Required changes:
* Use 'verify_ssl_lib()' to determine SSL Library version.
Returns '1', '3' OR error.
Sets 'no_password' to either '-nodes' (SSLv1) or '-noenc' (SSLv3)
* Replace OpenSSL parameter '-nodes' [DEPRECATED], with '-noenc'.
Ref: https://www.openssl.org/docs/man3.0/man1/openssl-req.html
This affects all Easy-RSA CAs built using OpenSSL version 3.
* Replace OpenSSL command 'genrsa' [DEPRECATED], with 'genpkey'.
Ref: https://www.openssl.org/docs/man3.0/man1/openssl-genrsa.html
This affects Easy-RSA 'RSA' CAs built using OpenSSL version 3.
OpenSSL advises using 'genpkey' over 'genrsa'.
* OpenSSL 'genpkey' does not accept the parameters defined by
easyrsa $opts and $no_password when generating CA private keys.
Do not use these variables for OpenSSL-v3 'genpkey'.
Optional changes:
* Use 'easyrsa_openssl()' wrapper function to build All CAs.
* Add 'genpkey' to easyrsa_openssl() wrapper, to include using the
EasyRSA/OpenSSL Configuration file $EASYRSA_SAFE_CONF.
* Change EasyRSA Elliptic Curve (ec) CAs to also use OpenSSL 'genpkey',
instead of OpenSSL 'ec'. This change is not required, however, this
means that all EasyRSA CA Private keys are created using 'genpkey'
with OpenSSL v3.
* EasyRSA 'gen_req()' is the only other code which uses OpenSSL '-nodes'.
Make 'gen_req()' aware of the SSL Library version and therefore the
correct parameter for an unencrypted private key. (-noenc vs -nodes)
Note: OpenSSL '-nodes' is only deprecated not removed.
* Indent OpenSSL version 1 code block to match. No functional changes.
Tests Passed:
Full extended unit tests, with both OpenSSL version 1.1.x and 3.0.1
(Includes standard test for Edwards Curve PKI)
Manual building of All OpenSSL *v3* CAs with passwords and subsequent
building and signing of a server or client certificate.
Manual building of OpenSSL *v1* EC CA with password and subsequent
building and signing of a server or client certificate.
Tested due to changing CA key from OpenSSL 'ec' to 'genpkey'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
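The version gating described in the commit message above, as an added POSIX shell example that is not Easy-RSA's own code: it assumes the library check is fed the first line of `openssl version`, that the untouched v1 code path is represented here by plain `genrsa` / `ecparam` commands, and that the output file names are illustrative. It shows why `-noenc` / `-nodes` belong to `openssl req` only, while `genpkey` is left unencrypted simply by passing no cipher.

```sh
#!/bin/sh
# Added example, not Easy-RSA code. Maps the `openssl version` string to the
# library major version, picks -noenc vs -nodes for `openssl req`, and builds
# the CA key command (genpkey on 3.x; genrsa/ecparam assumed to stand in for the
# untouched v1 code block). File names such as ca.key are illustrative.

# ssl_lib_major VERSION_STRING -> prints 1 or 3; prints "error" and fails otherwise
ssl_lib_major() {
    case "$1" in
        "OpenSSL 3."*) printf '%s\n' 3 ;;
        "OpenSSL 1."*) printf '%s\n' 1 ;;
        *) printf '%s\n' error; return 1 ;;
    esac
}

# no_password_flag VERSION_STRING -> the `openssl req` option for an unencrypted
# key: -noenc on 3.x, -nodes on 1.x (-nodes is deprecated in 3.x, not removed).
no_password_flag() {
    case "$(ssl_lib_major "$1")" in
        3) printf '%s\n' -noenc ;;
        1) printf '%s\n' -nodes ;;
        *) return 1 ;;
    esac
}

# ca_key_cmd ALGO VERSION_STRING [BITS|CURVE]
# Prints the command that writes an unencrypted CA key. genpkey does not accept
# -nodes/-noenc: omitting a cipher (e.g. -aes256 -pass ...) leaves the key plain.
ca_key_cmd() {
    algo=$1 ver=$2 param=$3
    major=$(ssl_lib_major "$ver") || return 1
    case "$major:$algo" in
        3:rsa) printf '%s\n' "openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:${param:-2048} -out ca.key" ;;
        3:ec)  printf '%s\n' "openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:${param:-secp384r1} -out ca.key" ;;
        1:rsa) printf '%s\n' "openssl genrsa -out ca.key ${param:-2048}" ;;
        1:ec)  printf '%s\n' "openssl ecparam -name ${param:-secp384r1} -genkey -noout -out ca.key" ;;
        *:ed)  printf '%s\n' "openssl genpkey -algorithm $(printf '%s' "${param:-ed25519}" | tr '[:lower:]' '[:upper:]') -out ca.key" ;;
        *)     printf 'unknown algo: %s\n' "$algo" >&2; return 1 ;;
    esac
}

# gen_req_cmd NAME VERSION_STRING -> `openssl req` that creates a key and CSR
# with the version-correct "unencrypted key" option.
gen_req_cmd() {
    flag=$(no_password_flag "$2") || return 1
    printf '%s\n' "openssl req -new -newkey rsa:2048 -keyout $1.key -out $1.req $flag"
}

# Live use: show the commands for the installed library, if there is one.
if command -v openssl >/dev/null 2>&1; then
    ver=$(openssl version 2>/dev/null) || ver=unknown
    ca_key_cmd rsa "$ver" || printf 'unsupported library: %s\n' "$ver" >&2
    gen_req_cmd client1 "$ver" || true
fi
```

The version string is matched by prefix on purpose: `openssl version` output differs in date and platform suffix (compare the "1.1.1a-freebsd" string later on this page), so anything after the major number is ignored.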
This removes our dependency on an external non-POSIX mktemp
implementation and uses openssl's built in rand function.
Addresses #478
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Using another build of OpenSSL that appears to work fine in testing.
Long term, we should be building OpenSSL ourselves and shipping it on a
regular basis. That's another project on the list.
Resolves #405.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This reverts commit 5f3e5ca450eaf464ed21a5d3ec62d39f7594fd99.
There is an incompatibility in 1.1.1g with the EasyRSA script. There
are no new features in 1.1.1g we are leveraging directly, so just going
to revert to support the OpenVPN 2.5 release process and get EasyRSA
v3.x into more hands.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Commit 1e98ba8 introduced an issue with RSA keys (only ED keys were
tested).
Closes #403 and #395
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This fixes an argument error I made in commit 1e98ba808c9c90629595827773a66b59f8c9b927, sorry I have not tested RSA keys as I only use ED.
The argument is -passout for all openssl versions (tested on LibreSSL 2.8.3 and OpenSSL 1.1.1d).
When a vars file cannot be found, the up23_manage_upgrade_23() function
will now exit and print a message stating such. Previously, it exited
silently.
Fixes #377.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This resolves a bug where build_ca ignores the nopass flag and always makes non-encrypted private keys when ALGO is "ed".
Also solves build_ca handling of EASYRSA_PASSOUT argument when generating private keys with ALGO set to "ed".
Merge branch 'madmajestro-use-passin-update-db'
Adds support for leveraging the --passin option for the CA private key
password when running the update-db command.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Merge branch 'madmajestro-setpass-never-returns-0-in-batchmode'
Similar bug to what was fixed in 2953817, with the same fix.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Merge branch 'madmajestro-imrove-returncode-notice-and-warn'
This resolves a bug where the warn() and notice() functions would
produce a non-zero exit during batch mode operations. This bug was
introduced by me in 09e2c3b.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
The functions notice() and warn() always exited with a return code !=
0 if called in batch mode, which can cause unexpected behavior in the
calling code. Now it is ensured that they return with success.
Additionally, the script will now terminate if the printf command in the
function print() fails. This ensures that errors during
output generation will not be ignored.
If changing passwords in batch mode, the commands set-rsa-pass and
set-ec-pass always returned with an exit code != 0 on success.
The origin for this is the implementation of the function notice(), which
always returns a return code != 0 if called in batch mode.
This patch fixes the bug by adding a return 0 at the end of set_pass(),
because this is the way this behaviour is fixed in other functions. I
will provide an additional pull-request to improve the functions
notice() and warn().
Fixed an issue where op_test.sh would exit with the status of the rm
command from cleanup, rather than from the unit tests it was running.
Closes #355
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
When Edwards curves are currently specified, they will be used for the
signature algorithm, but the actual public/private keypair will fall
back to defaults (RSA2048), which is likely not what the user intends.
This commit modifies the code so that requesting Edwards curves will
result in their use for the Public Key Algorithm (new behavior) in
addition to the Signature Algorithm (current behavior)
Examples of fixed and current (broken) behavior given below. Note the
Public Key Algorithm in the middle of the certificate and the message
from openssl of the private key type that's being generated
==> This still doesn't appear to fix the issue when generating
certificates on macOS with LibreSSL. I haven't looked too far into
this, though.
Address OpenSSL in #350, needs more attention.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
When Edwards curves are currently specified, they will be used for the
signature algorithm, but the actual public/private keypair will fall
back to defaults (RSA2048), which is likely not what the user intends.
This commit modifies the code so that requesting Edwards curves will
result in their use for the Public Key Algorithm (new behavior) in
addition to the Signature Algorithm (current behavior)
Examples of fixed and current (broken) behavior given below. Note the
Public Key Algorithm in the middle of the certificate and the message
from openssl of the private key type that's being generated:
Merge branch 'fix-ed25519' of https://github.com/InsaneScientist/easy-rsa into InsaneScientist-fix-ed25519
gen-dh would overwrite dh.pem without warning
In batch mode, easyrsa now exits 1 if dh.pem exists.
In interactive mode, the user is prompted if dh.pem exists.
Fixes #373
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Now supports both --version and "version" and outputs detailed version
information. Tested on FreeBSD, macOS, and Windows 10 64-bit.
Sample Output:
EasyRSA Version Information
Version: git-development
Generated: Tue Apr 14 18:54:42 CDT 2020
SSL Lib: OpenSSL 1.1.1a-freebsd 20 Nov 2018
Git Commit: f0129cfe6222820a85db2d394ab73d3c7759c5be
Source Repo: https://github.com/OpenVPN/easy-rsa
This closes #372
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
When Edwards curves are currently specified, they will be used for the
signature algorithm, but the actual public/private keypair will fall
back to defaults (RSA2048), which is likely not what the user intends.
This commit modifies the code so that requesting Edwards curves will
result in their use for the Public Key Algorithm (new behavior) in
addition to the Signature Algorithm (current behavior)
Examples of fixed and current (broken) behavior given below. Note the
Public Key Algorithm in the middle of the certificate and the message
from openssl of the private key type that's being generated:
-----------------------------------------------------------------------
Fixed example:
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-fixed \
gen-req ed25519-fixed nopass >/dev/null
Generating a ED25519 private key
writing new private key to
'/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6978.eq66M2/tmp.fEv2Hd'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
ed25519-fixed 2>/dev/null
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-fixed.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3c:34:a6:4c:f8:6b:a5:e9:d0:4d:87:4f:d5:a0:e8:df
Signature Algorithm: ED25519
Issuer: CN=Easy-RSA CA
Validity
Not Before: Apr 5 00:32:23 2020 GMT
Not After : Jul 9 00:32:23 2022 GMT
Subject: CN=ed25519-fixed
Subject Public Key Info:
Public Key Algorithm: ED25519
ED25519 Public-Key:
pub:
ac:12:08:26:f7:ba:21:97:b4:51:ff:02:64:a2:af:
09:3a:08:e3:a0:42:8c:4f:d2:e8:a2:52:df:ee:26:
c0:da
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
4B:BD:7F:5E:A5:BD:3A:1B:4C:AB:60:D3:B7:78:80:96:DB:78:89:95
X509v3 Authority Key Identifier:
keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
DirName:/CN=Easy-RSA CA
serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ED25519
0d:7c:19:1c:92:dc:0a:8e:2f:4a:f7:c1:0b:02:a5:18:93:19:
45:04:0f:6e:40:f2:c3:a9:bf:72:bc:66:c2:f4:ef:48:4e:72:
e9:14:43:9c:22:c8:8e:70:f8:25:db:b6:f7:8a:8f:78:c0:a5:
3e:40:77:3c:12:f5:5a:72:eb:0d
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----------------------------------------------------------------------
Current (broken) example:
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch --req-cn=ed25519-broken \
gen-req ed25519-broken nopass >/dev/null
Generating a RSA private key
..........................................................................+++++
......+++++
writing new private key to
'/home/easyrsa/easy-rsa/easyrsa3/pki/easy-rsa-6901.tfUGNM/tmp.IEPoPv'
-----
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ ./easyrsa --batch sign-req client \
ed25519-broken 2>/dev/null
Using SSL: openssl OpenSSL 1.1.1c 28 May 2019
easyrsa@ubuntu:~/easy-rsa/easyrsa3$ cat ./pki/issued/ed25519-broken.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8b:9c:25:ae:25:b0:b2:b1:ab:b0:34:b1:fc:75:70:f8
Signature Algorithm: ED25519
Issuer: CN=Easy-RSA CA
Validity
Not Before: Apr 5 00:27:09 2020 GMT
Not After : Jul 9 00:27:09 2022 GMT
Subject: CN=ed25519-broken
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cf:30:67:14:18:e8:bd:8b:89:23:ac:ac:a8:6c:
c4:6b:bd:50:cd:0d:d1:cf:b0:09:4a:8a:11:89:52:
7e:8e:01:78:d9:99:94:35:90:be:7e:0a:8b:20:c2:
ca:36:ef:3d:0e:17:8e:c9:83:66:42:a1:83:ed:3e:
ed:4d:04:4a:3f:fd:33:ba:6f:dc:cc:5c:c4:0b:1f:
3f:02:8a:d2:13:5b:e8:36:d4:88:10:cd:14:4a:41:
bd:b1:d1:f4:04:89:8f:a0:10:da:16:da:12:57:91:
06:81:c9:de:2a:da:c2:1b:51:52:2e:a6:20:36:04:
2f:9a:6f:b5:05:6d:f8:ec:65:86:9a:85:d2:6e:44:
47:8a:76:bb:0b:96:34:57:db:b6:a3:b6:76:53:95:
a5:9d:08:9f:35:17:04:22:11:04:66:1e:aa:28:1d:
78:90:c5:9c:19:6b:5d:41:52:79:82:cb:0a:3a:12:
86:71:bc:61:19:c7:e3:42:94:8b:b5:69:47:ac:2c:
8f:18:13:de:f4:52:6a:b5:ba:78:f0:65:5a:88:50:
0f:0f:46:ef:d9:8e:61:fe:33:5c:01:06:82:38:8b:
db:71:f3:7b:94:14:13:8f:94:25:a7:db:8c:53:85:
ea:6a:b2:89:fc:59:c6:61:10:ab:ea:38:94:e2:1f:
0d:47
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
40:DF:D9:F3:85:F9:56:5B:E4:65:EC:5A:32:CE:0D:42:35:0F:89:7F
X509v3 Authority Key Identifier:
keyid:36:00:DF:FE:4A:31:5F:3B:F2:83:81:D9:E6:44:D7:ED:14:6B:67:90
DirName:/CN=Easy-RSA CA
serial:69:B7:DB:13:B1:D5:A3:E7:A5:AF:74:38:49:12:E3:DB:50:AD:0D:87
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: ED25519
b3:61:98:2d:49:2f:f9:ce:79:a7:bb:dd:9c:31:41:12:e4:a5:
72:a4:5b:2e:f0:ec:6a:56:26:4e:5c:f9:91:b9:5e:96:d0:c4:
83:8c:81:49:18:df:10:0d:78:b9:82:86:22:f5:67:f9:1a:f5:
3e:5a:19:15:66:38:2f:ce:3a:0e
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
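A check for the regression shown in the two dumps above (an Edwards-curve request silently producing an RSA key while the signature algorithm still says ED25519), as an added POSIX shell example that is not Easy-RSA code: it reads `openssl x509 -noout -text` output, extracts the Public Key Algorithm, and compares it with what the chosen Easy-RSA algorithm (rsa, ec, ed) should produce. The two certificate texts embedded below are constructed by trimming the outputs above.

```sh
#!/bin/sh
# Added example, not Easy-RSA code: verify that an issued certificate carries
# the public key algorithm that was requested, so a silent fallback to RSA
# (the "broken" output above) is caught before the certificate is deployed.

# expected_algo ALGO [CURVE] -> the "Public Key Algorithm" text OpenSSL prints
# for the rsa / ec / ed choices (ED25519 or ED448 for ed).
expected_algo() {
    case "$1" in
        rsa) printf '%s\n' rsaEncryption ;;
        ec)  printf '%s\n' id-ecPublicKey ;;
        ed)  printf '%s\n' "${2:-ed25519}" | tr '[:lower:]' '[:upper:]' ;;
        *)   printf 'unknown algo: %s\n' "$1" >&2; return 1 ;;
    esac
}

# pubkey_algo CERT_TEXT -> the Public Key Algorithm field from
# `openssl x509 -noout -text -in FILE` output (first match only)
pubkey_algo() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' |
        head -n 1
}

# check_key_algo ALGO CURVE CERT_TEXT -> 0 on match, 1 with a message otherwise
check_key_algo() {
    want=$(expected_algo "$1" "$2") || return 1
    got=$(pubkey_algo "$3")
    if [ "$got" = "$want" ]; then
        printf 'OK: public key algorithm is %s\n' "$got"
    else
        printf 'MISMATCH: requested %s, certificate has %s\n' "$want" "${got:-<none>}" >&2
        return 1
    fi
}

# Constructed samples, trimmed from the two certificate dumps above.
FIXED_TEXT='Certificate:
    Data:
        Signature Algorithm: ED25519
        Subject: CN=ed25519-fixed
        Subject Public Key Info:
            Public Key Algorithm: ED25519'
BROKEN_TEXT='Certificate:
    Data:
        Signature Algorithm: ED25519
        Subject: CN=ed25519-broken
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'

# Live use after sign-req, e.g.:
#   check_key_algo ed ed25519 "$(openssl x509 -noout -text -in pki/issued/ed25519-fixed.crt)"
```

The check deliberately ignores the "Signature Algorithm" lines: as the broken dump shows, those reflect the CA key and stay ED25519 even when the subject key fell back to RSA, so only the Subject Public Key Info field tells you what the new key actually is.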