Merge branch 'temp_dir' of https://github.com/luizluca/easy-rsa into luizluca-temp_dir

2019-05-06 22:26:03 -05:00 · 2019-05-06 22:26:03 -05:00 · 59f4923078
commit 59f4923078
parent 9d78538d30 4ede9bf103
2 changed files with 111 additions and 80 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -304,38 +304,73 @@ Type the word '$value' to continue, or any other input to abort."
 	exit 9
 } # => confirm()

+# mktemp wrapper
+easyrsa_mktemp() {
+	[ -n "$EASYRSA_TEMP_DIR_session" ] || die "EASYRSA_TEMP_DIR_session not initialized!"
+	[ -d "$EASYRSA_TEMP_DIR_session" ] || mkdir -p "$EASYRSA_TEMP_DIR_session" ||
+	       die "Could not create temporary directory '$EASYRSA_TEMP_DIR_session'. Permission or concurrency problem?"
+	mktemp "$EASYRSA_TEMP_DIR_session/tmp.XXXXXX"
+} # => easyrsa_mktemp
+
 # remove temp files and do terminal cleanups
 cleanup() {
-	for f in "$EASYRSA_TEMP_CONF" "$EASYRSA_TEMP_EXT" \
-		"$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3" "$EASYRSA_TEMP_FILE_4"
-	do	[ -f "$f" ] && rm "$f" 2>/dev/null
-	done
+	[ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session"
 	(stty echo 2>/dev/null) || set -o echo
 	echo "" # just to get a clean line
 } # => cleanup()

-# Make LibreSSL safe config file from OpenSSL config file
-make_ssl_config() {
-sed \
-       -e "s\`ENV::EASYRSA\`EASYRSA\`g" \
-       -e "s\`\$dir\`$EASYRSA_PKI\`g" \
-       -e "s\`\$EASYRSA_PKI\`$EASYRSA_PKI\`g" \
-       -e "s\`\$EASYRSA_CERT_EXPIRE\`$EASYRSA_CERT_EXPIRE\`g" \
-       -e "s\`\$EASYRSA_CRL_DAYS\`$EASYRSA_CRL_DAYS\`g" \
-       -e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
-       -e "s\`\$EASYRSA_KEY_SIZE\`$EASYRSA_KEY_SIZE\`g" \
-       -e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
-       -e "s\`\$EASYRSA_DN\`$EASYRSA_DN\`g" \
-       -e "s\`\$EASYRSA_REQ_COUNTRY\`$EASYRSA_REQ_COUNTRY\`g" \
-       -e "s\`\$EASYRSA_REQ_PROVINCE\`$EASYRSA_REQ_PROVINCE\`g" \
-       -e "s\`\$EASYRSA_REQ_CITY\`$EASYRSA_REQ_CITY\`g" \
-       -e "s\`\$EASYRSA_REQ_ORG\`$EASYRSA_REQ_ORG\`g" \
-       -e "s\`\$EASYRSA_REQ_OU\`$EASYRSA_REQ_OU\`g" \
-       -e "s\`\$EASYRSA_REQ_CN\`$EASYRSA_REQ_CN\`g" \
-       -e "s\`\$EASYRSA_REQ_EMAIL\`$EASYRSA_REQ_EMAIL\`g" \
-	"$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\
-Failed to update $EASYRSA_SAFE_CONF"
-} # => make_ssl_config()
+easyrsa_openssl() {
+	openssl_command=$1; shift
+
+	case $openssl_command in
+		ca|req|srp|ts) has_config=true;;
+		*) has_config=false;;
+	esac
+
+	if ! $has_config; then
+		"$EASYRSA_OPENSSL" "$openssl_command" "$@"
+		return
+	fi
+
+	easyrsa_openssl_conf=$(easyrsa_mktemp)
+	easyrsa_extra_exts=
+	if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
+		easyrsa_extra_exts=$(easyrsa_mktemp)
+		cat >"$easyrsa_extra_exts" <<-EOF
+			req_extensions = req_extra
+			[ req_extra ]
+			$EASYRSA_EXTRA_EXTS
+		EOF
+	fi
+
+	# Make LibreSSL safe config file from OpenSSL config file
+	sed \
+		-e "s\`ENV::EASYRSA\`EASYRSA\`g" \
+		-e "s\`\$dir\`$EASYRSA_PKI\`g" \
+		-e "s\`\$EASYRSA_PKI\`$EASYRSA_PKI\`g" \
+		-e "s\`\$EASYRSA_CERT_EXPIRE\`$EASYRSA_CERT_EXPIRE\`g" \
+		-e "s\`\$EASYRSA_CRL_DAYS\`$EASYRSA_CRL_DAYS\`g" \
+		-e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
+		-e "s\`\$EASYRSA_KEY_SIZE\`$EASYRSA_KEY_SIZE\`g" \
+		-e "s\`\$EASYRSA_DIGEST\`$EASYRSA_DIGEST\`g" \
+		-e "s\`\$EASYRSA_DN\`$EASYRSA_DN\`g" \
+		-e "s\`\$EASYRSA_REQ_COUNTRY\`$EASYRSA_REQ_COUNTRY\`g" \
+		-e "s\`\$EASYRSA_REQ_PROVINCE\`$EASYRSA_REQ_PROVINCE\`g" \
+		-e "s\`\$EASYRSA_REQ_CITY\`$EASYRSA_REQ_CITY\`g" \
+		-e "s\`\$EASYRSA_REQ_ORG\`$EASYRSA_REQ_ORG\`g" \
+		-e "s\`\$EASYRSA_REQ_OU\`$EASYRSA_REQ_OU\`g" \
+		-e "s\`\$EASYRSA_REQ_CN\`$EASYRSA_REQ_CN\`g" \
+		-e "s\`\$EASYRSA_REQ_EMAIL\`$EASYRSA_REQ_EMAIL\`g" \
+		${EASYRSA_EXTRA_EXTS:+-e "/^#%EXTRA_EXTS%/r $easyrsa_extra_exts"} \
+		"$EASYRSA_SSL_CONF" > "$easyrsa_openssl_conf" ||
+		die "Failed to update $easyrsa_openssl_conf"
+
+	"$EASYRSA_OPENSSL" "$openssl_command" -config "$easyrsa_openssl_conf" "$@"
+	err=$?
+	rm -f "$easyrsa_openssl_conf"
+	rm -f "$easyrsa_extra_exts"
+	return $err
+} # => easyrsa_openssl

