Squashed commit of the following:
commit c27825c3bc5dddaeb3749d7a315a77239146ad22
Merge: 02f13f6 93da550
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Oct 25 20:50:44 2022 +0100
Merge branch 'vars-remove-req-cn' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-vars-remove-req-cn
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 93da55003cee29695616d01243aecddcf7954c25
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 21:10:08 2022 +0100
vars.example: Minor corrections and formatting
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 9976f3f0d13a73827052f490438b95153a1b7576
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 20:57:07 2022 +0100
vars.example: Remove EASYRSA_TEMP_FILE
Closes: #729
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 8a35375f84ab88b6f009e5971ddb7358f6619a03
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri Oct 21 20:44:53 2022 +0100
vars.example: Remove EASYRSA_REQ_CN
Closes: #730
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Since the introduction of the 'escape_hazard()' function, all characters
except backtick (`) are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The initial idea was to mask the actual certificate creation date.
The reason was to further anonymise user certificates. (YMMV)
There is now a second part to this date "fixing":
* This allows for all certificates to expire on the same day.
Using command option '--fix-offset=nnn', all certificates will be created:
* with a 'notBefore' date of January 1st of the current year.
* with a 'notAfter' date of the day-of-year number from '--fix-offset',
  in the final year, as per EASYRSA_CERT_EXPIRE (Default 825 days).
The default 825 days results in 2 years plus the offset given.
This can also be set in the 'vars' file, for convenience.
The default day-of-year offered is 183; either July 2 or 3 (leap year).
Follow-up to: #550 (Replaces 'nodatetime' with '--fix-offset')
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In 'org' mode, fields such as EASYRSA_REQ_ORG can be abused.
If the field contains single quote ('), ampersand (&), back-tick (`),
dollar sign ($) or hash (#) then the result is undefined.
Due to EasyRSA running on Linux and Windows and supporting multiple
SSL Libraries, it is not feasible to support these characters.
Add a check to determine if any unsupported characters are found in
the vars file and issue a warning if they are found.
Add a sub-shell test to source vars. If the test fails then exit
gracefully, with a specific error message.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
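The two checks described in the message above (the unsupported-character warning for 'org' mode fields, and sourcing vars in a sub-shell so a broken file exits gracefully), written out as an added example in POSIX shell. This is not easy-rsa's own code: the function names, the simplified set_var stand-in, the HAZARD_CHARS variable and the sample vars fragments are all assumptions constructed for the example. Setting HAZARD_CHARS to just the backtick gives the narrower rule from the later escape_hazard() message.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code: a warning for unsupported characters
# in 'set_var EASYRSA_REQ_*' values and a sub-shell test that sources vars
# without letting a broken file kill the caller. Function names, the set_var
# stand-in and HAZARD_CHARS are assumptions, not easyrsa internals.

# Characters listed as unsupported in 'org' mode fields: ' & ` $ #
# Override before calling, e.g. HAZARD_CHARS='`' for a backtick-only rule.
# (Do not put ] ^ or - in the set: it is used inside a bracket expression.)
HAZARD_CHARS="'&\`\$#"

# vars_hazard_check FILE
# Inspects only the values of 'set_var EASYRSA_REQ_*' lines, since '#' and
# '$' are legitimate elsewhere in vars (comments, "$EASYRSA_PKI" references).
# Warns on stderr and returns 1 if any value contains a hazard character.
vars_hazard_check() {
  hits=$(
    sed -n 's/^[[:space:]]*set_var[[:space:]]\{1,\}\(EASYRSA_REQ_[A-Z_]*\)[[:space:]]\{1,\}/\1 /p' "$1" |
      while IFS= read -r line; do
        name=${line%% *}
        value=${line#* }
        if printf '%s' "$value" | grep -q -- "[$HAZARD_CHARS]"; then
          printf '  %s: %s\n' "$name" "$value"
        fi
      done
  )
  [ -z "$hits" ] && return 0
  printf 'WARNING: unsupported character(s) in vars file %s:\n%s\n' "$1" "$hits" >&2
  return 1
}

# vars_source_test FILE
# Sources FILE in a throw-away sub-shell with a minimal set_var so that a
# syntax error (or anything else the file does) cannot affect the caller.
# Returns the sub-shell's exit status; nothing it sets survives.
vars_source_test() {
  (
    set_var() { var=$1; shift; eval "$var=\"\${$var-\$*}\""; }  # simplified stand-in
    . "$1"
  ) >/dev/null 2>&1
}

# check_vars FILE: 2 if the file cannot be sourced, 1 if values are unsafe, else 0.
check_vars() {
  if ! vars_source_test "$1"; then
    printf 'Error: failed to source vars file %s; check it for syntax errors.\n' "$1" >&2
    return 2
  fi
  vars_hazard_check "$1"
}

# Constructed sample vars fragments (not from the project).
VARS_OK='set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
# a comment containing $ and # is fine
set_var EASYRSA_PKI "$PWD/pki"'
VARS_HAZARD='set_var EASYRSA_REQ_ORG "Bob'"'"'s Certs & Co"
set_var EASYRSA_REQ_OU "`hostname`"'
VARS_BROKEN='set_var EASYRSA_REQ_ORG "Unterminated'

demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$VARS_OK" > "$dir/vars.ok"
  printf '%s\n' "$VARS_HAZARD" > "$dir/vars.hazard"
  printf '%s\n' "$VARS_BROKEN" > "$dir/vars.broken"
  for f in ok hazard broken; do
    if check_vars "$dir/vars.$f"; then
      echo "vars.$f: accepted"
    else
      echo "vars.$f: rejected (status $?)"
    fi
  done
  rm -rf "$dir"
}

demo
```

Note that the hazard file sources cleanly: the backtick in the OU value is executed as a command substitution and the single quote sits harmlessly inside double quotes, so only the character scan catches it. That is why the message adds both checks rather than relying on the source test alone.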
Manually managing temp files in fixed variables (EASYRSA_TEMP_FILE_*)
can result in errors like in build_ca, which reused EASYRSA_TEMP_FILE_3.
A temporary directory simplifies the cleanup.
A configurable directory for temp files (var EASYRSA_TEMP_DIR) also
allows the user to define a different temporary directory. This is
important for devices using flash disks that have limited number of
writes.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
This clarifies the use of the file as specific to EasyRSA while also
closing the loop on the openssl version chase. No reason to have a
configuration file that is specific to openssl version at this point.
If the need arises, we'll do so in a sane fashion.
Resolves #159
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
The --batch CLI arg now takes no options and enables batch-mode when
present.
init-pki no longer takes a 'force' value which did the same as --batch.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>
Add documentation & help output; add quoting; add error messages; put
the ecparams dir under PKI dir with env-var tunable.
Signed-off-by: Josh Cepek <josh.cepek@usa.net>