nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow build_ca() to accept OpenSSL '-addext' as raw data

Browse Source 
Set env:var:
EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g"

The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command.

Creating a CA does not allow for an arbitrary extensions file, therefore
extensions must be added via the config file (#526) or via SSL Library
option '-addext' (Can be specified to SSL multiple times).

Option '-addext' is allowed to be specified multiple times to SSL,
therefore, this string must be syntactically correct for SSL not EasyRSA.

Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid
triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().

Closes: #54

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-04-03 03:13:39 +01:00
parent bce4dadc43
commit 6f138abb5b
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
easyrsa3/easyrsa
View File

@ -843,6 +843,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
# Use this new SSL config for the rest of this function # Use this new SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$conf_tmp"
# When EASYRSA_EXTRA_EXTS is defined, pass it as-is to SSL -addext
if [ -n "$EASYRSA_EXTRA_EXTS" ]; then
# example: "-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
[ "${EASYRSA_EXTRA_EXTS%% *}" = '-addext' ] || \
die "EASYRSA_EXTRA_EXTS: $EASYRSA_EXTRA_EXTS"
EASYRSA_CA_EXTRA_EXTS="$EASYRSA_EXTRA_EXTS"
unset -v EASYRSA_EXTRA_EXTS
fi
# Choose SSL Library version (1 or 3) and build CA # Choose SSL Library version (1 or 3) and build CA
case "$osslv_major" in # => BEGIN SSL lib version case "$osslv_major" in # => BEGIN SSL lib version
@ -903,6 +912,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
# shellcheck disable=SC2086 # shellcheck disable=SC2086
easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \ easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
-out "$out_file_tmp" ${opts} ${crypto_opts} \ -out "$out_file_tmp" ${opts} ${crypto_opts} \
${EASYRSA_CA_EXTRA_EXTS} \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
die "Failed to build the CA" die "Failed to build the CA"
;; ;;
@ -963,6 +973,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
#shellcheck disable=SC2086 #shellcheck disable=SC2086
easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \ easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
-keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \ -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
${EASYRSA_CA_EXTRA_EXTS} \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
|| die "Failed to build the CA" || die "Failed to build the CA"
;; ;;