From d0019deb25ca045d13bbf2140a6c299cadc6900d Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Thu, 10 Nov 2022 23:31:15 +0000
Subject: [PATCH] Current 'set-X-pass' commands do not support Edwards Curve cryptography. Replace all 'set-X-pass' commands with single 'set-pass' command. The new EasyRSA 'set-pass' command uses OpenSSL command 'pkey' to manipulate private keys. OpenSSL 'pkey' command supports all EasyRSA cryptography. Retain compatibility with old commands.
Signed-off-by: Richard T Bonhomme
---
ChangeLog | 1 +
easyrsa3/easyrsa | 83 ++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 75 insertions(+), 9 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f02e376..5c422ad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 Easy-RSA 3 ChangeLog
 
 3.1.2 (TBD)
+ * Introduce command 'set-pass' (#756)
  * Introduce global option '--nopass|--no-pass' (#752)
  * Introduce global option '--notext|--no-text' (#745)
  * Command 'help': For unknown command, exit with error (#737)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 32e7c87..d49f3d2 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -337,16 +337,18 @@ cmd_help() {
 opts="
 * nopass - do not encrypt the private key (default is encrypted)"
 ;;
- set-rsa-pass|set-ec-pass)
+ set-pass|set-ed-pass|set-rsa-pass|set-ec-pass)
 text="
-* set-rsa-pass [ cmd-opts ]
-* set-ec-pass [ cmd-opts ]
+* set-pass [ cmd-opts ]
+* set-rsa-pass [ cmd-opts ] (Deprecated)
+* set-ec-pass [ cmd-opts ] (Deprecated)
+* set-ed-pass [ cmd-opts ] (Deprecated)
- Set a new passphrase on an RSA or EC key
- for the key specified by ."
+ Set a new passphrase for the private key specified by "
 opts="
 * nopass - use no password and leave the key unencrypted
+ (Equivalent to global option '--nopass|--no-pass')
 * file - (advanced) treat the file as a raw path, not a short-name"
 ;;
 upgrade)
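Review bot: `set-ed-pass` is listed as "(Deprecated)" in the new help text, yet the commit message presents Edwards-curve passphrase support as new and nothing in this patch shows an earlier `set-ed-pass` command, so it appears to be introduced and deprecated in the same change. If it is meant only as a name-symmetric alias of `set-pass`, the help should say so, e.g. `* set-ed-pass [ cmd-opts ] (Alias of set-pass, deprecated)`, or the entry should be dropped. The `nopass` entry now claims equivalence with the global `--nopass|--no-pass`; that holds for the new `set_pass` (it sets EASYRSA_NO_PASS), but the deprecated rsa/ec forms are still routed to `set_pass_legacy` elsewhere in this patch and the help does not say whether they honour the global option as well. The enclosing `cmd_help` case statement starts and ends outside this hunk.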
@@ -3010,7 +3012,7 @@ location: $pkcs_out"
 } # => export_pkcs()
 
 # set-pass backend
-set_pass() {
+set_pass_legacy() {
 # Verify PKI has been initialised
 verify_pki_init
 
@@ -3053,7 +3055,7 @@ $file"
 notice "\
 If the key is currently encrypted you must supply the decryption passphrase.
-${crypto:+You will then enter a new PEM passphrase for this key.$NL}"
+${cipher:+You will then enter a new PEM passphrase for this key.$NL}"
 
 # Set password
 out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
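Review bot: The prompt in `set_pass_legacy` now keys off `$cipher` instead of `$crypto`, but the code that assigns either variable lies outside the second hunk; if the legacy body still sets `crypto` (the commit otherwise only renames the function), the "You will then enter a new PEM passphrase" line silently stops appearing, and if the body already used `cipher` this is a message fix that the commit message does not mention. A one-line comment above the `notice` stating the dependency, e.g. `# empty $cipher means no new passphrase will be requested`, would make the intent checkable by the next reader. `set_pass_legacy` starts and ends outside this hunk.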
@@ -3073,6 +3075,65 @@ Failed to change the private key passphrase. See above for error messages."
 return 0
 } # => set_pass()
 
+# set-pass backend
+set_pass() {
+ # Verify PKI has been initialised
+ verify_pki_init
+
+ # values supplied by the user:
+ raw_file="$1"
+ file="$EASYRSA_PKI/private/$raw_file.key"
+
+ if [ "$raw_file" ]; then
+ shift
+ else
+ die "\
+Missing argument: no name/file supplied."
+ fi
+
+ # parse command options
+ cipher="-aes256"
+ while [ "$1" ]; do
+ case "$1" in
+ nopass) EASYRSA_NO_PASS=1 ;;
+ file) file="$raw_file" ;;
+ *) warn "Ignoring unknown command option: '$1'"
+ esac
+ shift
+ done
+
+ # If nopass then do not encrypt else encrypt with password.
+ if [ "$EASYRSA_NO_PASS" ]; then
+ unset -v cipher
+ else
+ unset -v no_password
+ fi
+
+ [ -e "$file" ] || die "\
+Missing private key: expected to find the private key component at:
+$file"
+
+ warn "\
+If the key is encrypted then you must supply the decryption pass phrase.
+${cipher:+You will then enter and verify a new PEM pass phrase for this key.}"
+
+ # Set password
+ out_key_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
+
+ easyrsa_openssl pkey -in "$file" -out "$out_key_tmp" \
+ ${cipher:+ "$cipher"} \
+ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
+ ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
+Failed to change the private key passphrase."
+
+ mv "$out_key_tmp" "$file" || die "\
+Failed to update the private key file."
+
+ key_update=changed
+ [ "$EASYRSA_NO_PASS" ] && key_update=removed
+ notice "Key passphrase successfully $key_update"
+} # => set_pass()
+
 # update-db backend
 update_db() {
 verify_ca_init
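Review bot: `mv "$out_key_tmp" "$file"` installs the rewritten key with whatever mode `easyrsa_mktemp` gave the temp file, not the mode of the key it replaces; `easyrsa_mktemp` is defined outside this hunk, so unless it is known to create 0600 files, the `nopass` path can leave a now-unencrypted private key readable more widely than the original was. A `chmod 600 "$out_key_tmp"` after the `easyrsa_openssl pkey` call and before the `mv`, or copying the original file's mode, would pin this down. Separately, `unset -v no_password` in the else branch clears a variable that nothing in `set_pass` sets or reads and looks like a leftover, and `[ -e "$file" ]` also accepts a directory where `[ -f "$file" ]` expresses the intent.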
@@ -5160,10 +5221,14 @@ case "$cmd" in
 export_pkcs p1 "$@"
 ;;
 set-rsa-pass)
- set_pass rsa "$@"
+ set_pass_legacy rsa "$@"
 ;;
 set-ec-pass)
- set_pass ec "$@"
+ set_pass_legacy ec "$@"
+ ;;
+ # Allow shellcheck to complain, 'set-pass' irregularity is understood
+ set-pass|set-ed-pass|set-rsa-pass|set-ec-pass)
+ set_pass "$@"
 ;;
 update-db)
 update_db
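Review bot: In the new arm `set-pass|set-ed-pass|set-rsa-pass|set-ec-pass)` the `set-rsa-pass` and `set-ec-pass` alternatives can never match, because the two legacy arms above them win first; the comment says the irregularity is understood, but the dead alternatives still read as if those names reach `set_pass`, so trimming the pattern to `set-pass|set-ed-pass)` says the same thing without the shellcheck finding. The deprecated arms also emit nothing at run time, while the help hunk earlier in this patch labels them "(Deprecated)"; a `warn "Command '$cmd' is deprecated, use 'set-pass'"` in the `set-rsa-pass)` and `set-ec-pass)` arms would make that visible to users before the legacy path is removed. The enclosing `case "$cmd"` statement starts and ends outside this hunk.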