From cf9e4731b8f2170e529e8b18d64f8f21883ecb85 Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 10:23:31 +0000
Subject: [PATCH 1/7] changed default encrpytion algorithmus for keyfiles from des3 to aes256
---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index a7d6345..3411d9a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -861,7 +861,7 @@ See help output for usage details."
 # parse command options
 shift 2
- local crypto="-des3"
+ local crypto="-aes256"
 while [ -n "$1" ]; do
 case "$1" in
 nopass) crypto= ;;
From bd8583b9585a2a1ed3d3188b01a89ce6a80ba409 Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 11:29:42 +0000
Subject: [PATCH 2/7] added passin and passout option to set-rsa-pass, set-ec-pass and export-p12 to allow passowrd scripting
---
 easyrsa3/easyrsa | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 3411d9a..d67579d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -131,7 +131,9 @@ cmd_help() {
 Export a PKCS#12 file with the keypair specified by "
 opts="
 noca - do not include the ca.crt file in the PKCS12 output
- nokey - do not include the private key in the PKCS12 output" ;;
+ nokey - do not include the private key in the PKCS12 output
+ passin arg - (advanced) See PASS PHRASE ARGUMENTS in openssl
+ passout arg - (advanced) See PASS PHRASE ARGUMENTS in openssl" ;;
 export-p7) text="
 export-p7 [ cmd-opts ]
 Export a PKCS#7 file with the pubkey specified by 
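Review bot: The new `local crypto="-aes256"` default only changes the cipher used to wrap the PEM key; with the openssl releases current at this commit's date the `$key_type` subcommand (rsa or ec, to judge from the help text) still writes traditional PEM whose key is derived from the passphrase by a single MD5 pass of EVP_BytesToKey, so passphrase strength rather than cipher choice remains the limiting factor. A one-line comment above it, `# PEM cipher only; key derivation is openssl's legacy single-pass scheme, not PBKDF2`, would keep that expectation honest, and the commit message could say that keys already encrypted with des3 stay that way until their passphrase is re-set through this command. The identical one-line change is applied again as PATCH 7/7 after the revert in PATCH 6/7, so the note applies there as well. The enclosing function starts and ends outside the hunk.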
@@ -143,7 +145,9 @@ cmd_help() {
 Set a new passphrase on an RSA or EC key for the listed ."
 opts="
 nopass - use no password and leave the key unencrypted
- file - (advanced) treat the file as a raw path, not a short-name" ;;
+ file - (advanced) treat the file as a raw path, not a short-name
+ passin arg - (advanced) See PASS PHRASE ARGUMENTS in openssl
+ passout arg - (advanced) See PASS PHRASE ARGUMENTS in openssl" ;;
 altname|subjectaltname|san) text="
 --subject-alt-name=SAN_FORMAT_STRING
 This global option adds a subjectAltName to the request or issued
@@ -788,10 +792,14 @@ Run easyrsa without commands for usage and command help."
 # opts support
 local want_ca=1
 local want_key=1
+ local passin=""
+ local passout=""
 while [ -n "$1" ]; do
 case "$1" in
- noca) want_ca= ;;
- nokey) want_key= ;;
+ noca) want_ca= ;;
+ nokey) want_key= ;;
+ passin) shift; passin="-passin $1" ;;
+ passout) shift; passout="-passout $1" ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
@@ -825,7 +833,7 @@ Missing key expected at: $key_in"
 # export the p12:
 "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
- -out "$pkcs_out" $pkcs_opts || die "\
+ -out "$pkcs_out" $pkcs_opts $passin $passout || die "\
 Export of p12 failed: see above for related openssl errors."
 ;;
 p7)
@@ -862,10 +870,14 @@ See help output for usage details."
 # parse command options
 shift 2
 local crypto="-aes256"
+ local passin=""
+ local passout=""
 while [ -n "$1" ]; do
 case "$1" in
- nopass) crypto= ;;
- file) file="$raw_file" ;;
+ nopass) crypto= ;;
+ file) file="$raw_file" ;;
+ passin) shift; passin="-passin $1" ;;
+ passout) shift; passout="-passout $1" ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
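Review bot: The added `passin) shift; passin="-passin $1" ;;` and `passout)` cases in the export-p12 option loop (`@@ -788`, and again in the set-pass loop at `@@ -862`) never check that a value follows, so a trailing `passin` shifts past the end of the arguments and leaves `passin="-passin "`, and the value is later expanded unquoted as `$passin $passout` (`@@ -825`, and the set-pass call in the next hunk), so a pass-phrase source containing spaces or glob characters is word-split before it reaches openssl. Store the bare value and quote it at the call site: `passin) shift; [ -n "$1" ] || die "Option passin requires an argument"; passin="$1" ;;` in the loop and `${passin:+-passin "$passin"} ${passout:+-passout "$passout"}` on the openssl line. The new help text could also point users at the `file:`, `env:` or `fd:` sources rather than `pass:`, since a `pass:` value is visible to other users in the process list. The enclosing functions start and end outside these hunks; this whole commit is reverted in PATCH 5/7.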
@@ -879,7 +891,7 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
- "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\
+ "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto $passin $passout || die "\
 Failed to change the private key passphrase. See above for possible openssl error messages."
From 550fb40868966bce63e66311c22ee74836eb0efd Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 11:42:47 +0000
Subject: [PATCH 3/7] revoked files will be moved to subfolders
---
 easyrsa3/easyrsa | 66 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 2 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d67579d..b02b451 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -372,7 +372,7 @@ $help_note"
 [ "$1" = "test" ] && return 0
 # verify expected CA-specific dirs:
- for i in issued certs_by_serial; do
+ for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
 [ -d "$EASYRSA_PKI/$i" ] || die "\
 Missing expected CA dir: $i (perhaps you need to run build-ca?)
 $help_note"
@@ -450,7 +450,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # create necessary files and dirs:
 local err_file="Unable to create necessary PKI files (permissions?)"
- for i in issued certs_by_serial; do
+ for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
 mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
 done
 printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
@@ -715,6 +715,9 @@ at: $crt_in"
 "$EASYRSA_OPENSSL" ca -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\
 Failed to revoke certificate: revocation command failed."
+ # move revoked files so we can reissue certificates with the same name
+ move_revoked $1
+
 notice "\
 IMPORTANT!!!
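Review bot: Adding `revoked/certs_by_serial`, `revoked/private_by_serial` and `revoked/reqs_by_serial` to the verify_ca_init directory list at `@@ -372` makes every PKI created before this commit fail with "Missing expected CA dir" although nothing is wrong with it, because the directories are only created by the build-ca path at `@@ -450` and there is no migration step for existing CAs. Either create the three directories on demand with `mkdir -p` in move_revoked before the first `mv`, or leave them out of the verify list and let the moving code create them. In the `@@ -715` hunk the new call `move_revoked $1` should quote its argument, `move_revoked "$1"`, matching the quoting of `"$crt_in"` on the line above. The enclosing functions start and end outside these hunks; this commit is reverted in PATCH 4/7.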
@@ -724,6 +727,65 @@ infrastructure in order to prevent the revoked cert from being accepted.
 return 0
 } #= revoke()
+# move-revoked
+# moves revoked certificates to an alternative folder
+# allows reissuing certificates with the same name
+move_revoked() {
+ verify_ca_init
+
+ [ -n "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+
+ local crt_in="$EASYRSA_PKI/issued/$1.crt"
+ local key_in="$EASYRSA_PKI/private/$1.key"
+ local req_in="$EASYRSA_PKI/reqs/$1.req"
+
+ verify_file x509 "$crt_in" || die "\
+Unable to move revoked input file. The file is not a valid certificate. Unexpected
+input in file: $crt_in"
+
+ verify_file req "$req_in" || die "\
+Unable to move request. The file is not a valid request. Unexpected
+input in file: $req_in"
+
+ # get the serial number of the certificate -> serial=XXXX
+ local cert_serial="$($EASYRSA_OPENSSL x509 -in $crt_in -noout -serial)"
+ # remove the serial= part -> we only need the XXXX part
+ local cert_serial=${cert_serial##*=}
+
+ local crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
+ local crt_by_serial_revoked="$EASYRSA_PKI/revoked/certs_by_serial/$cert_serial.crt"
+ local key_by_serial_revoked="$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.key"
+ local req_by_serial_revoked="$EASYRSA_PKI/revoked/reqs_by_serial/$cert_serial.req"
+
+
+ # move crt, key and req file to revoked folders
+ mv "$crt_in" "$crt_by_serial_revoked"
+ mv "$req_in" "$req_by_serial_revoked"
+
+ # only move the key if we have it
+ if [ -e "$key_in" ]
+ then
+ mv "$key_in" "$key_by_serial_revoked"
+ fi
+
+ # move the rest of the files (p12, p7, ...)
+ for file in $EASYRSA_PKI/private/$1\.??? 
+ do
+ # get file extension
+ file_ext="${file##*.}"
+
+ mv $file "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
+ done
+
+ # remove the dublicate certificate in the certs_by_serial folder
+ rm "$crt_by_serial"
+
+ return 0
+
+} #= move_revoked()
+
 # gen-crl backend
 gen_crl() {
 verify_ca_init
From 8534e0687215385009d31f8e735f78d34c029fec Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 12:10:41 +0000
Subject: [PATCH 4/7] Revert "revoked files will be moved to subfolders"
This reverts commit 550fb40868966bce63e66311c22ee74836eb0efd.
---
 easyrsa3/easyrsa | 66 ++---------------------------------------------
 1 file changed, 2 insertions(+), 64 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b02b451..d67579d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -372,7 +372,7 @@ $help_note"
 [ "$1" = "test" ] && return 0
 # verify expected CA-specific dirs:
- for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
+ for i in issued certs_by_serial; do
 [ -d "$EASYRSA_PKI/$i" ] || die "\
 Missing expected CA dir: $i (perhaps you need to run build-ca?)
 $help_note"
@@ -450,7 +450,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # create necessary files and dirs:
 local err_file="Unable to create necessary PKI files (permissions?)"
- for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
+ for i in issued certs_by_serial; do
 mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
 done
 printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
@@ -715,9 +715,6 @@ at: $crt_in"
 "$EASYRSA_OPENSSL" ca -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\
 Failed to revoke certificate: revocation command failed."
- # move revoked files so we can reissue certificates with the same name
- move_revoked $1
-
 notice "\
 IMPORTANT!!!
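Review bot: In the new move_revoked function every `mv` and the final `rm "$crt_by_serial"` is unchecked, so a failure midway (permissions, a missing revoked/ directory) leaves the PKI half-migrated while the caller still reports success; the serial is also read with `$EASYRSA_OPENSSL x509 -in $crt_in` where both words are unquoted, unlike the `"$crt_in"` used everywhere else, and `local cert_serial` is declared twice. The loop `for file in $EASYRSA_PKI/private/$1\.???` iterates over the literal pattern when nothing matches, so `mv $file ...` is then attempted on a non-existent path, and the unquoted `$file` would split on spaces in `$EASYRSA_PKI`. The serial line should read `local cert_serial="$("$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -serial)"`; the move section is reworked below. Whether deleting the by-serial copy from certs_by_serial is intended deserves a comment, since index.txt still carries the revoked entry for that serial; the commit is reverted in PATCH 4/7.
```shell
	# move crt, key and req file to revoked folders; stop on the first failure
	mv "$crt_in" "$crt_by_serial_revoked" || die "Failed to move $crt_in"
	mv "$req_in" "$req_by_serial_revoked" || die "Failed to move $req_in"
	# … unchanged: optional key move …
	# move the rest of the files (p12, p7, ...); an unmatched glob yields the pattern itself, so skip it
	for file in "$EASYRSA_PKI/private/$1".???; do
		[ -e "$file" ] || continue
		file_ext="${file##*.}"
		mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext" || die "Failed to move $file"
	done
	# … unchanged: removal of the certs_by_serial copy, return …
```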
@@ -727,65 +724,6 @@ infrastructure in order to prevent the revoked cert from being accepted.
 return 0
 } #= revoke()
-# move-revoked
-# moves revoked certificates to an alternative folder
-# allows reissuing certificates with the same name
-move_revoked() {
- verify_ca_init
-
- [ -n "$1" ] || die "\
-Error: didn't find a file base name as the first argument.
-Run easyrsa without commands for usage and command help."
-
- local crt_in="$EASYRSA_PKI/issued/$1.crt"
- local key_in="$EASYRSA_PKI/private/$1.key"
- local req_in="$EASYRSA_PKI/reqs/$1.req"
-
- verify_file x509 "$crt_in" || die "\
-Unable to move revoked input file. The file is not a valid certificate. Unexpected
-input in file: $crt_in"
-
- verify_file req "$req_in" || die "\
-Unable to move request. The file is not a valid request. Unexpected
-input in file: $req_in"
-
- # get the serial number of the certificate -> serial=XXXX
- local cert_serial="$($EASYRSA_OPENSSL x509 -in $crt_in -noout -serial)"
- # remove the serial= part -> we only need the XXXX part
- local cert_serial=${cert_serial##*=}
-
- local crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
- local crt_by_serial_revoked="$EASYRSA_PKI/revoked/certs_by_serial/$cert_serial.crt"
- local key_by_serial_revoked="$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.key"
- local req_by_serial_revoked="$EASYRSA_PKI/revoked/reqs_by_serial/$cert_serial.req"
-
-
- # move crt, key and req file to revoked folders
- mv "$crt_in" "$crt_by_serial_revoked"
- mv "$req_in" "$req_by_serial_revoked"
-
- # only move the key if we have it
- if [ -e "$key_in" ]
- then
- mv "$key_in" "$key_by_serial_revoked"
- fi
-
- # move the rest of the files (p12, p7, ...)
- for file in $EASYRSA_PKI/private/$1\.??? 
- do
- # get file extension
- file_ext="${file##*.}"
-
- mv $file "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
- done
-
- # remove the dublicate certificate in the certs_by_serial folder
- rm "$crt_by_serial"
-
- return 0
-
-} #= move_revoked()
-
 # gen-crl backend
 gen_crl() {
 verify_ca_init
From 127488692de9c42561720a0b17cdf11ff56581e5 Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 12:11:16 +0000
Subject: [PATCH 5/7] Revert "added passin and passout option to set-rsa-pass, set-ec-pass and export-p12 to allow passowrd scripting"
This reverts commit bd8583b9585a2a1ed3d3188b01a89ce6a80ba409.
---
 easyrsa3/easyrsa | 28 ++++++++--------------------
 1 file changed, 8 insertions(+), 20 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d67579d..3411d9a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -131,9 +131,7 @@ cmd_help() {
 Export a PKCS#12 file with the keypair specified by "
 opts="
 noca - do not include the ca.crt file in the PKCS12 output
- nokey - do not include the private key in the PKCS12 output
- passin arg - (advanced) See PASS PHRASE ARGUMENTS in openssl
- passout arg - (advanced) See PASS PHRASE ARGUMENTS in openssl" ;;
+ nokey - do not include the private key in the PKCS12 output" ;;
 export-p7) text="
 export-p7 [ cmd-opts ]
 Export a PKCS#7 file with the pubkey specified by "
@@ -145,9 +143,7 @@ cmd_help() {
 Set a new passphrase on an RSA or EC key for the listed ."
 opts="
 nopass - use no password and leave the key unencrypted
- file - (advanced) treat the file as a raw path, not a short-name
- passin arg - (advanced) See PASS PHRASE ARGUMENTS in openssl
- passout arg - (advanced) See PASS PHRASE ARGUMENTS in openssl" ;;
+ file - (advanced) treat the file as a raw path, not a short-name" ;;
 altname|subjectaltname|san) text="
 --subject-alt-name=SAN_FORMAT_STRING
 This global option adds a subjectAltName to the request or issued 
@@ -792,14 +788,10 @@ Run easyrsa without commands for usage and command help."
 # opts support
 local want_ca=1
 local want_key=1
- local passin=""
- local passout=""
 while [ -n "$1" ]; do
 case "$1" in
- noca) want_ca= ;;
- nokey) want_key= ;;
- passin) shift; passin="-passin $1" ;;
- passout) shift; passout="-passout $1" ;;
+ noca) want_ca= ;;
+ nokey) want_key= ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
@@ -833,7 +825,7 @@ Missing key expected at: $key_in"
 # export the p12:
 "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
- -out "$pkcs_out" $pkcs_opts $passin $passout || die "\
+ -out "$pkcs_out" $pkcs_opts || die "\
 Export of p12 failed: see above for related openssl errors."
 ;;
 p7)
@@ -870,14 +862,10 @@ See help output for usage details."
 # parse command options
 shift 2
 local crypto="-aes256"
- local passin=""
- local passout=""
 while [ -n "$1" ]; do
 case "$1" in
- nopass) crypto= ;;
- file) file="$raw_file" ;;
- passin) shift; passin="-passin $1" ;;
- passout) shift; passout="-passout $1" ;;
+ nopass) crypto= ;;
+ file) file="$raw_file" ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
@@ -891,7 +879,7 @@ $file"
 If the key is currently encrypted you must supply the decryption passphrase. ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
- "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto $passin $passout || die "\
+ "$EASYRSA_OPENSSL" $key_type -in "$file" -out "$file" $crypto || die "\
 Failed to change the private key passphrase. See above for possible openssl error messages."
From d89231ab2dae87887536e684b035f70407e52150 Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 12:11:31 +0000
Subject: [PATCH 6/7] Revert "changed default encrpytion algorithmus for keyfiles from des3 to aes256"
This reverts commit cf9e4731b8f2170e529e8b18d64f8f21883ecb85.
---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 3411d9a..a7d6345 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -861,7 +861,7 @@ See help output for usage details."
 # parse command options
 shift 2
- local crypto="-aes256"
+ local crypto="-des3"
 while [ -n "$1" ]; do
 case "$1" in
 nopass) crypto= ;;
From 3124b419232554c620e9777cdd263152e1dded14 Mon Sep 17 00:00:00 2001
From: keros
Date: Wed, 13 May 2015 12:14:05 +0000
Subject: [PATCH 7/7] changed default encrpytion algorithmus for keyfiles from des3 to aes256
---
 easyrsa3/easyrsa | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index a7d6345..3411d9a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -861,7 +861,7 @@ See help output for usage details."
 # parse command options
 shift 2
- local crypto="-des3"
+ local crypto="-aes256"
 while [ -n "$1" ]; do
 case "$1" in
 nopass) crypto= ;;