Introduce global option '--nopass|--no-pass'
Squashed commit of the following:
commit 3bff869d3058b2d8d2e21b572dfed6bac773ffe8
Merge: dbb8517 1652f20
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 3 19:55:34 2022 +0000
Merge branch 'new-global-opt-nopass' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-new-global-opt-nopass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 1652f20e88ae72e731d8e6001d561d10aebdb780
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:46:54 2022 +0000
Introduce global option '--nopass|--no-pass' (#752)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 7817324cbb31baf922724e46d5a50947b0b649d6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:29:41 2022 +0000
Introduce global option '--nopass|--no-pass'
This change forces all commands where passwords are not desired,
to internally rely on the specific EasyRSA variable 'EASYRSA_NO_PASS'.
Current use of 'nopass' as a command option, is unchanged.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme
parent
dbb851736a
commit
c905f0929a
@ -1,6 +1,7 @@
|
|||||||
Easy-RSA 3 ChangeLog
|
Easy-RSA 3 ChangeLog
|
||||||
|
|
||||||
3.1.2 (TBD)
|
3.1.2 (TBD)
|
||||||
|
* Introduce global option '--nopass|--no-pass' (#752)
|
||||||
* Introduce global option '--notext|--no-text' (#745)
|
* Introduce global option '--notext|--no-text' (#745)
|
||||||
* Command 'help': For unknown command, exit with error (#737)
|
* Command 'help': For unknown command, exit with error (#737)
|
||||||
* Find data-files in the correct order (#727 - Reported #725)
|
* Find data-files in the correct order (#727 - Reported #725)
|
||||||
|
|||||||
@ -459,6 +459,7 @@ General options:
|
|||||||
--sbatch : Combined --silent and --batch operating mode
|
--sbatch : Combined --silent and --batch operating mode
|
||||||
-q|--quiet : Quiet mode, disable information messages only
|
-q|--quiet : Quiet mode, disable information messages only
|
||||||
|
|
||||||
|
--nopass : Do not use passwords, over-rides --passin and --passout
|
||||||
--passin=ARG : set -passin ARG for openssl (eg: pass:xEasyRSAy)
|
--passin=ARG : set -passin ARG for openssl (eg: pass:xEasyRSAy)
|
||||||
--passout=ARG : set -passout ARG for openssl (eg: pass:xEasyRSAy)
|
--passout=ARG : set -passout ARG for openssl (eg: pass:xEasyRSAy)
|
||||||
--ssl-conf=FILE : define a specific OpenSSL config file for Easy-RSA to use
|
--ssl-conf=FILE : define a specific OpenSSL config file for Easy-RSA to use
|
||||||
@ -1240,11 +1241,11 @@ hide_read_pass()
|
|||||||
# build-ca backend:
|
# build-ca backend:
|
||||||
build_ca() {
|
build_ca() {
|
||||||
cipher="-aes256"
|
cipher="-aes256"
|
||||||
unset -v nopass sub_ca ssl_batch date_stamp x509
|
unset -v sub_ca ssl_batch date_stamp x509
|
||||||
while [ "$1" ]; do
|
while [ "$1" ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
intca|subca) sub_ca=1 ;;
|
intca|subca) sub_ca=1 ;;
|
||||||
nopass) nopass=1 ;;
|
nopass) EASYRSA_NO_PASS=1 ;;
|
||||||
*) warn "Ignoring unknown command option: '$1'"
|
*) warn "Ignoring unknown command option: '$1'"
|
||||||
esac
|
esac
|
||||||
shift
|
shift
|
||||||
@ -1266,7 +1267,7 @@ build_ca() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# If encrypted then create the CA key using AES256 cipher
|
# If encrypted then create the CA key using AES256 cipher
|
||||||
if [ "$nopass" ]; then
|
if [ "$EASYRSA_NO_PASS" ]; then
|
||||||
unset -v cipher
|
unset -v cipher
|
||||||
else
|
else
|
||||||
