nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'wrap-build-ca' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-wrap-build-ca

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-01-22 19:12:00 +00:00
commit 6842fb2273
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 88 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

169
easyrsa3/easyrsa
View File

@ -1300,7 +1300,7 @@ build_ca() {
x509=1 x509=1
fi fi
# If encrypted then create the CA key using AES256 cipher # If encrypted then create the CA key with AES256 cipher
if [ "$EASYRSA_NO_PASS" ]; then if [ "$EASYRSA_NO_PASS" ]; then
unset -v cipher unset -v cipher
else else
@ -1314,14 +1314,16 @@ Unable to create a CA as you already seem to have one set up.
If you intended to start a new CA, run init-pki first." If you intended to start a new CA, run init-pki first."
fi fi
# If a private key exists here, a intermediate ca was created but not signed. # If a private key exists, an intermediate ca was created
# Notify the user and require a signed ca.crt or a init-pki: # but not signed.
[ -f "$out_key" ] && \ # Notify user and require a signed ca.crt or a init-pki:
if [ -f "$out_key" ]; then
die "\ die "\
A CA private key exists but no ca.crt is found in your PKI dir of: A CA private key exists but no ca.crt is found in your PKI:
$EASYRSA_PKI $EASYRSA_PKI
Refusing to create a new CA keypair as this operation would overwrite your Refusing to create a new CA as this would overwrite your
current CA keypair. If you intended to start a new CA, run init-pki first." current CA. To start a new CA, run init-pki first."
fi
# Cert type must exist under the EASYRSA_EXT_DIR # Cert type must exist under the EASYRSA_EXT_DIR
[ -e "$EASYRSA_EXT_DIR/ca" ] || die "\ [ -e "$EASYRSA_EXT_DIR/ca" ] || die "\
@ -1333,27 +1335,34 @@ Missing X509-type 'COMMON'"
if grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \ if grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
"$EASYRSA_SSL_CONF" "$EASYRSA_SSL_CONF"
then then
[ "$EASYRSA_BATCH" ] || print : # [ "$EASYRSA_BATCH" ] || print
else else
warn "\ warn "\
The openssl config file in use does not support X509-type 'ca'. This openssl config file does not support X509-type 'ca'.
* $EASYRSA_SSL_CONF * $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release." Please update openssl-easyrsa.cnf to the latest release."
fi fi
# create necessary files and dirs: # create necessary files and dirs:
err_file="Unable to create necessary PKI files (permissions?)" err_msg="\
for i in issued inline certs_by_serial revoked/certs_by_serial \ Unable to create necessary PKI files (permissions?)"
revoked/private_by_serial revoked/reqs_by_serial for i in issued inline certs_by_serial \
revoked/certs_by_serial revoked/private_by_serial \
revoked/reqs_by_serial
do do
mkdir -p "$EASYRSA_PKI/$i" || die "$err_file" mkdir -p "$EASYRSA_PKI/$i" || die "$err_msg"
done done
printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file" printf "" > "$EASYRSA_PKI/index.txt" || \
printf "" > "$EASYRSA_PKI/index.txt.attr" || die "$err_file" die "$err_msg"
printf '%s\n' "01" > "$EASYRSA_PKI/serial" || die "$err_file" printf "" > "$EASYRSA_PKI/index.txt.attr" || \
die "$err_msg"
printf '%s\n' "01" > "$EASYRSA_PKI/serial" || \
die "$err_msg"
unset -v err_msg
# Set ssl batch mode, as required # Set ssl batch mode, as required
# --req-cn must be used with --batch, otherwise use default # --req-cn must be used with --batch,
# otherwise use default
if [ "$EASYRSA_BATCH" ]; then if [ "$EASYRSA_BATCH" ]; then
ssl_batch=1 ssl_batch=1
else else
@ -1376,10 +1385,14 @@ Please update openssl-easyrsa.cnf to the latest official release."
die "Failed to create temp-cert file" die "Failed to create temp-cert file"
# Get passphrase from user if necessary # Get passphrase from user if necessary
if [ "$EASYRSA_NO_PASS" ]; then if [ "$EASYRSA_NO_PASS" ]
then
: # No passphrase required : # No passphrase required
elif [ "$EASYRSA_PASSOUT" ] && [ "$EASYRSA_PASSIN" ]; then
elif [ "$EASYRSA_PASSOUT" ] && [ "$EASYRSA_PASSIN" ]
then
: # passphrase defined : # passphrase defined
else else
# Assign passphrase vars and temp file # Assign passphrase vars and temp file
in_key_pass_tmp="$(easyrsa_mktemp)" || \ in_key_pass_tmp="$(easyrsa_mktemp)" || \
@ -1420,9 +1433,9 @@ Please update openssl-easyrsa.cnf to the latest official release."
fi fi
fi fi
# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS, if defined. # Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS
