Output only - Standardise message use of notice(), warn() and die

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2022-04-13 12:28:56 +01:00
parent 8c606c532c
commit d29aee3e1b
GPG Key ID: 2D767DB92FB6C246


@ -461,7 +461,7 @@ verify_ssl_lib () {
*) die "Unsupported SSL library: $osslv_major" *) die "Unsupported SSL library: $osslv_major"
esac esac
notice "Using SSL: $EASYRSA_OPENSSL $val" ;; notice "Using SSL: $EASYRSA_OPENSSL $val" ;;
*) die " *) die "\
Missing or invalid OpenSSL Missing or invalid OpenSSL
Expected to find openssl command at: $EASYRSA_OPENSSL" ;; Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
esac esac
@ -469,7 +469,7 @@ Expected to find openssl command at: $EASYRSA_OPENSSL" ;;
EASYRSA_SSL_OK=1 EASYRSA_SSL_OK=1
# Verify EASYRSA_SSL_CONF file exists # Verify EASYRSA_SSL_CONF file exists
[ -f "$EASYRSA_SSL_CONF" ] || die " [ -f "$EASYRSA_SSL_CONF" ] || die "\
The OpenSSL config file cannot be found. The OpenSSL config file cannot be found.
Expected location: $EASYRSA_SSL_CONF" Expected location: $EASYRSA_SSL_CONF"
} # => verify_ssl_lib () } # => verify_ssl_lib ()
@ -497,15 +497,16 @@ $help_note"
# verify ssl lib # verify ssl lib
verify_ssl_lib verify_ssl_lib
unset -v help_note
} # => verify_pki_init() } # => verify_pki_init()
# Verify core CA files present # Verify core CA files present
verify_ca_init() { verify_ca_init() {
help_note="Run without commands for usage and command help."
# First check the PKI has been initialized # First check the PKI has been initialized
verify_pki_init verify_pki_init
help_note="Run without commands for usage and command help."
# Verify expected files are present. Allow files to be regular files # Verify expected files are present. Allow files to be regular files
# (or symlinks), but also pipes, for flexibility with ca.key # (or symlinks), but also pipes, for flexibility with ca.key
for i in serial index.txt index.txt.attr ca.crt private/ca.key; do for i in serial index.txt index.txt.attr ca.crt private/ca.key; do
@ -530,8 +531,8 @@ $help_note"
done done
# explicitly return success for callers # explicitly return success for callers
unset -v help_note
return 0 return 0
} # => verify_ca_init() } # => verify_ca_init()
# init-pki backend: # init-pki backend:
@ -549,7 +550,7 @@ init_pki() {
# If EASYRSA_PKI exists, confirm before we rm -rf (skipped with EASYRSA_BATCH) # If EASYRSA_PKI exists, confirm before we rm -rf (skipped with EASYRSA_BATCH)
if [ -e "$EASYRSA_PKI" ]; then if [ -e "$EASYRSA_PKI" ]; then
confirm "Confirm removal: " "yes" " confirm "Confirm removal: " "yes" "\
WARNING!!! WARNING!!!
You are about to remove the EASYRSA_PKI at: You are about to remove the EASYRSA_PKI at:
@ -594,7 +595,7 @@ and initialize a fresh PKI here."
die "init-pki failed to create safe SSL conf: $EASYRSA_SAFE_CONF" die "init-pki failed to create safe SSL conf: $EASYRSA_SAFE_CONF"
fi fi
notice " notice "\
init-pki complete; you may now create a CA or requests. init-pki complete; you may now create a CA or requests.
@ -1008,18 +1009,20 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp" [ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"
# Success messages # Success messages
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
if [ -n "$sub_ca" ]; then if [ -n "$sub_ca" ]; then
notice "\ notice "\
NOTE: Your intermediate CA request is at $out_file NOTE: Your intermediate CA request is at $out_file
and now must be sent to your parent CA for signing. Place your resulting cert and now must be sent to your parent CA for signing. Place your resulting cert
at $EASYRSA_PKI/ca.crt prior to signing operations. at $EASYRSA_PKI/ca.crt prior to signing operations."
"
else notice "\ else notice "\
CA creation complete and you may now import and sign cert requests. CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at: Your new CA certificate file for publishing is at:
$out_file $out_file"
"
fi fi
return 0 return 0
} # => build_ca() } # => build_ca()
@ -1042,9 +1045,11 @@ gen_dh() {
"$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \ "$EASYRSA_OPENSSL" dhparam -out "$out_file" "$EASYRSA_KEY_SIZE" || \
die "Failed to build DH params" die "Failed to build DH params"
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
DH parameters of size $EASYRSA_KEY_SIZE created at $out_file
" DH parameters of size $EASYRSA_KEY_SIZE created at $out_file"
return 0 return 0
} # => gen_dh() } # => gen_dh()
@ -1136,11 +1141,13 @@ $EASYRSA_EXTRA_EXTS"
|| die "Failed to generate request" || die "Failed to generate request"
mv "$key_out_tmp" "$key_out" mv "$key_out_tmp" "$key_out"
mv "$req_out_tmp" "$req_out" mv "$req_out_tmp" "$req_out"
notice "\ notice "\
Keypair and certificate request completed. Your files are: Keypair and certificate request completed. Your files are:
req: $req_out req: $req_out
key: $key_out key: $key_out"
"
return 0 return 0
} # => gen_req() } # => gen_req()
@ -1267,9 +1274,13 @@ $ext_tmp"
mv "$crt_out_tmp" "$crt_out" mv "$crt_out_tmp" "$crt_out"
rm -f "$ext_tmp" rm -f "$ext_tmp"
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
unset -v EASYRSA_BATCH # This is why batch mode should not silence output
notice "\ notice "\
Certificate created at: $crt_out
" Certificate created at: $crt_out"
return 0 return 0
} # => sign_req() } # => sign_req()
@ -1387,12 +1398,14 @@ Failed to revoke certificate: revocation command failed."
# move revoked files so we can reissue certificates with the same name # move revoked files so we can reissue certificates with the same name
move_revoked "$1" move_revoked "$1"
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
IMPORTANT!!! IMPORTANT!!!
Revocation was successful. You must run gen-crl and upload a CRL to your Revocation was successful. You must run gen-crl and upload a CRL to your
infrastructure in order to prevent the revoked cert from being accepted. infrastructure in order to prevent the revoked cert from being accepted."
" # => notice end
return 0 return 0
} #= revoke() } #= revoke()
@ -1578,12 +1591,14 @@ subjectAltName = $san"
build_full $cert_type "$1" $opts || die "\ build_full $cert_type "$1" $opts || die "\
Failed to renew certificate: renew command failed." Failed to renew certificate: renew command failed."
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
IMPORTANT!!! IMPORTANT!!!
Renew was successful. Renew was successful.
You may want to revoke the old certificate once the new one has been deployed. You may want to revoke the old certificate once the new one has been deployed."
" # => notice end
return 0 return 0
} #= renew() } #= renew()
@ -1678,14 +1693,16 @@ gen_crl() {
# shellcheck disable=SC2086 # Ignore unquoted variables # shellcheck disable=SC2086 # Ignore unquoted variables
easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \ easyrsa_openssl ca -utf8 -gencrl -out "$out_file_tmp" \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
CRL Generation failed. CRL Generation failed."
"
mv "$out_file_tmp" "$out_file" mv "$out_file_tmp" "$out_file"
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
An updated CRL has been created. An updated CRL has been created.
CRL file: $out_file CRL file: $out_file"
"
return 0 return 0
} # => gen_crl() } # => gen_crl()
@ -1715,9 +1732,10 @@ Existing file at: $out_req"
cp "$in_req" "$out_req" cp "$in_req" "$out_req"
notice "\ notice "\
The request has been successfully imported with a short name of: $short_name The request has been successfully imported with a short name of: $short_name
You may now use this name to perform signing operations on this request. You may now use this name to perform signing operations on this request."
"
return 0 return 0
} # => import_req() } # => import_req()
@ -1817,9 +1835,10 @@ Export of p8 failed: see above for related openssl errors."
esac esac
notice "\ notice "\
Successful export of $pkcs_type file. Your exported file is at the following Successful export of $pkcs_type file. Your exported file is at the following
location: $pkcs_out location: $pkcs_out"
"
return 0 return 0
} # => export_pkcs() } # => export_pkcs()
@ -1869,6 +1888,7 @@ error messages."
mv "$out_key_tmp" "$file" || die "\ mv "$out_key_tmp" "$file" || die "\
Failed to change the private key passphrase. See above for error messages." Failed to change the private key passphrase. See above for error messages."
[ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "Key passphrase successfully changed" notice "Key passphrase successfully changed"
return 0 return 0
@ -1881,6 +1901,7 @@ update_db() {
easyrsa_openssl ca -utf8 -updatedb \ easyrsa_openssl ca -utf8 -updatedb \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || die "\
Failed to perform update-db: see above for related openssl errors." Failed to perform update-db: see above for related openssl errors."
return 0 return 0
} # => update_db() } # => update_db()
@ -1911,7 +1932,6 @@ display_dn() {
print "X509v3 Subject Alternative Name:" print "X509v3 Subject Alternative Name:"
print " $san" print " $san"
fi fi
} # => display_dn() } # => display_dn()
# generate default SAN from req/X509, passed by full pathname # generate default SAN from req/X509, passed by full pathname
@ -1980,16 +2000,18 @@ Run easyrsa without commands for usage help."
No such $type file with a basename of '$name' is present. No such $type file with a basename of '$name' is present.
Expected to find this file at: Expected to find this file at:
$in_file" $in_file"
# shellcheck disable=SC2086 # Ignore unquoted variables # shellcheck disable=SC2086 # Ignore unquoted variables
verify_file $format "$in_file" || die "\ verify_file $format "$in_file" || die "\
This file is not a valid $type file: This file is not a valid $type file:
$in_file" $in_file"
notice "\ notice "\
Showing $type details for '$name'.
This file is stored at: Showing $type details for '$name'.
$in_file This file is stored at:
" * $in_file"
# shellcheck disable=SC2086 # Ignore unquoted variables # shellcheck disable=SC2086 # Ignore unquoted variables
easyrsa_openssl $format -in "$in_file" -noout -text\ easyrsa_openssl $format -in "$in_file" -noout -text\
-nameopt multiline $opts || die "\ -nameopt multiline $opts || die "\
@ -2023,11 +2045,11 @@ $in_file"
This file is not a valid $type file: This file is not a valid $type file:
$in_file" $in_file"
notice " notice "\
Showing $type details for 'ca'. Showing $type details for 'ca'.
This file is stored at: This file is stored at:
$in_file * $in_file"
"
# shellcheck disable=SC2086 # Ignore unquoted variables # shellcheck disable=SC2086 # Ignore unquoted variables
easyrsa_openssl $format -in "$in_file" -noout -text\ easyrsa_openssl $format -in "$in_file" -noout -text\
@ -2116,10 +2138,10 @@ vars_setup() {
[ "$e_easy_vars" ] && print "Found: $easy_vars" [ "$e_easy_vars" ] && print "Found: $easy_vars"
[ "$e_pwd_vars" ] && print "Found: $pwd_vars" [ "$e_pwd_vars" ] && print "Found: $pwd_vars"
[ "$e_prog_vars" ] && print "Found: $prog_vars" [ "$e_prog_vars" ] && print "Found: $prog_vars"
die "Conflicting 'vars' files found. die "\
Conflicting 'vars' files found.
Priority should be given to your PKI vars file: Priority should be given to your PKI vars file:
* $expected_pki_vars * $expected_pki_vars
" "
esac esac
@ -2142,8 +2164,7 @@ Priority should be given to your PKI vars file:
die "\ die "\
Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration
file. Storing sensitive information in the configuration file is not file. Storing sensitive information in the configuration file is not
recommended - please remove it from there before continuing. recommended - please remove it from there before continuing."
"
fi fi
# Sanitize vars further but ONLY if it is in PKI folder # Sanitize vars further but ONLY if it is in PKI folder
@ -2153,8 +2174,7 @@ recommended - please remove it from there before continuing.
warn "\ warn "\
Single quote (') has been found in the configuration file. Single quote (') has been found in the configuration file.
This character is not supported in the configuration file. This character is not supported in the configuration file.
Sourcing the vars file will probably fail .. Sourcing the vars file will probably fail .."
"
fi fi
fi fi
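Review bot: `unset -v EASYRSA_BATCH` in sign_req (hunk @ -1267) is a process-wide side effect: the line is printed once here so the rendering lost its marker, but its trailing comment reads as new, and it clears the caller's batch setting for everything that runs after the certificate is written, not only for the notice that follows it. renew() calls build_full (hunk @ -1578), and if that path reaches sign_req, any later confirm prompt in the same invocation would stop being auto-answered; the body of sign_req starts outside the hunk, so I cannot see whether anything else depends on the variable staying set. If the intent is only to let notice() print in batch mode, I would leave the global intact and scope the override to that one call, e.g. `batch_save="$EASYRSA_BATCH"; unset -v EASYRSA_BATCH`, then the notice, then `EASYRSA_BATCH="$batch_save"`, or give notice() a parameter that bypasses its batch check. Separately, the `die` in vars_setup (hunk @ -2116) still closes its message with `"` on a line of its own, so that message keeps a trailing newline while the rest of this commit folds the closing quote onto the last text line.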