diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 7615e59..940b93b 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -583,26 +583,28 @@ Your newly created PKI dir is: $EASYRSA_PKI"
 # Copy data-files from various sources
 install_data_to_pki () {
 #
-# This function is here to explicitly copy data-files to the PKI.
+# This function will explicitly find and optionally copy data-files to the PKI.
 # During 'init-pki' this is the new default.
 # During all other functions these requirements are tested for and
 # files will be copied to the PKI, if they do not already exist there.
 #
-# One of the reasons for this change is to make packing EasyRSA work.
-# This function searches favoured and then common 'areas' for the
-# EasyRSA data-files(A):
-# 'openssl-easyrsa.cnf' 'x509-types':(folder).
+# One of the reasons for this change is to make packaging EasyRSA work.
 #
-# These files MUST be found in at least one location and will be copied
-# to the current PKI, if they do not already exist there.
+# First: search favoured and then common 'areas' for the EasyRSA data-files(A):
+# * 'openssl-easyrsa.cnf' and 'x509-types' (folder).
 #
+# These files MUST be found in at least one location.
+# * 'openssl-easyrsa.cnf' will be copied to the PKI.
+# A warning will be issued if this file cannot be found.
+#
+# * 'x509-types' will set EASYRSA_EXT_DIR to the found location.
+# If x509-types cannot be found then that is a FATAL error.
 #
 # Other EasyRSA data-files(B): it is not crucial that these are found
-# but if they are then they are also copied to the PKI.
-# 'vars' 'vars.example'
+# but if they are then they are copied to the PKI. (Note: 1)
+# * 'vars' and 'vars.example'
 #
-#
-# For 'vars' consideration must be given to:
+# Note 1: For 'vars' consideration must be given to:
 # "Where the user expects to find vars!"
 #
 # Currently, *if* 'vars' is copied to the PKI then the PKI 'vars' will take
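Review bot: The new header says 'x509-types' "will set EASYRSA_EXT_DIR to the found location" but does not state the precedence, which the later hunks of this commit only record in code comments ("first wins, beaten by command line", "if PKI/x509-types exists then it wins, except command line"). The area list in the next hunk appears to start with PWD, so the precedence is exactly what a reader needs in order to judge where extension definitions are loaded from when a PKI has no x509-types of its own. A sentence such as `# Precedence: command-line EASYRSA_EXT_DIR > PKI/x509-types > first 'area' below that has the folder (PWD is searched first).` would close the gap. install_data_to_pki continues past the end of this hunk.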
@@ -616,19 +618,9 @@ install_data_to_pki () { ssl_cnf_file='openssl-easyrsa.cnf' x509_types_dir='x509-types' - # Only use if required - # Omit 'vars' - [ -e "${EASYRSA_PKI}/${vars_file}" ] && - if [ -e "$EASYRSA_SAFE_CONF" ] && \ - [ -e "${EASYRSA_PKI}/${vars_file_example}" ] && \ - [ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ] && \ - [ -e "${EASYRSA_PKI}/${x509_types_dir}" ] - then - return 0 - fi - # PWD - Covers EasyRSA-Windows installed by OpenVPN, and git forks - # "prog_dir" - Old way - # /etc/easy-rsa - Sensible default - Includes: Arch, hopefully others agree.. + # "prog_dir" - Old way (Who installs data files in /usr/bin ?) + # /etc/easy-rsa - possible default # /usr/share/easy-rsa - usr # /usr/local/share/easy-rsa - usr/local @@ -661,14 +653,19 @@ install_data_to_pki () { # Find x509-types [ -e "${area}/${x509_types_dir}" ] || continue - # If x509-types does not exist in the PKI then copy it. - if [ -e "${EASYRSA_PKI}/${x509_types_dir}" ]; then - continue - else - copy_data_to_pki "${area}/${x509_types_dir}" recurse || return + # Declare in preferred order, first wins, beaten by command line. + # Only set if not in PKI; Same condition made in vars_setup() + if [ ! -d "$EASYRSA_PKI/x509-types" ]; then + set_var EASYRSA_EXT_DIR "${area}/${x509_types_dir}" fi done + # if PKI/x509-types exists then it wins, except command line + # Same condition made in vars_setup() + if [ -d "$EASYRSA_PKI/x509-types" ]; then + set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" + fi + # If this is init-pki then create PKI/vars from PKI/example case "$1" in init-pki) @@ -677,7 +674,7 @@ install_data_to_pki () { [ ! -e "${EASYRSA_PKI}/${vars_file}" ] then cp -f "${EASYRSA_PKI}/${vars_file_example}" \ - "${EASYRSA_PKI}/${vars_file}" + "${EASYRSA_PKI}/${vars_file}" || return fi ;; vars-setup) 
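Review bot: In the second hunk on this line (@@ -661,14 +653,19 @@) the loop keeps `[ -e "${area}/${x509_types_dir}" ] || continue`, so a regular file named x509-types in a search area is accepted as EASYRSA_EXT_DIR, while the PKI check two lines later uses `-d` and every comment calls it a folder; `[ -d "${area}/${x509_types_dir}" ] || continue` makes the two tests consistent. The removed `copy_data_to_pki ... recurse` call also means x509-types is no longer copied into the PKI, so a PKI without its own x509-types now resolves EASYRSA_EXT_DIR from the search areas on every run, and the area list in the first hunk on this line appears to begin with PWD. That is a trust decision worth stating in the function header, together with the mitigation: set EASYRSA_EXT_DIR explicitly or keep x509-types inside the PKI when the working directory is not under the operator's control. The areas loop starts before this hunk.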
@@ -688,11 +685,15 @@ install_data_to_pki () { die "install_data_to_pki - unknown context: $1" esac - # Check PKI is updated - Omit 'vars' and example. + # Check PKI is updated - Omit unnecessary checks #[ -e "${EASYRSA_PKI}/${vars_file}" ] || return #[ -e "${EASYRSA_PKI}/${vars_file_example}" ] || return [ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ] || return - [ -e "${EASYRSA_PKI}/${x509_types_dir}" ] || return + #[ -e "${EASYRSA_PKI}/${x509_types_dir}" ] || return + + # EASYRSA_EXT_DIR must be found! No exceptions! + [ -n "$EASYRSA_EXT_DIR" ] && [ -e "$EASYRSA_EXT_DIR" ] || \ + die "x509-types folder cannot be found" # Complete or error [ -e "$EASYRSA_SAFE_CONF" ] || easyrsa_openssl makesafeconf @@ -700,8 +701,8 @@ install_data_to_pki () { # Copy the source to the PKI copy_data_to_pki () { - cp ${2:+-R} "$1" "$EASYRSA_PKI" || return - shift # Clear recurse + cp "$1" "$EASYRSA_PKI" || return + shift } # => copy_data_to_pki () # Disable terminal echo, if possible, otherwise warn 
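Review bot: The "No exceptions!" guard sits after `[ -e "${EASYRSA_PKI}/${ssl_cnf_file}" ] || return`, so when openssl-easyrsa.cnf is missing the function returns before EASYRSA_EXT_DIR is validated and makesafeconf is skipped; the vars-setup caller later in this commit only warns on that return, and if a Safe-SSL config already exists the run may continue with an unvalidated or empty EASYRSA_EXT_DIR. Moving the guard above the ssl_cnf_file check, and testing for a directory as the message claims, closes that path: `[ -n "$EASYRSA_EXT_DIR" ] && [ -d "$EASYRSA_EXT_DIR" ] || die "x509-types folder cannot be found: '$EASYRSA_EXT_DIR'"`. The three `#[ -e ... ] || return` lines above it are dead code now and could be deleted rather than kept as comments. install_data_to_pki continues past the end of this hunk.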
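Review bot: In the second hunk on this line (@@ -700,8 +701,8 @@) the trailing `shift` in copy_data_to_pki no longer has a purpose once the recurse argument and `${2:+-R}` are gone, and leaving it implies a second parameter that callers should not pass. Dropping it and protecting the source path against option-like names leaves `cp -- "$1" "$EASYRSA_PKI" || return` as the whole body. Since -R is removed, a directory passed here now fails inside cp and the `|| return` surfaces it, which matches x509-types no longer being copied; a header comment `# Copy a single data-file (never a directory) into the PKI` would record that intent for the next caller.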
@@ -2004,31 +2005,23 @@ Note: using Easy-RSA configuration from: $vars" mktemp -du "$EASYRSA_TEMP_DIR/easy-rsa-$$.XXXXXX" )" - # Same as above for the x509-types extensions dir - if [ -d "$EASYRSA_PKI/x509-types" ]; then - set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" - else - #TODO: This should be removed. Not really suitable for packaging. #set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types" # Hard break from 'old' Easy-RSA, see obsolete comment above. - # Install data-files into ALL PKIs - install_data_to_pki vars-setup || \ - warn "Failed to install new required data-dir to PKI. (x509)" - set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" - fi + # Install data-files into ALL PKIs + # This will find x509-types and export EASYRSA_EXT_DIR or die. + # Other errors only require warning. + install_data_to_pki vars-setup || \ + warn "Failed to install new required data-dir to PKI. (setup)" + # EASYRSA_SAFE_CONF is output by 'install_data_to_pki()' + # via 'easyrsa_openssl() makesafeconf' above. # Setting EasyRSA specific OPENSSL_CONF to sanatized safe conf if [ -e "$EASYRSA_SAFE_CONF" ]; then export OPENSSL_CONF="$EASYRSA_SAFE_CONF" else - # Install data-files into ALL PKIs - install_data_to_pki vars-setup || \ - warn "Failed to install new required data-files to PKI. (SSL)" - # EASYRSA_SAFE_CONF is output by - # 'install_data_to_pki()' via 'easyrsa_openssl() makesafeconf' - export OPENSSL_CONF="$EASYRSA_SAFE_CONF" + die "Failed to find Safe-SSL config file." fi # Upgrade to 306: Create $EASYRSA_SSL_CONF if it does not exist
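Review bot: The added comment `# Other errors only require warning.` is contradicted two lines below: when install_data_to_pki returns non-zero because openssl-easyrsa.cnf was not found, makesafeconf never runs, so the `warn` is immediately followed by `die "Failed to find Safe-SSL config file."` and the user is never told which data-file was missing. Either let install_data_to_pki die with the file name at its ssl_cnf_file check, or name the cause here: `die "Failed to find Safe-SSL config file '$EASYRSA_SAFE_CONF' (is 'openssl-easyrsa.cnf' in the PKI or a search area?)"`. The opposite case, a pre-existing `$EASYRSA_SAFE_CONF` surviving a failed install, is now accepted with only the warning, which seems worth a sentence in the comment if it is intended. The enclosing function starts before and continues after this hunk.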