Skip to content

Commit

Permalink
Merge branch 'san-critical' of ssh://github.com/TinCanTech/easy-rsa i…
Browse files Browse the repository at this point in the history
…nto TinCanTech-san-critical

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Jul 1, 2024
2 parents 34586ad + 4e5c5c9 commit a1e90cd
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
* Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
* gen-req: Always check for existing request file (7eab98e) (#1177)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
Expand Down
14 changes: 12 additions & 2 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -611,6 +611,7 @@ Certificate & Request options: (these impact cert/req field values)
--san|--subject-alt-name=SUBJECT_ALT_NAME
: Add a subjectAltName. Can be used multiple times.
For more info and syntax, see: 'easyrsa help altname'
--san-crit : Mark X509v3 subjectAltName as critical

--new-subject='SUBJECT'
: Specify a new subject field to sign a request with.
Expand Down Expand Up @@ -2266,6 +2267,8 @@ $EASYRSA_EXTRA_EXTS"
> "$adjusted_ssl_cnf_tmp" || \
die "Writing SSL config to temp file failed"

[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"

# Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"
fi
Expand Down Expand Up @@ -2567,6 +2570,8 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v ns_cert_type
esac

[ "${EASYRSA_SAN_CRIT}" ] && verbose "sign-req: SAN critical OK"

# Generate the extensions file for this cert:
ext_tmp=""
easyrsa_mktemp ext_tmp || \
Expand Down Expand Up @@ -2601,6 +2606,7 @@ Failed to create temp extension file (bad permissions?) at:
verbose "sign_req: Generated extensions file OK"

# Get request CN
# EASYRSA_REQ_CN MUST always be set to the CSR CN
EASYRSA_REQ_CN="$(
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
-subject -nameopt multiline | grep 'commonName'
Expand Down Expand Up @@ -2663,7 +2669,7 @@ $confirm_dn"
if [ "$EASYRSA_SAN" ]; then
confirm_san="\
X509v3 Subject Alternative Name:
$EASYRSA_SAN"
${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
else
confirm_san="$req_x509_san"
fi
Expand Down Expand Up @@ -5529,6 +5535,10 @@ while :; do
EASYRSA_SAN="$val"
fi
;;
--san-crit*)
empty_ok=1
export EASYRSA_SAN_CRIT='critical,'
;;
--new-subj*)
export EASYRSA_NEW_SUBJECT="$val"
;;
Expand Down Expand Up @@ -5587,7 +5597,7 @@ done
if [ "$EASYRSA_SAN" ]; then
EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = $EASYRSA_SAN"
subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
fi

# Set cmd now
Expand Down

0 comments on commit a1e90cd

Please sign in to comment.