If a vars file in the PKI tries to change the expected PKI then fail.
Allow vars file in the working directory to change the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The main changes made are:
* If EASYRSA is set then only allow default vars file. No auto-load
* If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load.
This is something like "The Three Laws"; vars auto-load is unnecassary
and should be replaced by a single default vars file. However, here is
the latest version:
1. The DEFAULT vars file is in the working directory: ./vars
2. Using --vars=<FILE>, takes priority ALWAYS. NO auto-load!
3. Using --pki-dir=<DIR>, allows "$EASYRSA_PKI/vars". Use auto-load!
Note:
A user set PKI can auto-load a default vars file in the PKI, however,
that can also conflict with a default ./vars file.
4. ERROR, if vars auto-load finds more than one VIABLE vars file.
Viable vars files and conflicts:
1. "$PWD/vars" - Can conflict.
2. "$PWD/pki/vars" - Can conflict.
3. "$EASYRSA/vars" - User defined EASYRSA, no conflict.
4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict.
This is achieved by making the following changes:
Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY.
No auto-load.
Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI.
Use auto-load.
Remove unused code and improve comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When a certificate CN is not the same as the file-name then show-expire
must calculate the expiry date, in seconds, from the database field.
This is done by functions:
* db_date_to_iso_8601_date()
Translate from database format to ISO_8601 date format.
* iso_8601_timestamp_to_seconds()
Translate from ISO_86012 date format to time-stamp in seconds.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If '--vars=vars' is used, without specifying a path to 'vars', then
sourcing 'vars' fails to find './vars'. POSIX '.' searches the PATH
when the file-name does not contain a slash '/'. [man dot(1p)]
Since EasyRSA expects the 'vars' file to be within the current working
directory, setting 'PATH=./' forces '.' to search ONLY './'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The option 'soft' for 'init-pki' has been found to be flawed, because
keeping the 'vars' file in the PKI is now forbidden. The 'soft' option
will be removed in due course.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
For 'init-pki, disable creating vars.example, which also disables
creating a vars file in the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The default 'vars' file MUST be "$PWD/vars", no other file can be default.
In order to enforce that, a default 'pki/vars' file MUST be forbidden.
This patch:
* Disables the recommandation for 'vars' to be moved TO the PKI, './pki/vars.
* Forbids the file called './pki/vars'.
* Forbids multiple 'vars' files
* Recommends ONLY the working directory copy of a 'vars' file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The upgrade function is no longer required.
Easy-RSA version 3.1.6 provides full upgrade path for older PKIs.
For rare PKIs which do not have 'unique_subject = no' set
in the 'index.txt.attr' file, fall back to SSL error.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
