Fixed broken nopass option in build-ca subcommand

2018-02-26 15:42:05 +01:00 · 2018-02-26 15:42:05 +01:00 · a6be9e9df7
commit a6be9e9df7
parent 02532b2311
1 changed files with 32 additions and 22 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -417,11 +417,13 @@ Your newly created PKI dir is: $EASYRSA_PKI
 build_ca() {
 	opts=""
 	sub_ca=""
 	nopass=""
 	crypto="-aes256"
 	crypto_opts=""
 	while [ -n "$1" ]; do
 		case "$1" in
 			nopass) opts="$opts -nodes " ;;
 			subca) sub_ca=1 ;;
 			nopass) nopass=1 ;;
 			*) warn "Ignoring unknown command option: '$1'" ;;
 		esac
 		shift
@ -466,9 +468,10 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 	out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
 	# shellcheck disable=SC2154
 	out_key_pass_tmp="$(mktemp "$out_key_pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
 	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
 	# Get password from user if necessary
 	if [ ! $nopass ]; then
 		out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
 		printf "Enter New CA Key Passphrase: "
 		stty -echo
 		read -r kpass
@ -485,21 +488,28 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 		else
 			die "Passphrases do not match."
 		fi
 	fi
 	# create the CA key using AES256
 	[ ! $nopass ] && crypto_opts="$crypto -passout file:$out_key_pass_tmp"
 	if [ "$EASYRSA_ALGO" = "rsa" ]; then
-		"$EASYRSA_OPENSSL" genrsa "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp" "$EASYRSA_ALGO_PARAMS"
+		#shellcheck disable=SC2086
 		"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts "$EASYRSA_ALGO_PARAMS"
 	elif [ "$EASYRSA_ALGO" = "ec" ]; then
-		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | "$EASYRSA_OPENSSL" ec "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
+		#shellcheck disable=SC2086
 		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
 			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
 	fi
 	# create the CA keypair:
 	[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
 	#shellcheck disable=SC2086
 	"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
-		-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
+		-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
 		die "Failed to build the CA"
 	mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
 	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
-	rm "$out_key_pass_tmp"
+	[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"
 	# Success messages
 	if [ $sub_ca ]; then