unset -v no_password
|
unset -v no_password
|
||||||
@ -1334,9 +1335,11 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temp-cert file"
|
out_file_tmp="$(easyrsa_mktemp)" || die "Failed to create temp-cert file"
|
||||||
|
|
||||||
# Get password from user if necessary
|
# Get password from user if necessary
|
||||||
if [ -z "$nopass" ] &&
|
if [ "$EASYRSA_NO_PASS" ]; then
|
||||||
{ [ -z "$EASYRSA_PASSOUT" ] || [ -z "$EASYRSA_PASSIN" ]; }
|
: # No password required
|
||||||
then
|
elif [ "$EASYRSA_PASSOUT" ] && [ "$EASYRSA_PASSIN" ]; then
|
||||||
|
: # Password defined
|
||||||
|
else
|
||||||
out_key_pass_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
out_key_pass_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
||||||
echo
|
echo
|
||||||
printf "Enter New CA Key Passphrase: "
|
printf "Enter New CA Key Passphrase: "
|
||||||
@ -1417,7 +1420,7 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
${x509+ -x509} \
|
${x509+ -x509} \
|
||||||
${date_stamp+ -days "$EASYRSA_CA_EXPIRE"} \
|
${date_stamp+ -days "$EASYRSA_CA_EXPIRE"} \
|
||||||
${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \
|
${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \
|
||||||
${no_password+ "$no_password"} \
|
${EASYRSA_NO_PASS+ "$no_password"} \
|
||||||
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
|
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
|
||||||
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
|
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
|
||||||
${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \
|
${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \
|
||||||
@ -1497,7 +1500,7 @@ Error: gen-req must have a file base as the first argument.
|
|||||||
Run easyrsa without commands for usage and commands."
|
Run easyrsa without commands for usage and commands."
|
||||||
|
|
||||||
# Initialisation
|
# Initialisation
|
||||||
unset -v text nopass ssl_batch
|
unset -v text ssl_batch
|
||||||
|
|
||||||
# Set ssl batch mode and Default commonName, as required
|
# Set ssl batch mode and Default commonName, as required
|
||||||
if [ "$EASYRSA_BATCH" ]; then
|
if [ "$EASYRSA_BATCH" ]; then
|
||||||
@ -1521,7 +1524,7 @@ Run easyrsa without commands for usage and commands."
|
|||||||
while [ "$1" ]; do
|
while [ "$1" ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
text) text=1 ;;
|
text) text=1 ;;
|
||||||
nopass) nopass=1 ;;
|
nopass) EASYRSA_NO_PASS=1 ;;
|
||||||
# batch flag supports internal callers needing silent operation
|
# batch flag supports internal callers needing silent operation
|
||||||
batch) ssl_batch=1 ;;
|
batch) ssl_batch=1 ;;
|
||||||
*) warn "Ignoring unknown command option: '$1'"
|
*) warn "Ignoring unknown command option: '$1'"
|
||||||
@ -1582,7 +1585,7 @@ $EASYRSA_EXTRA_EXTS"
|
|||||||
# Generate request
|
# Generate request
|
||||||
easyrsa_openssl req -utf8 -new -newkey "$algo_opts" \
|
easyrsa_openssl req -utf8 -new -newkey "$algo_opts" \
|
||||||
-keyout "$key_out_tmp" -out "$req_out_tmp" \
|
-keyout "$key_out_tmp" -out "$req_out_tmp" \
|
||||||
${nopass+ "$no_password"} \
|
${EASYRSA_NO_PASS+ "$no_password"} \
|
||||||
${text+ -text} \
|
${text+ -text} \
|
||||||
${ssl_batch+ -batch} \
|
${ssl_batch+ -batch} \
|
||||||
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
|
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
|
||||||
@ -1828,7 +1831,7 @@ Run easyrsa without commands for usage and commands."
