nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Opt. --subca-len: basicConstraints CA extension, Append 'pathlen:N'

Browse Source 
When signing a request for an intermediate CA using --subca-len=N:

For a Sub-CA, the current method to apply 'pathlen:N' to CA basicConstraints
over-writes all user set basicConstraints.

Replace that with an awk script which reads the current x509-types/ca file;
selects the last occurence of 'basicConstraints' (As does OpenSSL) and then
prints that line, with ", pathlen:$EASYRSA_SUBCA_LEN" appended, into the
temporary x509-types/ca file.

If no CA basicConstraint is found then exit with an error. Reason:

Easy-RSA default CA basicConstrain will always be defined. If that is changed
by the user, who then attempts to use Easy-RSA to append 'pathlen' then that
is an error. Easy-RSA must not insert a default when the default has been
deliberately removed.

Closes: #691 - Original bug report.
Closes: #692 - First use of awk as a solution. [Credit]

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-09-24 15:37:37 +01:00
parent 027a3e432f
commit 4f9e32fc7c
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 25 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
easyrsa3/easyrsa
View File

@ -1684,21 +1684,6 @@ at: $crt_out"
The certificate request file is not in a valid X509 request format. The certificate request file is not in a valid X509 request format.
File Path: $req_in" File Path: $req_in"
# Display the request subject in an easy-to-read format
# Confirm the user wishes to sign this request
# Support batch by internal caller:
#[ "$3" = "batch" ] ||
confirm "Confirm request details: " "yes" "\
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
$(display_dn req "$req_in")
" # => confirm end
# Get fixed dates by --fix-offset # Get fixed dates by --fix-offset
if [ "$EASYRSA_FIX_OFFSET" ]; then if [ "$EASYRSA_FIX_OFFSET" ]; then
fixed_dates="$( # subshell for debug fixed_dates="$( # subshell for debug
@ -1749,8 +1734,16 @@ Please update openssl-easyrsa.cnf to the latest official release."
die "Failed to read X509-type $crt_type" die "Failed to read X509-type $crt_type"
# Support a dynamic CA path length when present: # Support a dynamic CA path length when present:
[ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \ if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN" # Print the last occurence of basicContraints in x509-types/ca
# If basicContraints not defined then bail
awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
END { if (length(bC) == 0 ) exit 1; print bC }'
basicConstraints="$(awk "$awkscript" "$ext_tmp")" || die "\
basicConstraints is not defined, cannot use 'pathlen'"
print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"
unset -v basicConstraints
fi
# Deprecated Netscape extension support, if enabled # Deprecated Netscape extension support, if enabled
if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
@ -1790,6 +1783,21 @@ Please update openssl-easyrsa.cnf to the latest official release."
Failed to create temp extension file (bad permissions?) at: Failed to create temp extension file (bad permissions?) at:
$ext_tmp" $ext_tmp"
# Display the request subject in an easy-to-read format
# Confirm the user wishes to sign this request
# Support batch by internal caller:
#[ "$3" = "batch" ] ||
confirm "Confirm request details: " "yes" "\
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
$(display_dn req "$req_in")
" # => confirm end
# sign request # sign request
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \ easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \