From b3e4c638bfada816ce13b163737e7d1c2b55d37c Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 20 Jan 2023 15:48:28 +0000 Subject: [PATCH 1/3] Re-order output messages and subsequent newlines for aesthetics Remove unused EASYRSA_ININE, satisfy shellcheck. Wrap long lines. Minor improvements to comments and error messages. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 78 +++++++++++++++++++++++++++--------------------- 1 file changed, 44 insertions(+), 34 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 18a096d..3575d15 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -69,8 +69,8 @@ Here is the list of commands available with a short syntax reminder. Use the DIRECTORY STATUS (commands would take effect on these locations) EASYRSA: $work_dir PKI: $pki_dir - x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} -" + x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined}" + } # => usage() # Detailed command help @@ -576,7 +576,7 @@ confirm() { value="$2" msg="$3" input="" - print " + print "\ $msg Type the word '$value' to continue, or any other input to abort." @@ -720,12 +720,7 @@ Temporary session not preserved." *) warn "Host OS undefined." esac - if [ "$EASYRSA_BATCH" ] || [ "$EASYRSA_SILENT" ] - then - : # ok - else - print # To get a clean line - fi + [ "$EASYRSA_SILENT" ] || print # Get a clean line # Clear traps trap - 0 1 2 3 6 15 @@ -891,6 +886,7 @@ easyrsa_openssl() { verify_ssl_lib() { # Run once only [ "$EASYRSA_SSL_OK" ] && die "verify_ssl_lib - Overloaded" + EASYRSA_SSL_OK=1 # redirect std-err to ignore missing etc/ssl/openssl.cnf file val="$("$EASYRSA_OPENSSL" version 2>/dev/null)" 
@@ -929,13 +925,7 @@ $error_msg" ;; *) die "Unsupported SSL library: $osslv_major" esac - information "Using SSL: $EASYRSA_OPENSSL ${val}" - EASYRSA_SSL_OK=1 - - # Verify EASYRSA_SSL_CONF file exists - [ -f "$EASYRSA_SSL_CONF" ] || die "\ -The OpenSSL config file cannot be found. -Expected location: $EASYRSA_SSL_CONF" + ssl_version="$val" } # => verify_ssl_lib() # Basic sanity-check of PKI init and complain if missing @@ -1049,7 +1039,7 @@ and initialize a fresh PKI here." ecparams certs_by_serial do # # # shellcheck disable=SC2115 # Use "${var:?}" - rm -rf "$EASYRSA_PKI/${i}" || \ + rm -rf "$EASYRSA_PKI/$i" || \ die "init-pki soft reset failed." done ;; @@ -1213,6 +1203,9 @@ install_data_to_pki() { "${EASYRSA_PKI}/${vars_file}" && \ new_vars_true=1 fi + + # Use set_var to set vars, do not clobber $vars + set_var vars "${EASYRSA_PKI}/${vars_file}" ;; vars-setup) : ;; # No change to current 'vars' required @@ -1571,7 +1564,7 @@ at: $out_file" # gen-req and key backend: gen_req() { - # pull filename base and use as default interactive CommonName: + # pull filename base and use as default interactive CommonName [ "$1" ] || die "\ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." @@ -1582,9 +1575,13 @@ Run easyrsa without commands for usage and commands." # Set ssl batch mode and Default commonName, as required if [ "$EASYRSA_BATCH" ]; then ssl_batch=1 - [ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1" + # If EASYRSA_REQ_CN is set to something other than + # ChangeMe then keep user defined value + [ "$EASYRSA_REQ_CN" = ChangeMe ] && \ + export EASYRSA_REQ_CN="$1" else - # --req-cn must be used with --batch, otherwise use default + # --req-cn must be used with --batch + # otherwise use file-name export EASYRSA_REQ_CN="$1" fi 
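Review bot: The `[ -f "$EASYRSA_SSL_CONF" ] || die` existence check is deleted from verify_ssl_lib with no visible replacement anywhere in this series, and the commit message only talks about re-ordering messages, so the removal looks unintentional. After this change a missing or mis-set openssl-easyrsa.cnf is only noticed when a later openssl invocation fails, or, for EASYRSA_EXTRA_EXTS/--copy-ext, when `grep -q` on the absent file returns non-zero and the script dies with the misleading "does not support request extensions" message. Keep the check next to the new `ssl_version="$val"` line: `[ -f "$EASYRSA_SSL_CONF" ] || die "The OpenSSL config file cannot be found. Expected location: $EASYRSA_SSL_CONF"`. verify_ssl_lib starts outside this hunk.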
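Review bot: The touched `rm -rf "$EASYRSA_PKI/$i"` still depends on `$EASYRSA_PKI` being non-empty, and the shellcheck disable comment directly above it already names the guard (`Use "${var:?}"`). Since the line is being edited anyway, `rm -rf "${EASYRSA_PKI:?}/$i" || \` aborts instead of recursing into `/$i` should the variable ever be unset, and the SC2115 suppression can then be dropped. Whether EASYRSA_PKI is validated earlier is not visible here, so treat this as cheap insurance rather than a confirmed bug. The init-pki reset loop's enclosing function starts and ends outside the hunk.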
@@ -1604,7 +1601,7 @@ Run easyrsa without commands for usage and commands." nopass) [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 ;; - # batch flag supports internal callers needing silent operation + # batch flag supports internal caller build_full() batch) ssl_batch=1 ;; *) warn "Ignoring unknown command option: '$1'" esac @@ -1619,14 +1616,18 @@ WARNING!!! An existing private key was found at $key_out Continuing with key generation will replace this key." - # When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section: + # When EASYRSA_EXTRA_EXTS is defined, + # append it to openssl's [req] section: if [ "$EASYRSA_EXTRA_EXTS" ]; then # Check for insert-marker in ssl config file - if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then + if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF" + then die "\ -The copy of openssl-easyrsa.cnf in use does not support request extensions. +The copy of openssl-easyrsa.cnf in use \ +does not support request extensions. * $EASYRSA_SSL_CONF -Please update openssl-easyrsa.cnf to the latest official release." +Please update openssl-easyrsa.cnf \ +to the latest official release." fi # Setup & insert the extra ext data keyed by a magic line 
@@ -1634,24 +1635,28 @@ Please update openssl-easyrsa.cnf to the latest official release." req_extensions = req_extra [ req_extra ] $EASYRSA_EXTRA_EXTS" - # shellcheck disable=SC2016 # vars don't expand in single quote + # vars don't expand in single quote + # shellcheck disable=SC2016 awkscript=' {if ( match($0, "^#%EXTRA_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } {print} }' - conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + conf_tmp="$(easyrsa_mktemp)" || die "\ +gen_req - easyrsa_mktemp - conf_tmp" print "$extra_exts" | \ awk "$awkscript" "$EASYRSA_SSL_CONF" \ > "$conf_tmp" \ - || die "Copying SSL config to temp file failed" - # Use this new SSL config for the rest of this function + || die "Writing SSL config to temp file failed" + # Use this SSL config for the rest of this function EASYRSA_SSL_CONF="$conf_tmp" fi # Name temp files - key_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" - req_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + key_out_tmp="$(easyrsa_mktemp)" || die "\ +gen_req - easyrsa_mktemp - key_out_tmp" + req_out_tmp="$(easyrsa_mktemp)" || die "\ +gen_req - easyrsa_mktemp - req_out_tmp" # Set Edwards curve name or elliptic curve parameters file algo_opts="" @@ -1677,8 +1682,8 @@ $EASYRSA_EXTRA_EXTS" # Success messages notice "\ Keypair and certificate request completed. Your files are: -req: $req_out -key: $key_out" +* req: $req_out +* key: $key_out${build_full+ $NL}" return 0 } # => gen_req() @@ -1917,7 +1922,6 @@ Run easyrsa without commands for usage and commands." nopass) [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 ;; - inline) EASYRSA_INLINE=1 ;; *) warn "Ignoring unknown command option: '$1'" esac shift @@ -1954,6 +1958,7 @@ Option conflict: EASYRSA_REQ_CN="$name" # create request + build_full=1 gen_req "$name" batch # Sign it 
@@ -4650,6 +4655,11 @@ Sourcing the vars file and building certificates will probably fail ..' # Verify selected algorithm and parameters verify_algo_params + # Last setup msg + information "\ +Using SSL: $EASYRSA_OPENSSL $ssl_version +" + else # If the directory does not exist then we have not run init-pki # The temp-dir is ALWAYS verified by secure_session() From e6aa6f63933a642e8e66a1376be7fb446919c0c7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 20 Jan 2023 16:23:04 +0000 Subject: [PATCH 2/3] gen_dh(): Wrap long lines Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 28 ++++++++++++++++------------ 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3575d15..cc826e8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1534,30 +1534,34 @@ gen_dh() { DH parameters file already exists at: $out_file" else - # warn the user, give them a chance to force overwrite + # warn the user, allow to force overwrite confirm "Overwrite? " "yes" "\ DH parameters file already exists at: $out_file" fi fi - # Create a temp file, otherwise user abort leaves an incomplete dh.pem - tmp_dh_file="$(easyrsa_mktemp)" || die "Failed to create temp DH file" + # Create a temp file + # otherwise user abort leaves an incomplete dh.pem + tmp_dh_file="$(easyrsa_mktemp)" || \ + die "Failed to create temp DH file" # Generate dh.pem - "$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" "$EASYRSA_KEY_SIZE" || \ - die "Failed to generate DH params" + "$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \ + "$EASYRSA_KEY_SIZE" || \ + die "Failed to generate DH params" # Validate dh.pem - "$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" -check -noout || \ - die "Failed to validate DH params" + "$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" \ + -check -noout || \ + die "Failed to validate DH params" - mv -f "$tmp_dh_file" "$out_file" || die "Failed to move temp DH file" + mv -f "$tmp_dh_file" "$out_file" || \ + die "Failed to move temp DH file" - notice "\ - -DH parameters of size $EASYRSA_KEY_SIZE created -at: $out_file" + notice " +DH parameters of size $EASYRSA_KEY_SIZE created at: +* $out_file" return 0 } # => gen_dh() From 00d7a69788afd0d0db0891338c7d11c97f681d73 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 20 Jan 2023 17:21:52 +0000 Subject: [PATCH 3/3] sign_req(): Wrap long lines, improve error messages and comments Add extra check for successfully moving of temp-file to certificate. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 127 +++++++++++++++++++++++++++++------------------ 1 file changed, 78 insertions(+), 49 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cc826e8..b5c19e3 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1568,7 +1568,7 @@ DH parameters of size $EASYRSA_KEY_SIZE created at: # gen-req and key backend: gen_req() { - # pull filename base and use as default interactive CommonName + # pull filename, use as default interactive CommonName [ "$1" ] || die "\ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." @@ -1709,13 +1709,16 @@ sign_req() { easyrsa_random 16 )" || die "sign_req - easyrsa_random" - # Print random $serial to pki/serial file for use by SSL config - print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial" + # Print random $serial to pki/serial file + # for use by SSL config + print "$serial" > "$EASYRSA_PKI/serial" || \ + die "sign_req - serial" # Check for duplicate serial in CA db + # Always errors out - Do not capture error check_serial="$( easyrsa_openssl ca -status "$serial" 2>&1 - )" # Always errors out - Do not capture error + )" || : case "$check_serial" in *"not present in db"*) @@ -1755,13 +1758,14 @@ Expected to find the request at: $req_in" # Certificate file must NOT exist [ ! -e "$crt_out" ] || die "\ -Cannot sign this request for '$2', a certificate already exists -at: $crt_out" +Cannot sign this request for '$2'. +Conflicting certificate already exists at: +* $crt_out" # Confirm input is a cert req verify_file req "$req_in" || die "\ -The certificate request file is not in a valid X509 request format. -File Path: $req_in" +The certificate request file is not in a valid X509 format: +* $req_in" # Get fixed dates by --fix-offset if [ "$EASYRSA_FIX_OFFSET" ]; then 
@@ -1769,49 +1773,59 @@ File Path: $req_in" start_fixdate end_fixdate fi - # When EASYRSA_CP_EXT is defined, adjust openssl's [default_ca] section: + # When EASYRSA_CP_EXT is defined, + # adjust openssl's [default_ca] section: if [ "$EASYRSA_CP_EXT" ]; then # Check for insert-marker in ssl config file - if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"; then + if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF" + then die "\ -The copy of openssl-easyrsa.cnf in use does not support --copy-ext. +The copy of openssl-easyrsa.cnf in use \ +does not support --copy-ext. * $EASYRSA_SSL_CONF -Please update openssl-easyrsa.cnf to the latest official release." +Please update openssl-easyrsa.cnf \ +to the latest official release." fi - # Setup & insert the copy_extensions data keyed by a magic line + # Setup & insert the copy_extensions data + # keyed by a magic line copy_exts="copy_extensions = copy" - # shellcheck disable=SC2016 # vars don't expand in single quote + # shellcheck disable=SC2016 # vars don't expand '' awkscript=' {if ( match($0, "^#%COPY_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } {print} }' - conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + conf_tmp="$(easyrsa_mktemp)" || \ + die "sign_req - easyrsa_mktemp - conf_tmp" print "$copy_exts" | \ awk "$awkscript" "$EASYRSA_SSL_CONF" \ > "$conf_tmp" \ - || die "Copying SSL config to temp file failed" - # Use this new SSL config for the rest of this function + || die "Writing SSL config to temp file failed" + # Use this SSL config for the rest of this function EASYRSA_SSL_CONF="$conf_tmp" fi # Generate the extensions file for this cert: - ext_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + ext_tmp="$(easyrsa_mktemp)" || \ + die "sign_req - easyrsa_mktemp - ext_tmp" { - # Append first any COMMON file (if present) then the cert-type extensions + # Append COMMON and cert-type extensions cat "$EASYRSA_EXT_DIR/COMMON" || \ die "Failed to read X509-type COMMON" cat 
"$EASYRSA_EXT_DIR/$crt_type" || \ die "Failed to read X509-type $crt_type" # Support a dynamic CA path length when present: - if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then - # Print the last occurence of basicContraints in x509-types/ca - # If basicContraints not defined then bail - # shellcheck disable=SC2016 # vars don't expand in '' - awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 } - END { if (length(bC) == 0 ) exit 1; print bC }' + if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] + then + # Print the last occurence of basicContraints in + # x509-types/ca + # If basicContraints is not defined then bail + # shellcheck disable=SC2016 # vars don't expand '' + awkscript='\ +/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 } +END { if (length(bC) == 0 ) exit 1; print bC }' basicConstraints="$( awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type" )" || die "\ @@ -1820,17 +1834,24 @@ basicConstraints is not defined, cannot use 'pathlen'" unset -v basicConstraints fi - # Deprecated Netscape extension support, if enabled + # Deprecated Netscape extension support case "$EASYRSA_NS_SUPPORT" in [yY][eE][sS]) + # Netscape extension case "$crt_type" in - serverClient) print "nsCertType = serverClient" ;; - server) print "nsCertType = server" ;; - client) print "nsCertType = client" ;; - ca) print "nsCertType = sslCA" ;; - *) die "Unknown certificate type: $crt_type" + serverClient) + print "nsCertType = serverClient" ;; + server) + print "nsCertType = server" ;; + client) + print "nsCertType = client" ;; + ca) + print "nsCertType = sslCA" ;; + *) + die "Unknown certificate type: $crt_type" esac + # Netscape comment [ "$EASYRSA_NS_COMMENT" ] && \ print "nsComment = \"$EASYRSA_NS_COMMENT\"" 
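Review bot: The `copy_exts="copy_extensions = copy"` line encodes a trust decision that the hunk leaves undocumented: with `copy_extensions = copy`, `openssl ca` imports every extension present in the CSR that the generated extfile does not already define, so a requester can introduce extensions the CA operator never configured. EASYRSA_CP_EXT is opt-in, but a comment at that line would keep future callers from enabling it casually, e.g. `# 'copy' imports any CSR extension the extfile does not override; only use for requests from a trusted source`. sign_req starts before this hunk and ends after it.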
@@ -1844,9 +1865,10 @@ basicConstraints is not defined, cannot use 'pathlen'" print "$EASYRSA_EXTRA_EXTS" else # or default server SAN - # If type is server and no subjectAltName was requested, - # add one to the extensions file - if [ "$crt_type" = 'server' ] || [ "$crt_type" = 'serverClient' ]; + # If type is server and no subjectAltName was + # requested then add one to the extensions file + if [ "$crt_type" = 'server' ] || \ + [ "$crt_type" = 'serverClient' ]; then # req san or default server SAN san="$(display_san req "$req_in")" 
@@ -1856,33 +1878,41 @@ basicConstraints is not defined, cannot use 'pathlen'" default_server_san "$req_in" fi fi - # or externally set EASYRSA_EXTRA_EXTS - # Add any advanced extensions supplied by env-var: - [ -z "$EASYRSA_EXTRA_EXTS" ] || print "$EASYRSA_EXTRA_EXTS" + + # Add user set EASYRSA_EXTRA_EXTS + [ -z "$EASYRSA_EXTRA_EXTS" ] || \ + print "$EASYRSA_EXTRA_EXTS" fi } > "$ext_tmp" || die "\ Failed to create temp extension file (bad permissions?) at: -$ext_tmp" +* $ext_tmp" # Display the request subject in an easy-to-read format # Confirm the user wishes to sign this request # Support batch by internal caller: - #[ "$3" = "batch" ] || confirm "Confirm request details: " "yes" "\ You are about to sign the following certificate. -Please check over the details shown below for accuracy. Note that this request -has not been cryptographically verified. Please be sure it came from a trusted -source or that you have verified the request checksum with the sender. +Please check over the details shown below for accuracy. \ +Note that this request +has not been cryptographically verified. Please be sure \ +it came from a trusted +source or that you have verified the request checksum \ +with the sender. 
-Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days: +Request subject, to be signed as a $crt_type certificate \ +for $EASYRSA_CERT_EXPIRE days: $(display_dn req "$req_in") " # => confirm end + # Assign temp cert file + crt_out_tmp="$(easyrsa_mktemp)" || \ + die "sign_req - easyrsa_mktemp - crt_out_tmp" + # sign request - crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" - easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \ - -extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \ + easyrsa_openssl ca -utf8 -in "$req_in" \ + -out "$crt_out_tmp" -extfile "$ext_tmp" \ + -days "$EASYRSA_CERT_EXPIRE" -batch \ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \ ${EASYRSA_NO_TEXT:+-notext} \ ${EASYRSA_FIX_OFFSET+ -startdate "$start_fixdate"} \ @@ -1890,11 +1920,10 @@ $(display_dn req "$req_in") || die "\ Signing failed (openssl output above may have more detail)" - mv "$crt_out_tmp" "$crt_out" - #rm -f "$ext_tmp" + mv "$crt_out_tmp" "$crt_out" || \ + die "Failed to move temp-file to certificate." # Success messages - #unset -v EASYRSA_BATCH # This is why batch mode should not silence output notice "\ Certificate created at: * $crt_out"
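Review bot: The new `mv "$crt_out_tmp" "$crt_out" || die` fires after `openssl ca` has already committed the issuance, so the CA index and serial are updated even though `$crt_out` never appears, and the message should say so rather than leave the operator thinking nothing was signed (re-running sign-req would consume another serial). If the temp directory is removed on exit as the cleanup hunk in the first patch suggests, `$crt_out_tmp` will be gone too, so point at the copy openssl writes to its new_certs_dir (presumably certs_by_serial, given the init-pki reset list). Something like `die "Signed certificate could not be moved to $crt_out. The issuance is already recorded in the CA database; look in certs_by_serial/."` gives enough to recover. sign_req starts outside this hunk.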