From 3f4e77092d7aab44a70790f0fb173bc9e76e68d9 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 19:57:51 +0100 Subject: [PATCH 01/12] libressl: add esayrsa3/safessl-easyrsa.cnf to .gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 9101272..8e1f584 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ easyrsa3/pki/* easyrsa3/vars +easyrsa3/safessl-easyrsa.cnf From 000b47712add7a68cb50b5685978ba861f9af247 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:03:36 +0100 Subject: [PATCH 02/12] libressl: prepare openssl-easyrsa.cnf for use with libressl --- easyrsa3/openssl-easyrsa.cnf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/openssl-easyrsa.cnf b/easyrsa3/openssl-easyrsa.cnf index d9109b5..4167031 100644 --- a/easyrsa3/openssl-easyrsa.cnf +++ b/easyrsa3/openssl-easyrsa.cnf @@ -1,4 +1,4 @@ -# For use with Easy-RSA 3.0 and OpenSSL 1.0.* +# For use with Easy-RSA 3.1 and OpenSSL or LibreSSL RANDFILE = $ENV::EASYRSA_PKI/.rnd From b6472563130f98e9f5c38efbbcee16b888f7f966 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:12:55 +0100 Subject: [PATCH 03/12] libressl: introduce function make_ssl_config This function reads openssl-easyrsa.cnf and then removes "ENV::" and replaces "$vars" with value then writes the results to safessl-easyrsa.cnf --- easyrsa3/easyrsa | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cede5b1..467dc6d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -287,6 +287,28 @@ clean_temp() { done } # => clean_temp() +# Make LibreSSL safe config file from OpenSSL config file +make_ssl_config() { +sed -e "s,ENV::,,g" \ + -e "s,\$dir,$EASYRSA_PKI,g" \ + -e "s,\$EASYRSA_PKI,$EASYRSA_PKI,g" \ + -e "s,\$EASYRSA_CERT_EXPIRE,$EASYRSA_CERT_EXPIRE,g" \ + -e "s,\$EASYRSA_CRL_DAYS,$EASYRSA_CRL_DAYS,g" \ + -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \ + -e "s,\$EASYRSA_KEY_SIZE,$EASYRSA_KEY_SIZE,g" \ + -e "s,\$EASYRSA_DIGEST,$EASYRSA_DIGEST,g" \ + -e "s,\$EASYRSA_DN,$EASYRSA_DN,g" \ + -e "s,\$EASYRSA_REQ_COUNTRY,$EASYRSA_REQ_COUNTRY,g" \ + -e "s,\$EASYRSA_REQ_PROVINCE,$EASYRSA_REQ_PROVINCE,g" \ + -e "s,\$EASYRSA_REQ_CITY,$EASYRSA_REQ_CITY,g" \ + -e "s,\$EASYRSA_REQ_ORG,$EASYRSA_REQ_ORG,g" \ + -e "s,\$EASYRSA_REQ_OU,$EASYRSA_REQ_OU,g" \ + -e "s,\$EASYRSA_REQ_CN,$EASYRSA_REQ_CN,g" \ + -e "s,\$EASYRSA_REQ_EMAIL,$EASYRSA_REQ_EMAIL,g" \ + "$EASYRSA_SSL_CONF" > "$EASYRSA_SAFE_CONF" || die "\ +Failed to update $EASYRSA_SAFE_CONF" +} # => make_ssl_config() + vars_source_check() { # Check for defined EASYRSA_PKI [ -n "$EASYRSA_PKI" ] || die "\ From 6c171b7882c516faeaceea317024564a21f5ce0f Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:22:43 +0100 Subject: [PATCH 04/12] libressl: switch to using safessl-easyrsa.cnf Keep openssl-easyrsa.cnf but switch to using safessl-easyrsa.cnf Has the benefit of fixing easyrsa3 openssl version check for libressl --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 467dc6d..0aaec32 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1162,7 +1162,9 @@ Note: using Easy-RSA configuration from: $vars" # Detect openssl config, preferring EASYRSA_PKI over EASYRSA if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf" else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" + set_var EASYRSA_SAFE_CONF "$EASYRSA/safessl-easyrsa.cnf" fi # Same as above for the x509-types extensions dir @@ -1181,7 +1183,7 @@ Note: using Easy-RSA configuration from: $vars" fi # Setting OPENSSL_CONF prevents bogus warnings (especially useful on win32) - export OPENSSL_CONF="$EASYRSA_SSL_CONF" + export OPENSSL_CONF="$EASYRSA_SAFE_CONF" } # vars_setup() # variable assignment by indirection when undefined; merely exports From 9fafe1c3524c67cdde1744799fc18a7e4472fffe Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:29:35 +0100 Subject: [PATCH 05/12] libressl: add notify SSL library in use --- easyrsa3/easyrsa | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0aaec32..5bb01ba 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -318,7 +318,9 @@ EASYRSA_PKI env-var undefined" if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" case "${val%% *}" in - OpenSSL|LibreSSL) ;; + OpenSSL|LibreSSL) + notice "\ +Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;; *) die "\ Missing or invalid OpenSSL Expected to find openssl command at: $EASYRSA_OPENSSL" From af9b01944e1bbf1779210b50717fafdacb4ea6f1 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 20:36:48 +0100 Subject: [PATCH 06/12] libressl: use make_ssl_config() for easyrsa openssl version check --- easyrsa3/easyrsa | 3 +++ 1 file changed, 3 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5bb01ba..5d6ffd7 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -314,6 +314,9 @@ vars_source_check() { [ -n "$EASYRSA_PKI" ] || die "\ EASYRSA_PKI env-var undefined" + # make safessl-easyrsa.cnf + make_ssl_config + # Verify EASYRSA_OPENSSL command gives expected output if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" From 95871dca5e44464b0219f8562f23dda37d185422 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:05:26 +0100 Subject: [PATCH 07/12] libressl: use make_ssl_config and safessl-easyrsa.cnf for build_ca --- easyrsa3/easyrsa | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5d6ffd7..a325e73 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -527,11 +527,15 @@ current CA keypair. If you intended to start a new CA, run init-pki first." "$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \ "$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts fi + + # make safessl-easyrsa.cnf + make_ssl_config + # create the CA keypair: [ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp" #shellcheck disable=SC2086 "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \ - -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \ + -config "$EASYRSA_SAFE_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \ die "Failed to build the CA" mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2= From 247199489e72bd04f70b66d94b06cea6a479b1d0 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:10:57 +0100 Subject: [PATCH 08/12] libressl: use make_ssl_config and safessl-easyrsa.cnf for gen_req --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a325e73..c0ff406 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -626,13 +626,16 @@ $EASYRSA_EXTRA_EXTS" EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF" fi + # make safessl-easyrsa.cnf + make_ssl_config + key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" # shellcheck disable=SC2086 "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \ - -config "$EASYRSA_SSL_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ + -config "$EASYRSA_SAFE_CONF" -keyout "$key_out_tmp" -out "$req_out_tmp" $opts \ || die "Failed to generate request" mv "$key_out_tmp" "$key_out"; EASYRSA_TEMP_FILE_2= mv "$req_out_tmp" "$req_out"; EASYRSA_TEMP_FILE_3= From 185a5b671fc4cf4d09e088435ce9f3f121b80f3a Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:12:39 +0100 Subject: [PATCH 09/12] libressl: use make_ssl_config and safessl-easyrsa.cnf for sign_req --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c0ff406..871ca34 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -745,10 +745,13 @@ $(display_dn req "$req_in") Failed to create temp extension file (bad permissions?) at: $EASYRSA_TEMP_EXT" + # make safessl-easyrsa.cnf + make_ssl_config + # sign request # shellcheck disable=SC2086 crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" - "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ + "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SAFE_CONF" \ -extfile "$EASYRSA_TEMP_EXT" -days "$EASYRSA_CERT_EXPIRE" -batch $opts \ || die "signing failed (openssl output above may have more detail)" mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= From 0d1c17a0e99b517636faa499554348b8fa7842d1 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:16:32 +0100 Subject: [PATCH 10/12] libressl: use make_ssl_config and safessl-easyrsa.cnf for gen_crl --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 871ca34..db6eb36 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -847,9 +847,12 @@ infrastructure in order to prevent the revoked cert from being accepted. gen_crl() { verify_ca_init + # make safessl-easyrsa.cnf + make_ssl_config + out_file="$EASYRSA_PKI/crl.pem" out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp" - "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\ + "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SAFE_CONF" || die "\ CRL Generation failed. " mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_2= From 24913874f58844c580a000227af1b089f62d5a45 Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:20:53 +0100 Subject: [PATCH 11/12] libressl: use make_ssl_config and safessl-easyrsa.cnf for revoke --- easyrsa3/easyrsa | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index db6eb36..cef181e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -831,7 +831,10 @@ $(display_dn x509 "$crt_in") Unable to revoke as no certificate was found. Certificate was expected at: $crt_in" - "$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\ + # make safessl-easyrsa.cnf + make_ssl_config + + "$EASYRSA_OPENSSL" ca -utf8 -revoke "$crt_in" -config "$EASYRSA_SAFE_CONF" || die "\ Failed to revoke certificate: revocation command failed." notice "\ From c14f3c6b169ea503894f5d4247ecd83bdae5d2eb Mon Sep 17 00:00:00 2001 From: Richard Bonhomme Date: Thu, 23 Aug 2018 21:26:30 +0100 Subject: [PATCH 12/12] libressl: minor style corrections --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cef181e..44475d6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -321,12 +321,12 @@ EASYRSA_PKI env-var undefined" if [ -z "$EASYRSA_SSL_OK" ]; then val="$("$EASYRSA_OPENSSL" version)" case "${val%% *}" in - OpenSSL|LibreSSL) + OpenSSL|LibreSSL) notice "\ Using SSL: $EASYRSA_OPENSSL $("$EASYRSA_OPENSSL" version)" ;; *) die "\ Missing or invalid OpenSSL -Expected to find openssl command at: $EASYRSA_OPENSSL" +Expected to find openssl command at: $EASYRSA_OPENSSL" ;; esac fi EASYRSA_SSL_OK=1