: # ok No NS support required
+		esac

 		# Add user SAN from --subject-alt-name
 		if [ "$user_san_true" ]; then
@ -5032,7 +5025,9 @@ while :; do
 		empty_ok=1
 		export EASYRSA_REQ_SERIAL="$val" ;;
 	--ns-cert)
-		export EASYRSA_NS_SUPPORT="$val" ;;
+		empty_ok=1
+		[ "$is_empty" ] && unset -v val
+		export EASYRSA_NS_SUPPORT="${val:-yes}" ;;
 	--ns-comment)
 		empty_ok=1
 		export EASYRSA_NS_COMMENT="$val" ;;