# shellcheck disable=SC2016 # vars don't expand in single quote # shellcheck disable=SC2016 # vars don't expand in ''
awkscript=' awkscript='\
{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") ) {if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
{print} {print}
@ -1439,61 +1452,52 @@ Please update openssl-easyrsa.cnf to the latest official release."
# Use this new SSL config for the rest of this function # Use this new SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$conf_tmp"
# Choose SSL Library version (1, 2(LibreSSL) or 3) and build CA # Generate CA Key
case "$osslv_major" in case "$EASYRSA_ALGO" in
rsa)
# Version agnostic CA generation easyrsa_openssl genpkey -algorithm "$EASYRSA_ALGO" \
# The only remaining option which is version dependent is -nodes/-noenc -pkeyopt rsa_keygen_bits:"$EASYRSA_ALGO_PARAMS" \
1|2|3) -out "$out_key_tmp" \
# Generate CA Key ${cipher+ "$cipher"} \
case "$EASYRSA_ALGO" in ${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
rsa) ${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
easyrsa_openssl genpkey -algorithm "$EASYRSA_ALGO" \ || die "Failed create CA private key"
-pkeyopt rsa_keygen_bits:"$EASYRSA_ALGO_PARAMS" \
-out "$out_key_tmp" \
${cipher+ "$cipher"} \
${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
|| die "Failed create CA private key"
;;
ec)
easyrsa_openssl genpkey -paramfile "$EASYRSA_ALGO_PARAMS" \
-out "$out_key_tmp" \
${cipher+ "$cipher"} \
${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
|| die "Failed create CA private key"
;;
ed)
easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" \
-out "$out_key_tmp" \
${cipher+ "$cipher"} \
${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
|| die "Failed create CA private key"
;;
*) die "Unknown algorithm: $EASYRSA_ALGO"
esac
# Generate the CA keypair:
# shellcheck disable=SC2086 # Double quote to prevent ..
easyrsa_openssl req -utf8 -new \
-key "$out_key_tmp" -keyout "$out_key_tmp" \
-out "$out_file_tmp" \
${ssl_batch+ -batch} \
${x509+ -x509} \
${date_stamp+ -days "$EASYRSA_CA_EXPIRE"} \
${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \
${EASYRSA_NO_PASS+ "$no_password"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \
${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \
|| die "Failed to build the CA certificate"
;; ;;
*) die "build-ca ssl lib: $osslv_major" ec)
easyrsa_openssl genpkey -paramfile "$EASYRSA_ALGO_PARAMS" \
-out "$out_key_tmp" \
${cipher+ "$cipher"} \
${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
|| die "Failed create CA private key"
;;
ed)
easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" \
-out "$out_key_tmp" \
${cipher+ "$cipher"} \
${EASYRSA_PASSOUT:+ -pass "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -pass file:"$out_key_pass_tmp"} \
|| die "Failed create CA private key"
;;
*) die "Unknown algorithm: $EASYRSA_ALGO"
esac esac
# Generate the CA keypair:
# shellcheck disable=SC2086 # Double quote to prevent ..
easyrsa_openssl req -utf8 -new \
-key "$out_key_tmp" -keyout "$out_key_tmp" \
-out "$out_file_tmp" \
${ssl_batch+ -batch} \
${x509+ -x509} \
${date_stamp+ -days "$EASYRSA_CA_EXPIRE"} \
${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \
${EASYRSA_NO_PASS+ "$no_password"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \
${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \
|| die "Failed to build the CA certificate"
# Remove passphrase temp-file # Remove passphrase temp-file
if [ -f "$out_key_pass_tmp" ]; then if [ -f "$out_key_pass_tmp" ]; then
rm "$out_key_pass_tmp" || die "\ rm "$out_key_pass_tmp" || die "\
@ -1506,14 +1510,17 @@ Failed to remove the CA passphrase temp-file!"
# Success messages # Success messages
if [ "$sub_ca" ]; then if [ "$sub_ca" ]; then
notice "\ notice "\
NOTE: Your intermediate CA request is at $out_file Your intermediate CA request is at:
and now must be sent to your parent CA for signing. Place your resulting cert * $out_file
at $EASYRSA_PKI/ca.crt prior to signing operations." and now must be sent to your parent CA for signing.
Place your resulting cert at:
* $EASYRSA_PKI/ca.crt
prior to signing operations."
else else
notice "\ notice "\
CA creation complete and you may now import and sign cert requests. CA creation complete. Your new CA certificate is at:
Your new CA certificate file for publishing is at: * $out_file"
$out_file"
fi fi
return 0 return 0