When EasyRSA is installed to a path with a space in it, gen_req() fails
for EC and ED crypto. This is caused by the space in the file-name for
the parameters file $EASYRSA_CURVE.
To resolve this, '-newkey' must be removed from $algo_opts and inserted
into the OpenSSL command. And $algo_opts must be quoted. (#494)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Where 'if' is replaced with 'case', functionality is generaly maintained.
With the following exceptions:
* verify_curve_ed() does not need to identify the specific curve.
Error status will provide the correct result for a curve name error.
* For Edwards curve crypto, the 'case' statement is further reduced to
use the verified $EASYRSA_CURVE inside the OpenSSL command.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Commit a0dbc346bd92088ee481f5488ac53a7537b32073 leads to bug caused
by OpenSSL 'genpkey' inconsistency. OpenSSL version 1 'genpkey' does
not support option '-config' but OpenSSL version 3 does.
(Details can be found at: https://www.openssl.org/docs/manpages.html)
To use 'genpkey' option '-config', easyrsa_openssl() needs to be aware
of the SSL Library version and only set '-config' for version 3.
This patch sets OpenSSL version 3 ONLY option '-config' for 'genpkey'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
* (1) Move definition of $crypto_opts inside 'case' for OSSLv1 (NFC)
This defines $crypto_opts for the CA private key.
* Wrap long lines (NFC)
* (2) Expand definition of $crypto_opts to use $no_password.
This defines $crypto_opts for the CA pair.
Note: Before this change (2), the command which EasyRSA uses
does not include '-nodes' when building an unencrypted CA.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Required changes:
* Use 'verify_ssl_lib()' to determine SSL Library version.
Returns '1', '3' OR error.
Sets 'no_password' to either '-nodes' (SSLv1) or '-noenc' (SSLv3)
* Replace OpenSSL paramater '-nodes' [DEPRECATED], with '-noenc'.
Ref: https://www.openssl.org/docs/man3.0/man1/openssl-req.html
This effects All Easy-RSA CAs built using OpenSSL version 3.
* Replace OpenSSL command 'genrsa' [DEPRECATED], with 'genpkey'.
Ref: https://www.openssl.org/docs/man3.0/man1/openssl-genrsa.html
This effects Easy-RSA 'RSA' CAs built using OpenSSL version 3.
OpenSSL advises using 'genpkey' over 'genrsa'.
* OpenSSL 'genpkey' does not accept the parameters defined by
easyrsa $opts and $no_password when generating CA private keys.
Do not use these variables for OpenSSL-v3 'genpkey'.
Optional changes:
* Use 'easyrsa_openssl()' wrapper function to build All CAs.
* Add 'genpkey' to easyrsa_openssl() wrapper, to include using the
EasyRSA/OpenSSL Configuration file $EASYRSA_SAFE_CONF.
* Change EasyRSA Elliptic Curve (ec) CA's to also use OpenSSL 'genpkey',
instead of OpenSSL 'ec'. This change is not required, however, this
means that all EasyRSA CA Private keys are created using 'genpkey'
with OpenSSL v3.
* EasyRSA 'gen_req()' is the only other code which uses OpenSSL '-nodes'.
Make 'gen_req()' aware of the SSL Library version and therefore the
correct parameter for an unencrypted private key. (-noenc vs -nodes)
Note: OpenSSL '-nodes' is only deprecated not removed.
* Indent OpenSSL version 1 code block to match. No functional changes.
Tests Passed:
Full extended unit tests, with both OpenSSL version 1.1.x and 3.0.1
(Includes standard test for Edwards Curve PKI)
Manual building of All OpenSSL *v3* CAs with passwords and subsequent
building and signing of a server or client certificate.
Manual building of OpenSSL *v1* EC CA with password and subsequent
building and signing of a server or client certificate.
Tested due to changing CA key from OpenSSL 'ec' to 'genpkey'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This removes our dependency on an external non-POSIX mktemp
implementation and uses openssl's built in rand function.
Addresses #478
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
The openssl call relied on word splitting for $crypto_ops
but $crypto_opts consists of a path which could contain spaces.
Now path is stored in $pass_opts which is quoted when using in
openssl call.
Using another build of OpenSSL that appears to work fine in testing.
Long term, we should be building OpenSSL ourselves and shipping it on a
regular basis. That's another project on the list.
Resolves#405.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This reverts commit 5f3e5ca450eaf464ed21a5d3ec62d39f7594fd99.
There is an incompatibility in 1.1.1g with the EasyRSA script. There
are no new features in 1.1.1g we are leveraging directly, so just going
to revert to support the OpenVPN 2.5 release process and get EasyRSA
v3.x into more hands.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Commit 1e98ba8 introduced an issue with RSA keys (only ED keys were
tested).
Closes#403 and #395
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
This fixes an argument error I made in commit 1e98ba808c9c90629595827773a66b59f8c9b927, sorry I have not tested RSA keys as I only use ED.
The argument is -passout for all openssl versions (tested on LibreSSL 2.8.3 and OpenSSL 1.1.1d).
