diff --git a/.travis.yml b/.travis.yml index c8c00b1..ee78c60 100644 --- a/.travis.yml +++ b/.travis.yml @@ -19,4 +19,3 @@ matrix: script: - openssl version - sh op_test.sh -vv - diff --git a/ChangeLog b/ChangeLog index 1ad201d..359f30c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -82,11 +82,11 @@ Easy-RSA 3 ChangeLog * 8b42eea Make aes256 default, replacing 3des (keros: Github) - + * f2f4ac8 Make -utf8 default (roubert: Github) - + 3.0.0-rc2 (2014/07/27) * 1551e5f docs: fix typo diff --git a/Licensing/gpl-2.0.txt b/Licensing/gpl-2.0.txt index 1f963da..d159169 100644 --- a/Licensing/gpl-2.0.txt +++ b/Licensing/gpl-2.0.txt @@ -337,4 +337,3 @@ proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. - diff --git a/README.md b/README.md index b846238..6130c19 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Overview easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, -this means to create a root certificate authority, and request and sign +this means to create a root certificate authority, and request and sign certificates, including intermediate CAs and certificate revocation lists (CRL). # Downloads 
@@ -25,13 +25,13 @@ seek help using Easy-RSA: The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users) is a good place to post usage or help questions. -You can also try IRC at Freenode/#openvpn for general support or Freenode/#easyrsa for development discussion. +You can also try libera.chat IRC network, in channels #openvpn for general support or #easyrsa for development discussion. # Branch structure The easy-rsa master branch is currently tracking development for the 3.x release -cycle. Please note that, at any given time, master may be broken. Feel free to -create issues against master, but have patience when using the master branch. It +cycle. Please note that, at any given time, master may be broken. Feel free to +create issues against master, but have patience when using the master branch. It is recommended to use a release, and priority will be given to bugs identified in the most recent release. diff --git a/build/build-dist.sh b/build/build-dist.sh index eeb762f..b152da1 100755 --- a/build/build-dist.sh +++ b/build/build-dist.sh @@ -39,7 +39,7 @@ note() { echo "build-dist NOTE: $1"; } # ask before dangerous things confirm() { - [ "$2" ] && return + [ -n "$2" ] && return printf "%s y/n: " "$1" read r [ "$r" = "y" ] || die "user abort" @@ -70,14 +70,14 @@ dist_clean() { stage_unix() { # make our unix stage if it doesn't exist mkdir -p "$DIST_ROOT/unix/$PV" - + # Copy files into $PV, starting with easyrsa3 as the initial root dir src_files="easyrsa3/. Licensing/. COPYING.md ChangeLog README.md README.quickstart.md doc" for f in $src_files do cp -R "$SRC_ROOT/$f" "$DIST_ROOT/unix/$PV/" || die "failed to copy $f" done - + # FreeBSD does not accept -i without argument in a way also acceptable by GNU sed sed -i.tmp -e "s/~VER~/$VERSION/" \ -e "s/~DATE~/$(date)/" \ @@ -95,7 +95,7 @@ stage_win() { do # make our windows stage if it doesn't exist mkdir -p "$DIST_ROOT/$win/$PV" - + # make doc dir mkdir -p "$DIST_ROOT/$win/$PV/doc" 
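Review bot: `read r` in the confirm() prompt reads the reply without `-r`, so a backslash in the input is interpreted instead of compared literally; since the only accepted answer is a literal `y`, this should be `read -r r` (ShellCheck SC2162). The new `[ -n "$2" ]` is equivalent to the old single-argument `[ "$2" ]` under POSIX test, so the change is cosmetic, but it does make explicit that any non-empty second argument silently bypasses the prompt that the comment says guards "dangerous things"; that is fine only as long as callers pass it deliberately, which this hunk cannot show. confirm() ends outside this hunk.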
@@ -106,28 +106,28 @@ stage_win() { rm -f "$SRC_ROOT/$f.tmp" python -m markdown "$SRC_ROOT/$f" > "$DIST_ROOT/$win/$PV/${f%.md}.html" || die "Failed to convert markdown to HTML" done - + # Copy files into $PV, starting with easyrsa3 as the initial root dir src_files="easyrsa3/. ChangeLog COPYING.md Licensing distro/windows/Licensing distro/windows/bin distro/windows/$win/lib* distro/windows/$win/openssl.exe" for f in $src_files do cp -R "$SRC_ROOT/$f" "$DIST_ROOT/$win/$PV/" || die "failed to copy $f" done - + src_files="README-Windows.txt EasyRSA-Start.bat" for f in $src_files do cp -R "$SRC_ROOT/distro/windows/$f" "$DIST_ROOT/$win/$PV/" || die "failed to copy $f" unix2dos "$DIST_ROOT/$win/$PV/$f" || die "unix2dos conversion failed for $f" done - + sed -i.tmp -e "s/~VER~/$VERSION/" \ -e "s/~DATE~/$(date)/" \ -e "s/~HOST~/$(hostname -s)/" \ -e "s/~GITHEAD~/$(git rev-parse HEAD)/" \ "$DIST_ROOT/$win/$PV/easyrsa" || die "Cannot update easyrsa version data" rm -f "$DIST_ROOT/$win/$PV/easyrsa.tmp" - + # files not included rm -rf "$DIST_ROOT/$win/$PV/doc/TODO" || die "failed rm TODO" done @@ -135,14 +135,14 @@ stage_win() { make_tar() { (cd "$DIST_ROOT/unix/"; tar -czf "../${PV}.tgz" "$PV") || die "tar failed" - note "tarball created at: $DIST_ROOT/${PV}.tgz" + note "tarball created at: $DIST_ROOT/${PV}.tgz" } make_zip() { for win in win32 win64; do (cd "$DIST_ROOT/$win/"; zip -qr "../${PV}-$win.zip" "$PV") || die "zip failed" - note "zip file created at: $DIST_ROOT/${PV}-$win.zip" + note "zip file created at: $DIST_ROOT/${PV}-$win.zip" done } diff --git a/distro/README b/distro/README index a74711f..a767be2 100644 --- a/distro/README +++ b/distro/README @@ -2,4 +2,3 @@ This distro/ directory contains distro/platform specific tools. Components that are not platform neutral end up here, sorted into further dirs based on the platform. - diff --git a/distro/windows/EasyRSA-Start.bat b/distro/windows/EasyRSA-Start.bat index 5bd117c..1983751 100644 
--- a/distro/windows/EasyRSA-Start.bat +++ b/distro/windows/EasyRSA-Start.bat @@ -1,2 +1,2 @@ -@echo OFF -bin\sh.exe bin\easyrsa-shell-init.sh \ No newline at end of file +@echo OFF +bin\sh.exe bin\easyrsa-shell-init.sh diff --git a/distro/windows/README-OpenSSL.txt b/distro/windows/README-OpenSSL.txt index 2cd8e63..103f46a 100644 --- a/distro/windows/README-OpenSSL.txt +++ b/distro/windows/README-OpenSSL.txt @@ -1,4 +1,3 @@ ----------------------------------------------------------------------- -OpenSSL v1.1.1g from https://bintray.com/vszakats/generic/openssl +OpenSSL v1.1.1g from https://bintray.com/vszakats/generic/openssl ----------------------------------------------------------------------- - diff --git a/distro/windows/README-Windows.txt b/distro/windows/README-Windows.txt index 5be84fa..4c3dfac 100644 --- a/distro/windows/README-Windows.txt +++ b/distro/windows/README-Windows.txt @@ -3,7 +3,7 @@ Easy-RSA 3 Windows README Easy-RSA 3 runs POSIX shell code, so use on Windows has some additional requirements: an OpenSSL installation, and a usable shell environment. -The Windows packages of EasyRSA 3.0.7+ include an OpenSSL binary and +The Windows packages of EasyRSA 3.0.7+ include an OpenSSL binary and libraries that will be used by default. If you want to use a system binary instead, remove the openssl.exe and the lib*.dll files from the bin directory. @@ -107,8 +107,8 @@ Contents of this file: 4.1: mksh/Win32 A special thanks is in order to the mksh/Win32 project and its primary - maintainer, Michael Langguth . This shell offers featurs + maintainer, Michael Langguth . This shell offers features that allow Easy-RSA to run smoothly under Windows; by using mksh/Win32, Easy-RSA can deliver the same PKI flexibility to all major platforms. - + vim: wrap tw=80 expandtab diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md index 3e4d87b..5aca35d 100644 --- a/doc/EasyRSA-Advanced.md +++ b/doc/EasyRSA-Advanced.md 
@@ -120,5 +120,5 @@ possible terse description is shown below: password using any openssl password options like pass:1234 or env:var * `EASYRSA_PASSOUT` (CLI: `--passout`) - allows to specify a source for password using any openssl password options like pass:1234 or env:var - + **NOTE:** the global options need to be provided before the actual commands. diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md index b47ff36..070f8d9 100644 --- a/doc/EasyRSA-Readme.md +++ b/doc/EasyRSA-Readme.md @@ -236,4 +236,3 @@ In order to obtain a signed certificate, the request file must be sent to the CA for signing; this step is obviously not required if a single PKI is used as both the CA and keypair/request generation as the generated request is already "imported." - diff --git a/doc/TODO b/doc/TODO index f3c3b6d..d7dc456 100644 --- a/doc/TODO +++ b/doc/TODO @@ -9,7 +9,7 @@ Feature support: * Keep platform-specific tools separate from platform-neutral code * add detection for duplicate CN prior to OpenSSL failure * This gets tricky if `updatedb` requires a CA passphrase - * It would help to warn users before OpenSSL throws errors + * It would help to warn users before OpenSSL throws errors Longer term wishlist: * Support openssl's -password source mechanism: diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cfbfd06..617ed6f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -106,8 +106,8 @@ cmd_help() { inline - create an inline credentials file for this node" ;; revoke) text=" revoke [reason] - Revoke a certificate specified by the filename_base, with an optional - revocation reason that is one of: + Revoke a certificate specified by the filename_base, with an optional + revocation reason that is one of: unspecified keyCompromise CACompromise 
@@ -542,7 +542,7 @@ $help_note" # init-pki backend: init_pki() { - # If EASYRSA_PKI exists, confirm before we rm -rf (skiped with EASYRSA_BATCH) + # If EASYRSA_PKI exists, confirm before we rm -rf (skipped with EASYRSA_BATCH) if [ -e "$EASYRSA_PKI" ]; then confirm "Confirm removal: " "yes" " WARNING!!! @@ -557,7 +557,7 @@ and initialize a fresh PKI here." for i in private reqs; do mkdir -p "$EASYRSA_PKI/$i" || die "Failed to create PKI file structure (permissions?)" done - + # Create $EASYRSA_SAFE_CONF ($OPENSSL_CONF) prevents bogus warnings (especially useful on win32) if [ ! -f "$EASYRSA_SSL_CONF" ] && [ -f "$EASYRSA/openssl-easyrsa.cnf" ]; then @@ -1032,7 +1032,7 @@ $(display_dn req "$req_in") # Add any advanced extensions supplied by env-var: [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" - : # needed to keep die from inherting the above test + : # needed to keep die from inheriting the above test } > "$ext_tmp" || die "\ Failed to create temp extension file (bad permissions?) at: $ext_tmp" @@ -1139,7 +1139,7 @@ Run easyrsa without commands for usage and command help." if [ "$2" ]; then opts="$opts -crl_reason $2" fi - + verify_file x509 "$crt_in" || die "\ Unable to revoke as the input file is not a valid certificate. Unexpected input in file: $crt_in" @@ -1232,7 +1232,7 @@ input in file: $req_in" [ -f "$file" ] && mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext" done - # remove the dublicate certificate in the certs_by_serial folder + # remove the duplicate certificate in the certs_by_serial folder rm "$crt_by_serial" return 0 @@ -1429,7 +1429,7 @@ import_req() { # pull passed paths in_req="$1" short_name="$2" - out_req="$EASYRSA_PKI/reqs/$2.req" + out_req="$EASYRSA_PKI/reqs/$2.req" [ -n "$short_name" ] || die "\ Unable to import: incorrect command syntax. 
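Review bot: In the revoke hunk the caller-supplied reason is appended unvalidated in `opts="$opts -crl_reason $2"`, and `opts` is presumably expanded unquoted into the openssl command line later, so a reason containing whitespace would inject extra arguments and a misspelled reason is only caught by openssl's own error message. Since cmd_help already enumerates the accepted reasons, validate here before appending: a `case "$2" in` with one arm listing those reasons and `*) die "Unknown revocation reason: $2" ;;` as the default. The enclosing function starts outside this hunk, so the place where `opts` is consumed is not visible.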
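Review bot: In import_req() the destination `out_req="$EASYRSA_PKI/reqs/$2.req"` is built from the caller-supplied name with no check on its content, so a name containing `/` (for example `../foo`) resolves outside `reqs/`; the existence check in the following hunk only prevents overwriting, not where the file lands. Reject path separators before the name is used, e.g. `case "$short_name" in */*) die "Invalid request name: $short_name" ;; esac`, and use `$short_name` rather than `$2` on the `out_req` line since the variable was just assigned for that purpose. This is a local CA-operator tool, so the practical risk is a misplaced request file rather than an attack, but the check is cheap. import_req() continues past the hunk.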
@@ -1444,7 +1444,7 @@ File Path: $in_req" Unable to import the request as the destination file already exists. Please choose a different name for your imported request file. Existing file at: $out_req" - + # now import it cp "$in_req" "$out_req" @@ -1654,7 +1654,7 @@ default_server_san() { # verify a file seems to be a valid req/X509 verify_file() { - format="$1" + format="$1" path="$2" easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null || return 1 return 0 @@ -1663,8 +1663,8 @@ verify_file() { # show-* command backend # Prints req/cert details in a readable format show() { - type="$1" - name="$2" + type="$1" + name="$2" in_file="" format="" [ -n "$name" ] || die "\ @@ -1676,11 +1676,11 @@ Run easyrsa without commands for usage help." opts="-${type}opt no_pubkey,no_sigdump" while [ -n "$1" ]; do case "$1" in - full) + full) opts="" ;; - *) - warn "Ignoring unknown command option: '$1'" + *) + warn "Ignoring unknown command option: '$1'" ;; esac shift @@ -1786,7 +1786,7 @@ vars_setup() { elif [ -f "$prog_vars" ]; then vars="$prog_vars" fi - + # If a vars file was located, source it # If $EASYRSA_NO_VARS is defined (not blank) this is skipped if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then @@ -1797,13 +1797,13 @@ file. Storing sensitive information in the configuration file is not \ recommended - please remove it from there before continuing." fi #shellcheck disable=SC2034 - EASYRSA_CALLER=1 + EASYRSA_CALLER=1 # shellcheck disable=SC1090 . "$vars" notice "\ Note: using Easy-RSA configuration from: $vars" fi - + # Set defaults, preferring existing env-vars if present set_var EASYRSA "$prog_dir" set_var EASYRSA_OPENSSL openssl 
@@ -1820,7 +1820,7 @@ Note: using Easy-RSA configuration from: $vars" set_var EASYRSA_CURVE secp384r1 set_var EASYRSA_EC_DIR "$EASYRSA_PKI/ecparams" set_var EASYRSA_CA_EXPIRE 3650 - set_var EASYRSA_CERT_EXPIRE 825 # new default of 36 months + set_var EASYRSA_CERT_EXPIRE 825 # new default of 36 months set_var EASYRSA_CERT_RENEW 30 set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no @@ -1835,7 +1835,7 @@ Note: using Easy-RSA configuration from: $vars" # Same as above for the x509-types extensions dir if [ -d "$EASYRSA_PKI/x509-types" ]; then set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" - else + else #TODO: This should be removed. Not really suitable for packaging. set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" fi @@ -1889,7 +1889,7 @@ set_var() { # You can report problems on the normal openvpn support channels: # -------------------------------------------------------------------------- # 1. The Openvpn Forum: https://forums.openvpn.net/viewforum.php?f=31 -# 2. The #easyrsa IRC channel at freenode +# 2. The #easyrsa IRC channel at libera.chat # 3. Info: https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade # -------------------------------------------------------------------------- # @@ -2123,7 +2123,7 @@ up23_upgrade_ca () # Otherwise this is required for all easyrsa v3 #confirm "Set 'unique_subject = no' in index.txt.attr for your current CA: " \ #"yes" "This version of easyrsa requires that 'unique_subject = no' is set correctly" - + printf "%s\n" "unique_subject = no" > "$EASYRSA_PKI/index.txt.attr" up23_verbose "> OK" up23_verbose " Upgraded index.txt.attr to v306+" diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf index 5798bd9..cef658d 100644 --- a/easyrsa3/openssl-easyrsa.cnf +++ b/easyrsa3/openssl-easyrsa.cnf @@ -135,4 +135,3 @@ keyUsage = cRLSign, keyCertSign # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always - 
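Review bot: The comment on `set_var EASYRSA_CERT_EXPIRE 825 # new default of 36 months` contradicts the value: 825 days is roughly 27 months, not 36. The figure presumably follows the CA/Browser Forum's 825-day maximum for leaf certificates, which is worth stating so the next maintainer does not "correct" the number to match the comment. Since the line is touched anyway, change it to `set_var EASYRSA_CERT_EXPIRE 825 # days (~27 months); matches the CA/B Forum leaf-cert maximum`. vars_setup() starts and ends outside this hunk.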
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example index f62f4b1..3108fe4 100644 --- a/easyrsa3/vars.example +++ b/easyrsa3/vars.example @@ -27,7 +27,7 @@ # "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" # A little housekeeping: DON'T EDIT THIS SECTION -# +# # Easy-RSA 3.x doesn't source into the environment directly. # Complain if a user tries to do this: if [ -z "$EASYRSA_CALLER" ]; then @@ -218,4 +218,3 @@ fi # or most output. Setting this to any non-blank string enables batch mode. #set_var EASYRSA_BATCH "" - diff --git a/easyrsa3/x509-types/ca b/easyrsa3/x509-types/ca index ef525b6..0eeeb20 100644 --- a/easyrsa3/x509-types/ca +++ b/easyrsa3/x509-types/ca @@ -10,4 +10,3 @@ basicConstraints = CA:TRUE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = cRLSign, keyCertSign - diff --git a/easyrsa3/x509-types/client b/easyrsa3/x509-types/client index a7d81af..aed0065 100644 --- a/easyrsa3/x509-types/client +++ b/easyrsa3/x509-types/client @@ -5,4 +5,3 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = clientAuth keyUsage = digitalSignature - diff --git a/easyrsa3/x509-types/code-signing b/easyrsa3/x509-types/code-signing index 05de2a5..9a2115b 100644 --- a/easyrsa3/x509-types/code-signing +++ b/easyrsa3/x509-types/code-signing @@ -5,4 +5,3 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = codeSigning keyUsage = digitalSignature - diff --git a/easyrsa3/x509-types/email b/easyrsa3/x509-types/email index 7daa88e..bc8f39e 100644 --- a/easyrsa3/x509-types/email +++ b/easyrsa3/x509-types/email @@ -5,4 +5,3 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = emailProtection keyUsage = digitalSignature,keyEncipherment,nonRepudiation - diff --git a/easyrsa3/x509-types/server b/easyrsa3/x509-types/server index bc024be..8c4d537 100644 --- a/easyrsa3/x509-types/server 
+++ b/easyrsa3/x509-types/server @@ -5,4 +5,3 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth keyUsage = digitalSignature,keyEncipherment - diff --git a/easyrsa3/x509-types/serverClient b/easyrsa3/x509-types/serverClient index 774fe51..8a8a58e 100644 --- a/easyrsa3/x509-types/serverClient +++ b/easyrsa3/x509-types/serverClient @@ -5,4 +5,3 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth,clientAuth keyUsage = digitalSignature,keyEncipherment - diff --git a/wop_test.bat b/wop_test.bat index 1fd241f..507c3d2 100644 --- a/wop_test.bat +++ b/wop_test.bat 
@@ -1,36 +1,35 @@ -@echo off - -IF "%1"=="/SL" (set SAVE_LAYOUT=1) ELSE set SAVE_LAYOUT=0 - -set SYS_ARCH=test -IF %PROCESSOR_ARCHITECTURE%==x86 set SYS_ARCH=win32 -IF %PROCESSOR_ARCHITECTURE%==x86_64 set SYS_ARCH=win64 -IF %PROCESSOR_ARCHITECTURE%==AMD64 set SYS_ARCH=win64 -IF %SYS_ARCH%==test ( - echo Fatal Error: Unknown PROCESSOR_ARCHITECTURE - set SYS_ARCH= - exit /B 1 ) - -set WORK_DIR=%cd% -mkdir %WORK_DIR%\easyrsa3\bin -copy %WORK_DIR%\distro\windows\bin\* %WORK_DIR%\easyrsa3\bin -copy %WORK_DIR%\distro\windows\%SYS_ARCH%\* %WORK_DIR%\easyrsa3\bin -copy %WORK_DIR%\distro\windows\EasyRSA-Start.bat %WORK_DIR%\easyrsa3\EasyRSA-Start.bat -PATH=%PATH%;%WORK_DIR%\easyrsa3\bin;C:\PROGRA~1\openssl - -cmd /C "easyrsa3\bin\sh.exe wop_test.sh" -IF ERRORLEVEL 0 ( - IF %SAVE_LAYOUT% EQU 0 ( - echo rmdir /S /Q %WORK_DIR%\easyrsa3\bin - rmdir /S /Q %WORK_DIR%\easyrsa3\bin - echo del /Q %WORK_DIR%\easyrsa3\EasyRSA-Start.bat - del /Q %WORK_DIR%\easyrsa3\EasyRSA-Start.bat - echo rm %WORK_DIR%\easyrsa3\.rnd - rm %WORK_DIR%\easyrsa3\.rnd - ) ELSE echo NOTICE; Saved Layout -) ELSE echo Error occurred, no clean up - -set SAVE_LAYOUT= -set SYS_ARCH= -pause - +@echo off + +IF "%1"=="/SL" (set SAVE_LAYOUT=1) ELSE set SAVE_LAYOUT=0 + +set SYS_ARCH=test +IF %PROCESSOR_ARCHITECTURE%==x86 set SYS_ARCH=win32 +IF %PROCESSOR_ARCHITECTURE%==x86_64 set SYS_ARCH=win64 +IF %PROCESSOR_ARCHITECTURE%==AMD64 set SYS_ARCH=win64 +IF %SYS_ARCH%==test ( + echo Fatal Error: Unknown PROCESSOR_ARCHITECTURE + set SYS_ARCH= + exit /B 1 ) + +set WORK_DIR=%cd% +mkdir %WORK_DIR%\easyrsa3\bin +copy %WORK_DIR%\distro\windows\bin\* %WORK_DIR%\easyrsa3\bin +copy %WORK_DIR%\distro\windows\%SYS_ARCH%\* %WORK_DIR%\easyrsa3\bin +copy %WORK_DIR%\distro\windows\EasyRSA-Start.bat %WORK_DIR%\easyrsa3\EasyRSA-Start.bat +PATH=%PATH%;%WORK_DIR%\easyrsa3\bin;C:\PROGRA~1\openssl + +cmd /C "easyrsa3\bin\sh.exe wop_test.sh" +IF ERRORLEVEL 0 ( + IF %SAVE_LAYOUT% EQU 0 ( + echo rmdir /S /Q %WORK_DIR%\easyrsa3\bin + rmdir /S /Q 
%WORK_DIR%\easyrsa3\bin + echo del /Q %WORK_DIR%\easyrsa3\EasyRSA-Start.bat + del /Q %WORK_DIR%\easyrsa3\EasyRSA-Start.bat + echo rm %WORK_DIR%\easyrsa3\.rnd + rm %WORK_DIR%\easyrsa3\.rnd + ) ELSE echo NOTICE; Saved Layout +) ELSE echo Error occurred, no clean up + +set SAVE_LAYOUT= +set SYS_ARCH= +pause diff --git a/wop_test.sh b/wop_test.sh index 800102b..ab25bf5 100644 --- a/wop_test.sh +++ b/wop_test.sh @@ -6,7 +6,7 @@ # project; use with other POSIX shells for Windows may require modification to # this wrapper script. -cd easyrsa3 || { echo "ERROR: Cannot find easyrsa3 direcory"; exit 1; } +cd easyrsa3 || { echo "ERROR: Cannot find easyrsa3 directory"; exit 1; } setup_path="${EASYRSA:-$PWD}" export PATH="$setup_path;$setup_path/bin;$PATH"
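Review bot: `IF ERRORLEVEL 0 (` on the new side is always true, because `IF ERRORLEVEL n` tests for an exit code greater than or equal to n, so the cleanup branch runs even when `wop_test.sh` fails and the `Error occurred, no clean up` message is unreachable. Use `IF %ERRORLEVEL% EQU 0 (` (or `IF NOT ERRORLEVEL 1 (`) so a failing test run actually keeps the layout for inspection. Separately, `%WORK_DIR%` is expanded unquoted in the `mkdir`, `copy`, `rmdir /S /Q` and `del /Q` commands, so a checkout path containing spaces breaks them and the recursive delete could act on an unintended prefix; quoting those paths, e.g. `rmdir /S /Q "%WORK_DIR%\easyrsa3\bin"`, avoids that.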