From b18fe386a1d43cc6e52db635a663ac6906aeea04 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 5 Jun 2024 12:40:16 +0100
Subject: [PATCH] Introduce Global Safe SSL config and Local SSL config
The global safe SSL config is used by ancillary commands, such as 'vefiry_file()' and 'display_dn()', when no other SSL config has been created so far. The global safe SSL config is created with all env-vars fully expanded, which allows this file to be used by any SSL library. The local SSL config is used by commands that build X509 files, such as build-ca and gen-req. This file is created per command. The local SSL config is created as per the requirements of the SSL library in use. eg. OpenSSL:Unexpanded, LibreSSL:Expanded. The local SSL config is the file which is edited by commands, which insert data, such as "copy_extensions = copy" --copy-ext. The local file is tracked via EASYRSA_SSL_CONF. Calling command easyrsa_openssl() finally sets OPENSSL_CONF to EASYRSA_SSL_CONF. The global file is not tracked, it is only used when no local file has been created. OPENSSL_CONF is set to the global file, by default, from the start.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 65 ++++++++++++++++++++++++++++++++++++------------
 1 file changed, 49 insertions(+), 16 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 6b43e8491..d2fa32bbe 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1212,8 +1212,8 @@ easyrsa_openssl() {
 expand_ssl_config || \
 die "easyrsa_openssl - expand_ssl_config failed"
- # VERIFY safe temp-file exists
- export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+ # create local SSL cnf
+ write_easyrsa_ssl_cnf_tmp
 verbose "easyrsa_openssl: OPENSSL_CONF = $OPENSSL_CONF"
 # Debug level
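Review bot: easyrsa_openssl now calls write_easyrsa_ssl_cnf_tmp on every SSL invocation in place of the plain export, so whether the local config is rewritten per call depends on the early-exit logic at the top of write_easyrsa_ssl_cnf_tmp, which is outside this patch; the tail visible in the 4527 hunk runs `write "$ssl_cnf_type" > "$ssl_cnf_tmp"` unconditionally once reached. If the file is regenerated from the template on each call, data a command inserted into the local file beforehand, such as the copy_extensions line the description mentions, would be gone before the SSL command reads it. Please confirm the function returns early when EASYRSA_SSL_CONF already names a written temp file for this session, and record that in the comment, e.g. `# create local SSL cnf (no-op when already written this session)`. easyrsa_openssl's body continues outside the hunk.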
@@ -1657,6 +1657,9 @@ Unable to create necessary PKI files (permissions?)"
 fi
 fi
+ # create local SSL cnf
+ write_easyrsa_ssl_cnf_tmp
+
 # Check for insert-marker in ssl config file
 if [ "$EASYRSA_EXTRA_EXTS" ]; then
 if ! grep -q '^#%CA_X509_TYPES_EXTRA_EXTS%' \
@@ -2143,6 +2146,9 @@ Option conflict --req-cn:
 # Enforce commonName
 export EASYRSA_REQ_CN="$file_name_base"
+ # create local SSL cnf
+ write_easyrsa_ssl_cnf_tmp
+
 # Output files
 key_out="$EASYRSA_PKI/private/${file_name_base}.key"
 req_out="$EASYRSA_PKI/reqs/${file_name_base}.req"
@@ -2294,6 +2300,9 @@ Option conflict --req-cn:
 # Enforce commonName
 export EASYRSA_REQ_CN="$file_name_base"
+ # create local SSL cnf
+ write_easyrsa_ssl_cnf_tmp
+
 # Check optional subject
 force_subj=
 while [ "$1" ]; do
@@ -2763,7 +2772,7 @@ Option conflict --req-cn:
 remove_secure_session
 locate_support_files
 secure_session
- write_easyrsa_ssl_cnf_tmp
+ write_global_safe_ssl_cnf_tmp
 # Require --copy-ext
 export EASYRSA_CP_EXT=1
@@ -2916,6 +2925,17 @@ Run easyrsa without commands for usage and command help."
 file_name_base="$1"
 shift
+ # Prohibit --req-cn
+ [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
+Option conflict --req-cn:
+* '$cmd' does not support setting an external commonName"
+
+ # Enforce commonName
+ export EASYRSA_REQ_CN="$file_name_base"
+
+ # create local SSL cnf
+ write_easyrsa_ssl_cnf_tmp
+
 in_dir="$EASYRSA_PKI"
 key_in="$in_dir/private/${file_name_base}.key"
 req_in="$in_dir/reqs/${file_name_base}.req"
@@ -3635,6 +3655,7 @@ display_dn - input error"
 # Display DN
 ssl_out="$(
+ #export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"
 "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \
 -nameopt utf8,sep_multiline,space_eq,lname,align)" || \
 die "display_dn: SSL command '$format'"
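Review bot: The display_dn hunk (3635) commits a commented-out line, `#export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"`, inside the command substitution; dead code that references a variable set in another function misleads the next reader, so either drop it or replace it with a statement of intent such as `# OPENSSL_CONF already points at the global safe cnf unless a command wrote a local one`. The `# Prohibit --req-cn` / `export EASYRSA_REQ_CN` / `write_easyrsa_ssl_cnf_tmp` sequence added in the 2916 hunk is now the third verbatim copy of the block in the 2143 and 2294 hunks; a small helper taking the command name would keep the three in step when the message or the ordering changes. The 2916 hunk also applies that block to a command that reads an existing request (`req_in`), so it is worth confirming that this command regenerates a request and actually needs the commonName override. The enclosing functions of all these hunks start and end outside the diff.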
@@ -4361,13 +4382,11 @@ verify_working_env() {
 # Verify PKI is initialised
 verify_pki_init
- # Temp dir session and default SSL conf file
- if [ -z "$secured_session" ]; then
- secure_session
+ # Temp dir session
+ secure_session
- # Verify or create temp EASYRSA_SSL_CONF
- write_easyrsa_ssl_cnf_tmp
- fi
+ # global safe ssl cnf temp
+ write_global_safe_ssl_cnf_tmp
 # Verify selected algorithm and parameters
 verify_algo_params
@@ -4382,13 +4401,11 @@ verify_working_env() {
 # If there is a valid temp-dir:
 # Create temp-session and openssl-easyrsa.cnf (Temp) now
 if [ -d "$EASYRSA_TEMP_DIR" ]; then
- # Temp dir session and default SSL conf file
- if [ -z "$secured_session" ]; then
- secure_session
+ # Temp dir session
+ secure_session
- # Verify or create: EASYRSA_SSL_CONF
- write_easyrsa_ssl_cnf_tmp
- fi
+ # global safe ssl cnf temp
+ write_global_safe_ssl_cnf_tmp
 fi
 fi
 verbose "verify_working_env: COMPLETED Handover-to: $cmd"
@@ -4429,6 +4446,19 @@ force_set_var() {
 die "force_set_var - set_var '$*'"
 } # => force_set_var()
+# global Safe SSL conf file, for use by any SSL lib
+write_global_safe_ssl_cnf_tmp() {
+ global_safe_ssl_cnf_tmp=
+ easyrsa_mktemp global_safe_ssl_cnf_tmp || die "\
+verify_working_env - easyrsa_mktemp global_safe_ssl_cnf_tmp"
+
+ write safe-cnf > "$global_safe_ssl_cnf_tmp" || die "\
+verify_working_env - write safe-cnf"
+
+ export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"
+ verbose "GLOBAL - OPENSSL_CONF = $OPENSSL_CONF"
+} # => write_global_safe_ssl_cnf_tmp()
+
 # Create as needed: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf
 # If the existing file has a known hash then use temp-file.
 # Otherwise, use the file in place.
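Review bot: Both `die` messages in the new write_global_safe_ssl_cnf_tmp (hunk 4429) still carry the `verify_working_env -` prefix they inherited from the inlined code they replace, so a failure reached through the 2763 hunk's caller would be reported against the wrong function; replace the prefix in both with `write_global_safe_ssl_cnf_tmp -`. The function also exports OPENSSL_CONF unconditionally, so if it is ever reached after write_easyrsa_ssl_cnf_tmp has exported a local config, the SSL library silently drops back to the global file and anything inserted into the local one is bypassed; since the description says the global file is only for when no local file exists, an early return guarded by a variable that write_easyrsa_ssl_cnf_tmp sets would make that invariant explicit instead of relying on call order. The two verify_working_env hunks additionally drop the `[ -z "$secured_session" ]` guard, so secure_session and this function now run on every pass through either path; that is fine only if both are safe to repeat, which the patch does not show. A header comment stating the contract — writes a fully expanded config usable by any SSL library and points OPENSSL_CONF at it until a local config replaces it — and noting that `global_safe_ssl_cnf_tmp` is a script-wide variable (display_dn in the 3635 hunk references it) would help the next maintainer.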
@@ -4527,13 +4557,16 @@ write_easyrsa_ssl_cnf_tmp - easyrsa_mktemp"
 # Write SSL cnf to temp-file
 write "$ssl_cnf_type" > "$ssl_cnf_tmp" || die "\
-write_easyrsa_ssl_cnf_tmp - write ssl-cnf: $ssl_cnf_tmp"
+write_easyrsa_ssl_cnf_tmp - write $ssl_cnf_type: $ssl_cnf_tmp"
 # export SSL cnf tmp
 export EASYRSA_SSL_CONF="$ssl_cnf_tmp"
 verbose "\
 write_easyrsa_ssl_cnf_tmp: $ssl_cnf_type \
 - EASYRSA_SSL_CONF = $ssl_cnf_tmp"
+
+ export OPENSSL_CONF="$EASYRSA_SSL_CONF"
+ verbose "LOCAL - OPENSSL_CONF = $OPENSSL_CONF"
 } # => write_easyrsa_ssl_cnf_tmp()
 # Write x509 type file to a temp file
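Review bot: The new `export OPENSSL_CONF="$EASYRSA_SSL_CONF"` at the end of write_easyrsa_ssl_cnf_tmp leaves the earlier `# export SSL cnf tmp` comment describing only half of what the tail now does; extend it to `# export SSL cnf tmp; from here on OPENSSL_CONF names the local file, not the global safe one` so the hand-over is visible where it happens. The error-message change on the `die` line is an improvement, but the existing verbose text already embeds EASYRSA_SSL_CONF and the new `LOCAL - OPENSSL_CONF` line logs the same path again; one combined message would avoid two near-identical log lines per call. The start of the function is outside the hunk.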