Merge branch 'TinCanTech-reorder-output'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2023-01-20 21:14:10 +00:00
commit bff759d48f
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246


@ -69,8 +69,8 @@ Here is the list of commands available with a short syntax reminder. Use the
DIRECTORY STATUS (commands would take effect on these locations) DIRECTORY STATUS (commands would take effect on these locations)
EASYRSA: $work_dir EASYRSA: $work_dir
PKI: $pki_dir PKI: $pki_dir
x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined}"
"
} # => usage() } # => usage()
# Detailed command help # Detailed command help
@ -576,7 +576,7 @@ confirm() {
value="$2" value="$2"
msg="$3" msg="$3"
input="" input=""
print " print "\
$msg $msg
Type the word '$value' to continue, or any other input to abort." Type the word '$value' to continue, or any other input to abort."
@ -720,12 +720,7 @@ Temporary session not preserved."
*) warn "Host OS undefined." *) warn "Host OS undefined."
esac esac
if [ "$EASYRSA_BATCH" ] || [ "$EASYRSA_SILENT" ] [ "$EASYRSA_SILENT" ] || print # Get a clean line
then
: # ok
else
print # To get a clean line
fi
# Clear traps # Clear traps
trap - 0 1 2 3 6 15 trap - 0 1 2 3 6 15
@ -891,6 +886,7 @@ easyrsa_openssl() {
verify_ssl_lib() { verify_ssl_lib() {
# Run once only # Run once only
[ "$EASYRSA_SSL_OK" ] && die "verify_ssl_lib - Overloaded" [ "$EASYRSA_SSL_OK" ] && die "verify_ssl_lib - Overloaded"
EASYRSA_SSL_OK=1
# redirect std-err to ignore missing etc/ssl/openssl.cnf file # redirect std-err to ignore missing etc/ssl/openssl.cnf file
val="$("$EASYRSA_OPENSSL" version 2>/dev/null)" val="$("$EASYRSA_OPENSSL" version 2>/dev/null)"
@ -929,13 +925,7 @@ $error_msg"
;; ;;
*) die "Unsupported SSL library: $osslv_major" *) die "Unsupported SSL library: $osslv_major"
esac esac
information "Using SSL: $EASYRSA_OPENSSL ${val}" ssl_version="$val"
EASYRSA_SSL_OK=1
# Verify EASYRSA_SSL_CONF file exists
[ -f "$EASYRSA_SSL_CONF" ] || die "\
The OpenSSL config file cannot be found.
Expected location: $EASYRSA_SSL_CONF"
} # => verify_ssl_lib() } # => verify_ssl_lib()
# Basic sanity-check of PKI init and complain if missing # Basic sanity-check of PKI init and complain if missing
@ -1049,7 +1039,7 @@ and initialize a fresh PKI here."
ecparams certs_by_serial ecparams certs_by_serial
do do
# # # shellcheck disable=SC2115 # Use "${var:?}" # # # shellcheck disable=SC2115 # Use "${var:?}"
rm -rf "$EASYRSA_PKI/${i}" || \ rm -rf "$EASYRSA_PKI/$i" || \
die "init-pki soft reset failed." die "init-pki soft reset failed."
done done
;; ;;
@ -1213,6 +1203,9 @@ install_data_to_pki() {
"${EASYRSA_PKI}/${vars_file}" && \ "${EASYRSA_PKI}/${vars_file}" && \
new_vars_true=1 new_vars_true=1
fi fi
# Use set_var to set vars, do not clobber $vars
set_var vars "${EASYRSA_PKI}/${vars_file}"
;; ;;
vars-setup) vars-setup)
: ;; # No change to current 'vars' required : ;; # No change to current 'vars' required
@ -1541,37 +1534,41 @@ gen_dh() {
DH parameters file already exists DH parameters file already exists
at: $out_file" at: $out_file"
else else
# warn the user, give them a chance to force overwrite # warn the user, allow to force overwrite
confirm "Overwrite? " "yes" "\ confirm "Overwrite? " "yes" "\
DH parameters file already exists DH parameters file already exists
at: $out_file" at: $out_file"
fi fi
fi fi
# Create a temp file, otherwise user abort leaves an incomplete dh.pem # Create a temp file
tmp_dh_file="$(easyrsa_mktemp)" || die "Failed to create temp DH file" # otherwise user abort leaves an incomplete dh.pem
tmp_dh_file="$(easyrsa_mktemp)" || \
die "Failed to create temp DH file"
# Generate dh.pem # Generate dh.pem
"$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" "$EASYRSA_KEY_SIZE" || \ "$EASYRSA_OPENSSL" dhparam -out "$tmp_dh_file" \
die "Failed to generate DH params" "$EASYRSA_KEY_SIZE" || \
die "Failed to generate DH params"
# Validate dh.pem # Validate dh.pem
"$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" -check -noout || \ "$EASYRSA_OPENSSL" dhparam -in "$tmp_dh_file" \
die "Failed to validate DH params" -check -noout || \
die "Failed to validate DH params"
mv -f "$tmp_dh_file" "$out_file" || die "Failed to move temp DH file" mv -f "$tmp_dh_file" "$out_file" || \
die "Failed to move temp DH file"
notice "\ notice "
DH parameters of size $EASYRSA_KEY_SIZE created at:
DH parameters of size $EASYRSA_KEY_SIZE created * $out_file"
at: $out_file"
return 0 return 0
} # => gen_dh() } # => gen_dh()
# gen-req and key backend: # gen-req and key backend:
gen_req() { gen_req() {
# pull filename base and use as default interactive CommonName: # pull filename, use as default interactive CommonName
[ "$1" ] || die "\ [ "$1" ] || die "\
Error: gen-req must have a file base as the first argument. Error: gen-req must have a file base as the first argument.
Run easyrsa without commands for usage and commands." Run easyrsa without commands for usage and commands."
@ -1582,9 +1579,13 @@ Run easyrsa without commands for usage and commands."
# Set ssl batch mode and Default commonName, as required # Set ssl batch mode and Default commonName, as required
if [ "$EASYRSA_BATCH" ]; then if [ "$EASYRSA_BATCH" ]; then
ssl_batch=1 ssl_batch=1
[ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1" # If EASYRSA_REQ_CN is set to something other than
# ChangeMe then keep user defined value
[ "$EASYRSA_REQ_CN" = ChangeMe ] && \
export EASYRSA_REQ_CN="$1"
else else
# --req-cn must be used with --batch, otherwise use default # --req-cn must be used with --batch
# otherwise use file-name
export EASYRSA_REQ_CN="$1" export EASYRSA_REQ_CN="$1"
fi fi
@ -1604,7 +1605,7 @@ Run easyrsa without commands for usage and commands."
nopass) nopass)
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;; ;;
# batch flag supports internal callers needing silent operation # batch flag supports internal caller build_full()
batch) ssl_batch=1 ;; batch) ssl_batch=1 ;;
*) warn "Ignoring unknown command option: '$1'" *) warn "Ignoring unknown command option: '$1'"
esac esac
@ -1619,14 +1620,18 @@ WARNING!!!
An existing private key was found at $key_out An existing private key was found at $key_out
Continuing with key generation will replace this key." Continuing with key generation will replace this key."
# When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section: # When EASYRSA_EXTRA_EXTS is defined,
# append it to openssl's [req] section:
if [ "$EASYRSA_EXTRA_EXTS" ]; then if [ "$EASYRSA_EXTRA_EXTS" ]; then
# Check for insert-marker in ssl config file # Check for insert-marker in ssl config file
if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"; then if ! grep -q '^#%EXTRA_EXTS%' "$EASYRSA_SSL_CONF"
then
die "\ die "\
The copy of openssl-easyrsa.cnf in use does not support request extensions. The copy of openssl-easyrsa.cnf in use \
does not support request extensions.
* $EASYRSA_SSL_CONF * $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release." Please update openssl-easyrsa.cnf \
to the latest official release."
fi fi
# Setup & insert the extra ext data keyed by a magic line # Setup & insert the extra ext data keyed by a magic line
@ -1634,24 +1639,28 @@ Please update openssl-easyrsa.cnf to the latest official release."
req_extensions = req_extra req_extensions = req_extra
[ req_extra ] [ req_extra ]
$EASYRSA_EXTRA_EXTS" $EASYRSA_EXTRA_EXTS"
# shellcheck disable=SC2016 # vars don't expand in single quote # vars don't expand in single quote
# shellcheck disable=SC2016
awkscript=' awkscript='
{if ( match($0, "^#%EXTRA_EXTS%") ) {if ( match($0, "^#%EXTRA_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
{print} {print}
}' }'
conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" conf_tmp="$(easyrsa_mktemp)" || die "\
gen_req - easyrsa_mktemp - conf_tmp"
print "$extra_exts" | \ print "$extra_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \ > "$conf_tmp" \
|| die "Copying SSL config to temp file failed" || die "Writing SSL config to temp file failed"
# Use this new SSL config for the rest of this function # Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$conf_tmp"
fi fi
# Name temp files # Name temp files
key_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" key_out_tmp="$(easyrsa_mktemp)" || die "\
req_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" gen_req - easyrsa_mktemp - key_out_tmp"
req_out_tmp="$(easyrsa_mktemp)" || die "\
gen_req - easyrsa_mktemp - req_out_tmp"
# Set Edwards curve name or elliptic curve parameters file # Set Edwards curve name or elliptic curve parameters file
algo_opts="" algo_opts=""
@ -1677,8 +1686,8 @@ $EASYRSA_EXTRA_EXTS"
# Success messages # Success messages
notice "\ notice "\
Keypair and certificate request completed. Your files are: Keypair and certificate request completed. Your files are:
req: $req_out * req: $req_out
key: $key_out" * key: $key_out${build_full+ $NL}"
return 0 return 0
} # => gen_req() } # => gen_req()
@ -1700,13 +1709,16 @@ sign_req() {
easyrsa_random 16 easyrsa_random 16
)" || die "sign_req - easyrsa_random" )" || die "sign_req - easyrsa_random"
# Print random $serial to pki/serial file for use by SSL config # Print random $serial to pki/serial file
print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial" # for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || \
die "sign_req - serial"
# Check for duplicate serial in CA db # Check for duplicate serial in CA db
# Always errors out - Do not capture error
check_serial="$( check_serial="$(
easyrsa_openssl ca -status "$serial" 2>&1 easyrsa_openssl ca -status "$serial" 2>&1
)" # Always errors out - Do not capture error )" || :
case "$check_serial" in case "$check_serial" in
*"not present in db"*) *"not present in db"*)
@ -1746,13 +1758,14 @@ Expected to find the request at: $req_in"
# Certificate file must NOT exist # Certificate file must NOT exist
[ ! -e "$crt_out" ] || die "\ [ ! -e "$crt_out" ] || die "\
Cannot sign this request for '$2', a certificate already exists Cannot sign this request for '$2'.
at: $crt_out" Conflicting certificate already exists at:
* $crt_out"
# Confirm input is a cert req # Confirm input is a cert req
verify_file req "$req_in" || die "\ verify_file req "$req_in" || die "\
The certificate request file is not in a valid X509 request format. The certificate request file is not in a valid X509 format:
File Path: $req_in" * $req_in"
# Get fixed dates by --fix-offset # Get fixed dates by --fix-offset
if [ "$EASYRSA_FIX_OFFSET" ]; then if [ "$EASYRSA_FIX_OFFSET" ]; then
@ -1760,49 +1773,59 @@ File Path: $req_in"
start_fixdate end_fixdate start_fixdate end_fixdate
fi fi
# When EASYRSA_CP_EXT is defined, adjust openssl's [default_ca] section: # When EASYRSA_CP_EXT is defined,
# adjust openssl's [default_ca] section:
if [ "$EASYRSA_CP_EXT" ]; then if [ "$EASYRSA_CP_EXT" ]; then
# Check for insert-marker in ssl config file # Check for insert-marker in ssl config file
if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"; then if ! grep -q '^#%COPY_EXTS%' "$EASYRSA_SSL_CONF"
then
die "\ die "\
The copy of openssl-easyrsa.cnf in use does not support --copy-ext. The copy of openssl-easyrsa.cnf in use \
does not support --copy-ext.
* $EASYRSA_SSL_CONF * $EASYRSA_SSL_CONF
Please update openssl-easyrsa.cnf to the latest official release." Please update openssl-easyrsa.cnf \
to the latest official release."
fi fi
# Setup & insert the copy_extensions data keyed by a magic line # Setup & insert the copy_extensions data
# keyed by a magic line
copy_exts="copy_extensions = copy" copy_exts="copy_extensions = copy"
# shellcheck disable=SC2016 # vars don't expand in single quote # shellcheck disable=SC2016 # vars don't expand ''
awkscript=' awkscript='
{if ( match($0, "^#%COPY_EXTS%") ) {if ( match($0, "^#%COPY_EXTS%") )
{ while ( getline<"/dev/stdin" ) {print} next } { while ( getline<"/dev/stdin" ) {print} next }
{print} {print}
}' }'
conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" conf_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - conf_tmp"
print "$copy_exts" | \ print "$copy_exts" | \
awk "$awkscript" "$EASYRSA_SSL_CONF" \ awk "$awkscript" "$EASYRSA_SSL_CONF" \
> "$conf_tmp" \ > "$conf_tmp" \
|| die "Copying SSL config to temp file failed" || die "Writing SSL config to temp file failed"
# Use this new SSL config for the rest of this function # Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$conf_tmp" EASYRSA_SSL_CONF="$conf_tmp"
fi fi
# Generate the extensions file for this cert: # Generate the extensions file for this cert:
ext_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" ext_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - ext_tmp"
{ {
# Append first any COMMON file (if present) then the cert-type extensions # Append COMMON and cert-type extensions
cat "$EASYRSA_EXT_DIR/COMMON" || \ cat "$EASYRSA_EXT_DIR/COMMON" || \
die "Failed to read X509-type COMMON" die "Failed to read X509-type COMMON"
cat "$EASYRSA_EXT_DIR/$crt_type" || \ cat "$EASYRSA_EXT_DIR/$crt_type" || \
die "Failed to read X509-type $crt_type" die "Failed to read X509-type $crt_type"
# Support a dynamic CA path length when present: # Support a dynamic CA path length when present:
if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]
# Print the last occurence of basicContraints in x509-types/ca then
# If basicContraints not defined then bail # Print the last occurence of basicContraints in
# shellcheck disable=SC2016 # vars don't expand in '' # x509-types/ca
awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 } # If basicContraints is not defined then bail
END { if (length(bC) == 0 ) exit 1; print bC }' # shellcheck disable=SC2016 # vars don't expand ''
awkscript='\
/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
END { if (length(bC) == 0 ) exit 1; print bC }'
basicConstraints="$( basicConstraints="$(
awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type" awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type"
)" || die "\ )" || die "\
@ -1811,17 +1834,24 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v basicConstraints unset -v basicConstraints
fi fi
# Deprecated Netscape extension support, if enabled # Deprecated Netscape extension support
case "$EASYRSA_NS_SUPPORT" in case "$EASYRSA_NS_SUPPORT" in
[yY][eE][sS]) [yY][eE][sS])
# Netscape extension # Netscape extension
case "$crt_type" in case "$crt_type" in
serverClient) print "nsCertType = serverClient" ;; serverClient)
server) print "nsCertType = server" ;; print "nsCertType = serverClient" ;;
client) print "nsCertType = client" ;; server)
ca) print "nsCertType = sslCA" ;; print "nsCertType = server" ;;
*) die "Unknown certificate type: $crt_type" client)
print "nsCertType = client" ;;
ca)
print "nsCertType = sslCA" ;;
*)
die "Unknown certificate type: $crt_type"
esac esac
# Netscape comment # Netscape comment
[ "$EASYRSA_NS_COMMENT" ] && \ [ "$EASYRSA_NS_COMMENT" ] && \
print "nsComment = \"$EASYRSA_NS_COMMENT\"" print "nsComment = \"$EASYRSA_NS_COMMENT\""
@ -1835,9 +1865,10 @@ basicConstraints is not defined, cannot use 'pathlen'"
print "$EASYRSA_EXTRA_EXTS" print "$EASYRSA_EXTRA_EXTS"
else else
# or default server SAN # or default server SAN
# If type is server and no subjectAltName was requested, # If type is server and no subjectAltName was
# add one to the extensions file # requested then add one to the extensions file
if [ "$crt_type" = 'server' ] || [ "$crt_type" = 'serverClient' ]; if [ "$crt_type" = 'server' ] || \
[ "$crt_type" = 'serverClient' ];
then then
# req san or default server SAN # req san or default server SAN
san="$(display_san req "$req_in")" san="$(display_san req "$req_in")"
@ -1847,33 +1878,41 @@ basicConstraints is not defined, cannot use 'pathlen'"
default_server_san "$req_in" default_server_san "$req_in"
fi fi
fi fi
# or externally set EASYRSA_EXTRA_EXTS
# Add any advanced extensions supplied by env-var: # Add user set EASYRSA_EXTRA_EXTS
[ -z "$EASYRSA_EXTRA_EXTS" ] || print "$EASYRSA_EXTRA_EXTS" [ -z "$EASYRSA_EXTRA_EXTS" ] || \
print "$EASYRSA_EXTRA_EXTS"
fi fi
} > "$ext_tmp" || die "\ } > "$ext_tmp" || die "\
Failed to create temp extension file (bad permissions?) at: Failed to create temp extension file (bad permissions?) at:
$ext_tmp" * $ext_tmp"
# Display the request subject in an easy-to-read format # Display the request subject in an easy-to-read format
# Confirm the user wishes to sign this request # Confirm the user wishes to sign this request
# Support batch by internal caller: # Support batch by internal caller:
#[ "$3" = "batch" ] ||
confirm "Confirm request details: " "yes" "\ confirm "Confirm request details: " "yes" "\
You are about to sign the following certificate. You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request Please check over the details shown below for accuracy. \
has not been cryptographically verified. Please be sure it came from a trusted Note that this request
source or that you have verified the request checksum with the sender. has not been cryptographically verified. Please be sure \
it came from a trusted
source or that you have verified the request checksum \
with the sender.
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days: Request subject, to be signed as a $crt_type certificate \
for $EASYRSA_CERT_EXPIRE days:
$(display_dn req "$req_in") $(display_dn req "$req_in")
" # => confirm end " # => confirm end
# Assign temp cert file
crt_out_tmp="$(easyrsa_mktemp)" || \
die "sign_req - easyrsa_mktemp - crt_out_tmp"
# sign request # sign request
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" easyrsa_openssl ca -utf8 -in "$req_in" \
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \ -out "$crt_out_tmp" -extfile "$ext_tmp" \
-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \ -days "$EASYRSA_CERT_EXPIRE" -batch \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
${EASYRSA_NO_TEXT:+-notext} \ ${EASYRSA_NO_TEXT:+-notext} \
${EASYRSA_FIX_OFFSET+ -startdate "$start_fixdate"} \ ${EASYRSA_FIX_OFFSET+ -startdate "$start_fixdate"} \
@ -1881,11 +1920,10 @@ $(display_dn req "$req_in")
|| die "\ || die "\
Signing failed (openssl output above may have more detail)" Signing failed (openssl output above may have more detail)"
mv "$crt_out_tmp" "$crt_out" mv "$crt_out_tmp" "$crt_out" || \
#rm -f "$ext_tmp" die "Failed to move temp-file to certificate."
# Success messages # Success messages
#unset -v EASYRSA_BATCH # This is why batch mode should not silence output
notice "\ notice "\
Certificate created at: Certificate created at:
* $crt_out" * $crt_out"
@ -1917,7 +1955,6 @@ Run easyrsa without commands for usage and commands."
nopass) nopass)
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;; ;;
inline) EASYRSA_INLINE=1 ;;
*) warn "Ignoring unknown command option: '$1'" *) warn "Ignoring unknown command option: '$1'"
esac esac
shift shift
@ -1954,6 +1991,7 @@ Option conflict:
EASYRSA_REQ_CN="$name" EASYRSA_REQ_CN="$name"
# create request # create request
build_full=1
gen_req "$name" batch gen_req "$name" batch
# Sign it # Sign it
@ -4650,6 +4688,11 @@ Sourcing the vars file and building certificates will probably fail ..'
# Verify selected algorithm and parameters # Verify selected algorithm and parameters
verify_algo_params verify_algo_params
# Last setup msg
information "\
Using SSL: $EASYRSA_OPENSSL $ssl_version
"
else else
# If the directory does not exist then we have not run init-pki # If the directory does not exist then we have not run init-pki
# The temp-dir is ALWAYS verified by secure_session() # The temp-dir is ALWAYS verified by secure_session()
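Review bot: The verify_ssl_lib hunk removes the `[ -f "$EASYRSA_SSL_CONF" ] || die "The OpenSSL config file cannot be found..."` guard together with the old `information` line, and no other hunk in this diff re-adds it; the new setup message at the end of the file only prints `$ssl_version`. Unless the check was relocated in code outside this diff, a missing or mis-pointed openssl-easyrsa.cnf is now first hit by the `! grep -q '^#%EXTRA_EXTS%'` and `! grep -q '^#%COPY_EXTS%'` probes in gen_req and sign_req, which die with the misleading "does not support request extensions / --copy-ext" message, or by openssl itself when neither --extra-exts nor --copy-ext is in use. Restore the guard before the config is first used, for example directly after the new `information "Using SSL: ..."` block: `[ -f "$EASYRSA_SSL_CONF" ] || die "The OpenSSL config file cannot be found. Expected location: $EASYRSA_SSL_CONF"`. Separately, `EASYRSA_SSL_OK=1` now moves to the top of verify_ssl_lib, so the once-only flag is set before the library check has succeeded; that is harmless as long as every failure path calls die, which the visible branches do, but a one-line comment such as `# Set before the checks: every failure below exits via die` would make the intent clear. The opening of verify_ssl_lib lies in the preceding hunk, so the two changes are split across hunks.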