When signing a request, EasyRSA ALWAYS defaults to the CA defined
Distinguished Name field order, as defined by openssl-easyrsa.cnf
configuration file.
In the unlikely event that a CSR is received with a different DN-
field order, that order can be preserved for the signed certificate.
Command 'sign-req' now has a command option 'preserve' for this.
Additional:
Use of 'preserve = yes' in openssl-easyrsa.cnf has no effect for
EasyRSA.
Testing OpenSSL directly indicates that this option may have no effect
when used in OpenSSL default configuration file openssl.cnf.
Also, OpenSSL documentation for command 'ca', option '-preserveDN'
does NOT infer that this option can be used in the configuration file.
None of which is important to EasyRSA because only foreign CSRs can
have a different DN-field order, so default behavior can remain.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Change the integration of the following:
* build-ca: Replace password temp-file method with file-descriptors
* commit 27870d695a324e278854146afdac5d6bdade9bba
Instead of 'replacing' the standard temp-file method, the new 'stdin'
method is offered as an alternative by using option '--ca-via-stdin'
Discussion:
Using EasyRSA temp-files means that these files can be written to
specific places. In the case of the CA password, it is recommended
to use a RAM-Disk to write CA password temp-files to.
Using heredocs to pass data via file-descriptors, in all probability,
will write the heredoc data to a temp-file managed by the shell in use.
Thus, there are temp-files written in both methods.
The difference being that the EasyRSA managed temp-files can be written to
specific places, while the shell managed temp-files are out of EasyRSA scope.
In conclusion, both methods are offered, however, the default remains
as EasyRSA temp-files for the CA password method.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
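
What a given shell actually puts behind a heredoc can be checked directly. The script below is an added example, not part of the commit or of EasyRSA; it assumes a Linux-style /dev/stdin and /proc, and the function names and dummy passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EasyRSA code): find out what the running shell puts
# behind a heredoc on stdin. Assumes a Linux-style /dev/stdin and /proc.
# Function names and the dummy passphrase are constructed for illustration.

# Classify whatever is currently connected to stdin.
stdin_backing() {
    if [ -p /dev/stdin ]; then
        echo pipe            # data is held in a kernel pipe
    elif [ -f /dev/stdin ]; then
        echo file            # the shell wrote the heredoc to a temp-file
    else
        echo other
    fi
}

# Resolve the path behind stdin; prints nothing when /proc is unavailable.
stdin_path() {
    readlink /proc/self/fd/0 2>/dev/null || true
}

# Pass a dummy secret through a heredoc, as a stdin-based method would.
heredoc_backing() {
    stdin_backing <<EOF
constructed-dummy-passphrase
EOF
}

heredoc_path() {
    stdin_path <<EOF
constructed-dummy-passphrase
EOF
}

# Summarise: for a temp-file, show where the shell created it so the location
# can be compared with the RAM-disk used for EasyRSA managed temp-files.
report() {
    kind=$(heredoc_backing)
    case "$kind" in
        file) echo "heredoc backing: file at $(heredoc_path)" ;;
        *)    echo "heredoc backing: $kind" ;;
    esac
}

report
```

The result depends on the shell and its version, so run it with the same interpreter that runs EasyRSA.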
Replace all 'set-X-pass' commands with single 'set-pass' command.
The new EasyRSA 'set-pass' command uses OpenSSL command 'pkey' to manipulate
private keys. OpenSSL 'pkey' command supports all EasyRSA cryptography.
Retain compatibility with old commands.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Squashed commit of the following:
commit 3bff869d3058b2d8d2e21b572dfed6bac773ffe8
Merge: dbb8517 1652f20
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 3 19:55:34 2022 +0000
Merge branch 'new-global-opt-nopass' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-new-global-opt-nopass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 1652f20e88ae72e731d8e6001d561d10aebdb780
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:46:54 2022 +0000
Introduce global option '--nopass|--no-pass' (#752)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 7817324cbb31baf922724e46d5a50947b0b649d6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:29:41 2022 +0000
Introduce global option '--nopass|--no-pass'
This change forces all commands where passwords are not desired
to internally rely on the specific EasyRSA variable 'EASYRSA_NO_PASS'.
Current use of 'nopass' as a command option is unchanged.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Added ChangeLog notice.
Squashed commit of the following:
commit de8f9e689e6409b606f112067754c28e3eef1d1d
Merge: ab7c480 0753241
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Oct 26 21:45:29 2022 +0100
Merge branch 'help-err-exit' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-help-err-exit
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 0753241b0c45311475822d05ce492ef925423dad
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Oct 25 21:52:49 2022 +0100
Command 'help': For unknown command, exit with error.
Closes: #736
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Squashed commit of the following:
commit cd3ef9f218ba9e2862914ad9846dc674d5b89ea6
Merge: 368de14 8a8136b
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Oct 25 21:04:16 2022 +0100
Merge branch 'changlog-725' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-changlog-725
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 8a8136b20a4465b53d4bd59eff4b638af57a5d5b
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Oct 25 20:03:49 2022 +0100
ChangeLog: Find data-files in the correct order (#727)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Backport the patch from a4e37cfe54167cca2610aa401b06caae6fa4f724 to 3.0
that fixes the data arguments on Darwin and BSD. Patch originally
authored by @tincantech.
Update .gitignore to ignore macOS .DS_Store files.
Update ChangeLog for v3.0.9 release
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>