Merge branch 'TinCanTech-reorder-output'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2023-01-20 21:14:10 +00:00
commit bff759d48f
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246


@ -69,8 +69,8 @@ Here is the list of commands available with a short syntax reminder. Use the
DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: $work_dir
PKI: $pki_dir
x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined}
"
x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined}"
} # => usage()
# Detailed command help
@ -576,7 +576,7 @@ confirm() {
value="$2"
msg="$3"
input=""
print "
print "\
$msg
Type the word '$value' to continue, or any other input to abort."
@ -720,12 +720,7 @@ Temporary session not preserved."
*) warn "Host OS undefined."
esac
if [ "$EASYRSA_BATCH" ] || [ "$EASYRSA_SILENT" ]
then
: # ok
else
print # To get a clean line
fi
[ "$EASYRSA_SILENT" ] || print # Get a clean line
# Clear traps
trap - 0 1 2 3 6 15
@ -891,6 +886,7 @@ easyrsa_openssl() {
verify_ssl_lib() {
# Run once only
[ "$EASYRSA_SSL_OK" ] && die "verify_ssl_lib - Overloaded"
EASYRSA_SSL_OK=1
# redirect std-err to ignore missing etc/ssl/openssl.cnf file
val="$("$EASYRSA_OPENSSL" version 2>/dev/null)"
@ -929,13 +925,7 @@ $error_msg"
;;
*) die "Unsupported SSL library: $osslv_major"
esac
information "Using SSL: $EASYRSA_OPENSSL ${val}"
EASYRSA_SSL_OK=1
# Verify EASYRSA_SSL_CONF file exists
[ -f "$EASYRSA_SSL_CONF" ] || die "\
The OpenSSL config file cannot be found.
Expected location: $EASYRSA_SSL_CONF"
ssl_version="$val"
} # => verify_ssl_lib()
# Basic sanity-check of PKI init and complain if missing
@ -1049,7 +1039,7 @@ and initialize a fresh PKI here."
ecparams certs_by_serial
do
# # # shellcheck disable=SC2115 # Use "${var:?}"
rm -rf "$EASYRSA_PKI/${i}" || \
rm -rf "$EASYRSA_PKI/$i" || \
die "init-pki soft reset failed."
done
;;
@ -1213,6 +1203,9 @@ install_data_to_pki() {
"${EASYRSA_PKI}/${vars_file}" && \
new_vars_true=1
fi
# Use set_var to set vars, do not clobber $vars
set_var vars "${EASYRSA_PKI}/${vars_file}"
;;
vars-setup)
: ;; # No change to current 'vars' required
@ -1541,37 +1534,41 @@ gen_dh() {
DH parameters file already exists
at: $out_file"
else
# warn the user, give them a chance to force overwrite
# warn the user, allow to force overwrite
confirm "Overwrite? " "yes" "\
DH parameters file already exists
at: $out_file"
fi
fi
# Create a temp file, otherwise user abort leaves an incomplete dh.pem
tmp_dh_file="$(easyrsa_mktemp)" || die "Failed to create temp DH file"
# Create a temp file
# otherwise user abort leaves an incomplete dh.pem
tmp_dh_file="$(easyrsa_mktemp)" || \
die "Failed to create temp DH file"
# Generate dh.pem
"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" "$EASYRSA_KEY_SIZE" || \
die "Failed to generate DH params"
"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \
"$EASYRSA_KEY_SIZE" || \
die "Failed to generate DH params"
# Validate dh.pem
"$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" -check -noout || \
die "Failed to validate DH params"
"$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" \
-check -noout || \
die "Failed to validate DH params"
mv -f "$tmp_dh_file" "$out_file" || die "Failed to move temp DH file"
mv -f "$tmp_dh_file" "$out_file" || \
die "Failed to move temp DH file"
notice "\
DH parameters of size $EASYRSA_KEY_SIZE created
at: $out_file"
notice "
DH parameters of size $EASYRSA_KEY_SIZE created at:
* $out_file"
return 0
} # => gen_dh()
# gen-req and key backend:
gen_req() {
# pull filename base and use as default interactive CommonName:
# pull filename, use as default interactive CommonName
[ "$1" ] || die "\
Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands."
@ -1582,9 +1579,13 @@ Run easyrsa without commands for usage and commands."
# Set ssl batch mode and Default commonName, as required
if [ "$EASYRSA_BATCH" ]; then
ssl_batch=1
[ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1"
# If EASYRSA_REQ_CN is set to something other than
# ChangeMe then keep user defined value
[ "$EASYRSA_REQ_CN" = ChangeMe ] && \
export EASYRSA_REQ_CN="$1"
else
# --req-cn must be used with --batch, otherwise use default
# --req-cn must be used with --batch
# otherwise use file-name
export EASYRSA_REQ_CN="$1"
fi
@ -1604,7 +1605,7 @@ Run easyrsa without commands for usage and commands."
nopass)
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;;
# batch flag supports internal callers needing silent operation
# batch flag supports internal caller build_full()
batch) ssl_batch=1 ;;
*) warn "Ignoring unknown command option: '$1'"
esac
@ -1619,14 +1620,18 @@ WARNING!!!
An existing private key was found at $key_out
Continuing with key generation will replace this key."
# When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section:
# When EASYRSA_EXTRA_EXTS is defined,
# append it to openssl's [req] section:
if [ "$EASYRSA_EXTRA_EXTS" ]; then
# Check for insert-marker in ssl config file
if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then
if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"
then
die "\
The copy of openssl-easyrsa.cnf in use does not support request extensions.
The copy of openssl-easyrsa.cnf in use \
does not support request extensions.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
Please update openssl-easyrsa.cnf \
to the latest official release."
fi
# Setup & insert the extra ext data keyed by a magic line
@ -1634,24 +1639,28 @@ Please update openssl-easyrsa.cnf to the latest official release."
req_extensions = req_extra
[ req_extra ]
$EASYRSA_EXTRA_EXTS"
# shellcheck disable=SC2016 # vars don't expand in single quote
# vars don't expand in single quote
# shellcheck disable=SC2016
awkscript='
{if ( match($0, "^#%EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next }
{print}
}'
conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
conf_tmp="$(easyrsa_mktemp)" || die "\
gen_req - easyrsa_mktemp - conf_tmp"
print "$extra_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \
|| die "Copying SSL config to temp file failed"
# Use this new SSL config for the rest of this function
|| die "Writing SSL config to temp file failed"
# Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp"
fi
# Name temp files
key_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
req_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
key_out_tmp="$(easyrsa_mktemp)" || die "\
gen_req - easyrsa_mktemp - key_out_tmp"
req_out_tmp="$(easyrsa_mktemp)" || die "\
gen_req - easyrsa_mktemp - req_out_tmp"
# Set Edwards curve name or elliptic curve parameters file
algo_opts=""
@ -1677,8 +1686,8 @@ $EASYRSA_EXTRA_EXTS"
# Success messages
notice "\
Keypair and certificate request completed. Your files are:
req: $req_out
key: $key_out"
* req: $req_out
* key: $key_out${build_full+ $NL}"
return 0
} # => gen_req()
@ -1700,13 +1709,16 @@ sign_req() {
easyrsa_random 16
)" || die "sign_req - easyrsa_random"
# Print random $serial to pki/serial file for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial"
# Print random $serial to pki/serial file
# for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || \
die "sign_req - serial"
# Check for duplicate serial in CA db
# Always errors out - Do not capture error
check_serial="$(
easyrsa_openssl ca -status "$serial" 2>&1
)" # Always errors out - Do not capture error
)" || :
case "$check_serial" in
*"not present in db"*)
@ -1746,13 +1758,14 @@ Expected to find the request at: $req_in"
# Certificate file must NOT exist
[ ! -e "$crt_out" ] || die "\
Cannot sign this request for '$2', a certificate already exists
at: $crt_out"
Cannot sign this request for '$2'.
Conflicting certificate already exists at:
* $crt_out"
# Confirm input is a cert req
verify_file req "$req_in" || die "\
The certificate request file is not in a valid X509 request format.
File Path: $req_in"
The certificate request file is not in a valid X509 format:
* $req_in"
# Get fixed dates by --fix-offset
if [ "$EASYRSA_FIX_OFFSET" ]; then
@ -1760,49 +1773,59 @@ File Path: $req_in"
start_fixdate end_fixdate
fi
# When EASYRSA_CP_EXT is defined, adjust openssl's [default_ca] section:
# When EASYRSA_CP_EXT is defined,
# adjust openssl's [default_ca] section:
if [ "$EASYRSA_CP_EXT" ]; then
# Check for insert-marker in ssl config file
if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"; then
if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"
then
die "\
The copy of openssl-easyrsa.cnf in use does not support --copy-ext.
The copy of openssl-easyrsa.cnf in use \
does not support --copy-ext.
* $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release."
Please update openssl-easyrsa.cnf \
to the latest official release."
fi
# Setup & insert the copy_extensions data keyed by a magic line
# Setup & insert the copy_extensions data
# keyed by a magic line
copy_exts="copy_extensions = copy"
# shellcheck disable=SC2016 # vars don't expand in single quote
# shellcheck disable=SC2016 # vars don't expand ''
awkscript='
{if ( match($0, "^#%COPY_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next }
{print}
}'
conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
conf_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - conf_tmp"
print "$copy_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \
|| die "Copying SSL config to temp file failed"
# Use this new SSL config for the rest of this function
|| die "Writing SSL config to temp file failed"
# Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp"
fi
# Generate the extensions file for this cert:
ext_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
ext_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - ext_tmp"
{
# Append first any COMMON file (if present) then the cert-type extensions
# Append COMMON and cert-type extensions
cat "$EASYRSA_EXT_DIR/COMMON" || \
die "Failed to read X509-type COMMON"
cat "$EASYRSA_EXT_DIR/$crt_type" || \
die "Failed to read X509-type $crt_type"
# Support a dynamic CA path length when present:
if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
# Print the last occurence of basicContraints in x509-types/ca
# If basicContraints not defined then bail
# shellcheck disable=SC2016 # vars don't expand in ''
awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
END { if (length(bC) == 0 ) exit 1; print bC }'
if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]
then
# Print the last occurence of basicContraints in
# x509-types/ca
# If basicContraints is not defined then bail
# shellcheck disable=SC2016 # vars don't expand ''
awkscript='\
/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
END { if (length(bC) == 0 ) exit 1; print bC }'
basicConstraints="$(
awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type"
)" || die "\
@ -1811,17 +1834,24 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v basicConstraints
fi
# Deprecated Netscape extension support, if enabled
# Deprecated Netscape extension support
case "$EASYRSA_NS_SUPPORT" in
[yY][eE][sS])
# Netscape extension
case "$crt_type" in
serverClient) print "nsCertType = serverClient" ;;
server) print "nsCertType = server" ;;
client) print "nsCertType = client" ;;
ca) print "nsCertType = sslCA" ;;
*) die "Unknown certificate type: $crt_type"
serverClient)
print "nsCertType = serverClient" ;;
server)
print "nsCertType = server" ;;
client)
print "nsCertType = client" ;;
ca)
print "nsCertType = sslCA" ;;
*)
die "Unknown certificate type: $crt_type"
esac
# Netscape comment
[ "$EASYRSA_NS_COMMENT" ] && \
print "nsComment = \"$EASYRSA_NS_COMMENT\""
@ -1835,9 +1865,10 @@ basicConstraints is not defined, cannot use 'pathlen'"
print "$EASYRSA_EXTRA_EXTS"
else
# or default server SAN
# If type is server and no subjectAltName was requested,
# add one to the extensions file
if [ "$crt_type" = 'server' ] || [ "$crt_type" = 'serverClient' ];
# If type is server and no subjectAltName was
# requested then add one to the extensions file
if [ "$crt_type" = 'server' ] || \
[ "$crt_type" = 'serverClient' ];
then
# req san or default server SAN
san="$(display_san req "$req_in")"
@ -1847,33 +1878,41 @@ basicConstraints is not defined, cannot use 'pathlen'"
default_server_san "$req_in"
fi
fi
# or externally set EASYRSA_EXTRA_EXTS
# Add any advanced extensions supplied by env-var:
[ -z "$EASYRSA_EXTRA_EXTS" ] || print "$EASYRSA_EXTRA_EXTS"
# Add user set EASYRSA_EXTRA_EXTS
[ -z "$EASYRSA_EXTRA_EXTS" ] || \
print "$EASYRSA_EXTRA_EXTS"
fi
} > "$ext_tmp" || die "\
Failed to create temp extension file (bad permissions?) at:
$ext_tmp"
* $ext_tmp"
# Display the request subject in an easy-to-read format
# Confirm the user wishes to sign this request
# Support batch by internal caller:
#[ "$3" = "batch" ] ||
confirm "Confirm request details: " "yes" "\
You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.
Please check over the details shown below for accuracy. \
Note that this request
has not been cryptographically verified. Please be sure \
it came from a trusted
source or that you have verified the request checksum \
with the sender.
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
Request subject, to be signed as a $crt_type certificate \
for $EASYRSA_CERT_EXPIRE days:
$(display_dn req "$req_in")
" # => confirm end
# Assign temp cert file
crt_out_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - crt_out_tmp"
# sign request
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \
easyrsa_openssl ca -utf8 -in "$req_in" \
-out "$crt_out_tmp" -extfile "$ext_tmp" \
-days "$EASYRSA_CERT_EXPIRE" -batch \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
${EASYRSA_NO_TEXT:+-notext} \
${EASYRSA_FIX_OFFSET+ -startdate "$start_fixdate"} \
@ -1881,11 +1920,10 @@ $(display_dn req "$req_in")
|| die "\
Signing failed (openssl output above may have more detail)"
mv "$crt_out_tmp" "$crt_out"
#rm -f "$ext_tmp"
mv "$crt_out_tmp" "$crt_out" || \
die "Failed to move temp-file to certificate."
# Success messages
#unset -v EASYRSA_BATCH # This is why batch mode should not silence output
notice "\
Certificate created at:
* $crt_out"
@ -1917,7 +1955,6 @@ Run easyrsa without commands for usage and commands."
nopass)
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;;
inline) EASYRSA_INLINE=1 ;;
*) warn "Ignoring unknown command option: '$1'"
esac
shift
@ -1954,6 +1991,7 @@ Option conflict:
EASYRSA_REQ_CN="$name"
# create request
build_full=1
gen_req "$name" batch
# Sign it
@ -4650,6 +4688,11 @@ Sourcing the vars file and building certificates will probably fail ..'
# Verify selected algorithm and parameters
verify_algo_params
# Last setup msg
information "\
Using SSL: $EASYRSA_OPENSSL $ssl_version
"
else
# If the directory does not exist then we have not run init-pki
# The temp-dir is ALWAYS verified by secure_session()
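Review bot: The init-pki soft-reset loop in the `@ -1049` hunk still deletes `"$EASYRSA_PKI/$i"` with SC2115 silenced rather than guarded; since that line is being rewritten anyway, `rm -rf "${EASYRSA_PKI:?}/$i" || \` makes the shell abort with a message instead of running `rm -rf /$i` should EASYRSA_PKI ever be empty or unset at that point, and the `# shellcheck disable=SC2115` line can then be dropped. Whether an earlier check already guarantees EASYRSA_PKI is non-empty is not visible in the hunk, so the parameter-expansion guard is cheap insurance either way. A smaller point in this last hunk: the new `Using SSL:` message reads `$ssl_version`, which is only assigned at the end of verify_ssl_lib(), so any path that reaches this message without verify_ssl_lib() having run would print an empty version; a one-line `# ssl_version is assigned by verify_ssl_lib()` above the information call would make that dependency visible. The enclosing function of each hunk starts and ends outside the hunk.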