 vars_source_check() {
 	# Check for defined EASYRSA_PKI
@ -368,9 +403,6 @@ $out"
 }

 verify_ssl_lib () {
-	# make safessl-easyrsa.cnf
-	make_ssl_config
-
 	# Verify EASYRSA_OPENSSL command gives expected output
 	if [ -z "$EASYRSA_SSL_OK" ]; then
 		val="$("$EASYRSA_OPENSSL" version)"
@ -542,11 +574,11 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	# shellcheck disable=SC2015
 	[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"

-	out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
-	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
+	out_key_tmp="$(easyrsa_mktemp)"
+	out_file_tmp="$(easyrsa_mktemp)"
 	# Get password from user if necessary
 	if [ ! $nopass ]; then
-		out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_4="$out_key_pass_tmp"
+		out_key_pass_tmp="$(easyrsa_mktemp)"
 		echo
 		printf "Enter New CA Key Passphrase: "
 		hide_read_pass kpass
@ -577,13 +609,13 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	# create the CA keypair:
 	[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
 	#shellcheck disable=SC2086
-	"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
-		-config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
+	easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
+		-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
 		die "Failed to build the CA"

-	mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
-	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
-	[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp" && EASYRSA_TEMP_FILE_4=
+	mv "$out_key_tmp" "$out_key"
+	mv "$out_file_tmp" "$out_file"
+	[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"

 	# Success messages
 	if [ $sub_ca ]; then
@ -661,24 +693,25 @@ $EASYRSA_EXTRA_EXTS"
 	{ while ( getline<"/dev/stdin" ) {print} next }
 {print}
 }'
+		conf_tmp="$(easyrsa_mktemp)"
 		print "$extra_exts" | \
 			awk "$awkscript" "$EASYRSA_SSL_CONF" \
-			> "$EASYRSA_TEMP_CONF" \
+			> "$conf_tmp" \
 			|| die "Copying SSL config to temp file failed"
 		# Use this new SSL config for the rest of this function
-		EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF"
+		EASYRSA_SSL_CONF="$conf_tmp"
 	fi

-	key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp"
-	req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp"
+	key_out_tmp="$(easyrsa_mktemp)"
+	req_out_tmp="$(easyrsa_mktemp)"
 	# generate request
 	[ $EASYRSA_BATCH ] && opts="$opts -batch"
 	# shellcheck disable=2086,2148
-	"$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
-		-config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
+	easyrsa_openssl req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
+		-keyout "$key_out_tmp" -out "$req_out_tmp" $opts \
 		|| die "Failed to generate request"
-	mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2=
-	mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3=
+	mv "$key_out_tmp" "$key_out"
+	mv "$req_out_tmp" "$req_out"
 	notice "\
 Keypair and certificate request completed. Your files are:
 req: $req_out
@ -746,6 +779,7 @@ $(display_dn req "$req_in")
 "	# => confirm end

