Locate existing x509-types directory, after sourcing vars.
If vars is set incorrectly then this WILL override vars.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 5e9609873a01dd358e3a4c6928fc553e5257d8ea
Merge: ed54b1a 42bfae4
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Aug 28 14:44:13 2022 +0100
Merge branch 'subca-default-cn' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-subca-default-cn
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 42bfae4673996307107964be0fc8b15883072d31
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Aug 27 13:20:41 2022 +0100
build-ca: Assign default sub-CA commonName and enable SSL interactive
When building a CA/SubCA, if a commonName has not been assigned by --req-cn
then assign a default commonName, of either:
* 'Easy-RSA CA' or 'Easy-RSA Sub-CA'.
If a default commonName has been assigned then use SSL interactive mode
to edit/confirm each of the subject fields individually. Otherwise, use
EasyRSA to confirm all of the subject fields with a single prompt.
Closes: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Make find_x509_types_dir() a stand-alone function.
When calling usage(), find_x509_types_dir() can be a soft fail.
When x509-types directory is required, this function is a hard fail.
This also simplifies install_data_to_pki(), because x509-types do not
need to be installed in the PKI.
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note: --req-cn can only be used when building a CA/subCA.
When building all other certificates --req-cn is not honoured.
Reported-in: #659
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Processing vars at init-pki was intentionally kept to minimum, due to
complications with user expectations versus Easy-RSA preferences.
This overhaul aims to finalise Easy-RSA interference with vars.
1. Prefer that vars is in the PKI but only force that at init-pki,
when no other vars files can be found. Otherwise, do not create a
template vars and leave it to the user, with appropriate messages.
2. Fail all commands, except init-pki, if more than one vars exists.
3. Take special care of 'init-pki soft'.
4. For existing PKIs, be aware that vars may NOT exist.
This patch is less complicated than it appears to be.
Most of the changes are either comments or user messages.
There are some new state flags to manage the location of vars,
which are used to decide when a new vars is created and control
user messages.
Closes: #651
New message for "Using x509-types directory: $EASYRSA_EXT_DIR"
Closes: #654
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
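The vars-location rules above (and the make-cadir exception from a later commit on this page), as an added example that is not easy-rsa's own code; the two candidate locations and the template content are assumptions made for illustration:

```sh
#!/bin/sh
# Added example, not easy-rsa's own code: the vars-location rules from the
# commit above. Candidate locations (the CA work dir, as made by make-cadir,
# then the PKI) are an assumption made for illustration.

# Print each candidate vars file that exists, one per line, work dir first.
find_vars_files() {        # pki_dir work_dir
    for f in "$2/vars" "$1/vars"; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print the vars file a command should use, applying the rules:
#  - more than one vars: every command except init-pki fails;
#    init-pki lets the work-dir (make-cadir) copy win without error
#  - no vars at all: only init-pki creates a template in the PKI;
#    other commands carry on, since an existing PKI may have none
#  - exactly one: use it
resolve_vars() {           # command pki_dir work_dir
    cmd=$1; pki=$2
    found=$(find_vars_files "$2" "$3")
    count=$(printf '%s\n' "$found" | grep -c .) || true
    if [ "$count" -gt 1 ]; then
        if [ "$cmd" = init-pki ]; then
            printf '%s\n' "$found" | head -n 1   # work-dir copy wins
            return 0
        fi
        printf 'Error: more than one vars file found:\n%s\n' "$found" >&2
        return 1
    fi
    if [ "$count" -eq 0 ]; then
        if [ "$cmd" = init-pki ]; then
            mkdir -p "$pki" && printf '# template vars\n' > "$pki/vars"
            printf '%s\n' "$pki/vars"
        fi
        return 0                       # missing vars is not an error here
    fi
    printf '%s\n' "$found"
}
```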
Since the introduction of 'escape_hazard()' function, all characters
except (`) backtick are supported.
This patch brings vars.example in line with the warning in easyrsa and
also only warns about backtick.
It is possible that curly brace '{}' may also cause OpenSSL to behave
strangely. However, the strange behaviour, which I previously observed,
may have been rectified by OpenSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add warning for new password status, prior to renewal.
Add reminder to replace certificate AND key files, after renewal.
Correct input check for option 'nopass'
Closes: #644
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Previously, testing vars for unsupported characters was only done if
vars was in the PKI. This test can now be done for all vars files.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The 3 definitions of $prog_dir:
- foo -> prog_dir=/search/path ## Not $PWD
- ./foo -> prog_dir=. ## $PWD
- /full/path/foo -> prog_dir=/full/path ## Could be $PWD
'/full/path' was previously missing from the check.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
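The three $prog_dir cases above, worked through as an added example (not easy-rsa's own code); prog_dir_of and prog_dir_is_pwd are names chosen for the example:

```sh
#!/bin/sh
# Added example, not easy-rsa's own code: derive prog_dir from the text a
# script was started with ("$0"), covering the three forms the commit lists.

# Print the directory the program lives in.
prog_dir_of() {            # invocation text, e.g. "$0"
    case "$1" in
        */*)
            # './foo' -> '.'   '/full/path/foo' -> '/full/path'
            dir=${1%/*}
            printf '%s\n' "${dir:-/}"   # '/foo' lives in '/'
            ;;
        *)
            # bare 'foo' was found through $PATH, never assumed to be $PWD
            found=$(command -v "$1") || return 1
            case "$found" in
                */*) printf '%s\n' "${found%/*}" ;;
                *)   return 1 ;;        # a builtin or function, no directory
            esac
            ;;
    esac
}

# Return 0 when the program's directory is the current directory. The
# full-path form is compared against $PWD as well; that comparison was the
# one the earlier check lacked.
prog_dir_is_pwd() {        # invocation text
    dir=$(prog_dir_of "$1") || return 1
    case "$dir" in
        .) return 0 ;;
        *) [ "$dir" = "$PWD" ] ;;
    esac
}
```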
Since relaxing the rules concerning the location of vars file,
commit f4a604438d3ce5fe67a1f4db956dc42fc4ae5588, it is no longer
necessary to prohibit the use of --vars=file with 'init-pki'.
This initial prohibition was only a temporary measure and has
proven to be of no value.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
'shift 2' was moved above the parameter check in previous commit:
1d227736e404b805e84b8949aa238a240c4ad5eb
Move it back to after the check and reword user output for clarity.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If verify_ca_init fails then the error message states that: 'serial
is missing'. While this is true, it is not 'user friendly'.
Reorder the checks so that if verify_ca_init fails then the error
message will "probably" state that: 'ca.crt is missing', which makes
more sense if the CA has not been initialised.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The command 'sign-req COMMON client1 nopass' would generate an invalid
certificate. Do not allow COMMON as a $cert_type.
Also, improve comment and user output for existing certificate check.
Closes: #634
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If a user breaks out [Ctrl-C] from generating a DH parameters file
then there is an empty dh.pem file left over.
Output the DH parameters to a temp-file and move it upon validation
and completion.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Prefer /usr/local/share over /usr/share
and move /etc/easy-rsa to last place.
Tidy up a 'case', no functional change.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The utility script 'make-cadir' creates a CA directory with a vars file.
This vars file conflicts with the preferred PKI-vars file.
This patch changes 'init-pki' to allow make-cadir vars file to override
the preferred PKI-vars file, without error.
Closes: #633
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
To create Easyrsa Safe SSL config file, a standard temporary
directory is required, which can only be created after a secure
session has been assigned.
Closes: #622
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
It is possible that only the 'foo_by_serial' folders will exist in
the 'pki/renewed' sub-folder when 'rewind-renew' is needed.
Create the required folders when using 'rewind-renew'.
Closes: #612
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Because easyrsa uses die() on errors, functions which call other
functions may not receive a returned error code and, therefore,
a test for an error will not occur in the calling function.
If 'renew' fails in the build_full() phase then build_full(), gen_req()
or sign_req() will error out to die() and not return an error to 'renew'.
This leaves the files which are about to be renewed in the 'renewed'
sub-folder without replacement files in the PKI folders.
Set 'on_error_undo_renew_move=1' and call renew_restore_move() from
cleanup() when an error occurs during the build_full() phase of 'renew'.
Closes: #613
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA 'renew' does not renew a certificate, it builds a new cert/key pair.
This 'old' method thus causes the Entity Private Key to be 'leaked'.
'renew-req' allows the original Entity Private Key to remain 'secure'.
This is achieved by generating a new certificate request for the original
Entity Private Key, to be submitted for signing by the CA administrator.
Resolves: #609
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add a *final* layer of granularity to X509 Distinguished Name.
Only used if --req-serial="<PRINTABLE>user data" is specified.
To minimize the noise to the user by this new field, change the way
that OpenSSL is called to build a CA: Always use '-batch' mode.
User visible change when building a CA:
* Instead of being prompted for each individual DN field, now the
user is presented with a read-out of how the fields are currently
set. There is now only a single confirmation that all fields are
correct.
* If '--req-serial' is not used then 'serialNumber' is not displayed.
PRINTABLE: a-z,A-Z,0-9, -+/=.,?:()
Closes: OpenVPN#462 - The original proposal and prototype code.
Closes: OpenVPN#598 - Supersedes: Introduce 1.organizationalUnitName
Closes: OpenVPN#600 - Bugfix: Remove unused 'name' definition from SSL conf.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
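Two character-set checks implied by the commits above, the PRINTABLE set for --req-serial and the backtick-only warning from the escape_hazard() commit, as an added example that is not easy-rsa's own code; the assumption that vars values live on 'set_var' lines is the example's own:

```sh
#!/bin/sh
# Added example, not easy-rsa's own code: two character-set checks from the
# commits above. The --req-serial check enforces the PRINTABLE set exactly
# as listed; the vars scan assumes values live on 'set_var' lines.
export LC_ALL=C            # byte-based ranges, independent of locale

# PRINTABLE for --req-serial: a-z A-Z 0-9 space and - + / = . , ? : ( )
# Returns 0 only for a non-empty value made of these characters.
req_serial_is_printable() {
    [ -n "$1" ] || return 1
    # Delete every allowed byte; a '#' marker (not in the set) survives the
    # trailing-newline strip, so an embedded newline is still caught.
    rest=$(printf '%s#' "$1" | tr -d 'A-Za-z0-9 +/=.,?:()-')
    [ "$rest" = '#' ]
}

# Report 'set_var' lines of a vars file whose value contains a backtick,
# the one character escape_hazard() cannot make safe. Output: line:text
# Exit status is grep's: 0 when a hazard was found, 1 when the file is clean.
vars_backtick_lines() {    # vars file
    grep -n '^[[:space:]]*set_var[[:space:]].*`' "$1"
}
```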
Squashed commit of the following:
* easyrsa_openssl() - Disable 'genpkey -config' for LibreSSL
Closes: #601
* Set '-nodes' for LibreSSL version 3 'no-password' mode
Closes: #602
Minor corrections to indentation/comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Subshell is required due to use of die() in sign_req().
Otherwise, on error sign_req() errors out without removing input files.
Revert part of commit: 15429df9fdd5c63c6e33dba141ff2e9a77ed0855
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
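The two cleanup mechanisms described on this page, a trap-run cleanup() gated by the 'on_error_undo_renew_move' flag (the 'renew' fix) and a subshell around a step that calls die() (the sign_req() case), as an added example that is not easy-rsa's own code; the file layout and the deliberately failing build_full()/sign_step() are constructed for illustration:

```sh
#!/bin/sh
# Added example, not easy-rsa's own code. die() ends the whole script, so a
# caller never sees a return code it could react to. Two ways a caller can
# still clean up: a trap-run cleanup() gated by a state flag (the 'renew'
# fix), and running the failing step in a subshell (the sign_req() case).
# The file layout and the failing steps are constructed for illustration.

die() { printf 'Error: %s\n' "$1" >&2; exit 1; }

# --- 1. cleanup() driven by a state flag ---------------------------------
on_error_undo_renew_move=0

renew_move() {             # pki name: park the current cert aside
    mv "$1/issued/$2.crt" "$1/renewed/$2.crt" || die "cannot park $2.crt"
    on_error_undo_renew_move=1
}

renew_restore_move() {     # pki name: put it back
    mv "$1/renewed/$2.crt" "$1/issued/$2.crt"
    on_error_undo_renew_move=0
}

cleanup() {                # runs on every exit, including one from die()
    if [ "$on_error_undo_renew_move" = 1 ]; then
        renew_restore_move "$pki" "$name"
    fi
}

build_full() { die "request for $2 is invalid"; }   # simulated failure

renew() {                  # pki name
    pki=$1; name=$2
    trap cleanup EXIT
    renew_move "$pki" "$name"
    build_full "$pki" "$name"
    on_error_undo_renew_move=0         # success: parked copy stays parked
}

# --- 2. subshell around a step that may die() ----------------------------
sign_step() { [ -s "$1" ] || die "empty request $1"; }

sign_with_cleanup() {      # req file: remove it if signing dies
    if ( sign_step "$1" ); then
        return 0
    fi
    rm -f "$1"
    return 1
}
```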
Option '--renew-days=#', variable $EASYRSA_CERT_RENEW was used to enforce a
"grace" period, *outside of which* 'renew' was prohibited. Default: 30 days.
This prohibition is no longer enforced:
* https://github.com/OpenVPN/easy-rsa/issues/593
Option '--renew-days=#' now represents the cut-off date for EasyRSA status
report 'show-expire'. This report *only* lists those certificates which will
expire within the given $EASYRSA_CERT_RENEW number of days 'from now'.
This also affects the command 'renewable'. (Only supports GNU 'date')
Updates to 'help options'.
(1) Official notice of "intention to deprecate" option: '--req-cn'
EasyRSA has *never* supported '--req-cn'.
For "type" server/client 'Build-$type-full' ALWAYS explicitly sets variable
EASYRSA_REQ_CN to $2 from the command line. Always overriding the option.
'gen-req' explicitly sets 'EASYRSA_REQ_CN="$1"'. Always overriding ..
'sign-req' explicitly sets 'crt_out="$EASYRSA_PKI/issued/$2.crt"' .. ditto.
'build-ca' requires specific code review to understand.
Labeled as: "May have tried but gave up.."
This is *only* a notice of "intention to deprecate".
The main goal of the option '--req-cn' is to achieve a disconnect between
certificate 'commonName' versus the 'file-name' of the certificate.
Eg: file-name: mmjd0101.crt | commonName: "mass-murderer John Doe (#0101)"
There is "merit" to this functionality but then .. EasyRSA is Free-OSS.
"If You need this functionality then You should help provide it."
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>