Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N'

When signing a request for an intermediate CA using --subca-len=N:

For a Sub-CA, the current method to apply 'pathlen:N' to CA basicConstraints
over-writes all user set basicConstraints.

Replace that with an awk script which reads the current x509-types/ca file;
selects the last occurence of 'basicConstraints' (As does OpenSSL) and then
prints that line, with ", pathlen:$EASYRSA_SUBCA_LEN" appended, into the
temporary x509-types/ca file.

If no CA basicConstraint is found then exit with an error. Reason:

Easy-RSA default CA basicConstrain will always be defined. If that is changed
by the user, who then attempts to use Easy-RSA to append 'pathlen' then that
is an error. Easy-RSA must not insert a default when the default has been
deliberately removed.

Closes: #691 - Original bug report.
Closes: #692 - First use of awk as a solution. [Credit]

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

easyrsa3/easyrsa

@@ -1684,21 +1684,6 @@ at: $crt_out"
 The certificate request file is not in a valid X509 request format.
 File Path: $req_in"
 
-	# Display the request subject in an easy-to-read format
-	# Confirm the user wishes to sign this request
-	# Support batch by internal caller:
-	#[ "$3" = "batch" ] ||
-	confirm "Confirm request details: " "yes" "\
-You are about to sign the following certificate.
-Please check over the details shown below for accuracy. Note that this request
-has not been cryptographically verified. Please be sure it came from a trusted
-source or that you have verified the request checksum with the sender.
-
-Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
-
-$(display_dn req "$req_in")
-"	# => confirm end
-
 	# Get fixed dates by --fix-offset
 	if [ "$EASYRSA_FIX_OFFSET" ]; then
 		fixed_dates="$( # subshell for debug
@@ -1749,8 +1734,16 @@ Please update openssl-easyrsa.cnf to the latest official release."
 			die "Failed to read X509-type $crt_type"
 
 		# Support a dynamic CA path length when present:
-		[ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \
-			print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"
+		if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
+			# Print the last occurence of basicContraints in x509-types/ca
+			# If basicContraints not defined then bail
+			awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
+				END { if (length(bC) == 0 ) exit 1;	print bC }'
+			basicConstraints="$(awk "$awkscript" "$ext_tmp")" || die "\
+basicConstraints is not defined, cannot use 'pathlen'"
+			print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"
+			unset -v basicConstraints
+		fi
 
 		# Deprecated Netscape extension support, if enabled
 		if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
@@ -1790,6 +1783,21 @@ Please update openssl-easyrsa.cnf to the latest official release."
 Failed to create temp extension file (bad permissions?) at:
 $ext_tmp"
 
+	# Display the request subject in an easy-to-read format
+	# Confirm the user wishes to sign this request
+	# Support batch by internal caller:
+	#[ "$3" = "batch" ] ||
+	confirm "Confirm request details: " "yes" "\
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
+
+$(display_dn req "$req_in")
+"	# => confirm end
+
 	# sign request
 	crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
 	easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \