Easy-RSA uses unquoted expansion.
Each instance of SC2086 has been vetted, accepted and ignored.
shellcheck will still find new exceptions.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
1. Name All supported vars files
2. Search for each supported vars file
3. Only allow One (or None) supported vars file to exist.
4. Prefer PKI/vars file.
5. Warn for All other deprecated vars files, if they exist.
6. Warn for NO vars file found and prefer PKI/vars.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
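The vars-file discovery described in the commit above, as an added POSIX shell example written here (it is not Easy-RSA's own code). The list of deprecated candidate paths is assumed to be passed in by the caller; the function prefers PKI/vars, warns about every deprecated location that exists, and refuses to pick a file when more than one exists.

```shell
#!/bin/sh
# Added example, not Easy-RSA's own code: choose exactly one 'vars' file.
# find_vars_file PKI_DIR [DEPRECATED_VARS_PATH...]
# Prints the chosen file. Returns 0 on success, 1 if none is found,
# 2 if more than one supported vars file exists.
find_vars_file() {
    pki_vars="$1/vars"   # preferred location: PKI/vars
    shift                # remaining args: deprecated locations (assumed list)
    found=''
    count=0
    # The preferred location is checked first, so it wins when it exists
    for candidate in "$pki_vars" "$@"; do
        # '-e' tests for existence, not '-f' for a regular file
        if [ -e "$candidate" ]; then
            count=$((count + 1))
            if [ -z "$found" ]; then
                found="$candidate"
            fi
            if [ "$candidate" != "$pki_vars" ]; then
                echo "WARNING: deprecated vars location: $candidate" >&2
            fi
        fi
    done
    if [ -z "$found" ]; then
        echo "No vars file found; preferred location is $pki_vars" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "ERROR: $count vars files found, only one is allowed" >&2
        return 2
    fi
    printf '%s\n' "$found"
}
```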
New standards introduced:
* Use '-e' to test for existence not '-f' file.
* Only use '-z' not '-n', more visually distinct.
Minor code improvement: Use 'if command' to test for success.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add:
* Prefer 'PKI/vars' over all other locations (#528)
* Introduce 'init-pki soft' option (#197)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Tidy up comments.
Silence spurious warning about 'vars not found'.
Only show which vars are found if more than one exists.
Minor code improvements.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If an inline file is found that matches the certificate being revoked
or renewed then it will be removed, pending standard confirmation.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Note:
Also added command line option 'text' to include the request text
in the request file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
vars_setup() now ignores some setup when this is 'init-pki'.
* Do not set anything which requires a PKI.
Remove some undocumented commands, which are known to break Windows.
Find 'vars' in preferred locations and only allow ONE instance.
* Probably a breaking change but only where things are already broken.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Set env:var:
EASYRSA_EXTRA_EXTS="-addext foo,a:b -addext bah,c:d -addext baz e:f,g"
The value of EASYRSA_EXTRA_EXTS is passed as-is to the SSL command.
Creating a CA does not allow for an arbitrary extensions file, therefore
extensions must be added via the config file (#526) or via SSL Library
option '-addext' (Can be specified to SSL multiple times).
Option '-addext' is allowed to be specified multiple times to SSL,
therefore, this string must be syntactically correct for SSL not EasyRSA.
Finally, rename EASYRSA_EXTRA_EXTS to EASYRSA_CA_EXTRA_EXTS to avoid
triggering EASYRSA_EXTRA_EXTS code buried inside of easyrsa_openssl().
Closes: #54
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
To sign a request, easyrsa uses 'openssl ca', which does support -extfile.
To create a CA, easyrsa uses 'openssl req', which does not support -extfile.
Therefore, the x509-types 'ca' and COMMON files cannot be specified using
-extfile to create a CA. Instead, they must be included within the SSL
config file, which 'openssl req' does support.
Using the same awk script from gen_req(), with New Token '#%X509_TYPES%',
the x509-types files 'ca' and COMMON are inserted into the SSL config file.
Closes: #525
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
All requests now have the specified commonName <FILE_NAME_BASE>
Changes:
* Separate EASYRSA_BATCH from internal SSL -batch option.
This makes the code easier to understand.
* If both EASYRSA_BATCH and openssl_batch are unset then full
interactive mode is enabled. The user can verify the input.
Otherwise SSL interactive is disabled and no user interaction
is required.
In either case, all DN fields are fully populated, depending on
EASYRSA_DN mode ('org' or 'cn_only').
Closes: #456
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Introduce EASYRSA_SILENT to enhance the use of EASYRSA_BATCH.
Affected functions: warn()
The change in behaviour is that warn() can ONLY be silenced by
option --silent. Batch-mode is still respected but silence is not.
For scripts which rely on EasyRSA, if they use option --batch then
the change to restore previous behaviour is to use option --sbatch.
Otherwise, export EASYRSA_SILENT=1.
This is a minimal change that preserves batch-mode functionality but
also heeds Warnings, unless NEW option --sbatch is specifically used.
Warnings should not be silenced by batch-mode.
Closes: #512
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>