Merge branch 'TinCanTech-fix-subca-len'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit
e21ab73ba6
@ -1,6 +1,7 @@
|
|||||||
Easy-RSA 3 ChangeLog
|
Easy-RSA 3 ChangeLog
|
||||||
|
|
||||||
3.1.1 (TBD)
|
3.1.1 (TBD)
|
||||||
|
* Resolve long-standing issue with --subca-len=N (#691)
|
||||||
* Expand 'show-renew', include 'renewed/certs_by_serial' (#700)
|
* Expand 'show-renew', include 'renewed/certs_by_serial' (#700)
|
||||||
* Introduce 'renew' (version 3). Only renew cert (#688)
|
* Introduce 'renew' (version 3). Only renew cert (#688)
|
||||||
* Require 'openssl-easyrsa.cnf' is up to date (#695}
|
* Require 'openssl-easyrsa.cnf' is up to date (#695}
|
||||||
|
|||||||
@ -533,10 +533,9 @@ die() {
|
|||||||
print "
|
print "
|
||||||
Easy-RSA error:
|
Easy-RSA error:
|
||||||
|
|
||||||
$1" 1>&2
|
$1
|
||||||
|
" 1>&2
|
||||||
show_host
|
die_error_exit=1
|
||||||
|
|
||||||
exit "${2:-1}"
|
exit "${2:-1}"
|
||||||
} # => die()
|
} # => die()
|
||||||
|
|
||||||
@ -668,7 +667,6 @@ easyrsa_mktemp() {
|
|||||||
|
|
||||||
# remove temp files and do terminal cleanups
|
# remove temp files and do terminal cleanups
|
||||||
cleanup() {
|
cleanup() {
|
||||||
verbose "* Cleanup!"
|
|
||||||
if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && \
|
if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && \
|
||||||
[ -d "$EASYRSA_TEMP_DIR_session" ]
|
[ -d "$EASYRSA_TEMP_DIR_session" ]
|
||||||
then
|
then
|
||||||
@ -701,7 +699,8 @@ Temporary session not preserved."
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
# Remove files when build_full()->sign_req() is interrupted
|
# Remove files when build_full()->sign_req() is interrupted
|
||||||
[ "$on_error_build_full_cleanup" ] && rm -f "$crt_out" "$req_out" "$key_out"
|
[ "$on_error_build_full_cleanup" ] && \
|
||||||
|
rm -f "$crt_out" "$req_out" "$key_out"
|
||||||
|
|
||||||
# Restore files when renew is interrupted
|
# Restore files when renew is interrupted
|
||||||
[ "$on_error_undo_renew_move" ] && renew_restore_move; :
|
[ "$on_error_undo_renew_move" ] && renew_restore_move; :
|
||||||
@ -738,6 +737,8 @@ Temporary session not preserved."
|
|||||||
exit 0
|
exit 0
|
||||||
else
|
else
|
||||||
# if 'cleanup' is called without 'ok' then an error occurred
|
# if 'cleanup' is called without 'ok' then an error occurred
|
||||||
|
# Do not show_host() for confirm() aborted exit
|
||||||
|
[ "$die_error_exit" ] && show_host
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
} # => cleanup()
|
} # => cleanup()
|
||||||
@ -1695,21 +1696,6 @@ at: $crt_out"
|
|||||||
The certificate request file is not in a valid X509 request format.
|
The certificate request file is not in a valid X509 request format.
|
||||||
File Path: $req_in"
|
File Path: $req_in"
|
||||||
|
|
||||||
# Display the request subject in an easy-to-read format
|
|
||||||
# Confirm the user wishes to sign this request
|
|
||||||
# Support batch by internal caller:
|
|
||||||
#[ "$3" = "batch" ] ||
|
|
||||||
confirm "Confirm request details: " "yes" "\
|
|
||||||
You are about to sign the following certificate.
|
|
||||||
Please check over the details shown below for accuracy. Note that this request
|
|
||||||
has not been cryptographically verified. Please be sure it came from a trusted
|
|
||||||
source or that you have verified the request checksum with the sender.
|
|
||||||
|
|
||||||
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
|
|
||||||
|
|
||||||
$(display_dn req "$req_in")
|
|
||||||
" # => confirm end
|
|
||||||
|
|
||||||
# Get fixed dates by --fix-offset
|
# Get fixed dates by --fix-offset
|
||||||
if [ "$EASYRSA_FIX_OFFSET" ]; then
|
if [ "$EASYRSA_FIX_OFFSET" ]; then
|
||||||
fixed_dates="$( # subshell for debug
|
fixed_dates="$( # subshell for debug
|
||||||
@ -1760,8 +1746,19 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
die "Failed to read X509-type $crt_type"
|
die "Failed to read X509-type $crt_type"
|
||||||
|
|
||||||
# Support a dynamic CA path length when present:
|
# Support a dynamic CA path length when present:
|
||||||
[ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \
|
if [ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ]; then
|
||||||
print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"
|
# Print the last occurence of basicContraints in x509-types/ca
|
||||||
|
# If basicContraints not defined then bail
|
||||||
|
# shellcheck disable=SC2016 # vars don't expand in ''
|
||||||
|
awkscript='/^[[:blank:]]*basicConstraints[[:blank:]]*=/ { bC=$0 }
|
||||||
|
END { if (length(bC) == 0 ) exit 1; print bC }'
|
||||||
|
basicConstraints="$(
|
||||||
|
awk "$awkscript" "$EASYRSA_EXT_DIR/$crt_type"
|
||||||
|
)" || die "\
|
||||||
|
basicConstraints is not defined, cannot use 'pathlen'"
|
||||||
|
print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"
|
||||||
|
unset -v basicConstraints
|
||||||
|
fi
|
||||||
|
|
||||||
# Deprecated Netscape extension support, if enabled
|
# Deprecated Netscape extension support, if enabled
|
||||||
if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
|
if print "$EASYRSA_NS_SUPPORT" | awk_yesno; then
|
||||||
@ -1801,6 +1798,21 @@ Please update openssl-easyrsa.cnf to the latest official release."
|
|||||||
Failed to create temp extension file (bad permissions?) at:
|
Failed to create temp extension file (bad permissions?) at:
|
||||||
$ext_tmp"
|
$ext_tmp"
|
||||||
|
|
||||||
|
# Display the request subject in an easy-to-read format
|
||||||
|
# Confirm the user wishes to sign this request
|
||||||
|
# Support batch by internal caller:
|
||||||
|
#[ "$3" = "batch" ] ||
|
||||||
|
confirm "Confirm request details: " "yes" "\
|
||||||
|
You are about to sign the following certificate.
|
||||||
|
Please check over the details shown below for accuracy. Note that this request
|
||||||
|
has not been cryptographically verified. Please be sure it came from a trusted
|
||||||
|
source or that you have verified the request checksum with the sender.
|
||||||
|
|
||||||
|
Request subject, to be signed as a $crt_type certificate for $EASYRSA_CERT_EXPIRE days:
|
||||||
|
|
||||||
|
$(display_dn req "$req_in")
|
||||||
|
" # => confirm end
|
||||||
|
|
||||||
# sign request
|
# sign request
|
||||||
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
|
||||||
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
|
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
|
||||||
@ -3989,7 +4001,6 @@ detect_host() {
|
|||||||
|
|
||||||
# Extra diagnostics
|
# Extra diagnostics
|
||||||
show_host() {
|
show_host() {
|
||||||
print
|
|
||||||
print_version
|
print_version
|
||||||
print "$host_out | ${ssl_version:-ssl_version not currently set}"
|
print "$host_out | ${ssl_version:-ssl_version not currently set}"
|
||||||
[ "$EASYRSA_DEBUG" ] || return 0
|
[ "$EASYRSA_DEBUG" ] || return 0
|
||||||
@ -4938,12 +4949,9 @@ trap "exit 3" 3
|
|||||||
trap "exit 6" 6
|
trap "exit 6" 6
|
||||||
trap "exit 14" 15
|
trap "exit 14" 15
|
||||||
|
|
||||||
# Get host details - does not require vars_setup
|
|
||||||
detect_host
|
|
||||||
|
|
||||||
# Initialisation requirements
|
# Initialisation requirements
|
||||||
unset -v easyrsa_error_exit user_san_true user_vars_true \
|
unset -v die_error_exit easyrsa_error_exit \
|
||||||
alias_days
|
user_san_true user_vars_true alias_days
|
||||||
|
|
||||||
# Parse options
|
# Parse options
|
||||||
while :; do
|
while :; do
|
||||||
@ -5100,6 +5108,9 @@ case "$cmd" in
|
|||||||
unset -v no_pki_required
|
unset -v no_pki_required
|
||||||
esac
|
esac
|
||||||
|
|
||||||
|
# Get host details - does not require vars_setup
|
||||||
|
detect_host
|
||||||
|
|
||||||
# Intelligent env-var detection and auto-loading:
|
# Intelligent env-var detection and auto-loading:
|
||||||
vars_setup
|
vars_setup
|
||||||
|
|
||||||
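Review bot: `$EASYRSA_SUBCA_LEN` is spliced into the temporary extension file unchecked by the new `print "$basicConstraints, pathlen:$EASYRSA_SUBCA_LEN"` line in the sign_req hunk, so a non-numeric or composite value such as `--subca-len=0,critical` is handed straight to `openssl ca` as part of `basicConstraints`; unless the option parser already validates it (not visible in this diff), add a guard ahead of the awk call: `case "$EASYRSA_SUBCA_LEN" in *[!0-9]*) die "--subca-len must be a non-negative integer" ;; esac`. A second gap is that the extracted `basicConstraints` line is appended to verbatim, so an `x509-types/ca` that already carries a `pathlen:` constraint will produce two pathlen entries; either reject that case with a die, or have the awk script strip the existing `pathlen:` token before printing. The `die`/`cleanup` hunks also move `show_host` from `die()` into `cleanup()`, gated on `die_error_exit`; if `die` is ever reached inside a command substitution (the `fixed_dates="$( ...` subshell is one such caller), that flag is set in the subshell only, so the host diagnostics that used to print will now be lost — worth confirming against the trap wiring, which is outside this diff. The sign_req function this hunk belongs to starts and ends outside the hunk.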