X509-types insert markers are used by 'awk' to insert data at specific
points in the easyrsa-openssl.cnf file in use.
The checks are moved to below more important input checks
For build-ca, the check is ONLY done if EASYRSA_EXTRA_EXTS is defined.
This is exceedingly unlikely, because EASYRSA_EXTRA_EXTS is not documented.
For sign-req, the check is only done if --copy-ext is used.
Also, remove an over-indent in "Confirm use of NS extensions"
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
* gen-req: Use verify_pki_init().
* sign-req: Use verify_ca_init().
* build-full: Defer requirements to functions above.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In verify_working_env(), move to AFTER the check for temporary folder.
The move is aesthetic because secure_session() does its own check
for temporary folder.
In 'init-pki', remove secure_session() completely, as not required.
Add more verbose output.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
easyrsa_openssl() default behaviour is to re-use the generated
safe SSL config file, after being called for the first time.
NOTE: easyrsa_openssl() is a heavily nested function.
This option forces recreation of a safe SSL config file for each
call to easyrsa_openssl().
Only effective when an SSL config file is required.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Status reports function read_db() MUST recreate the secure session
for each record of the database being read.
Introduce remove_secure_session(), to remove the session and reset
related flags:
- secure_session: The directory name of the session. Deleted.
- working_safe_ssl_conf: Safe SSL config file. Deleted.
- mktemp_counter: Count of temp files. Deleted.
Also use remove_secure_session() in cleanup().
Improve some verbose output.
Wrap some long lines.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If the certificate does not exist then the database date is used.
The database date is a shortened ISO-8601 date, the certificate date
is presented in a completely different format.
Omit the calculated "seconds since epoch" double check via 'date',
when the certificate does not exist.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit df0a19e7ebaba5cb6fd2787ce4747d6338447a0a
Merge: e3e9f9e a7e58dd
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 8 14:30:46 2023 +0100
Merge branch 'easyrsa_mktemp-increase-depth' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-easyrsa_mktemp-increase-depth
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit a7e58dd70cb2aeb06ebee39c6b2c438e9ac76cdc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 8 02:43:20 2023 +0100
verify_algo_params(): Edwards Curve, call OpenSSL directly
This allows the output to be discarded via /dev/null, because
there is no use of temp-files and verbose messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit d64dfcc16676b1e1b3fda7090667aea76bd718fc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 8 02:13:29 2023 +0100
easyrsa_mktemp(): Windows, 'set -o noclobber' to control 'mv.exe'
Currently, mv.exe will always prompt before over-writing a file.
When creating temp-files, mv.exe must NEVER prompt but silently
fail and try again with a new, sequentially numbered, file-name.
Using 'set -o noclobber' causes mv.exe to behave correctly here.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 948e1a1fbb338a32cf9b42d6fe9801b0fe7bfde9
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 8 01:22:47 2023 +0100
easyrsa_mktemp(): Allow nine (9) test files
Use of easyrsa_openssl() creates temp-files by default
and is used in subshells. This requires maximum of (7)
seven test files to move the shot-file to. (Currently)
Raise the number of test-files to maximum nine (9).
Status reports, read_db(): Recreate temporary session
directory for each record. 'easyrsa' is designed to run
one command and then exit, removing the temp session.
Status reports run 'easyrsa' for the number of records
in the database, before exiting. Therefore, the temp
session MUST be reset for each record read.
Add verbose output to help debug easyrsa_mktemp problems.
Improve comments.
Complete renaming of
- EASYRSA_CERT_RENEW -to- EASYRSA_PRE_EXPIRY_WINDOW
Split vars_setup(), add verify_working_env()
- vars_setup() now only processes vars file.
- verify_working_env() does the rest.
The split does not change any of the enclosed code.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Insert the day "February 29th" only after "Feb-28" during leap years.
Prepend century (e.g. 20 or 19) to a two digit Year value. ISO-8601
Require four digit 'yyyy'
Improve verbose output.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The preferred way to set a user defined 'vars' file is to use global
option '--vars=<vars-file>'. Therefore, the current code erroneously
does not check for externally set 'EASYRSA_VARS_FILE'.
This change now looks for a user defined 'vars' file by checking if
'EASYRSA_VARS_FILE' is defined, instead of 'user_vars_true'.
Also, move other automated 'vars' file locating to after the check
for user defined 'vars'.
Wrap long lines in set_var().
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 423a478dcaf941476f1d8ea339657e2efeb86dec
Merge: 2cadb05 52ebec8
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Apr 2 19:29:40 2023 +0100
Merge branch 'iso_8601-date-code' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-iso_8601-date-code
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 52ebec824febbcd8eb7f338a997dcbc513e9efa6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 1 14:32:56 2023 +0100
Status reports: Rename EASYRSA_CERT_EXPIRE: EASYRSA_PRE_EXPIRY_WINDOW
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit ec8267afad8bf2c074b7c47e40f300a64d0be4a0
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 1 12:19:54 2023 +0100
Status reports: Re-order functions (NFC)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 72e682d6e9934726ceaf2d4553a456113a57f382
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sat Apr 1 12:16:59 2023 +0100
Status reports: Improve comments
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit dccb8c6773aa778404040865640feeccb6d843f7
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Mar 30 20:41:20 2023 +0100
Status reports: Move force_set_var() to a suitable place (NFC)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 9c48513f4adcb30f0f73db72b4fcf156aeeddffd
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Mar 30 20:39:55 2023 +0100
Status reports: Remove ff_date_to_cert_date() (Unused)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 93f51fd0aa2321dd1c511351eec69b4301dd7a80
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Mar 30 20:34:50 2023 +0100
Status reports: Introduce cert_date_to_iso_8601_date()
Terminate use of ff_date_to_cert_date() (To be removed).
Other minor formatting.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit aa79739235e5ae93ff71fd8860f809fef3ae2451
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Mar 30 15:16:56 2023 +0100
Status reports: Remove unused function offset_days_to_cert_date()
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 6017ae1cefecb6519c15f3a8d5ffd2ba168f744c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Mar 30 14:43:40 2023 +0100
Status reports: Use iso_8601 date format
These changes ONLY affect status reports.
With OpenSSL v3 there is option '-dateopt iso_8601' which outputs
dates as specified: 'yyyy-mm-dd HH:MM:SSTZ'
Using this format, date related calculations become more manageable
because the need to use various 'date' programs is reduced to a
single use. The single use is 'date +%s', to print the current
date/time as a timestamp "seconds since epoch". All supported
versions of date use the same exact command.
Introduce new functions:
- days_to_timestamp_s()
Return current date/time +/- number-of-days (Can be zero)
as a timestamp seconds since epoch.
Use date program in an OS agnostic manner. 'date +%s'
- db_date_to_iso_8601_date()
Renamed db_date_to_ff_date() - No functional changes.
- iso_8601_cert_startdate()
- iso_8601_cert_enddate()
Return certificate -startdate or -enddate in iso_8601 format.
If the SSL lib does not support iso_8601 format then return error
to the calling function, which will fallback to old method.
- iso_8601_timestamp_to_seconds()
Calculate the "seconds since epoch" from iso_8601 date.
If input date is not iso_8601 format then return error
to the calling function, which will fallback to old method.
Notice:
EasyRSA will calculate "seconds since epoch" itself. It will also
use the old method (use various date programs) to get a timestamp
and verify if the two timestamps are an EXACT match.
If they do not match then a configurable margin-of-error can be
used to allow the mismatch to pass. (Not enabled by default)
Testing so far, all timestamps are exact matches.
Introduce new global options:
--verbose: Be very verbose about easyrsa internal activity.
Only currently used by status reports.
--days-margin: Allow a margin of error for a timestamp mismatch.
Only currently used by status reports. (Disabled by default)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
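The two date commits above (iso_8601 status reports, and "February 29th" only in leap years) describe doing the "seconds since epoch" arithmetic in the shell rather than through OS-specific 'date' variants. The following is an added example of that approach, not easy-rsa's own code; the function names, the 'Z'-suffixed UTC input format and the sample timestamps are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not easy-rsa code: convert an OpenSSL '-dateopt iso_8601'
# timestamp 'yyyy-mm-dd HH:MM:SSZ' to "seconds since epoch" with POSIX shell
# arithmetic only, so no OS-specific 'date' invocation is needed at all.

# Gregorian leap year test: Feb 29 exists only in these years.
is_leap() {
    [ $(($1 % 4)) -eq 0 ] && { [ $(($1 % 100)) -ne 0 ] || [ $(($1 % 400)) -eq 0 ]; }
}

# Days since 1970-01-01 for a civil date (Howard Hinnant's days_from_civil).
days_from_civil() {
    y=$1 m=$2 d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$(( (y >= 0 ? y : y - 399) / 400 ))
    yoe=$((y - era * 400))
    doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Print epoch seconds and return 0; return 1 on any other format or an
# impossible date (e.g. Feb 29 in a non-leap year), so a caller can fall
# back to the old 'date'-based method instead of trusting a bad value.
iso_8601_timestamp_to_seconds() {
    ts=$1
    ymd=${ts%% *}; hms=${ts#* }
    [ "$ymd" != "$ts" ] || return 1
    case "$ymd" in [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;; *) return 1 ;; esac
    case "$hms" in [0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;; *) return 1 ;; esac
    # Strip one leading zero so '08'/'09' are not parsed as (invalid) octal.
    yy=${ymd%%-*}; mm=${ymd#*-}; mm=${mm%-*}; mm=${mm#0}; dd=${ymd##*-}; dd=${dd#0}
    hms=${hms%Z}
    HH=${hms%%:*}; HH=${HH#0}; MM=${hms#*:}; MM=${MM%:*}; MM=${MM#0}
    SS=${hms##*:}; SS=${SS#0}
    case $mm in
        1|3|5|7|8|10|12) dim=31 ;;
        4|6|9|11)        dim=30 ;;
        2) if is_leap "$yy"; then dim=29; else dim=28; fi ;;
        *) return 1 ;;
    esac
    [ "$dd" -ge 1 ] && [ "$dd" -le "$dim" ] || return 1
    [ "$HH" -le 23 ] && [ "$MM" -le 59 ] && [ "$SS" -le 59 ] || return 1
    days=$(days_from_civil "$yy" "$mm" "$dd")
    echo $(( days * 86400 + HH * 3600 + MM * 60 + SS ))
}
```

A caller can compare the result against 'date +%s' (the one portable 'date' use the commit keeps) to apply the pre-expiry window without any further 'date' parsing.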