All candidate vars-files are searched for and EASYRSA_VARS_FILE is set
to the first valid vars-file found. According to Advanced.md
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Check that sourcing default pki/vars has NOT changed EASYRSA or EASYRSA_PKI.
This will be resolved in v3.2.0 - See #comment for details.
Refactor select_vars():
To: single if/elif/else/fi.
From: separate if/fi statements.
Always set EASYRSA_VARS_FILE to the used vars-file.
(Required for 'help' status)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
vars_setup was trying to do more work than only setting up vars.
These tasks have been broken down as follows:
select_vars:
* Choose only ONE vars file to source by priority specified in Advanced.md
* Apply restrictions to default vars changing EASYRSA or EASYRSA_PKI.
source_vars:
* Verify and source a vars file.
default_vars:
* Set all default values as expected.
Note: Also disable use of vars_setup.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
If a vars file in the PKI tries to change the expected PKI then fail.
Allow vars file in the working directory to change the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The main changes made are:
* If EASYRSA is set then only allow default vars file. No auto-load
* If EASYRSA_PKI is set then allow also EASYRSA_PKI/vars. Use auto-load.
This is something like "The Three Laws"; vars auto-load is unnecessary
and should be replaced by a single default vars file. However, here is
the latest version:
1. The DEFAULT vars file is in the working directory: ./vars
2. Using --vars=<FILE>, takes priority ALWAYS. NO auto-load!
3. Using --pki-dir=<DIR>, allows "$EASYRSA_PKI/vars". Use auto-load!
Note:
A user set PKI can auto-load a default vars file in the PKI, however,
that can also conflict with a default ./vars file.
4. ERROR, if vars auto-load finds more than one VIABLE vars file.
Viable vars files and conflicts:
1. "$PWD/vars" - Can conflict.
2. "$PWD/pki/vars" - Can conflict.
3. "$EASYRSA/vars" - User defined EASYRSA, no conflict.
4. "$EASYRSA_PKI/vars" - User defined EASYRSA_PKI, can conflict.
This is achieved by making the following changes:
Prioritise user-set EASYRSA to force "$EASYRSA/vars" ONLY.
No auto-load.
Expand assigning EASYRSA_PKI/vars to test for user-set PKI or default PKI.
Use auto-load.
Remove unused code and improve comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When a certificate CN is not the same as the file-name then show-expire
must calculate the expiry date, in seconds, from the database field.
This is done by functions:
* db_date_to_iso_8601_date()
Translate from database format to ISO_8601 date format.
* iso_8601_timestamp_to_seconds()
Translate from ISO_8601 date format to time-stamp in seconds.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
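The two conversions named above, written out as an added example in POSIX sh (this is not Easy-RSA's own code). It assumes the database field is the ASN.1 UTCTime form OpenSSL writes to index.txt (YYMMDDHHMMSSZ, two-digit year, taken here as 2000-2099) and deliberately avoids GNU `date -d`, so the epoch arithmetic is done in shell integer math:

```sh
#!/bin/sh
# Added example (not Easy-RSA code): OpenSSL index.txt expiry field ->
# ISO 8601 -> seconds since the Unix epoch, in POSIX sh arithmetic only,
# so it does not depend on GNU 'date -d'.
#
# The expiry field is ASN.1 UTCTime: YYMMDDHHMMSSZ (13 chars, two-digit
# year). The two-digit year is taken as 2000-2099 (assumption of this
# example; it covers the certificates a current Easy-RSA PKI holds).

# db_date_to_iso_8601_date 261231235959Z -> 2026-12-31T23:59:59Z
db_date_to_iso_8601_date() {
    db="$1"
    case "$db" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) echo "db_date_to_iso_8601_date: bad UTCTime '$db'" >&2; return 1 ;;
    esac
    # Peel two characters at a time with POSIX parameter expansion.
    yy=${db%???????????}; db=${db#??}
    mo=${db%?????????};   db=${db#??}
    dd=${db%???????};     db=${db#??}
    hh=${db%?????};       db=${db#??}
    mi=${db%???};         db=${db#??}
    ss=${db%?}
    echo "20${yy}-${mo}-${dd}T${hh}:${mi}:${ss}Z"
}

# iso_8601_timestamp_to_seconds 2026-12-31T23:59:59Z -> 1798761599
iso_8601_timestamp_to_seconds() {
    iso="$1"
    case "$iso" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) ;;
        *) echo "iso_8601_timestamp_to_seconds: bad timestamp '$iso'" >&2; return 1 ;;
    esac
    # Split on '-', 'T' and ':'; strip one leading zero from each field so
    # "08" and "09" are not read as (invalid) octal inside $(( )).
    iso=${iso%Z}
    old_ifs="$IFS"; IFS='-T:'
    set -- $iso
    IFS="$old_ifs"
    y=$1 m=${2#0} d=${3#0} hh=${4#0} mi=${5#0} ss=${6#0}
    # Days since 1970-01-01 (Hinnant's days_from_civil, integer math).
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + hh * 3600 + mi * 60 + ss ))
}

# db_date_to_seconds DBDATE: both steps in one call.
db_date_to_seconds() {
    iso=$(db_date_to_iso_8601_date "$1") && iso_8601_timestamp_to_seconds "$iso"
}
```

The strict `case` patterns matter: index.txt is plain text that a CA operator can edit, so a malformed field fails loudly instead of producing a plausible but wrong expiry.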
If '--vars=vars' is used, without specifying a path to 'vars', then
sourcing 'vars' fails to find './vars'. POSIX '.' searches the PATH
when the file-name does not contain a slash '/'. [man dot(1p)]
Since EasyRSA expects the 'vars' file to be within the current working
directory, setting 'PATH=./' forces '.' to search ONLY './'.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
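Why the PATH search matters, shown as an added example (not Easy-RSA code): the `.` builtin searches PATH for an operand with no slash, so a file named `vars` in any PATH directory is sourced in preference to the one in the working directory. The fixture (a decoy `vars` in a directory placed on PATH, and the intended `./vars`) is constructed for the demonstration; `source_vars` applies the `PATH=./` fix described above and restores PATH afterwards:

```sh
#!/bin/sh
# Added example (not Easy-RSA code): '. vars' resolved through PATH versus
# through PATH=./ as in the fix above.

# make_fixture: constructed test tree; prints its path.
make_fixture() {
    work=$(mktemp -d) || return 1
    mkdir "$work/bin" || return 1
    printf 'MARK=local\n' > "$work/vars"       # the file the user means
    printf 'MARK=decoy\n' > "$work/bin/vars"   # constructed decoy on PATH
    printf '%s\n' "$work"
}

# source_vars NAME: source NAME with PATH narrowed to './' for the duration,
# so a bare file-name resolves only in the working directory. The existence
# check comes first: in dash a failing '.' aborts a non-interactive shell.
source_vars() {
    [ -f "./$1" ] || { echo "source_vars: no './$1' in $(pwd)" >&2; return 1; }
    saved_path="$PATH"
    PATH=./
    . "$1"
    rc=$?
    PATH="$saved_path"
    return $rc
}

# Both helpers run in a subshell so the caller's PATH and cwd are untouched.
# unsafe_source DIR: bare '. vars' with the decoy directory on PATH.
unsafe_source() {
    ( cd "$1" && PATH="$1/bin" && MARK=unset && . vars && echo "$MARK" )
}
# safe_source DIR: the same bare name through source_vars.
safe_source() {
    ( cd "$1" && PATH="$1/bin" && MARK=unset && source_vars vars && echo "$MARK" )
}
```

Note that with PATH narrowed to `./`, any external command inside the vars file will not be found; that is acceptable only because a vars file is expected to contain variable assignments.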
The option 'soft' for 'init-pki' has been found to be flawed, because
keeping the 'vars' file in the PKI is now forbidden. The 'soft' option
will be removed in due course.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
For 'init-pki', disable creating vars.example, which also disables
creating a vars file in the PKI.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The default 'vars' file MUST be "$PWD/vars", no other file can be default.
In order to enforce that, a default 'pki/vars' file MUST be forbidden.
This patch:
* Disables the recommendation for 'vars' to be moved TO the PKI, './pki/vars'.
* Forbids the file called './pki/vars'.
* Forbids multiple 'vars' files
* Recommends ONLY the working directory copy of a 'vars' file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The upgrade function is no longer required.
Easy-RSA version 3.1.6 provides full upgrade path for older PKIs.
For rare PKIs which do not have 'unique_subject = no' set
in the 'index.txt.attr' file, fall back to SSL error.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Forbid any path ending with '/', '\' or ':'
This protects user variables for paths from being set to the root folder.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This allows a client that has not built a CA to use 'inline'.
The CA and signed client certificate can be sent to the client,
allowing the client to create a complete X509 based inline file,
without creating a redundant CA.
Also, add 'inline' command to the list of commands which do not
require a CA.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Expose 'inline' command to command line.
Inline available data and ignore missing files.
This function prints the available inline data to stdout.
To create inline files the data must be redirected to a file.
Internally, this redirection is taken care of.
Return 'soft' error when any data is missing but always print
available data.
This behaviour allows for incomplete inline files. For example,
when a CA signs a certificate but does not have the private key.
Any combination of missing files is allowed.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
nix.sh/win.sh/busybox.sh never return error from unset
when an invalid variable name 'a=b' is used with a value
to set, e.g. 'c'. This causes EasyRSA to execute:
eval "export a=b=c".
'set_var EASYRSA_PKI=pki' results in $EASYRSA_PKI being
set to 'pki=pki-', without error!
Guard against this possible user error with 'case'.
Minor improvements to other input checks.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
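The two input checks from the commits above (the path-terminator rule for '/', '\' and ':', and the 'case' guard on the variable name passed to set_var), written out as an added example in POSIX sh. This is not Easy-RSA's code; the function names and messages are this example's own. The unsafe form is kept beside the guarded one to show how a spliced operand reaches `eval`:

```sh
#!/bin/sh
# Added example (not Easy-RSA code): set_var with unchecked operands spliced
# into 'eval', beside a version that validates the NAME as an identifier and
# the VALUE as a path that does not end in '/', '\' or ':'.

# The shape of the bug: NAME and VALUE are pasted into the eval string.
# 'unsafe_set_var EASYRSA_PKI=pki pki' becomes 'export EASYRSA_PKI=pki=pki',
# and a VALUE containing ';' runs as a second command.
unsafe_set_var() {
    eval "export $1=$2"
}

# is_identifier WORD -> 0 if WORD is a valid shell variable name.
is_identifier() {
    case "$1" in
        '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# path_ok VALUE -> 0 unless VALUE is empty or ends with '/', '\' or ':'.
# '/' alone, 'C:' or 'D:\' would point a PKI variable at a filesystem root.
path_ok() {
    case "$1" in
        '' | */ | *'\' | *:) return 1 ;;
    esac
    return 0
}

# set_var NAME VALUE: export NAME=VALUE after validating NAME. Only the
# validated NAME is spliced into the eval string; VALUE is read from the
# positional parameter at eval time, so it is assigned verbatim.
set_var() {
    is_identifier "$1" || { echo "set_var: invalid variable name '$1'" >&2; return 1; }
    eval "$1=\$2 && export $1"
}

# set_path_var NAME VALUE: set_var plus the path-terminator check.
set_path_var() {
    path_ok "$2" || {
        echo "$1: path must not be empty or end with '/', '\\' or ':' (got '$2')" >&2
        return 1
    }
    set_var "$1" "$2"
}
```

The identifier check is what makes the `eval` safe: once NAME is known to be `[A-Za-z_][A-Za-z0-9_]*`, the only shell text in the eval string is the assignment itself, and VALUE never becomes shell syntax regardless of its contents.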
Now that easyrsa covers missing x509-types, the 'init-pki' message,
for the status of x509-types, is no longer required.
Improve and correct other messages and comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Re-arranging the p12 command to follow the standard:
- In file
- out file
Followed by
- Conditional: -nokeys
- Unconditional: -inkey file
This is a reminder that '-inkey' is subordinate to '-nokeys' but
is ALWAYS required.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The current export functions only allow use on a complete PKI, with CA.
This change allows the following:
* Server - Export P12/P7 without client key
* Client - Export P12/P7 without CA, P8/P1 without PKI
Due to the relative obscurity of the command options 'noca' and 'nokey',
exporting P12/P7 with incorrect options can be adjusted on-the-fly with
confirmation from the user.
Correct behaviour of export-p1 with OpenSSL v3 by using -legacy option.
Otherwise, OpenSSL v3 outputs a PKCS#8 format file.
Minor improvements to comments.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This applies to all direct calls using EASYRSA_OPENSSL (Default: 'openssl'),
which bypass using easyrsa_openssl() wrapper function.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>