build-ca: Revert manual CA password method to temp-files

Change the integration of the following: * build-ca: Replace password temp-file method with file-descriptors * commit 27870d695a324e278854146afdac5d6bdade9bba Instead of 'replacing' the standard temp-file method, the new 'stdin' method is offered as an alternative by using option '--ca-via-stdin' Discussion: Using EasyRSA temp-files means that these files can be written to specific places. In the case of the CA password, it is recommended to use a RAM-Disk to write CA password temp-files to. Using heredocs to pass data via file-descriptors, in all probability, will write the heredoc data to a temp-file managed by the shell in use. Thus, there are temp-files written in both methods. The difference being that, the EasyRSA managed temp-files can be written to specific places, while the shell managed temp-files are out of EasyRSA scope. In conclusion, both methods are offered, however, the default remains as EasyRSA temp-files for the CA password method. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-05-22 23:08:42 +01:00 · 2023-05-22 23:08:42 +01:00 · 5d7ad1306d
commit 5d7ad1306d
parent 51cb520887
2 changed files with 33 additions and 17 deletions
--- a/7
+++ b/7
@ -1,7 +1,12 @@
 Easy-RSA 3 ChangeLog

-3.1.3 (ETA: 2023-05-19)
+3.1.4 (ETA: 2023-06-02)
+   * build-ca: Revert manual CA password method to temp-files (#959)
+     Supersedes #955
+
+3.1.3 (2023-05-19)
   * build-ca: Replace password temp-files with file-descriptors (#955)
+     Superseded by #959
   * Replace --fix-offset with --startdate, --enddate (#918)
   * Introduce option -S|--silent-ssl: Silence SSL output (#913)
   * Only create a random serial number file when expected (#896)
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -470,7 +470,7 @@ General options:
                  Can not be used with --passin or --passout
 --passin=ARG    : Set -passin ARG for openssl (eg: pass:xEasyRSAy)
 --passout=ARG   : Set -passout ARG for openssl (eg: pass:xEasyRSAy)
--ca-via-tf     : Build CA with password via temp-files (Old method)
+--ca-via-stdin  : Build CA with password via 'stdin' (New method)

 --vars=FILE     : Define a specific 'vars' file to use for Easy-RSA config
                  (Default vars file is in the EasyRSA PKI directory)
@ -542,6 +542,10 @@ Easy-RSA error:

 $1
 "
+	if [ "$error_info" ]; then
+		print "${error_info}${NL}"
+	fi
+
 	show_host
 	exit "${2:-1}"
 } # => die()
@ -1450,7 +1454,7 @@ get_passphrase() {
 # build-ca backend:
 build_ca() {
 	cipher="-aes256"
-	unset -v sub_ca ssl_batch date_stamp x509
+	unset -v sub_ca ssl_batch date_stamp x509 error_info
 	while [ "$1" ]; do
 		case "$1" in
 			intca|subca) sub_ca=1 ;;
@ -1606,7 +1610,20 @@ to the latest Easy-RSA release."

 		# Validate passphrase
 		if [ "$p" ] && [ "$p" = "$q" ]; then
-			if [ "$EASYRSA_CA_PASS_OLD" ]; then
+			if [ "$EASYRSA_CA_PASS_NEW" ]; then
+				# CA password via stdin
+				CA_key_pass="$p"
+
+				# To use stdin for -passin and -passout
+				# MUST use -batch
+				ssl_batch=1
+
+				# Helpful info, in case of failure
+				error_info="\
+  EasyRSA 'build-ca' has failed due to use of OpenSSL password
+  argument 'stdin'.  Please report this error to EasyRSA."
+
+			else
 				# CA password via temp-files
 				in_key_pass_tmp=""
 				easyrsa_mktemp in_key_pass_tmp || \
@ -1618,13 +1635,6 @@ to the latest Easy-RSA release."
 					die "in_key_pass_tmp: write"
 				printf "%s" "$p" > "$out_key_pass_tmp" || \
 					die "out_key_pass_tmp: write"
-			else
-				# CA password via file-descriptors
-				CA_key_pass="$p"
-
-				# To use stdin for -passin and -passout
-				# MUST use -batch
-				ssl_batch=1
 			fi
 			unset -v p q
 		else
@ -1658,7 +1668,7 @@ to the latest Easy-RSA release."
 	EASYRSA_SSL_CONF="$conf_tmp"

 	# Generate CA Key
-	if [ "$CA_key_pass" ]; then
+	if [ "$EASYRSA_CA_PASS_NEW" ]; then
 		case "$EASYRSA_ALGO" in
 		rsa)
 			if easyrsa_openssl genpkey \
@ -1755,7 +1765,7 @@ build_ca: CA key password created via temp-files"
 	fi

 	# Generate the CA keypair:
-	if [ "$CA_key_pass" ]; then
+	if [ "$EASYRSA_CA_PASS_NEW" ]; then
 		if easyrsa_openssl req -utf8 -new \
 			-key "$out_key_tmp" \
 			-out "$out_file_tmp" \
@ -1769,6 +1779,7 @@ build_ca: CA key password created via temp-files"
 				EOF
 		then
 			: # ok
+			unset -v error_info
 		else
 			die "Failed to build the CA keypair."
 		fi
@ -5091,8 +5102,8 @@ Your Easy-RSA PKI CA Private Key is WORLD readable.
 To correct this problem, it is recommended that you either:
 * Copy Easy-RSA to your User folders and run it from there, OR
 * Define your PKI to be in your User folders. EG:
-  'easyrsa --pki-dir=C:/Users/<your-user-name>/easy-rsa/pki\"'\
- <command>"
+  'easyrsa --pki-dir=\"C:/Users/<your-user-name>/easy-rsa/pki\"\
+ <command>'"
 		fi
 	fi

@ -6228,9 +6239,9 @@ while :; do
 	--passout)
 		export EASYRSA_PASSOUT="$val"
 		;;
-	--ca-via-textfile|--ca-via-tf)
+	--ca-via-stdin)
 		empty_ok=1
-		export EASYRSA_CA_PASS_OLD=1
+		export EASYRSA_CA_PASS_NEW=1
 		;;
 	--notext|--no-text)
 		empty_ok=1