From 6f138abb5b091fe7715fa7c8c6369d7704b6f177 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 3 Apr 2022 03:13:39 +0100
Subject: [PATCH] Allow build_ca() to accept OpenSSL '-addext' as raw data
Set env:var: EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g" The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command. Creating a CA does not allow for an arbitrary extensions file, therefore extensions must be added via the config file (#526) or via SSL Library option '-addext' (Can be specified to SSL multiple times). Option '-addext' is allowed to be specified multiple times to SSL, therefore, this string must be syntactically correct for SSL not EasyRSA. Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().
Closes: #54
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 21112db..e51f8eb 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -843,6 +843,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # Use this new SSL config for the rest of this function
 EASYRSA_SSL_CONF="$conf_tmp"
+ # When EASYRSA_EXTRA_EXTS is defined, pass it as-is to SSL -addext
+ if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
+ # example: "-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
+ [ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ] || \
+ die "EASYRSA_EXTRA_EXTS: $EASYRSA_EXTRA_EXTS"
+ EASYRSA_CA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS"
+ unset -v EASYRSA_EXTRA_EXTS
+ fi
+
 # Choose SSL Library version (1 or 3) and build CA
 case "$osslv_major" in
 # => BEGIN SSL lib version 
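Review bot: The guard `[ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ]` inspects only the first word, so anything after that leading `-addext` — including `req` options that are not `-addext` — reaches the openssl command unchecked once the variable is expanded unquoted later in build_ca; the comment above the check should state this trust boundary rather than implying the value is validated, e.g. `# Only the leading word is checked; the remainder is trusted operator input passed verbatim to openssl`. The `die` message names the variable but not the reason it was rejected; `die "EASYRSA_EXTRA_EXTS must begin with '-addext': $EASYRSA_EXTRA_EXTS"` tells the user what to fix. The third example in the comment, `-addext baz e:f,g`, carries a space inside the value, and because the variable is word-split on expansion `e:f,g` would arrive at openssl as a separate argument, so the example should show a value without whitespace. build_ca begins before and continues after this hunk.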
@@ -903,6 +912,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -out "$out_file_tmp" ${opts} ${crypto_opts} \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
 die "Failed to build the CA"
 ;;
@@ -963,6 +973,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 #shellcheck disable=SC2086
 easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
 -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+ ${EASYRSA_CA_EXTRA_EXTS} \
 ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
 || die "Failed to build the CA"
 ;;
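Review bot: The added `${EASYRSA_CA_EXTRA_EXTS} \` line in both hunks (the -903/+912 and -963/+973 `req` invocations) relies on unquoted expansion for word splitting, but that expansion also performs pathname globbing, and the `shellcheck disable=SC2086` directive on the line above silences the warning that would flag it; a wildcard SAN such as `-addext subjectAltName=DNS:*.example.com` could be rewritten by the shell if a file matching the pattern exists in the working directory. Disabling globbing around each call, `set -f` on the line before `easyrsa_openssl req` and `set +f` after the `|| die`, keeps the intended splitting while leaving the value literal; alternatively, the requirement that the value contain no shell glob characters should be documented next to the EASYRSA_EXTRA_EXTS check earlier in build_ca. The same fix applies to the second hunk as to the first. Both `case` arms begin before and end after their hunks.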