From cb201ad2b165ec99da2d04a6da7c93802db1e8bb Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sat, 4 May 2024 00:14:19 +0100 Subject: [PATCH] self-sign: Adjust 'X509v3 Key Usage' Self signed certificates are not used for any signing purposes. Replace signing usage with standard server/client usage. Set: X509v3 Key Usage: Digital Signature, Key Encipherment Remove: X509v3 Key Usage: Certificate Sign, CRL Sign If this is changed by using SSL command 'req', option -addext, without using an SSL config file then 'X509v3 Basic Constraints' is set to 'critical'. Also, SSL command 'req' does not support -extfile, which is why the script uses the '#%CA_X509_TYPES_EXTRA_EXTS%' marker in order to insert the required extensions into the SSL config file. This change is of no consequense to OpenVPN peer fingerprint mode but it does make all EasyRSA generated certificates use extensions consistently. This also introduces an x509-type file for self-signed certificates. This file is not exposed via the x509-types files, it is retained for internal use only. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 68 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index dfee8c366..639a879bf 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1924,6 +1924,56 @@ Conflicting certificate exists at: verbose "\ self-sign: Use ALGO/CURVE to $EASYRSA_ALGO/$EASYRSA_CURVE" + # Assign tmp-file for config + adjusted_ssl_cnf_tmp="" + easyrsa_mktemp adjusted_ssl_cnf_tmp || \ + die "build_self_sign - easyrsa_mktemp adjusted_ssl_cnf_tmp" + + # Assign awkscript to insert EASYRSA_EXTRA_EXTS + # shellcheck disable=SC2016 # No expand '' - build_ca() + awkscript='\ +{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") ) + { while ( getline<"/dev/stdin" ) {print} next } + {print} +}' + + # Find or create x509 CA file + if [ -f "$EASYRSA_EXT_DIR/selfsign" ]; then + # Use the x509-types/ca file + x509_selfsign_file="$EASYRSA_EXT_DIR/selfsign" + else + # Use a temp file + write_x509_type_tmp selfsign + x509_selfsign_file="$write_x509_file_tmp" + fi + + # Find or create x509 COMMON file + if [ -f "$EASYRSA_EXT_DIR/COMMON" ]; then + # Use the x509-types/COMMON file + x509_COMMON_file="$EASYRSA_EXT_DIR/COMMON" + else + # Use a temp file + write_x509_type_tmp COMMON + x509_COMMON_file="$write_x509_file_tmp" + fi + + # Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS + { + # X509 files + cat "$x509_selfsign_file" "$x509_COMMON_file" + + # User extentions + [ "$EASYRSA_EXTRA_EXTS" ] && \ + print "$EASYRSA_EXTRA_EXTS" + + } | awk "$awkscript" "$EASYRSA_SSL_CONF" \ + > "$adjusted_ssl_cnf_tmp" || \ + die "Copying X509_TYPES to config file failed" + verbose "build_self_sign: insert x509 and extensions OK" + + # Use this new SSL config for the rest of this function + EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp" + # temp-file for params-file selfsign_params_file="" easyrsa_mktemp selfsign_params_file || \ @@ -1941,7 +1991,6 @@ self-sign: Use ALGO/CURVE to $EASYRSA_ALGO/$EASYRSA_CURVE" -keyout "$key_out" \ -out "$crt_out" \ -subj "/CN=$file_name_base" \ - -addext extendedKeyUsage="$selfsign_eku" \ ${EASYRSA_NO_PASS:+ "$no_password"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \ @@ -4557,6 +4606,12 @@ write() { write_file="$write_dir/$write_type" fi ;; + selfsign) + # write to stdout or $write_dir/$write_type [x509-type] + if [ "$write_dir" ]; then + write_file="$write_dir/$write_type" + fi + ;; *) user_error "write - unknown type '$write_type'" esac @@ -4678,6 +4733,17 @@ create_legacy_stream() { keyUsage = cRLSign, keyCertSign CREATE_X509_TYPE_CA ;; + selfsign) + # selfsign + cat <<- "CREATE_X509_TYPE_SELFSIGN" + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer:always + basicConstraints = CA:TRUE + keyUsage = digitalSignature,keyEncipherment + CREATE_X509_TYPE_SELFSIGN + + print "extendedKeyUsage = $selfsign_eku" + ;; codeSigning) # codeSigning cat <<- "CREATE_X509_CODE_SIGNING"