Add new 'date' test to identify a working command.
Also:
Remove the '-n' "no clobber" option from 'cp' in install_data_to_pki().
Rely on the shell to determine if 'vars' exists.
Closes: #543
Also:
Correctly quote related expansions.
Also:
Minor improvements to host detection.
Unit test completed on Alpine Linux with Busybox v1.34.1
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
$EASYRSA_DUBUG must be deliberately set outside of easyrsa.
'--verbose' mode was a bad hack.
$EASYRSA_DUBUG is also broken from the start but it is the simplest way
to verify what data is being fed to SSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In the context of 'vars-setup', install_data_to_pki() will only copy
the example vars file to a live vars file in the event that no other
vars file exists. This final check will never over-write vars file
which is in the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The only option which is not SSL version independent is:
-nodes (version 1)
-noenc (version 3)
This is managed via $no_password, which is set by verify_ssl_lib().
* Use SSL 'genpkey' to create All CA private keys.
'genpkey' options are SSL version independent.
* Use SSL 'req' to create All CA certificate/key pairs.
'req' options are SSL version independent.
* Replace $opts, $crypto and $crypto_opts with individual variables
for each purpose.
* '$opts' usage:
-x509 - Replaced by $x509
-date - Replaced by $date_stamp ($date would be too common)
-batch - Replaced by $ssl_batch
* '$crypto' usage:
-aes256 - Replaced by $cipher
* '$crypto_opts' usage:
-aes256 - Replaced by $cipher (2nd layer of unnecessary complexity)
-nodes/-noenc - Replaced by $no_password
* Additional variable $digest for SSL 'req' - Defaults to '-sha256'
Insert $EASYRSA_EXTRA_EXTS into the config file along with x509-types
files 'ca' and COMMON. Replaces the previous method of passing SSL
option '-addext foo:bar' directly to SSL command.
Create new EasyRSA option '--verbose'. This prints the command passed
to the SSL library by easyrsa_openssl().
Add a shellcheck directive to install_data_to_pki().
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
'case' is "immune" to standard word splitting and globbing but
code-style now demands that 'case' does not get treated differently.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
SC2086 - Double quote to prevent globbing and word splitting.
It is not suitable to quote $opts and $EASYRSA_EXTRA_EXTS
because then they are passed to SSL as a single option
with spaces, which is not the intended use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
* EASYRSA_CA_EXTRA_EXTS: Created to avoid clash with EASYRSA_EXTRA_EXTS
EASYRSA_CA_EXTRA_EXTS was an interim hack to avoid triggering a code
injection buried deep inside easyrsa_openssl(), when building a CA.
Fixed by Commit: 057be57825616199d125dfffbc5abfa9efaae792
Remove EASYRSA_CA_EXTRA_EXTS:
Created by Commit: 6f138abb5b091fe7715fa7c8c6369d7704b6f177
The result is for all extra extensions to be subject to the same code.
The CA no longer has to dodge the code injection.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
'init-pki' is run in two different states:
* Without a pre-existing PKI
* With a pre-existing PKI
This causes 'init-pki' temporary session directory status to be undefined.
If a PKI does exist then a "session" directory will exist.
If a PKI does not exist then a "session" will not be defined and a directory
will not exist.
Additionally, a 'soft' init-pki leaves the current "session" directory
completely intact.
Resolve this by Always deleting the old "session" and creating a new "session".
* Only 'init-pki' is allowed to do this.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
mktemp was used to create temp-files but it is not POSIX and
the version shipped for Windows has known bugs.
Replace mktemp with atomic directory and file creation using mkdir
and mv, both of which are atomic.
The temporary directory "session" directory is created using mkdir
with a 32bit random number for the name.
eg: /tmp/easyrsa-temp/b01dface
The temporary file is created by moving another file into the place
of the temp-file, with a 32bit random number for the name.
eg: /tmp/easyrsa-temp/b01dface/c01dface
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