|
|||||||
# function opts support
|
# function opts support
|
||||||
while [ "$1" ]; do
|
while [ "$1" ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
nopass) nopass=1 ;;
|
nopass) EASYRSA_NO_PASS=1 ;;
|
||||||
inline) EASYRSA_INLINE=1 ;;
|
inline) EASYRSA_INLINE=1 ;;
|
||||||
*) warn "Ignoring unknown command option: '$1'"
|
*) warn "Ignoring unknown command option: '$1'"
|
||||||
esac
|
esac
|
||||||
@ -1850,7 +1853,7 @@ Option conflict: '$cmd' does not support setting an external commonName"
|
|||||||
EASYRSA_REQ_CN="$name"
|
EASYRSA_REQ_CN="$name"
|
||||||
|
|
||||||
# create request
|
# create request
|
||||||
gen_req "$name" batch ${nopass+ nopass}
|
gen_req "$name" batch
|
||||||
|
|
||||||
# Sign it
|
# Sign it
|
||||||
on_error_build_full_cleanup=1
|
on_error_build_full_cleanup=1
|
||||||
@ -2104,7 +2107,6 @@ Run easyrsa without commands for usage and command help."
|
|||||||
up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
|
up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
|
||||||
|
|
||||||
# Set 'nopass'
|
# Set 'nopass'
|
||||||
unset -v opt_nopass
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
nopass)
|
nopass)
|
||||||
warn "\
|
warn "\
|
||||||
@ -2590,9 +2592,8 @@ Run easyrsa without commands for usage and command help."
|
|||||||
up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
|
up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
|
||||||
|
|
||||||
# Set 'nopass'
|
# Set 'nopass'
|
||||||
unset -v opt_nopass
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
nopass) opt_nopass="$1"; shift ;;
|
nopass) EASYRSA_NO_PASS=1; shift ;;
|
||||||
'') : ;; # Empty ok
|
'') : ;; # Empty ok
|
||||||
*) die "Unknown option: $1"
|
*) die "Unknown option: $1"
|
||||||
esac
|
esac
|
||||||
@ -2692,7 +2693,7 @@ These files will be DELETED:
|
|||||||
* The inline credentials file : $creds_in
|
* The inline credentials file : $creds_in
|
||||||
* The duplicate certificate : $duplicate_crt_by_serial
|
* The duplicate certificate : $duplicate_crt_by_serial
|
||||||
|
|
||||||
IMPORTANT: The new key will${opt_nopass+ NOT} be password protected."
|
IMPORTANT: The new key will${EASYRSA_NO_PASS+ NOT} be password protected."
|
||||||
|
|
||||||
confirm " Continue with rebuild: " "yes" "\
|
confirm " Continue with rebuild: " "yes" "\
|
||||||
Please confirm you wish to renew the certificate
|
Please confirm you wish to renew the certificate
|
||||||
@ -2707,7 +2708,7 @@ with the following subject:
|
|||||||
on_error_undo_rebuild_move=1
|
on_error_undo_rebuild_move=1
|
||||||
|
|
||||||
# rebuild certificate
|
# rebuild certificate
|
||||||
if EASYRSA_BATCH=1 build_full "$cert_type" "$file_name_base" "$opt_nopass"; then
|
if EASYRSA_BATCH=1 build_full "$cert_type" "$file_name_base"; then
|
||||||
unset on_error_undo_rebuild_move
|
unset on_error_undo_rebuild_move
|
||||||
else
|
else
|
||||||
# If rebuild failed then restore cert, key and req. Otherwise,
|
# If rebuild failed then restore cert, key and req. Otherwise,
|
||||||
@ -2913,13 +2914,12 @@ Run easyrsa without commands for usage and command help."
