commit d3592f1b6ea69bb93559108ac78c869308a8e2f3
Merge: ec1d428 05d0213
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu May 11 23:06:20 2023 +0100
Merge branch 'verify-cert-direct-openssl-call' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-verify-cert-direct-openssl-call
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 05d0213d6dff4706d058442b6e9cddcad1124fbc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu May 11 13:35:12 2023 +0100
verify-cert: Call 'openssl' directly to capture error
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command 'upgrade' was configured to create a second secure_session,
this is not allowed, so remove.
Minor format changes for 'show-expire' and --verbose output.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This allows a fallback to use temp-files for CA password, in the event
that file-descriptor method fails.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Until now, EasyRSA has used temp-files to store the CA password and
passed those temp-files to SSL to build a CA keypair, when building
a CA manually, with a password.
From now, EasyRSA will use an internal variable to contain the CA
password and pass the value of that variable via file-descriptors
to SSL, when building a CA keypair.
This file-descriptor method is only used when building a CA with a
password manually, when the user enters the password via keyboard.
All other build-ca methods remain unchanged.
Also, move keypair temp-files to output files or error out.
Also, minor improvements to comments and verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Saving the name of the fully expanded Safe SSL config means that this
config file only has to be built once.
The assignment of working_safe_ssl_conf, which signifies that a Safe
SSL config has already been created, was set too late, which caused
it to be set even if the Safe SSL config had not been created.
Also, include a final check in verify_working_env() to ensure that
working_safe_ssl_conf has not been set prior to executing the issued
command, eg. build-ca.
Also, improve verbose messages and comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
verify_algo_params() expects errors when settings are not corrrect.
Therefore, is must not use easyrsa_openssl() meta-wrapper, which would
error out with a misleading error message.
Fixing this also ensures that the SAFE SSL config is not built prior
to EASYRSA_REQ_CN being set.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EASYRSA_KEY_SIZE is present in the SSL config file, therefore,
it MUST always be set, regardless of EASYRSA_ALGO in use.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command 'easyrsa_openssl makesafecnf' is used internally to create a safe
SSL config file. (By status reports, read_db())
Once the safe SSL config file has been named as a temp-file and created,
the script continues to use that temp-file as the master copy, it does not
recreate a safe SSL config file for subsequent calls to easyrsa_openssl().
Therefore, the temp-file MUST be copied to the standard safe SSL file not
moved. Otherwise, the named temp-file is removed.
Also, move the assignment of the safe SSL temp-file to the correct place.
This means that a new temp-file wiill only be assigned once.
Also, verify that the safe SSL temp-file exists when it is expected to.
Also, change use of '--no--safe-ssl' with LibreSSL to a FATAL error.
Other changes are for error and verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
X509-types insert markers are used by 'awk' to insert data at specific
points in the easyrsa-openssl.cnf file in use.
The checks are moved to below more important imput checks
For build-ca, the check is ONLY done if EASYRSA_EXTRA_EXTS is defined.
This is exceedingly unlikely, because EASYRSA_EXTRA_EXTS is not documented.
For sign-req, the check is only done if --copy-ext isused.
Also, remove an over-indent in "Confirm use of NS extestions"
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
* gen-req: Use verify_pki_init().
* sign-req: Use verify_ca_init().
* build-full: Defer requirements to functions above.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
