Merge branch 'TinCanTech-san-critical'

Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jul 1, 2024 · f6b43dc · f6b43dc
2 parents 34586ad + a1e90cd
commit f6b43dc
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.1 (TBD)
 
+   * Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
    * Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
    * gen-req: Always check for existing request file (7eab98e) (#1177)
    * revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -611,6 +611,7 @@ Certificate & Request options: (these impact cert/req field values)
 --san|--subject-alt-name=SUBJECT_ALT_NAME
                 : Add a subjectAltName. Can be used multiple times.
                   For more info and syntax, see: 'easyrsa help altname'
+--san-crit      : Mark X509v3 subjectAltName as critical
 
 --new-subject='SUBJECT'
                 : Specify a new subject field to sign a request with.
@@ -2266,6 +2267,8 @@ $EASYRSA_EXTRA_EXTS"
 			> "$adjusted_ssl_cnf_tmp" || \
 				die "Writing SSL config to temp file failed"
 
+	[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"
+
 		# Use this SSL config for the rest of this function
 		EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"
 	fi
@@ -2567,6 +2570,8 @@ basicConstraints is not defined, cannot use 'pathlen'"
 		unset -v ns_cert_type
 	esac
 
+	[ "${EASYRSA_SAN_CRIT}" ] && verbose "sign-req: SAN critical OK"
+
 	# Generate the extensions file for this cert:
 	ext_tmp=""
 	easyrsa_mktemp ext_tmp || \
@@ -2601,6 +2606,7 @@ Failed to create temp extension file (bad permissions?) at:
 	verbose "sign_req: Generated extensions file OK"
 
 	# Get request CN
+	# EASYRSA_REQ_CN MUST always be set to the CSR CN
 	EASYRSA_REQ_CN="$(
 		"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
 			-subject -nameopt multiline | grep 'commonName'
@@ -2663,7 +2669,7 @@ $confirm_dn"
 	if [ "$EASYRSA_SAN" ]; then
 		confirm_san="\
             X509v3 Subject Alternative Name:
-                $EASYRSA_SAN"
+                ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
 	else
 		confirm_san="$req_x509_san"
 	fi
@@ -5529,6 +5535,10 @@ while :; do
 				EASYRSA_SAN="$val"
 			fi
 			;;
+		--san-crit*)
+			empty_ok=1
+			export EASYRSA_SAN_CRIT='critical,'
+			;;
 		--new-subj*)
 			export EASYRSA_NEW_SUBJECT="$val"
 			;;
@@ -5587,7 +5597,7 @@ done
 if [ "$EASYRSA_SAN" ]; then
 	EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
-subjectAltName = $EASYRSA_SAN"
+subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
 fi
 
 # Set cmd now