 	# Generate the extensions file for this cert:
+	ext_tmp="$(easyrsa_mktemp)"
 	{
 		# Append first any COMMON file (if present) then the cert-type extensions
 		cat "$EASYRSA_EXT_DIR/COMMON"
@ -782,17 +816,17 @@ $(display_dn req "$req_in")
 		[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"

 		: # needed to keep die from inherting the above test
-	} > "$EASYRSA_TEMP_EXT" || die "\
+	} > "$ext_tmp" || die "\
 Failed to create temp extension file (bad permissions?) at:
-$EASYRSA_TEMP_EXT"
+$ext_tmp"

 	# sign request
-	# shellcheck disable=SC2086
-	crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp"
-	"$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SAFE_CONF" \
-		-extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
+	crt_out_tmp="$(easyrsa_mktemp)"
+	easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
+		-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \
 		|| die "signing failed (openssl output above may have more detail)"
-	mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2=
+	mv "$crt_out_tmp" "$crt_out"
+	rm -f "$ext_tmp"
 	notice "\
 Certificate created at: $crt_out
 "
@ -878,7 +912,7 @@ Unable to revoke as no certificate was found. Certificate was expected
 at: $crt_in"

 	# shellcheck disable=SC2086
-	"$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CONF" $opts || die "\
+	easyrsa_openssl ca -utf8 -revoke "$crt_in" $opts || die "\
 Failed to revoke certificate: revocation command failed."

 	# move revoked files so we can reissue certificates with the same name
@ -919,7 +953,7 @@ input in file: $req_in"
 	fi

 	# get the serial number of the certificate -> serial=XXXX
-	cert_serial="$("$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -serial)"
+	cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
 	# remove the serial= part -> we only need the XXXX part
 	cert_serial=${cert_serial##*=}

@ -993,7 +1027,7 @@ at: $crt_in"

 	# Check if old cert is expired or expires within 30 days
 	expire_date=$(
-		"$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -enddate |
+		easyrsa_openssl x509 -in "$crt_in" -noout -enddate |
 		sed 's/^notAfter=//'
 		)
        case $(uname 2>/dev/null) in
@ -1014,7 +1048,7 @@ Renewal not allowed."

 	# Extract certificate usage from old cert
 	cert_ext_key_usage=$(
-		"$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text |
+		easyrsa_openssl x509 -in "$crt_in" -noout -text |
 		sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
 		)
 	case $cert_ext_key_usage in
@ -1033,7 +1067,7 @@ Renewal not allowed."
 	echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || \
 	{
 		san=$(
-			"$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text |
+			easyrsa_openssl x509 -in "$crt_in" -noout -text |
 			sed -n "/X509v3 Subject Alternative Name:/{n;s/ //g;p;}"
 			)
 		[ -n "$san" ] && export EASYRSA_EXTRA_EXTS="\
@ -1085,7 +1119,7 @@ input in file: $req_in"
 	fi

 	# get the serial number of the certificate -> serial=XXXX
-	cert_serial="$("$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -serial)"
+	cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
 	# remove the serial= part -> we only need the XXXX part
 	cert_serial=${cert_serial##*=}

@ -1131,11 +1165,11 @@ gen_crl() {
 	verify_ca_init

 	out_file="$EASYRSA_PKI/crl.pem"
-	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp"
-	"$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\
+	out_file_tmp="$(easyrsa_mktemp)"
+	easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" || die "\
 CRL Generation failed.
 "
-	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2=
+	mv "$out_file_tmp" "$out_file"

 	notice "\
 An updated CRL has been created.
@ -1233,7 +1267,7 @@ Missing key expected at: $key_in"

 		# export the p12:
 		# shellcheck disable=SC2086
-		"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
+		easyrsa_openssl pkcs12 -in "$crt_in" -inkey "$key_in" -export \
 			-out "$pkcs_out" $pkcs_opts || die "\
 Export of p12 failed: see above for related openssl errors."
 	;;
@ -1242,7 +1276,7 @@ Export of p12 failed: see above for related openssl errors."

