From 5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 22 May 2023 23:08:42 +0100
Subject: [PATCH] build-ca: Revert manual CA password method to temp-files Change the integration of the following: * build-ca: Replace password temp-file method with file-descriptors * commit 27870d695a324e278854146afdac5d6bdade9bba Instead of 'replacing' the standard temp-file method, the new 'stdin' method is offered as an alternative by using option '--ca-via-stdin' Discussion: Using EasyRSA temp-files means that these files can be written to specific places. In the case of the CA password, it is recommended to use a RAM-Disk to write CA password temp-files to. Using heredocs to pass data via file-descriptors, in all probability, will write the heredoc data to a temp-file managed by the shell in use. Thus, there are temp-files written in both methods. The difference being that, the EasyRSA managed temp-files can be written to specific places, while the shell managed temp-files are out of EasyRSA scope. In conclusion, both methods are offered, however, the default remains as EasyRSA temp-files for the CA password method.
Signed-off-by: Richard T Bonhomme
---
ChangeLog | 7 ++++++-
easyrsa3/easyrsa | 43 +++++++++++++++++++++++++++----------------
2 files changed, 33 insertions(+), 17 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ed774a7..ddb11ed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,12 @@ Easy-RSA 3 ChangeLog -3.1.3 (ETA: 2023-05-19) +3.1.4 (ETA: 2023-06-02) + * build-ca: Revert manual CA password method to temp-files (#959) + Supersedes #955 + +3.1.3 (2023-05-19) * build-ca: Replace password temp-files with file-descriptors (#955) + Superseded by #959 * Replace --fix-offset with --startdate, --enddate (#918) * Introduce option -S|--silent-ssl: Silence SSL output (#913) * Only create a random serial number file when expected (#896)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 37731cb..b5463ee 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -470,7 +470,7 @@ General options: Can not be used with --passin or --passout --passin=ARG : Set -passin ARG for openssl (eg: pass:xEasyRSAy) --passout=ARG : Set -passout ARG for openssl (eg: pass:xEasyRSAy) ---ca-via-tf : Build CA with password via temp-files (Old method) +--ca-via-stdin : Build CA with password via 'stdin' (New method) --vars=FILE : Define a specific 'vars' file to use for Easy-RSA config (Default vars file is in the EasyRSA PKI directory)
@@ -542,6 +542,10 @@ Easy-RSA error: $1 " + if [ "$error_info" ]; then + print "${error_info}${NL}" + fi + show_host exit "${2:-1}" } # => die()
@@ -1450,7 +1454,7 @@ get_passphrase() { # build-ca backend: build_ca() { cipher="-aes256" - unset -v sub_ca ssl_batch date_stamp x509 + unset -v sub_ca ssl_batch date_stamp x509 error_info while [ "$1" ]; do case "$1" in intca|subca) sub_ca=1 ;;
@@ -1606,7 +1610,20 @@ to the latest Easy-RSA release." # Validate passphrase if [ "$p" ] && [ "$p" = "$q" ]; then - if [ "$EASYRSA_CA_PASS_OLD" ]; then + if [ "$EASYRSA_CA_PASS_NEW" ]; then + # CA password via stdin + CA_key_pass="$p" + + # To use stdin for -passin and -passout + # MUST use -batch + ssl_batch=1 + + # Helpful info, in case of failure + error_info="\ + EasyRSA 'build-ca' has failed due to use of OpenSSL password + argument 'stdin'. Please report this error to EasyRSA." + + else # CA password via temp-files in_key_pass_tmp="" easyrsa_mktemp in_key_pass_tmp || \
@@ -1618,13 +1635,6 @@ to the latest Easy-RSA release." die "in_key_pass_tmp: write" printf "%s" "$p" > "$out_key_pass_tmp" || \ die "out_key_pass_tmp: write" - else - # CA password via file-descriptors - CA_key_pass="$p" - - # To use stdin for -passin and -passout - # MUST use -batch - ssl_batch=1 fi unset -v p q else
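Review bot: In the `@@ -542` hunk die() prints `error_info` whenever it is non-empty, but the `@@ -1606` hunk sets it as soon as the passphrase is confirmed and it is cleared only by the `unset -v error_info` added in `@@ -1769`. Every die() reached in between, whatever its cause, would therefore be reported as a failure caused by the OpenSSL 'stdin' password argument, which can send troubleshooting in the wrong direction. Either set `error_info` immediately before each `easyrsa_openssl` call that reads the password from stdin, or soften the wording to something like `build-ca failed while the CA password was being passed via 'stdin'; retry without --ca-via-stdin`. die() starts outside this hunk, so other callers that might see a stale value are not visible here.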
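Review bot: In the `@@ -1606` hunk the stdin branch copies the passphrase into `CA_key_pass`, and the following `unset -v p q` clears only the originals, so the copy stays in the shell for the rest of the run unless it is cleared somewhere outside this patch. Clearing it at the point of last use would match the handling of `p` and `q`; if no later step reads it, the success branch in the `@@ -1769` hunk could become `unset -v error_info CA_key_pass`. A comment on the branch such as `# The heredoc that feeds stdin may be backed by a shell-managed temp-file outside EasyRSA's control` would also keep the trade-off from the commit message next to the code. The enclosing `if` and build_ca() both start and end outside the hunk.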
@@ -1658,7 +1668,7 @@ to the latest Easy-RSA release." EASYRSA_SSL_CONF="$conf_tmp" # Generate CA Key - if [ "$CA_key_pass" ]; then + if [ "$EASYRSA_CA_PASS_NEW" ]; then case "$EASYRSA_ALGO" in rsa) if easyrsa_openssl genpkey \
@@ -1755,7 +1765,7 @@ build_ca: CA key password created via temp-files" fi # Generate the CA keypair: - if [ "$CA_key_pass" ]; then + if [ "$EASYRSA_CA_PASS_NEW" ]; then if easyrsa_openssl req -utf8 -new \ -key "$out_key_tmp" \ -out "$out_file_tmp" \
@@ -1769,6 +1779,7 @@ build_ca: CA key password created via temp-files" EOF then : # ok + unset -v error_info else die "Failed to build the CA keypair." fi
@@ -5091,8 +5102,8 @@ Your Easy-RSA PKI CA Private Key is WORLD readable. To correct this problem, it is recommended that you either: * Copy Easy-RSA to your User folders and run it from there, OR * Define your PKI to be in your User folders. EG: - 'easyrsa --pki-dir=C:/Users//easy-rsa/pki\"'\ - " + 'easyrsa --pki-dir=\"C:/Users//easy-rsa/pki\"\ + '" fi fi
@@ -6228,9 +6239,9 @@ while :; do --passout) export EASYRSA_PASSOUT="$val" ;; - --ca-via-textfile|--ca-via-tf) + --ca-via-stdin) empty_ok=1 - export EASYRSA_CA_PASS_OLD=1 + export EASYRSA_CA_PASS_NEW=1 ;; --notext|--no-text) empty_ok=1
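Review bot: In the `@@ -1658` hunk, and again in `@@ -1755`, the stdin path is now selected by `EASYRSA_CA_PASS_NEW` alone, whereas the old test `[ "$CA_key_pass" ]` was true only once a passphrase had actually been captured. If build_ca() can reach these lines with `--ca-via-stdin` set but without passing through the passphrase prompt (for example when the password comes from `--passout`; that code is outside this patch, so this needs confirming), OpenSSL would be told to read a password from stdin while `CA_key_pass` is empty. Testing both keeps the option as the selector and the captured value as the guard: `if [ "$EASYRSA_CA_PASS_NEW" ] && [ "$CA_key_pass" ]; then`.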
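Review bot: In the `@@ -6228` hunk the `--ca-via-textfile|--ca-via-tf` pattern is deleted rather than retired, so command lines that adopted those names would presumably fall through to the unknown-option handling (outside this hunk) even though temp-files are the default again. Keeping the old names as accepted no-ops avoids breaking such callers: `--ca-via-textfile|--ca-via-tf) empty_ok=1 ;;`. Because `EASYRSA_CA_PASS_NEW` is exported and only ever tested for non-emptiness, a comment here saying that any non-empty value inherited from the environment also selects the stdin method would help the next reader.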