Introduce new global options: --ku-critical and --bc-critical

These option allow X509 'critical' attributes to be used. --ku-critical (--ku-crit): Configure 'keyUsage' to set 'critical' attribute. --bc-critical (--bc-crit): Configure 'basicContraints' to set 'critical' attribute. Use of these options is left to the discretion of the the user task. Supported certificate types does not include 'email', 'codeSigning' or 'kdc'. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jan 14, 2024 · f86fa88 · f86fa88
1 parent d51d79b
commit f86fa88
Showing 1 changed file with 37 additions and 6 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -5666,11 +5666,21 @@ create_legacy_stream() {
 	;;
 	easyrsa)
 	# This could be COMMON but not is not suitable for a CA
-		cat <<- "CREATE_X509_TYPE_EASYRSA"
-		basicConstraints = CA:FALSE
+		_ku='digitalSignature, keyEncipherment'
+		if [ "$EASYRSA_KU_CRITICAL" ]; then
+			_ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+		fi
+
+		_bc='CA:FALSE'
+		if [ "$EASYRSA_BC_CRITICAL" ]; then
+			_bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+		fi
+
+		cat <<- CREATE_X509_TYPE_EASYRSA
+		basicConstraints = $_bc
 		subjectKeyIdentifier = hash
 		authorityKeyIdentifier = keyid,issuer:always
-		keyUsage = digitalSignature,keyEncipherment
+		keyUsage = $_ku
 		CREATE_X509_TYPE_EASYRSA
 	;;
 	serverClient)
@@ -5696,11 +5706,21 @@ create_legacy_stream() {
 	;;
 	ca)
 	# ca
-		cat <<- "CREATE_X509_TYPE_CA"
-		basicConstraints = CA:TRUE
+		_ku='cRLSign, keyCertSign'
+		if [ "$EASYRSA_KU_CRITICAL" ]; then
+			_ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+		fi
+
+		_bc='CA:TRUE'
+		if [ "$EASYRSA_BC_CRITICAL" ]; then
+			_bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+		fi
+
+		cat <<- CREATE_X509_TYPE_CA
+		basicConstraints = $_bc
 		subjectKeyIdentifier = hash
 		authorityKeyIdentifier = keyid:always,issuer:always
-		keyUsage = cRLSign, keyCertSign
+		keyUsage = $_ku
 		CREATE_X509_TYPE_CA
 	;;
 	codeSigning)
@@ -6056,6 +6076,9 @@ CREATE_SSL_CONFIG
 	*)
 		die "create_legacy_stream: unknown type '$1'"
 	esac
+
+	# Cleanup
+	unset -v _ku _bc
 } # => create_legacy_stream()
 
 # Version information
@@ -6283,6 +6306,14 @@ subjectAltName = $val"
 	--usefn)
 		export EASYRSA_P12_FR_NAME="$val"
 		;;
+	--ku-crit*)
+		empty_ok=1
+		export EASYRSA_KU_CRITICAL=critical
+		;;
+	--bc-crit*)
+		empty_ok=1
+		export EASYRSA_BC_CRITICAL=critical
+		;;
 	--version)
 		shift "$#"
 		set -- "$@" "version"