From 9f5267a0a73478023b84f2eb139d8ab8fc920cb3 Mon Sep 17 00:00:00 2001
From: Hugues Fafard
Date: Sat, 10 Feb 2018 17:47:41 +0100
Subject: [PATCH 1/3] Honor priv-key related settings during `build-ca`

The EASYRSA_ALGO, EASYRSA_KEY_SIZE, and EASYRSA_CURVE settings in `vars`, as well as their runtime overrides are ignored during `build-ca` since 6268cd9. This restores previous behavior of honring the settings. Should also fix #179.
---
 easyrsa3/easyrsa | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ae946f0..9da7b6b 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -414,7 +414,7 @@ Your newly created PKI dir is: $EASYRSA_PKI
 
 # build-ca backend:
 build_ca() {
-opts=""
+opts=""
 sub_ca=""
 crypto="-aes256"
 while [ -n "$1" ]; do
@@ -484,12 +484,17 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 die "Passphrases do not match."
 fi
 # create the CA key using AES256
-"$EASYRSA_OPENSSL" genrsa -aes256 -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
+if [ "$EASYRSA_ALGO" = "rsa" ]; then
+"$EASYRSA_OPENSSL" genrsa "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp" "$EASYRSA_ALGO_PARAMS"
+elif [ "$EASYRSA_ALGO" = "ec" ]; then
+"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | "$EASYRSA_OPENSSL" ec "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
+fi
 # create the CA keypair:
 #shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
 -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
 die "Failed to build the CA"
+
 mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
 mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
 rm "$out_key_pass_tmp"

From 67f76dafe0b7b8945af6ac087ba373adc9857217 Mon Sep 17 00:00:00 2001
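Review bot: Neither key-generation command in the new if/elif checks its exit status, so a failed `genrsa` or a failed `ecparam | ec` pipeline leaves an empty `out_key_tmp` and the only message the user sees is the unrelated `Failed to build the CA` from the later `req`. There is also no `else` branch, so an `EASYRSA_ALGO` that is neither `rsa` nor `ec` silently generates no key and fails the same misleading way. Both commands should end in `|| die "Failed to generate the CA key"` and the chain should close with `else die "Unknown key algorithm: '$EASYRSA_ALGO'"`; the rewritten block in the second hunk of PATCH 3/3 carries the same gap. build_ca starts before this hunk.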
From: Eric F Crist
Date: Mon, 26 Feb 2018 07:26:49 -0600
Subject: [PATCH 2/3] Remove quotes around $pkcs_opts

Credit to @OtherSystems and @Antagonym and some others who pointed this out. This resolves #189 and #193 and #186 and #179.

Signed-off-by: Eric F Crist
---
 easyrsa3/easyrsa | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4963bfc..ef36800 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -897,16 +897,18 @@ Missing key expected at: $key_in"
 fi
 
 # export the p12:
+# shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
--out "$pkcs_out" "$pkcs_opts" || die "\
+-out "$pkcs_out" $pkcs_opts || die "\
 Export of p12 failed: see above for related openssl errors."
 ;;
 p7)
 pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"
 
 # export the p7:
+# shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
--out "$pkcs_out" "$pkcs_opts" || die "\
+-out "$pkcs_out" $pkcs_opts || die "\
 Export of p7 failed: see above for related openssl errors."
 ;;
 esac

From 63224439a672283c76ba4e21dbdf72244862b56b Mon Sep 17 00:00:00 2001
From: Hugues Fafard
Date: Mon, 26 Feb 2018 15:42:05 +0100
Subject: [PATCH 3/3] Fixed broken `nopass` option in `build-ca` subcommand

---
 easyrsa3/easyrsa | 54 ++++++++++++++++++++++++++++--------------------
 1 file changed, 32 insertions(+), 22 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index defb327..cede5b1 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -417,11 +417,13 @@ Your newly created PKI dir is: $EASYRSA_PKI
 build_ca() {
 opts=""
 sub_ca=""
+nopass=""
 crypto="-aes256"
+crypto_opts=""
 while [ -n "$1" ]; do
 case "$1" in
-nopass) opts="$opts -nodes " ;;
 subca) sub_ca=1 ;;
+nopass) nopass=1 ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
 shift
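Review bot: The two added `# shellcheck disable=SC2086` lines should state why the expansion is deliberately unquoted, because the fix is only safe while `pkcs_opts` holds whitespace-separated literal openssl flags and never a path or other free-form value: `# shellcheck disable=SC2086 -- pkcs_opts is a space-separated list of fixed openssl flags; word-splitting is intended`. The p7 branch hands the same `$pkcs_opts` to `crl2pkcs7`; where it is assigned is outside this hunk, so if it can still carry p12-only flags at that point, `crl2pkcs7` would presumably reject them and the export would die — worth confirming. The enclosing `case` starts before this hunk.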
@@ -466,40 +468,48 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 [ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 
 out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
-# shellcheck disable=SC2154
-out_key_pass_tmp="$(mktemp "$out_key_pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
 out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
-printf "Enter New CA Key Passphrase: "
-stty -echo
-read -r kpass
-stty echo
-echo
-printf "Re-Enter New CA Key Passphrase: "
-stty -echo
-read -r kpass2
-stty echo
-echo
-if [ "$kpass" = "$kpass2" ];
-then
-printf "%s" "$kpass" > "$out_key_pass_tmp"
-else
-die "Passphrases do not match."
+# Get password from user if necessary
+if [ ! $nopass ]; then
+out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
+printf "Enter New CA Key Passphrase: "
+stty -echo
+read -r kpass
+stty echo
+echo
+printf "Re-Enter New CA Key Passphrase: "
+stty -echo
+read -r kpass2
+stty echo
+echo
+if [ "$kpass" = "$kpass2" ];
+then
+printf "%s" "$kpass" > "$out_key_pass_tmp"
+else
+die "Passphrases do not match."
+fi
 fi
+
 # create the CA key using AES256
+[ ! $nopass ] && crypto_opts="$crypto -passout file:$out_key_pass_tmp"
 if [ "$EASYRSA_ALGO" = "rsa" ]; then
-"$EASYRSA_OPENSSL" genrsa "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp" "$EASYRSA_ALGO_PARAMS"
+#shellcheck disable=SC2086
+"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts "$EASYRSA_ALGO_PARAMS"
 elif [ "$EASYRSA_ALGO" = "ec" ]; then
-"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | "$EASYRSA_OPENSSL" ec "$crypto" -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
+#shellcheck disable=SC2086
+"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
+"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
 fi
 # create the CA keypair:
+[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
 #shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
--config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
+-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
 die "Failed to build the CA"
 
 mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
 mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
-rm "$out_key_pass_tmp"
+[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"
 
 # Success messages
 if [ $sub_ca ]; then
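Review bot: `crypto_opts` now embeds `file:$out_key_pass_tmp` in a string that is deliberately word-split on the `genrsa`, `ec` and `req` lines, so a `TMPDIR` containing whitespace breaks the `-passout`/`-passin` argument that the previous `file:"$out_key_pass_tmp"` form handled correctly; since this is POSIX sh without arrays, the rewrite below builds those words with `set --` instead (the option loop at the top of build_ca has already shifted every positional argument away, so `"$@"` is free inside the function). `[ ! $nopass ]`, used three times in this hunk, only works because `[ ! ]` is true for the single non-empty argument `!`; `[ -z "$nopass" ]` says what is meant. Note also that `out_file_tmp` registers itself in `EASYRSA_TEMP_FILE_3` and the nopass block then overwrites that slot with `out_key_pass_tmp`, so whatever removes `EASYRSA_TEMP_FILE_*` on `die` presumably leaves `out_file_tmp` behind (the old code had the same collision in the other direction); the passphrase file deserves its own slot, which means teaching the cleanup handler about it. Finally, the bare `mktemp` moves the passphrase file from the PKI directory into `$TMPDIR`; `mktemp` creates it 0600, but a template next to the key (e.g. `mktemp "$out_key.pass.XXXXXXXXXX"`) keeps the secret under the same directory permissions as the key it protects. build_ca starts before this hunk.
```shell
# Get password from user if necessary
if [ -z "$nopass" ]; then
	out_key_pass_tmp="$(mktemp "$out_key.pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
	# … unchanged: prompt twice, compare, write the passphrase file …
fi
# Pass the encryption/passphrase options as separate words rather than a
# word-split string so a temp path with whitespace survives; "$@" is free here
# because the option loop at the top of build_ca has already shifted everything.
if [ -z "$nopass" ]; then
	set -- "$crypto" -passout "file:$out_key_pass_tmp"
else
	set --
fi
if [ "$EASYRSA_ALGO" = "rsa" ]; then
	"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" "$@" "$EASYRSA_ALGO_PARAMS"
elif [ "$EASYRSA_ALGO" = "ec" ]; then
	"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
		"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" "$@"
fi
# create the CA keypair:
if [ -z "$nopass" ]; then set -- -passin "file:$out_key_pass_tmp"; else set --; fi
#shellcheck disable=SC2086
"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
	-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" "$@" $opts || \
	die "Failed to build the CA"
# … unchanged: mv of key and request, removal of the passphrase file, success messages …
```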