From 761736f4d139d41319f85c4675df3b738daf99e3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 31 May 2024 18:42:02 +0100
Subject: [PATCH] build-ca, gen-req, sign-req: Use write_easyrsa_ssl_cnf_tmp() earlier

This guarantees that a working EasyRSA SSL config file exists and that both $EASYRSA_SSL_CONF and $OPENSSL_CONF are set to that file. If the initial file has been user, or by EasyRSA internally, edited then that file is used, in place. With these expanson rules applied: This file will be OpenSSL:Un-expanded, LibreSSL:Expanded or expanded by global option --force-safe-ssl or $EASYRSA_FORCE_SAFE_SSL. If the file in place is absent or recognised by SHA256 hash then it will be replaced by here-doc expansion, including SSL Lib expansion as required. The effected code here is verify_file(), which now calls $EASYRSA_OPENSSL directly. Submitting to $OPENSSL_CONF place, or error. Improve comments in the code.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 44 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 8ad9cb18e..ae6da405d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1643,7 +1643,11 @@ Unable to create necessary PKI files (permissions?)"
 
 	# Verify or create openssl-easyrsa.cnf temp-file
 	# Must be done after setting EASYRSA_REQ_CN
+	# Must be done before using $EASYRSA_EXTRA_EXTS etc
+	# And export $OPENSSL_CONF
 	write_easyrsa_ssl_cnf_tmp
+	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	verbose "sign_req: OPENSSL_CONF = $OPENSSL_CONF"
 
 	# When EASYRSA_EXTRA_EXTS is defined,
 	if [ "$EASYRSA_EXTRA_EXTS" ]; then
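Review bot: The `verbose "sign_req: OPENSSL_CONF = $OPENSSL_CONF"` line added after write_easyrsa_ssl_cnf_tmp carries a hard-coded "sign_req:" label in all four copies (here and at -1955, -2135 and -2293), although the copy at -2135 sits next to `key_out=`/`req_out=` and so is plainly not in sign_req; the debug trace then names the wrong function. The same seven lines are pasted four times, and the export is left to every caller rather than done by write_easyrsa_ssl_cnf_tmp, whose body is outside these hunks. Unless something in that body prevents it, moving `export OPENSSL_CONF="$EASYRSA_SSL_CONF"` and `verbose "write_easyrsa_ssl_cnf_tmp: OPENSSL_CONF = $OPENSSL_CONF"` to the end of write_easyrsa_ssl_cnf_tmp would make the export impossible to omit at a future call site and keep the label correct everywhere. The enclosing function here starts and ends outside the hunk.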
@@ -1955,6 +1959,14 @@ Conflicting certificate exists at:
 	verbose "\
 self-sign: Use ALGO/CURVE to $EASYRSA_ALGO/$EASYRSA_CURVE"
 
+	# Verify or create openssl-easyrsa.cnf temp-file
+	# Must be done after setting EASYRSA_REQ_CN
+	# Must be done before using verify_file() etc
+	# And export $OPENSSL_CONF
+	write_easyrsa_ssl_cnf_tmp
+	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	verbose "sign_req: OPENSSL_CONF = $OPENSSL_CONF"
+
 	# Assign tmp-file for config
 	adjusted_ssl_cnf_tmp=""
 	easyrsa_mktemp adjusted_ssl_cnf_tmp || \
@@ -2135,6 +2147,14 @@ Option conflict --req-cn:
 	# Enforce commonName
 	export EASYRSA_REQ_CN="$file_name_base"
 
+	# Verify or create openssl-easyrsa.cnf temp-file
+	# Must be done after setting EASYRSA_REQ_CN
+	# Must be done before using $EASYRSA_EXTRA_EXTS etc
+	# And export $OPENSSL_CONF
+	write_easyrsa_ssl_cnf_tmp
+	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	verbose "sign_req: OPENSSL_CONF = $OPENSSL_CONF"
+
 	# Output files
 	key_out="$EASYRSA_PKI/private/${file_name_base}.key"
 	req_out="$EASYRSA_PKI/reqs/${file_name_base}.req"
@@ -2167,10 +2187,6 @@ An existing private key was found at $key_out
 Continuing with key generation will replace this key."
 	fi
 
-	# Verify or create openssl-easyrsa.cnf temp-file
-	# Must be done after setting EASYRSA_REQ_CN
-	write_easyrsa_ssl_cnf_tmp
-
 	# When EASYRSA_EXTRA_EXTS is defined,
 	# append it to openssl's [req] section:
 	if [ "$EASYRSA_EXTRA_EXTS" ]; then
@@ -2293,6 +2309,14 @@ Option conflict --req-cn:
 	# Enforce commonName
 	export EASYRSA_REQ_CN="$file_name_base"
 
+	# Verify or create openssl-easyrsa.cnf temp-file
+	# Must be done after setting EASYRSA_REQ_CN
+	# Must be done before using verify_file() etc
+	# And export $OPENSSL_CONF
+	write_easyrsa_ssl_cnf_tmp
+	export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+	verbose "sign_req: OPENSSL_CONF = $OPENSSL_CONF"
+
 	# Check optional subject
 	force_subj=
 	while [ "$1" ]; do
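Review bot: `export OPENSSL_CONF="$EASYRSA_SSL_CONF"` after the write_easyrsa_ssl_cnf_tmp call (and the identical lines at -1643, -2135 and -2293) does not check that EASYRSA_SSL_CONF is non-empty; if it were unset, OPENSSL_CONF would be exported empty and OpenSSL would presumably fall back to its own default config rather than the EasyRSA one, so the extensions and policy used by the signing that follows would come from the wrong file without any error. Unless write_easyrsa_ssl_cnf_tmp itself aborts in that case (its body is outside this patch), guard the export with `: "${EASYRSA_SSL_CONF:?write_easyrsa_ssl_cnf_tmp did not set EASYRSA_SSL_CONF}"` on the line before it. The enclosing function starts and ends outside the hunk.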
@@ -3723,7 +3747,7 @@ Input is not a valid certificate:
 verify_file() {
 	format="$1"
 	path="$2"
-	easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null
+	"$EASYRSA_OPENSSL" "$format" -in "$path" -noout 2>/dev/null
 } # => verify_file()
 
 # show-* command backend
@@ -4423,6 +4447,16 @@ force_set_var() {
 # Create as needed: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf
 # If the existing file has a known hash then use temp-file.
 # Otherwise, use the file in place.
+#
+# v3.2.x
+# If $EASYRSA_SSL_CONF exists and is changed from default,
+# by either user edits or insertions from code,
+# then the existing file remains 'in-tact'.
+# For LibreSSL, the 'in-tact' file will be expanded by 'sed'
+#
+# If $EASYRSA_SSL_CONF does not exist or is known by sha256 hash
+# then it is replaced by a here-doc file:
+# OpenSSL:Unexpanded, LibreSSL:Expanded
 write_easyrsa_ssl_cnf_tmp() {
 	if [ -f "$EASYRSA_SSL_CONF" ]; then
 		verbose "write_easyrsa_ssl_cnf_tmp: SSL config EXISTS"
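Review bot: With easyrsa_openssl replaced by a direct `"$EASYRSA_OPENSSL"` call, verify_file now depends on the exported OPENSSL_CONF being a readable EasyRSA config, but `2>/dev/null` discards OpenSSL's stderr, so a missing or unreadable config file fails exactly like a malformed certificate and the caller reports "Input is not a valid certificate:" (the hunk header text). A one-line guard before the call keeps the two cases apart: `[ -r "$OPENSSL_CONF" ] || die "verify_file: OPENSSL_CONF is not readable: $OPENSSL_CONF"`. The new dependency is also worth a comment above the function, e.g. `# Requires: $OPENSSL_CONF exported by the caller (see write_easyrsa_ssl_cnf_tmp)`.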
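Review bot: The added header comment spells 'in-tact' twice where 'intact' is meant, and it describes what happens to $EASYRSA_SSL_CONF without stating what the caller must do afterwards: every call site in this patch follows write_easyrsa_ssl_cnf_tmp with `export OPENSSL_CONF="$EASYRSA_SSL_CONF"`. If the function body (it continues past the hunk) does not export it itself, add `# Callers must then export OPENSSL_CONF="$EASYRSA_SSL_CONF"` to the header so the requirement is visible where the function is defined. The 'sed' expansion for LibreSSL is asserted in the comment but not shown in this patch; keep that claim only if the body actually does it.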