This allows a fallback to use temp-files for CA password, in the event
that file-descriptor method fails.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Until now, EasyRSA has used temp-files to store the CA password and
passed those temp-files to SSL to build a CA keypair, when building
a CA manually, with a password.
From now, EasyRSA will use an internal variable to contain the CA
password and pass the value of that variable via file-descriptors
to SSL, when building a CA keypair.
This file-descriptor method is only used when building a CA with a
password manually, when the user enters the password via keyboard.
All other build-ca methods remain unchanged.
Also, move keypair temp-files to output files or error out.
Also, minor improvements to comments and verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Saving the name of the fully expanded Safe SSL config means that this
config file only has to be built once.
The assignment of working_safe_ssl_conf, which signifies that a Safe
SSL config has already been created, was set too late, which caused
it to be set even if the Safe SSL config had not been created.
Also, include a final check in verify_working_env() to ensure that
working_safe_ssl_conf has not been set prior to executing the issued
command, eg. build-ca.
Also, improve verbose messages and comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
verify_algo_params() expects errors when settings are not corrrect.
Therefore, is must not use easyrsa_openssl() meta-wrapper, which would
error out with a misleading error message.
Fixing this also ensures that the SAFE SSL config is not built prior
to EASYRSA_REQ_CN being set.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EASYRSA_KEY_SIZE is present in the SSL config file, therefore,
it MUST always be set, regardless of EASYRSA_ALGO in use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command 'easyrsa_openssl makesafecnf' is used internally to create a safe
SSL config file. (By status reports, read_db())
Once the safe SSL config file has been named as a temp-file and created,
the script continues to use that temp-file as the master copy, it does not
recreate a safe SSL config file for subsequent calls to easyrsa_openssl().
Therefore, the temp-file MUST be copied to the standard safe SSL file not
moved. Otherwise, the named temp-file is removed.
Also, move the assignment of the safe SSL temp-file to the correct place.
This means that a new temp-file wiill only be assigned once.
Also, verify that the safe SSL temp-file exists when it is expected to.
Also, change use of '--no--safe-ssl' with LibreSSL to a FATAL error.
Other changes are for error and verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
X509-types insert markers are used by 'awk' to insert data at specific
points in the easyrsa-openssl.cnf file in use.
The checks are moved to below more important imput checks
For build-ca, the check is ONLY done if EASYRSA_EXTRA_EXTS is defined.
This is exceedingly unlikely, because EASYRSA_EXTRA_EXTS is not documented.
For sign-req, the check is only done if --copy-ext isused.
Also, remove an over-indent in "Confirm use of NS extestions"
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
* gen-req: Use verify_pki_init().
* sign-req: Use verify_ca_init().
* build-full: Defer requirements to functions above.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In verify_working_env(), move to AFTER the check for temporary folder.
The move is aesthetic because secure_session() does its own check
for temporary folder.
In 'init-pki', remove secure_session() completely, as not required.
Add more verbose output.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
easyrsa_openssl() default behaviour is to re-use the generated
safe SSL config file, after bieng called for the first time.
NOTE: easyrsa_openssl() is a heavily nested function.
This option forces recreation of a safe SSL config file for each
call to easyrsa_openssl().
Only effective when an SSL config fie is required.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