 		# export the p7:
 		# shellcheck disable=SC2086
-		"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
+		easyrsa_openssl crl2pkcs7 -nocrl -certfile "$crt_in" \
 			-out "$pkcs_out" $pkcs_opts || die "\
 Export of p7 failed: see above for related openssl errors."
 	;;
@ -1289,13 +1323,12 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase.
 ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"

-	EASYRSA_TEMP_FILE_2="$file.temp"
-
-	"$EASYRSA_OPENSSL" "$key_type" -in "$file" -out "$EASYRSA_TEMP_FILE_2" $crypto || die "\
+	out_key_tmp="$(easyrsa_mktemp)"
+	easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" $crypto || die "\
 Failed to change the private key passphrase. See above for possible openssl
 error messages."

-	mv "$EASYRSA_TEMP_FILE_2" "$file" || die "\
+	mv "$out_key_tmp" "$file" || die "\
 Failed to change the private key passphrase. See above for error messages."

 	notice "Key passphrase successfully changed"
@ -1306,7 +1339,7 @@ Failed to change the private key passphrase. See above for error messages."
 update_db() {
 	verify_ca_init

-	"$EASYRSA_OPENSSL" ca -utf8 -updatedb -config "$EASYRSA_SSL_CONF" || die "\
+	easyrsa_openssl ca -utf8 -updatedb || die "\
 Failed to perform update-db: see above for related openssl errors."
 	return 0
 } # => update_db()
@ -1321,7 +1354,7 @@ display_dn() {
 default_server_san() {
 	path="$1"
 	cn=$(
-		"$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
+		easyrsa_openssl req -in "$path" -noout -subject -nameopt sep_multiline |
 		awk -F'=' '/^  *CN=/{print $2}'
 		)
 	echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
@ -1337,7 +1370,7 @@ default_server_san() {
 verify_file() {
 	format="$1" 
 	path="$2"
-	"$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null || return 1
+	easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null || return 1
 	return 0
 } # => verify_file()

@ -1392,7 +1425,7 @@ Showing $type details for '$name'.
 This file is stored at:
 $in_file
 "
-	"$EASYRSA_OPENSSL" $format -in "$in_file" -noout -text\
+	easyrsa_openssl $format -in "$in_file" -noout -text\
 		-nameopt multiline $opts || die "\
 OpenSSL failure to process the input"
 } # => show()
@ -1428,7 +1461,7 @@ Showing $type details for 'ca'.
 This file is stored at:
 $in_file
 "
-	"$EASYRSA_OPENSSL" $format -in "$in_file" -noout -text\
+	easyrsa_openssl $format -in "$in_file" -noout -text\
 		-nameopt multiline $opts || die "\
 OpenSSL failure to process the input"
 } # => show_ca()
@ -1496,15 +1529,10 @@ Note: using Easy-RSA configuration from: $vars"
 	set_var EASYRSA_CRL_DAYS	180
 	set_var EASYRSA_NS_SUPPORT	no
 	set_var EASYRSA_NS_COMMENT	"Easy-RSA (~VER~) Generated Certificate"
-	set_var EASYRSA_TEMP_CONF	"$EASYRSA_PKI/openssl-easyrsa.temp"
-	set_var EASYRSA_TEMP_EXT	"$EASYRSA_PKI/extensions.temp"
-	set_var EASYRSA_TEMP_FILE_2	""
-	set_var EASYRSA_TEMP_FILE_3	""
+	set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
 	set_var EASYRSA_REQ_CN		ChangeMe
 	set_var EASYRSA_DIGEST		sha256
-
 	set_var EASYRSA_SSL_CONF	"$EASYRSA_PKI/openssl-easyrsa.cnf"
-	set_var EASYRSA_SAFE_CONF	"$EASYRSA_PKI/safessl-easyrsa.cnf"

 	# Same as above for the x509-types extensions dir
 	if [ -d "$EASYRSA_PKI/x509-types" ]; then
@ -1523,8 +1551,7 @@ Note: using Easy-RSA configuration from: $vars"
 		die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa' or 'ec'"
 	fi

-	# Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32)
-	export OPENSSL_CONF="$EASYRSA_SAFE_CONF"
+	[ -n "$EASYRSA_TEMP_DIR_session" ] || EASYRSA_TEMP_DIR_session="$(mktemp -ud "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX")"
 } # vars_setup()

 # variable assignment by indirection when undefined; merely exports
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@ -71,6 +71,10 @@ fi

 #set_var EASYRSA_PKI		"$PWD/pki"

+# Define directory for temporary subdirectories.
+
+#set_var EASYRSA_TEMP_DIR	"$EASYRSA_PKI"
+
 # Define X509 DN mode.
 # This is used to adjust what elements are included in the Subject field as the DN
 # (this is the "Distinguished Name.")