Auto-escape '&' ampersand explanation:
'easyrsa' uses 'sed' to build a safe SSL config file, which means
that an unescaped '&' ampersand cannot be used in the 'vars' file.
This is due to 'sed' treating '&' as a special character.
Rather than expect users to know all this and use extended escaping,
to get around 'easyrsa' set_var(), use auto-escape. This allows use
of unescaped '&' in vars file. Like any other character.
Auto-escape '$' dollar-sign explanation:
Using '$' in the 'vars' file MUST be escaped. Escaping '$' to stop
expansion is common knowledge and the first thing a user will try.
Using an escaped '$' in the 'vars' file results in an unescaped '$'
being written to the SSL config file, which is then expanded by
OpenSSL or choked on by LibreSSL. Auto-escaping '$' fixes this.
Add SSL library name to die().
Allow verify_ssl_lib() to run ONLY once.
Improve comments.
Re-order the areas searched for data files to prioritise preferred
locations over old defaults.
Tested-with: OpenSSL and LibreSSL and on Windows and FreeBSD.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Changes:
* Improve help
* Move renew_restore_move() out of die() and back to renewal block.
* Minor corrections to user output.
* Add detailed description of which files will be moved/removed.
* Simplify check/create revoked/renewed directory structures.
* Only die on failure to move certificate, otherwise warn only.
Some files may not be present. eg. PKCS files, already removed.
Manually tested.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Having used help extensively, this reformats help for readability.
Both 'user output' and 'code style' _appear_ to be improved.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use move not copy (copy was used in development).
Corrections to help and error messages.
Re-arrange "hand-off" 'case'; group renew functions together.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The original version of EasyRSA command 'renew', leaves the certificate
without a method to be revoked.
This is due to 'renew' moving files OUT of the PKI, which means they cannot
be targeted by command 'revoke'.
Additionally, 'renew' renames the files to an unfriendly serial-number.
--
Command 'rewind-renew' restores the original commonName as file-name-base.
And moves these files to renewed folders which are targeted by 'revoke-renewed'.
Closes: #578 (Thoroughly tested)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command '[' uses '-n' by default:
* Never use '[ -n "$example" ]'
* Always use '[ "$example" ]'
This improves readabiity.
Use only '-e' to test for file existence.
Try to use simple tests, not 'not not X' (double negative) tests.
Example:
* [ "$EASYRSA_RAND_SERIAL != "no" ] = Replace with ' = "yes" '
Use 'shift' cleanly, immediately after assignment.
Improve/correct comments and user messages.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use the flag as intended.
Also, improvements to layout and comments, in nearby functions.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Helps with preventing #571 again by removing the test pki that may
exist. The build script now removes it if present.
Update the python call the python3 so it works on macOS like in master.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
The input data, when a certificate is not found, was an unpunctuated
numerical representation of date. eg: '220613123456'.
Format this input to: '22-06-13 12:34:56' for use.
Also, disambiguate between certificate-data verses database-data
by renaming the database variables from 'crt_foo' to 'db_foo'.
Also, disambiguate between full-date verses epoch-date-seconds
by renaming epoch-date-seconds variables from 'foo' to 'foo_s'.
Also, improvements to status reports output format.
Also, improve related comments.
Closes: #568
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
New function: verify_algo_params()
Verify algorithm and parameters in a single function.
Remove verify_curve_ec() and verify_curve_ed()
Place verify_algo_params() at the end of vars_setup().
No longer use a dedicated directory for Elliptic curve
parameters file. Instead, use an easyrsa-temp file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Flags are set when a 'vars' file is found:
eg. [ -e "$pki_vars" ] && e_pki_vars=1
Use flag '$e_pki_vars' not the target file variable '$pki_vars' for
subsequent code decisions. Unset '$pki_vars', once it us used.
The same goes for: '$prog_vars', '$pwd_vars' and '$easy_vars'.
Closes: #567
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This check ensures the a valid command does not sneak a missing but
expected 'vars' file through 'vars' detection phase.
Move detect_host() and expand the comment.
Minor reformatting, for readability.
Improve/update comments.
Stage-3-of: #566
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Undo changes made by 4922cae2637ff1d6247840a800f3c691aa7eb7ab
which allowed '--vars=FILE init-pki'.
Keep the changes to user output which suppress messages to "use PKI/vars".
Stage-2-of: #566
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
