From f86fa8857cb78ddaf7dc9ed7a1515dddc361924d Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 14 Jan 2024 00:53:58 +0000
Subject: [PATCH] Introduce new global options: --ku-critical and --bc-critical

These option allow X509 'critical' attributes to be used.

--ku-critical (--ku-crit): Configure 'keyUsage' to set 'critical' attribute.
--bc-critical (--bc-crit): Configure 'basicContraints' to set 'critical' attribute.

Use of these options is left to the discretion of the the user task.

Supported certificate types does not include 'email', 'codeSigning' or 'kdc'.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 43 +++++++++++++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 6 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 254233637..32747aae4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5666,11 +5666,21 @@ create_legacy_stream() {
 ;;
 easyrsa)
 # This could be COMMON but not is not suitable for a CA
- cat <<- "CREATE_X509_TYPE_EASYRSA"
- basicConstraints = CA:FALSE
+ _ku='digitalSignature, keyEncipherment'
+ if [ "$EASYRSA_KU_CRITICAL" ]; then
+ _ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+ fi
+
+ _bc='CA:FALSE'
+ if [ "$EASYRSA_BC_CRITICAL" ]; then
+ _bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+ fi
+
+ cat <<- CREATE_X509_TYPE_EASYRSA
+ basicConstraints = $_bc
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
- keyUsage = digitalSignature,keyEncipherment
+ keyUsage = $_ku
 CREATE_X509_TYPE_EASYRSA
 ;;
 serverClient)
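Review bot: The guards `if [ "$EASYRSA_KU_CRITICAL" ]` and `if [ "$EASYRSA_BC_CRITICAL" ]` accept any non-empty value yet splice that value itself into the keyUsage and basicConstraints lines, so if either exported variable is seeded from the environment or a vars file with something other than `critical` (say `yes`, as other EASYRSA_* variables presumably can be), OpenSSL is handed `keyUsage = yes, digitalSignature, keyEncipherment` and fails at signing time with an opaque config error; only the `--ku-crit*`/`--bc-crit*` cases in this patch write the literal `critical`. Because the heredoc delimiter also changed from `"CREATE_X509_TYPE_EASYRSA"` to the unquoted form, whatever reaches `$_ku`/`$_bc` is expanded verbatim into the X.509 config stream. Treat the variables as booleans and emit the literal yourself, `_ku="critical, ${_ku}"` and `_bc="critical, ${_bc}"`, or `die` on any value other than `critical`. create_legacy_stream's body begins before and continues after this hunk.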
@@ -5696,11 +5706,21 @@ create_legacy_stream() {
 ;;
 ca)
 # ca
- cat <<- "CREATE_X509_TYPE_CA"
- basicConstraints = CA:TRUE
+ _ku='cRLSign, keyCertSign'
+ if [ "$EASYRSA_KU_CRITICAL" ]; then
+ _ku="${EASYRSA_KU_CRITICAL}, ${_ku}"
+ fi
+
+ _bc='CA:TRUE'
+ if [ "$EASYRSA_BC_CRITICAL" ]; then
+ _bc="${EASYRSA_BC_CRITICAL}, ${_bc}"
+ fi
+
+ cat <<- CREATE_X509_TYPE_CA
+ basicConstraints = $_bc
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid:always,issuer:always
- keyUsage = cRLSign, keyCertSign
+ keyUsage = $_ku
 CREATE_X509_TYPE_CA
 ;;
 codeSigning)
@@ -6056,6 +6076,9 @@ CREATE_SSL_CONFIG
 *) die "create_legacy_stream: unknown type '$1'"
 esac
+
+ # Cleanup
+ unset -v _ku _bc
 } # => create_legacy_stream()
 # Version information
@@ -6283,6 +6306,14 @@ subjectAltName = $val"
 --usefn)
 export EASYRSA_P12_FR_NAME="$val"
 ;;
+ --ku-crit*)
+ empty_ok=1
+ export EASYRSA_KU_CRITICAL=critical
+ ;;
+ --bc-crit*)
+ empty_ok=1
+ export EASYRSA_BC_CRITICAL=critical
+ ;;
 --version)
 shift "$#"
 set -- "$@" "version"
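Review bot: In the `ca)` branch the critical flag on basicConstraints remains opt-in, but RFC 5280 §4.2.1.9 requires conforming CAs to mark basicConstraints critical in CA certificates (and §4.2.1.3 says keyUsage SHOULD be critical), so the default CA certificate this branch emits stays non-conformant unless the operator knows to pass --bc-critical. Consider seeding `_bc='critical, CA:TRUE'` unconditionally here, or, if the legacy non-critical encoding must stay the default for existing deployments, state in the option help text that --bc-critical and --ku-critical are the RFC-conformant choice for a CA. The `_ku`/`_bc` prefixing is a verbatim copy of the easyrsa branch's; a small shared helper would keep the two from drifting. create_legacy_stream's body begins before and continues after this hunk.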
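Review bot: The patterns `--ku-crit*)` and `--bc-crit*)` match any argument beginning with that prefix, so a misspelling such as `--ku-critically` is accepted silently, and since `empty_ok=1` only makes an empty value acceptable, nothing in these branches rejects a supplied one — if the parser splits `opt=val` before reaching this case (the surrounding code is outside the hunk), `--ku-critical=no` would presumably still enable the critical attribute. Spell out the two accepted forms, `--ku-crit|--ku-critical)` and `--bc-crit|--bc-critical)`, and `die` if `$val` is non-empty. The enclosing option-parsing case starts before and ends after this hunk.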