From 4f9e32fc7ce883768a6a85af81870e4ecc425339 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 24 Sep 2022 15:37:37 +0100
Subject: [PATCH] Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N'

When signing a request for an intermediate CA using --subca-len=N: For a Sub-CA, the current method to apply 'pathlen:N' to CA basicConstraints over-writes all user set basicConstraints. Replace that with an awk script which reads the current x509-types/ca file; selects the last occurence of 'basicConstraints' (As does OpenSSL) and then prints that line, with ", pathlen:$EASYRSA_SUBCA_LEN" appended, into the temporary x509-types/ca file. If no CA basicConstraint is found then exit with an error. Reason: Easy-RSA default CA basicConstrain will always be defined. If that is changed by the user, who then attempts to use Easy-RSA to append 'pathlen' then that is an error. Easy-RSA must not insert a default when the default has been deliberately removed.
Closes: #691 - Original bug report.
Closes: #692 - First use of awk as a solution. [Credit]
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 42 +++++++++++++++++++++++++-----------------
 1 file changed, 25 insertions(+), 17 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 122d92e..4044df7 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1684,21 +1684,6 @@ at: $crt_out"
 The certificate request file is not in a valid X509 request format.
 File Path: $req_in"
 
- # Display the request subject in an easy-to-read format
- # Confirm the user wishes to sign this request
- # Support batch by internal caller:
- #[ "$3" = "batch" ] ||
- confirm "Confirm request details: " "yes" "\
-You are about to sign the following certificate.
-Please check over the details shown below for accuracy. Note that this request
-has not been cryptographically verified. Please be sure it came from a trusted
-source or that you have verified the request checksum with the sender.
-
-Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
-
-$(display_dn req "$req_in")
-" # => confirm end
-
  # Get fixed dates by --fix-offset
  if [ "$EASYRSA_FIX_OFFSET" ]; then
  fixed_dates="$( # subshell for debug
@@ -1749,8 +1734,16 @@ Please update openssl-easyrsa.cnf to the latest official release."
  die "Failed to read X509-type $crt_type"
 
  # Support a dynamic CA path length when present:
- [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \
- print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"
+ if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
+ # Print the last occurence of basicContraints in x509-types/ca
+ # If basicContraints not defined then bail
+ awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
+ END { if (length(bC) == 0 ) exit 1; print bC }'
+ basicConstraints="$(awk "$awkscript" "$ext_tmp")" || die "\
+basicConstraints is not defined, cannot use 'pathlen'"
+ print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"
+ unset -v basicConstraints
+ fi
 
  # Deprecated Netscape extension support, if enabled
  if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
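Review bot: The basicConstraints line selected by the awk script in the second hunk is appended to verbatim, so a user-edited x509-types/ca whose last entry already carries a `pathlen:` value, or asserts `CA:FALSE`, yields a duplicated pathlen or `CA:FALSE, pathlen:N`; RFC 5280 only permits pathLenConstraint when cA is asserted, and whether `easyrsa_openssl ca` rejects or silently accepts such a line is not visible here. A guard before the `print` makes the failure explicit and attributable: `case "$basicConstraints" in *pathlen:*) die "basicConstraints already defines 'pathlen'";; esac`. `$EASYRSA_SUBCA_LEN` is likewise interpolated into the extension file unchecked; unless option parsing already validates it, `case "$EASYRSA_SUBCA_LEN" in ''|*[!0-9]*) die "--subca-len must be a non-negative integer";; esac` keeps a malformed value out of the signed certificate's extensions. The two new comments misspell both words; `# Print the last occurrence of basicConstraints in x509-types/ca` reads correctly, and the enclosing function starts and ends outside the hunk.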
@@ -1790,6 +1783,21 @@ Please update openssl-easyrsa.cnf to the latest official release."
 Failed to create temp extension file (bad permissions?)
 at: $ext_tmp"
 
+ # Display the request subject in an easy-to-read format
+ # Confirm the user wishes to sign this request
+ # Support batch by internal caller:
+ #[ "$3" = "batch" ] ||
+ confirm "Confirm request details: " "yes" "\
+You are about to sign the following certificate.
+Please check over the details shown below for accuracy. Note that this request
+has not been cryptographically verified. Please be sure it came from a trusted
+source or that you have verified the request checksum with the sender.
+
+Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
+
+$(display_dn req "$req_in")
+" # => confirm end
+
  # sign request
  crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
  easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
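Review bot: The confirmation prompt now runs only after `$ext_tmp` is fully written, yet it still shows nothing but the request subject, so the operator confirms a CA signing without seeing the effective basicConstraints and path length that `--subca-len` just appended. Since the extension file already exists at this point, the confirm text could include its basicConstraints line (for example by adding a line built from `grep '^[[:blank:]]*basicConstraints' "$ext_tmp"` to the message) so the path-length constraint is verified by a human before the signature is made. Declining the prompt now also leaves `$ext_tmp` on disk until whatever cleanup `easyrsa_mktemp` registers runs, which is not visible in this hunk; it is worth confirming that an abort from `confirm` still reaches that cleanup. The enclosing function starts and ends outside the hunk.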