|
|||||||
cipher=-aes256
|
cipher=-aes256
|
||||||
want_ca=1
|
want_ca=1
|
||||||
want_key=1
|
want_key=1
|
||||||
want_pass=1
|
|
||||||
unset -v pkcs_friendly_name
|
unset -v pkcs_friendly_name
|
||||||
while [ "$1" ]; do
|
while [ "$1" ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
noca) want_ca="" ;;
|
noca) want_ca="" ;;
|
||||||
nokey) want_key="" ;;
|
nokey) want_key="" ;;
|
||||||
nopass) want_pass="" ;;
|
nopass) EASYRSA_NO_PASS=1 ;;
|
||||||
usefn) pkcs_friendly_name="$short_name" ;;
|
usefn) pkcs_friendly_name="$short_name" ;;
|
||||||
*) warn "Ignoring unknown command option: '$1'"
|
*) warn "Ignoring unknown command option: '$1'"
|
||||||
esac
|
esac
|
||||||
@ -2940,7 +2940,7 @@ Unable to export $pkcs_type for short name '$short_name' without the certificate
|
|||||||
Missing cert expected at: $crt_in"
|
Missing cert expected at: $crt_in"
|
||||||
|
|
||||||
# For 'nopass' PKCS requires an explicit empty password 'pass:'
|
# For 'nopass' PKCS requires an explicit empty password 'pass:'
|
||||||
if [ -z "$want_pass" ]; then
|
if [ "$EASYRSA_NO_PASS" ]; then
|
||||||
EASYRSA_PASSIN=pass:
|
EASYRSA_PASSIN=pass:
|
||||||
EASYRSA_PASSOUT=pass:
|
EASYRSA_PASSOUT=pass:
|
||||||
unset -v cipher # pkcs#1 only
|
unset -v cipher # pkcs#1 only
|
||||||
@ -3033,7 +3033,7 @@ See help output for usage details."
|
|||||||
unset nopass
|
unset nopass
|
||||||
while [ "$1" ]; do
|
while [ "$1" ]; do
|
||||||
case "$1" in
|
case "$1" in
|
||||||
nopass) nopass=1 ;;
|
nopass) EASYRSA_NO_PASS=1 ;;
|
||||||
file) file="$raw_file" ;;
|
file) file="$raw_file" ;;
|
||||||
*) warn "Ignoring unknown command option: '$1'"
|
*) warn "Ignoring unknown command option: '$1'"
|
||||||
esac
|
esac
|
||||||
@ -3041,7 +3041,7 @@ See help output for usage details."
|
|||||||
done
|
done
|
||||||
|
|
||||||
# If nopass then do not encrypt else encrypt with password.
|
# If nopass then do not encrypt else encrypt with password.
|
||||||
if [ "$nopass" ]; then
|
if [ "$EASYRSA_NO_PASS" ]; then
|
||||||
unset -v cipher
|
unset -v cipher
|
||||||
else
|
else
|
||||||
unset -v no_password
|
unset -v no_password
|
||||||
@ -3059,7 +3059,7 @@ ${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
|
|||||||
out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
||||||
easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" \
|
easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" \
|
||||||
${cipher:+ "$cipher"} \
|
${cipher:+ "$cipher"} \
|
||||||
${no_password:+ "$no_password"} \
|
${EASYRSA_NO_PASS:+ "$no_password"} \
|
||||||
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
|
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
|
||||||
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
|
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
|
||||||
Failed to change the private key passphrase. See above for possible openssl
|
Failed to change the private key passphrase. See above for possible openssl
|
||||||
@ -5005,6 +5005,10 @@ while :; do
|
|||||||
empty_ok=1
|
empty_ok=1
|
||||||
export EASYRSA_VERBOSE=1
|
export EASYRSA_VERBOSE=1
|
||||||
;;
|
;;
|
||||||
|
--nopass|--no-pass)
|
||||||
|
empty_ok=1
|
||||||
|
export EASYRSA_NO_PASS=1
|
||||||
|
;;
|
||||||
--passin)
|
--passin)
|
||||||
export EASYRSA_PASSIN="$val"
|
export EASYRSA_PASSIN="$val"
|
||||||
;;
|
;;
|
||||||
@ -5076,6 +5080,14 @@ esac
|
|||||||
# Get host details - does not require vars_setup
|
# Get host details - does not require vars_setup
|
||||||
detect_host
|
detect_host
|
||||||
|
|
||||||
|
# Mutual exclusions
|
||||||
|
# --nopass cannot be used with --passin and --passout
|
||||||
|
if [ "$EASYRSA_NO_PASS" ] && \
|
||||||
|
{ [ "$EASYRSA_PASSIN" ] || [ "$EASYRSA_PASSOUT" ]; }
|
||||||
|
then
|
||||||
|
die "* Cannot use --nopass with --passin or --passout"
|
||||||
|
fi
|
||||||
|
|
||||||
# Intelligent env-var detection and auto-loading:
|
# Intelligent env-var detection and auto-loading:
|
||||||
vars_setup
|
vars_setup
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user