From 823f70f8c15043c9d8f16e6743db88b0af58d16c Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 5 Aug 2024 22:33:38 +0100
Subject: [PATCH 01/31] Introduce inline_file(): Rewrite and simplify inlining routine
Signed-off-by: Richard T Bonhomme
---
easyrsa3/easyrsa | 92 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 92 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4c554a20..ccd1faaa 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2949,6 +2949,98 @@ INCOMPLETE Inline file created: return 0 } # => build_full() +# Generate inline file V2 +inline_file() { + [ "$1" ] || die "inline_file - Missing file_name_base" + + # Source files + crt_source="${EASYRSA_PKI}/issued/${1}.crt" + key_source="${EASYRSA_PKI}/private/${1}.key" + ca_source="${EASYRSA_PKI}/ca.crt" + + # output + inline_out="${EASYRSA_PKI}/inline/${1}.inline" + easyrsa_mkdir "${EASYRSA_PKI}/inline" + inline_incomplete= + + # Generate fingerprint + crt_fingerprint="$( + "$EASYRSA_OPENSSL" x509 -in "$crt_source" \ + -noout -sha256 -fingerprint + )" || die "inline_file - Failed -fingerprint" + # strip prefix + crt_fingerprint="${crt_fingerprint#*=}" + + # Generate Inline data + # Certificate + if [ -f "$crt_source" ]; then + crt_data="\ + +$(cat "$crt_source") +" + else + inline_incomplete=1 + crt_data="\ + +* Paste your user certificate here * +" + fi + + # Private key + if [ -e "$key_source" ]; then + key_data="\ + +$(cat "$key_source") +" + else + inline_incomplete=1 + key_data="\ + +* Paste your private key here * +" + fi + + # CA certificate + if [ -f "$ca_source" ]; then + ca_data="\ + +$(cat "$ca_source") +" + else + inline_incomplete=1 + ca_data="\ + +* Paste your CA certificate here * +" + fi + + # Print data + print "\ +# Easy-RSA Inline file +# Name: ${1} +# SHA256 fingerprint: +# $crt_fingerprint + +$crt_data + +$key_data + +$ca_data +" > "$inline_out" + + if [ "$inline_incomplete" ]; then + warn "\ +INCOMPLETE Inline file created: +* $inline_out" + else + notice "\ +Inline file created: +* $inline_out" + fi + + return 0 +} # => inline_file() + # Print inline data for file_name_base inline_creds() { [ "$1" ] || die "inline_creds - Missing file_name_base" From 6a0ebb86ad77d5741adfbfbe7167aed670b75422 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 5 Aug 2024 22:43:50 +0100 Subject: [PATCH 02/31] sign-req: Use inline_file() - build_full: Do not use inline_creds() 
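Review bot: The final write in inline_file(), `print "..." > "$inline_out"`, is unchecked, so when the redirect fails (read-only or full PKI directory, for example) the function still announces "Inline file created" and returns 0. Append `|| die "inline_file - Failed to write: $inline_out"` to that print. Because the file carries a copy of the private key, its mode should also not be left to whatever umask the caller has; unless the script sets a restrictive umask elsewhere (not visible in this hunk), set `umask 077` before the redirect rather than tightening the mode afterwards.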
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ccd1faaa..6180628d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2784,6 +2784,9 @@ Signing failed (openssl output above may have more detail)" Certificate created at: * $crt_out" + # inline file + inline_file "$file_name_base" + return 0 } # => sign_req() @@ -2935,17 +2938,6 @@ See error messages above for details." fi verbose "build_full: END sign_req" - # inline it - if inline_creds "$name" > "$inline_out"; then - notice "\ -Inline file created: -* $inline_out" - else - warn "\ -INCOMPLETE Inline file created: -* $inline_out" - fi - return 0 } # => build_full() From b62986c7981d5f4ac02f71d7d0b73e325b0f1544 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 5 Aug 2024 22:45:27 +0100 Subject: [PATCH 03/31] Remove inline_creds(), replaced by inline_file() Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 108 ----------------------------------------------- 1 file changed, 108 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 6180628d..9cbd2ff7 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
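Review bot: Calling `inline_file "$file_name_base"` at the end of sign_req() makes every signing write an inline file, including the case where the request was imported and no key exists under private/. There inline_file() (PATCH 01) takes its placeholder branch and emits the "INCOMPLETE Inline file created" warning on an otherwise successful signing. For locally generated keys it also leaves a second on-disk copy of the private key under inline/ as a side effect of signing. If both are intended, say so at the call site, e.g. `# inline file: incomplete (no key) is expected for imported requests`. sign_req's body starts outside this hunk.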
@@ -3033,114 +3033,6 @@ Inline file created: return 0 } # => inline_file() -# Print inline data for file_name_base -inline_creds() { - [ "$1" ] || die "inline_creds - Missing file_name_base" - - # Source files - crt_source="${EASYRSA_PKI}/issued/${1}.crt" - key_source="${EASYRSA_PKI}/private/${1}.key" - ca_source="$EASYRSA_PKI/ca.crt" - incomplete=0 - - # Generate data - if [ -e "$crt_source" ]; then - # Get EasyRSA cert type, ignore error - type_data= - ssl_cert_x509v3_eku "$crt_source" type_data || : - - # Check for self-signed cert - if "$EASYRSA_OPENSSL" x509 -in "$crt_source" \ - -noout -text | grep -q 'CA:TRUE' - then - # If called by command 'inline' then generate FP - if [ -z "$selfsign_eku" ]; then - # build a self-signed inline file - selfsign_eku=1 - - # Generate fingerprint for inline file - crt_fingerprint="$( - "$EASYRSA_OPENSSL" x509 -in "$crt_source" \ - -noout -sha256 -fingerprint - )" || die "self_sign - Failed -fingerprint" - # strip prefix - crt_fingerprint="${crt_fingerprint#*=}" - fi - else - selfsign_details= - fi - - # self-signed details - if [ "$selfsign_eku" ]; then - selfsign_details="\ -# SELF-SIGNED -# SHA256 fingerprint: -# $crt_fingerprint" - fi - - # Certificate - crt_data="\ - -$(cat "$crt_source") -" - else - # Set EasyRSA cert type to 'undefined' - type_data=undefined - incomplete=1 - crt_data="\ - -* Paste your user certificate here * -" - fi - - # Private key - if [ -e "$key_source" ]; then - key_data="\ - -$(cat "$key_source") -" - else - incomplete=1 - key_data="\ - -* Paste your private key here * -" - fi - - # CA certificate - if [ "$selfsign_eku" ]; then - ca_data="# Self-signed certificate, CA is not required." 
- else - if [ -e "$ca_source" ]; then - ca_data="\ - -$(cat "$ca_source") -" - else - incomplete=1 - ca_data="\ - -* Paste your CA certificate here * -" - fi - fi - - # Print data - print "\ -# Easy-RSA Type: $type_data -# Name: $1 -$selfsign_details - -$crt_data - -$key_data - -$ca_data -" - # If inline file is incomplete then return error - return "$incomplete" -} # => inline_creds() - # revoke backend revoke() { # pull filename base: From de0c796f6bdcef8432a9da76f18357d321c58d58 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 5 Aug 2024 22:46:41 +0100 Subject: [PATCH 04/31] Select inline_file() for command 'inline' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9cbd2ff7..ee0afaeb 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5859,7 +5859,7 @@ case "$cmd" in ;; inline) verify_working_env - inline_creds "$@" || \ + inline_file "$@" || \ easyrsa_exit_with_error=1 ;; export-p12) From 17a759b7f1f5d6766344b5054e382e955cb3f6c4 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 5 Aug 2024 22:55:56 +0100 Subject: [PATCH 05/31] inline: Disable EASYRSA_SILENT, no longer required Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ee0afaeb..b2583a7c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5715,8 +5715,7 @@ case "$cmd" in : # ok ;; inline) - unset -v EASYRSA_VERBOSE - EASYRSA_SILENT=1 + : # ok ;; self-sign-*) : # ok From 6f366e6683f93dc6405f9d45d640220f3886718a Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 01:09:39 +0100 Subject: [PATCH 06/31] inline_file(): Provide full header details Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) 
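Review bot: In the `inline)` case the `|| easyrsa_exit_with_error=1` branch can no longer trigger, because inline_file() as added in PATCH 01 ends with an unconditional `return 0` (or exits through die), whereas the removed inline_creds() returned `$incomplete`. An incomplete inline file therefore now gives exit status 0 from the `inline` command. Either return non-zero from inline_file() when `$inline_incomplete` is set, after checking that the sign_req() and self_sign() callers tolerate it, or drop the dead `||` branch. Note also that `"$@"` forwards every argument while inline_file() reads only `$1`, so extra names are silently ignored.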
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b2583a7c..3711c839 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2955,14 +2955,6 @@ inline_file() { easyrsa_mkdir "${EASYRSA_PKI}/inline" inline_incomplete= - # Generate fingerprint - crt_fingerprint="$( - "$EASYRSA_OPENSSL" x509 -in "$crt_source" \ - -noout -sha256 -fingerprint - )" || die "inline_file - Failed -fingerprint" - # strip prefix - crt_fingerprint="${crt_fingerprint#*=}" - # Generate Inline data # Certificate if [ -f "$crt_source" ]; then @@ -2970,12 +2962,37 @@ inline_file() { $(cat "$crt_source") " + + # Generate fingerprint + crt_fingerprint="$( + "$EASYRSA_OPENSSL" x509 -in "$crt_source" \ + -noout -sha256 -fingerprint + )" || die "inline_file - Failed -fingerprint" + # strip prefix + crt_fingerprint="${crt_fingerprint#*=}" + + # Certificate type + if [ -z "$crt_type" ]; then + ssl_cert_x509v3_eku "$crt_source" crt_type || \ + die "inline_file: Failed to set crt_type" + fi + + # commonName + crt_CN="$( + display_dn x509 "$crt_source" | grep 'commonName' + )" || die "inline_file: Failed to set crt_CN" + # strip prefix + crt_CN="${crt_CN#*= }" else inline_incomplete=1 crt_data="\ * Paste your user certificate here * " + + crt_fingerprint=unknown + crt_type=unknown + crt_CN=unknown fi # Private key @@ -3009,7 +3026,8 @@ $(cat "$ca_source") # Print data print "\ # Easy-RSA Inline file -# Name: ${1} +# Certificate type: $crt_type +# commonName: $crt_CN # SHA256 fingerprint: # $crt_fingerprint From 853f1724f1815a436d4116d54467e38c90663ede Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 01:14:52 +0100 Subject: [PATCH 07/31] ChangeLog: Move auto-inline from build_full() to sign_req() Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index c1cc7091..9107cbfb 100644 --- a/ChangeLog +++ b/ChangeLog 
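Review bot: The commonName lookup `display_dn x509 "$crt_source" | grep 'commonName'` followed by `|| die` aborts inline_file() for any certificate whose subject has no commonName; since sign_req() calls inline_file() after the certificate has been written, that would turn a successful signing into a fatal error if the PKI ever issues such certificates. grep can also return more than one line when another subject field contains that text, and only the first prefix is stripped. Falling back is safer than dying for a header comment: `crt_CN="$(display_dn x509 "$crt_source" | grep 'commonName')" || crt_CN=unknown`. Separately, `[ -z "$crt_type" ]` reads a global that this function never clears, so a value left by an earlier caller or inherited from the environment is written into the header without being checked against the certificate.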
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.1 (TBD) + * inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201) * gen-crl: Create additional CRL in DER format (69df0d8) (#1198) * self-sign: Allow Edwards Curve based keys (81b749b) (#1197) * Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311) (#1195) From 52022d9cdcd35bebb1f6ae2396216f040c26070b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 01:31:34 +0100 Subject: [PATCH 08/31] Inline self-sign certificate: Use new inline_file() function Requires ssl_cert_x509v3_eku(): Check for self signed certificate. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3711c839..0b576ce8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1904,9 +1904,11 @@ self_sign() { case "$1" in server) selfsign_eku=serverAuth + crt_type=self-signed-server ;; client) selfsign_eku=clientAuth + crt_type=self-signed-client ;; *) die "self_sign: Unknown EKU '$1'" @@ -2083,15 +2085,6 @@ self-sign: Use ALGO:'$EASYRSA_ALGO' / CURVE:'$EASYRSA_CURVE'" die "Failed to move new key/cert files." fi - # Generate fingerprint for inline file - crt_fingerprint="$( - "$EASYRSA_OPENSSL" x509 -in "$crt_out" -noout \ - -sha256 -fingerprint - )" || die "self_sign - Failed -fingerprint" - - # strip fingerprint prefix - crt_fingerprint="${crt_fingerprint#*=}" - # User info notice "\ Self-signed '$EASYRSA_ALGO/$EASYRSA_CURVE' \ @@ -2103,15 +2096,7 @@ SHA256 fingerprint (See inline file below): * $crt_fingerprint" # inline key/cert/fingerprint - if inline_creds "$file_name_base" > "$inline_out"; then - notice "\ -Inline file created: -* $inline_out" - else - warn "\ -INCOMPLETE Inline file created: -* $inline_out" - fi + inline_file "$file_name_base" } # => self_sign() # gen-dh backend: 
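Review bot: In self_sign() the user notice still prints `* $crt_fingerprint` under "SHA256 fingerprint (See inline file below)", but this commit removes the block that computed it, and inline_file(), which now sets crt_fingerprint, is only called after the notice. As written the notice would show an empty or stale value, and that is the value an operator is likely to copy when pinning the self-signed certificate. Move `inline_file "$file_name_base"` above the notice, or keep the fingerprint computation in self_sign(). The notice text itself begins outside these hunks.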
@@ -4078,11 +4063,11 @@ ssl_cert_x509v3_eku() { [ "$1" ] || die "ssl_cert_x509v3_eku - Missing input" # check input file name - if [ -e "$1" ]; then + if [ -f "$1" ]; then __crt="$1" else __crt="${EASYRSA_PKI}/issued/${1}.crt" - [ -e "$__crt" ] || \ + [ -f "$__crt" ] || \ die "ssl_cert_x509v3_eku - Missing cert '$__crt'" fi @@ -4137,6 +4122,13 @@ ssl_cert_x509v3_eku() { __type="'$__eku'" esac + # Check for self-sign + if "$EASYRSA_OPENSSL" x509 -in "$__crt" -noout -text | \ + grep -q 'CA:TRUE' + then + __type="self-signed-$__type" + fi + # Set variable to return if [ "$__var" ]; then verbose "ssl_cert_x509v3_eku - EKU: $__type" From 6833d83396f7a53fa823e89125b1c494673e25c5 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 01:56:01 +0100 Subject: [PATCH 09/31] inline: Update help Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0b576ce8..04bfc71e 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -204,10 +204,7 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" text=" * inline - Print inline data for , with key and CA. - - * NOTE: To create an inline-file the output must be redirected. - If the output is incomplete then an error is returned." + Create inline file for ." ;; revoke*) text=" From 6ab98c9f6b4d929e1450b918482f40705eaf2fed Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 09:35:12 +0100 Subject: [PATCH 10/31] revoke_move(): Simplify and use '-f' for file existence check Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 04bfc71e..73f0568c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
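Review bot: In ssl_cert_x509v3_eku() the added `grep -q 'CA:TRUE'` tests the basicConstraints CA flag, not whether the certificate is self-signed. Any certificate carrying CA:TRUE, such as an intermediate CA signed by this PKI, would be labelled `self-signed-...`, and a self-signed certificate without the flag would not be. Comparing the `x509 -noout -issuer` and `x509 -noout -subject` values (after stripping the `issuer=` / `subject=` prefixes) is a closer test of the intent. The pipeline also hides an openssl failure: if `x509 -text` fails, grep simply finds nothing and the certificate is treated as not self-signed. The function body starts and ends outside this hunk.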
@@ -3255,17 +3255,14 @@ certificate from being accepted." # moves revoked certificates to the 'revoked' folder # allows reissuing certificates with the same name revoke_move() { - parent_dir="$EASYRSA_PKI"/revoked - easyrsa_mkdir "$parent_dir" - for i in reqs_by_serial certs_by_serial private_by_serial - do - easyrsa_mkdir "${parent_dir}/$i" - done - parent_dir= + easyrsa_mkdir "$EASYRSA_PKI"/revoked + easyrsa_mkdir "$EASYRSA_PKI"/revoked/reqs_by_serial + easyrsa_mkdir "$EASYRSA_PKI"/revoked/certs_by_serial + easyrsa_mkdir "$EASYRSA_PKI"/revoked/private_by_serial # only move the req when revoking an issued cert # and if we have the req - if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + if [ "$move_req_and_key" ] && [ -f "$req_in" ]; then mv "$req_in" "$req_out" || warn "Failed to move: $req_in" fi @@ -3274,19 +3271,19 @@ revoke_move() { # only move the key when revoking an issued cert # and if we have the key - if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then + if [ "$move_req_and_key" ] && [ -f "$key_in" ]; then mv "$key_in" "$key_out" || warn "Failed to move: $key_in" fi # remove any pkcs files for pkcs in p12 p7b p8 p1; do - if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then + if [ -f "$in_dir/issued/$file_name_base.$pkcs" ]; then # issued rm "$in_dir/issued/$file_name_base.$pkcs" || warn "Failed to remove: $file_name_base.$pkcs" fi - if [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then + if [ -f "$in_dir/private/$file_name_base.$pkcs" ]; then # private rm "$in_dir/private/$file_name_base.$pkcs" || warn "Failed to remove: $file_name_base.$pkcs" @@ -3294,14 +3291,14 @@ revoke_move() { done # remove credentials file - if [ -e "$creds_in" ]; then + if [ -f "$creds_in" ]; then rm "$creds_in" || warn "\ Failed to remove credentials file: * $creds_in" fi # remove inline file - if [ -e "$inline_in" ]; then + if [ -f "$inline_in" ]; then rm "$inline_in" || warn "\ Failed to remove inline file: * $inline_in" 
From b71028dd9be04ba6c3f5b123bcd5a023575ff343 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 09:44:24 +0100 Subject: [PATCH 11/31] expire_cert(): Use '-f' for file existence check Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 73f0568c..f5a3bc90 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3334,7 +3334,7 @@ Run easyrsa without commands for usage and command help." easyrsa_mkdir "$EASYRSA_PKI"/expired # Do not over write existing cert - if [ -e "$crt_out" ]; then + if [ -f "$crt_out" ]; then user_error "\ Existing file must be revoked: * $crt_out" From 321a2c0c58c0439e61043f529e57e5c4520e210e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:10:29 +0100 Subject: [PATCH 12/31] locate_support_files(): Use '-d' and '-f' for dir/file existence check Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f5a3bc90..08e39960 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1467,17 +1467,17 @@ locate_support_files() { # EOL do # Find x509-types - if [ -e "${area}/${x509_types_dir}" ]; then + if [ -d "${area}/${x509_types_dir}" ]; then set_var EASYRSA_EXT_DIR "${area}/${x509_types_dir}" fi # Find openssl-easyrsa.cnf - if [ -e "${area}/${ssl_cnf_file}" ]; then + if [ -f "${area}/${ssl_cnf_file}" ]; then set_var EASYRSA_SSL_CONF "${area}/${ssl_cnf_file}" fi # Find easyrsa-tools.lib - if [ -e "${area}/${easyrsa_tools}" ]; then + if [ -f "${area}/${easyrsa_tools}" ]; then set_var EASYRSA_TOOLS_LIB "${area}/${easyrsa_tools}" fi done From 42feab39643bd887093c9a2e3ece7af5122a2459 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:18:19 +0100 Subject: [PATCH 13/31] build_ca(): Simplify use of easyrsa_mkdir 
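Review bot: For guards that protect against overwriting, `-f` is weaker than the `-e` it replaces. In expire_cert(), `[ -f "$crt_out" ]` no longer stops when the path exists as something other than a regular file (a directory, FIFO or device node), so the later write or mv proceeds against it. The same applies to the "must NOT exist" checks changed in self_sign() (PATCH 14), sign_req() (16), build_full() (17), revoke() (19) and import_req() (20), and to the collision checks in easyrsa_mktemp() (27). Keep `-e` where the question is whether the name is taken and use `-f` only where the code goes on to read the file; PATCH 28 already documents that distinction for cleanup() with `# Use '-e' for directory or file name`. expire_cert's body continues outside the hunk.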
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 08e39960..f0d3919f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1608,13 +1608,10 @@ current CA. To start a new CA, run init-pki first." err_msg="\ Unable to create necessary PKI files (permissions?)" - for i in certs_by_serial \ - revoked \ - revoked/certs_by_serial \ - revoked/private_by_serial - do - easyrsa_mkdir "${EASYRSA_PKI}/$i" - done + easyrsa_mkdir "${EASYRSA_PKI}"/certs_by_serial + easyrsa_mkdir "${EASYRSA_PKI}"/revoked + easyrsa_mkdir "${EASYRSA_PKI}"/revoked/certs_by_serial + easyrsa_mkdir "${EASYRSA_PKI}"/revoked/private_by_serial # create necessary files: printf "" > \ From 1c53ca0c2528b51dea6cfbee25f032d61bd64947 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:20:16 +0100 Subject: [PATCH 14/31] self_sign(): Simplify and use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f0d3919f..1a02e90d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1955,13 +1955,13 @@ Option conflict --req-cn: inline_out="$EASYRSA_PKI/inline/${file_name_base}.inline" # key file must NOT exist - [ ! -e "$key_out" ] || user_error "\ + [ -f "$key_out" ] && user_error "\ Cannot self-sign this request for '$file_name_base'. Conflicting key exists at: * $key_out" # Certificate file must NOT exist - [ ! -e "$crt_out" ] || user_error "\ + [ -f "$crt_out" ] && user_error "\ Cannot self-sign this request for '$file_name_base'. Conflicting certificate exists at: * $crt_out" From 24dcd554c58a3bc4c3813991a2874a8520865be1 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:23:34 +0100 Subject: [PATCH 15/31] gen_dh(): Use '-f' for file existence and correct indentation 
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 1a02e90d..4cc76280 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2098,7 +2098,7 @@ gen_dh() { out_file="$EASYRSA_PKI/dh.pem" # check to see if we already have a dh parameters file - if [ -e "$out_file" ]; then + if [ -f "$out_file" ]; then if [ "$EASYRSA_BATCH" ]; then # if batch is enabled, die user_error "\ @@ -2119,14 +2119,12 @@ at: $out_file" die "gen_dh - easyrsa_mktemp tmp_dh_file" # Generate dh.pem - easyrsa_openssl dhparam -out "$tmp_dh_file" \ - "$EASYRSA_KEY_SIZE" || \ - die "Failed to generate DH params" + easyrsa_openssl dhparam -out "$tmp_dh_file" \ + "$EASYRSA_KEY_SIZE" || die "Failed to generate DH params" # Validate dh.pem - easyrsa_openssl dhparam -in "$tmp_dh_file" \ - -check -noout || \ - die "Failed to validate DH params" + easyrsa_openssl dhparam -in "$tmp_dh_file" \ + -check -noout || die "Failed to validate DH params" # Move temp-files to target-files mv "$tmp_dh_file" "$out_file" || mv_temp_error=1 From 9f6cf24373a48b4fc2f8ddcb86366d6515c9e560 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:27:13 +0100 Subject: [PATCH 16/31] sign_req(): Simplify and use '-f' for file exitence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4cc76280..4b615a02 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2381,7 +2381,7 @@ Expected to find the request at: * $req_in" # Certificate file must NOT exist - [ ! -e "$crt_out" ] || user_error "\ + [ -f "$crt_out" ] && user_error "\ Cannot sign this request for '$file_name_base'. Conflicting certificate exists at: * $crt_out" From 41e87dde2e428af1bd8961ab294a2ecba3227ada Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:30:08 +0100 Subject: [PATCH 17/31] build_full(): Use '-f' for file existence and drop existing inline check Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 18 +++--------------- 1 file changed, 3 insertions(+), 15 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4b615a02..a3369fbd 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2865,26 +2865,14 @@ file already exists. Aborting build to avoid overwriting this file. If you wish to continue, please use a different name. Conflicting file found at: *" - [ -e "$req_out" ] && \ + [ -f "$req_out" ] && \ user_error "Request $err_exists $req_out" - [ -e "$key_out" ] && \ + [ -f "$key_out" ] && \ user_error "Key $err_exists $key_out" - [ -e "$crt_out" ] && \ + [ -f "$crt_out" ] && \ user_error "Certificate $err_exists $crt_out" unset -v err_exists - # Make inline directory - easyrsa_mkdir "$EASYRSA_PKI"/inline - - # Confirm over write inline file - inline_out="$EASYRSA_PKI/inline/$name.inline" - [ -e "$inline_out" ] && \ - confirm "Confirm OVER-WRITE existing inline file ? " y "\ -Warning! - -An inline file for name '$name' already exists: -* $inline_out" - # create request verbose "build_full: BEGIN gen_req" gen_req "$name" batch From 8882eba8820e8aa2250e5602f03d0358fddc14f8 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:32:16 +0100 Subject: [PATCH 18/31] inline_file(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a3369fbd..21e2c42f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2961,7 +2961,7 @@ $(cat "$crt_source") fi # Private key - if [ -e "$key_source" ]; then + if [ -f "$key_source" ]; then key_data="\ $(cat "$key_source") From 86f12083ce8a2ca4d4fa0c7d07d51b53d30dd16b Mon Sep 17 00:00:00 2001 
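Review bot: Removing the "Confirm OVER-WRITE existing inline file" prompt from build_full() leaves no overwrite guard for inline files, because inline_file() (PATCH 01) writes with `> "$inline_out"` unconditionally. An existing NAME.inline, possibly hand-completed with a pasted key, is now truncated silently by sign_req(), self_sign() and the `inline` command. If silent replacement is the intended behaviour, document it on inline_file(), e.g. `# NOTE: overwrites any existing inline file for this name`, and mention it in the `inline` help text. build_full's body starts and ends outside this hunk.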
From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:37:11 +0100 Subject: [PATCH 19/31] revoke(): Use '-f' for file existence and remove excess '{}' braces Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 21e2c42f..b1e42460 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3065,7 +3065,7 @@ Unexpected reason: '$crl_reason'. See 'help revoke' for valid reasons." fi # referenced cert must exist: - [ -e "$crt_in" ] || user_error "\ + [ -f "$crt_in" ] || user_error "\ Unable to revoke as no certificate was found. Certificate was expected at: * $crt_in" @@ -3077,18 +3077,18 @@ Certificate was expected at: * $crt_in" # Check for misuse of revoke when revoke-* is intended - case "${cert_dir}" in + case "$cert_dir" in issued) # expired cert exp_exist="${in_dir}/expired/${file_name_base}.crt" - if [ -f "${exp_exist}" ]; then + if [ -f "$exp_exist" ]; then exp_endd="$( - "$EASYRSA_OPENSSL" x509 -in "${exp_exist}" -noout \ + "$EASYRSA_OPENSSL" x509 -in "$exp_exist" -noout \ -enddate -serial)" || die "revoke - expire -enddate" # shellcheck disable=SC2295 # Expansions inside ${..} exp_confirm=" Expired certificate: -* ${exp_exist} +* $exp_exist Expiry: ${exp_endd%%${NL}serial=*} Serial: ${exp_endd##*serial=} Use command 'revoke-expired' to revoke this certificate." 
@@ -3098,14 +3098,14 @@ Expired certificate: # renewed cert ren_exist="${in_dir}/renewed/${file_name_base}.crt" - if [ -f "${ren_exist}" ]; then + if [ -f "$ren_exist" ]; then ren_endd="$( - "$EASYRSA_OPENSSL" x509 -in "${ren_exist}" -noout \ + "$EASYRSA_OPENSSL" x509 -in "$ren_exist" -noout \ -enddate -serial)" || die "revoke - renew -enddate" # shellcheck disable=SC2295 # Expansions inside ${..} ren_confirm=" Renewed certificate: -* ${ren_exist} +* $ren_exist Expiry: ${ren_endd%%${NL}serial=*} Serial: ${ren_endd##*serial=} Use command 'revoke-renewed' to revoke this certificate." @@ -3115,18 +3115,18 @@ Renewed certificate: # issued cert crt_endd="$( - "$EASYRSA_OPENSSL" x509 -in "${crt_in}" -noout \ + "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout \ -enddate -serial)" || die "revoke - expire -enddate" # Confirm intended use of 'revoke' - if [ "${exp_exist}" ] || [ "${ren_exist}" ]; then + if [ "$exp_exist" ] || [ "$ren_exist" ]; then warn "The following certificate(s) exist: ${exp_exist:+${exp_confirm}${NL}}${ren_exist:+${ren_confirm}${NL}}" # shellcheck disable=SC2295 # Expansions inside ${..} confirm " Confirm intended use of 'revoke' ? " yes "\ Please confirm your intended use of 'revoke' for the following issued certificate:${NL} -* ${crt_in} +* $crt_in Expiry: ${crt_endd%%${NL}serial=*} Serial: ${crt_endd##*serial=}" fi @@ -3143,7 +3143,7 @@ issued certificate:${NL} esac # Verify request - if [ -e "$req_in" ]; then + if [ -f "$req_in" ]; then verify_file req "$req_in" || user_error "\ Unable to verify request. The file is not a valid request. Request was expected at: 
@@ -3165,11 +3165,11 @@ Request was expected at: deny_msg="\ Cannot revoke this certificate, a conflicting file exists. *" - [ -e "$crt_out" ] && \ + [ -f "$crt_out" ] && \ user_error "$deny_msg certificate: $crt_out" - [ -e "$key_out" ] && \ + [ -f "$key_out" ] && \ user_error "$deny_msg private key: $key_out" - [ -e "$req_out" ] && \ + [ -f "$req_out" ] && \ user_error "$deny_msg request : $req_out" unset -v deny_msg From 9dddda97db4408eb6a68e7f177ec8469e1d7dc7c Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:39:43 +0100 Subject: [PATCH 20/31] import_req(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b1e42460..62878ba6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3449,7 +3449,7 @@ Unable to import: incorrect command syntax. Run easyrsa without commands for usage and command help." # Request file must exist - [ -e "$in_req" ] || user_error "\ + [ -f "$in_req" ] || user_error "\ No request found for the input: '$2' Expected to find the request at: * $in_req" @@ -3459,7 +3459,7 @@ The certificate request file is not in a valid X509 format: * $in_req" # destination must not exist - [ -e "$out_req" ] && user_error "\ + [ -f "$out_req" ] && user_error "\ Please choose a different name for your imported request file. Conflicting file already exists at: * $out_req" From 962c68f1887f56f32b8cbbc4835ae8e6d9c9a397 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:47:48 +0100 Subject: [PATCH 21/31] set_pass(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 62878ba6..a1857183 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -3794,7 +3794,7 @@ Missing argument: no name/file supplied." unset -v cipher fi - [ -e "$file" ] || user_error "\ + [ -f "$file" ] || user_error "\ Missing private key: expected to find the private key file at: * $file" From 272200f4f1f20e4267c9f9bdc4e2cab5ab6ada6e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:53:19 +0100 Subject: [PATCH 22/31] export_pkcs(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a1857183..985b0612 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3175,12 +3175,12 @@ Cannot revoke this certificate, a conflicting file exists. # Check for key and request files unset -v if_exist_key_in if_exist_req_in - if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then + if [ "$move_req_and_key" ] && [ -f "$key_in" ]; then if_exist_key_in=" * $key_in" fi - if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + if [ "$move_req_and_key" ] && [ -f "$req_in" ]; then if_exist_req_in=" * $req_in" fi @@ -3589,7 +3589,7 @@ but the CA Certificate will not be included." # Check for key, if required if [ "$want_key" ]; then - if [ -e "$key_in" ]; then + if [ -f "$key_in" ]; then : #ok else case "$pkcs_type" in @@ -3624,7 +3624,7 @@ Missing Private Key, expected at: fi # Check for certificate, if required - if [ -e "$crt_in" ]; then + if [ -f "$crt_in" ]; then : # ok else case "$pkcs_type" in From 54866a1600df43d4c23b8369542a0cd4002157e7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:54:57 +0100 Subject: [PATCH 23/31] verify_cert(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 985b0612..40104aa5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -3878,7 +3878,7 @@ Run easyrsa without commands for usage and command help." crt_in="$in_dir/issued/$file_name_base.crt" # Cert file must exist - [ -e "$crt_in" ] || user_error "\ + [ -f "$crt_in" ] || user_error "\ No certificate found for the input: * '$crt_in'" From 45b42fd10bed4b060ad04326df750bd21888c9de Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:56:08 +0100 Subject: [PATCH 24/31] show() and show_ca(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 40104aa5..2eef82b4 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3978,7 +3978,7 @@ Run easyrsa without commands for usage help." esac # Verify file exists and is of the correct type - [ -e "$in_file" ] || user_error "\ + [ -f "$in_file" ] || user_error "\ No such '$type' type file with a of '$name'. Expected to find this file at: * $in_file" @@ -4017,7 +4017,7 @@ show_ca() { format="x509" # Verify file exists and is of the correct type - [ -e "$in_file" ] || user_error "\ + [ -f "$in_file" ] || user_error "\ No such $type file with a basename of '$name' is present. Expected to find this file at: $in_file" From d9c93122713887399987175bd9a59eaef2eaa0f6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 10:58:57 +0100 Subject: [PATCH 25/31] select_vars() and source_vars(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 2eef82b4..3b7f860c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -4324,7 +4324,7 @@ select_vars() { # User specified PKI; if vars exists, use it ONLY if [ "$EASYRSA_PKI" ]; then - if [ -e "$EASYRSA_PKI/vars" ]; then + if [ -f "$EASYRSA_PKI/vars" ]; then verbose "select_vars: source EASYRSA_PKI/vars" set_var EASYRSA_VARS_FILE "$EASYRSA_PKI/vars" fi @@ -4332,14 +4332,14 @@ select_vars() { # User specified EASYRSA; if vars exists, use it ONLY if [ "$EASYRSA" ]; then - if [ -e "$EASYRSA/vars" ]; then + if [ -f "$EASYRSA/vars" ]; then verbose "select_vars: EASYRSA/vars" set_var EASYRSA_VARS_FILE "$EASYRSA/vars" fi fi # Default PKI; if vars exists, use it ONLY - if [ -e "$PWD/pki/vars" ] && \ + if [ -f "$PWD/pki/vars" ] && \ [ -z "$EASYRSA_PKI" ] && \ [ -z "$EASYRSA" ] then @@ -4363,7 +4363,7 @@ select_vars() { fi # Default working dir; if vars exists, use it ONLY - if [ -e "$PWD/vars" ]; then + if [ -f "$PWD/vars" ]; then verbose "select_vars: PWD/vars" set_var EASYRSA_VARS_FILE "$PWD/vars" fi @@ -4387,7 +4387,7 @@ Missing vars file: * $target_file" # 'vars' now MUST exist - [ -e "$target_file" ] || user_error "\ + [ -f "$target_file" ] || user_error "\ Missing vars file: * $target_file" From 12aaddac933055155568aa8b93be142d8e7f93c0 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 11:00:28 +0100 Subject: [PATCH 26/31] Command parser: Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3b7f860c..9743da8c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5896,7 +5896,7 @@ case "$cmd" in verify_working_env # easyrsa-tools.lib is required - if [ -e "$EASYRSA_TOOLS_LIB" ]; then + if [ -f "$EASYRSA_TOOLS_LIB" ]; then export EASYRSA_TOOLS_CALLER=1 # shellcheck disable=SC1090 # can't follow non-constant.. . "$EASYRSA_TOOLS_LIB" || \ From 4ad4ceffdab781b84cdd75091a3e3ec26c184c52 Mon Sep 17 00:00:00 2001 
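Review bot: In select_vars, a `vars` path that exists but is not a regular file is now skipped with no message, so selection can fall through to a later candidate such as `$PWD/vars`, even though each comment says "use it ONLY". The selected file is presumably sourced as shell code, so which candidate wins matters. A visible branch such as `elif [ -e "$EASYRSA_PKI/vars" ]; then warn "Ignored, not a regular file: $EASYRSA_PKI/vars"` (and likewise for the other candidates) would surface the case. Any conflict handling between candidates lies outside these hunks, so confirm how it treats a skipped path.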
From: Richard T Bonhomme Date: Tue, 6 Aug 2024 11:02:02 +0100 Subject: [PATCH 27/31] easyrsa_mktemp(): Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 9743da8c..0a6087b3 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -853,7 +853,7 @@ easyrsa_mktemp - Temporary session undefined (--tmp-dir)" # Create shotfile for ext_shot in x y z; do shotfile="${tmp_fname}.${ext_shot}" - if [ -e "$shotfile" ]; then + if [ -f "$shotfile" ]; then verbose "\ easyrsa_mktemp: shotfile EXISTS: $shotfile" continue @@ -872,7 +872,7 @@ easyrsa_mktemp: create shotfile failed (1) $1" [ "$EASYRSA_MAX_TEMP" -gt "$ext_try" ] || print "\ Max temp-file limit $ext_try, hit for: $1" >> "$easyrsa_err_log" - if [ -e "$want_tmp_file" ]; then + if [ -f "$want_tmp_file" ]; then verbose "\ easyrsa_mktemp: temp-file EXISTS: $want_tmp_file" continue From 7a0839b98f898d85566c6f4bffad6cb2bb6da1c7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 11:03:33 +0100 Subject: [PATCH 28/31] cleanup(): Add comment to explain use of '-e' for object existence Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 1 + 1 file changed, 1 insertion(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0a6087b3..7d3f9b94 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -947,6 +947,7 @@ cleanup() { if [ "$EASYRSA_KEEP_TEMP" ] then # skip on black-listed directory names, with a warning + # Use '-e' for directory or file name if [ -e "$EASYRSA_TEMP_DIR/$EASYRSA_KEEP_TEMP" ] then warn "\ From a2d57f57eb08606a3af79c4defa3de5478f565fe Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 11:05:28 +0100 Subject: [PATCH 29/31] init_pki(): Use '-d' for directory existence; sign_req(): Use '-f' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
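Review bot: In easyrsa_mktemp both tests check that a name is not already taken, and `-f` is weaker than `-e` for that: a directory, FIFO or socket at `$shotfile` or `$want_tmp_file` now counts as free. How the file is then created is outside these hunks, so the impact depends on whether that step is atomic. Keeping `[ -e "$shotfile" ]` and `[ -e "$want_tmp_file" ]` matches what the series does in cleanup(), and adding `|| [ -L "$shotfile" ]` would also catch dangling symlinks. The same reasoning applies to the `[ -f "$crt_out" ] && user_error` conflict check in dev/easyrsa-tools.lib, which asserts that the output path is unused.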
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7d3f9b94..e4281bcc 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1380,7 +1380,7 @@ init_pki() { esac # If EASYRSA_PKI exists, confirm before deletion - if [ -e "$EASYRSA_PKI" ]; then + if [ -d "$EASYRSA_PKI" ]; then confirm "Confirm removal: " "yes" " WARNING!!! @@ -2376,7 +2376,7 @@ must also be specified." Invalid certificate type: '$crt_type'" # Request file must exist - [ -e "$req_in" ] || user_error "\ + [ -f "$req_in" ] || user_error "\ No request found for the input: '$file_name_base' Expected to find the request at: * $req_in" From a02f5455d218f56228d5fdd4e340925248538320 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 11:13:36 +0100 Subject: [PATCH 30/31] easyrsa-tools.lib: Use '-f' for file existence Signed-off-by: Richard T Bonhomme --- dev/easyrsa-tools.lib | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 0d8a69f4..40d244a0 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib @@ -606,7 +606,7 @@ expire_status() { # The certificate for CN should exist but may not unset -v expire_status_cert_exists - if [ -e "$cert_issued" ]; then + if [ -f "$cert_issued" ]; then verbose "expire_status: cert exists" expire_status_cert_exists=1 @@ -829,13 +829,13 @@ renew_status() { cert_file_in cert_is_issued cert_is_serial renew_is_old # Find renewed/issued/CN - if [ -e "$cert_r_issued" ]; then + if [ -f "$cert_r_issued" ]; then cert_file_in="$cert_r_issued" cert_is_issued=1 fi # Find renewed/cert_by_serial/SN - if [ -e "$cert_r_by_sno" ]; then + if [ -f "$cert_r_by_sno" ]; then cert_file_in="$cert_r_by_sno" cert_is_serial=1 renew_is_old=1 @@ -969,7 +969,7 @@ Missing certificate file: fi # Verify request - if [ -e "$req_in" ]; then + if [ -f "$req_in" ]; then verify_file req "$req_in" || user_error "\ Input file is not a valid request: * $req_in" 
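Review bot: In init_pki, `[ -d "$EASYRSA_PKI" ]` skips the "Confirm removal" prompt when the path exists as a regular file or any other non-directory. What follows is outside the hunk, but if the removal or re-creation still runs, that object is either deleted without confirmation or makes the later directory creation fail with a less clear error. An explicit branch such as `elif [ -e "$EASYRSA_PKI" ]; then user_error "Not a directory: $EASYRSA_PKI"` would reject the case up front.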
@@ -1010,7 +1010,7 @@ Missing request file: deny_msg="\ Cannot renew this certificate, a conflicting file exists: *" - [ -e "$crt_out" ] && \ + [ -f "$crt_out" ] && \ user_error "$deny_msg certificate: $crt_out" unset -v deny_msg @@ -1179,14 +1179,14 @@ renew_move() { done # remove credentials file - if [ -e "$creds_in" ]; then + if [ -f "$creds_in" ]; then rm "$creds_in" || warn "\ Failed to remove credentials file: * $creds_in" fi # remove inline file - if [ -e "$inline_in" ]; then + if [ -f "$inline_in" ]; then rm "$inline_in" || warn "\ Failed to remove inline file: * $inline_in" From 219011070c4c699655b34712f086ce4adb3cd33e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 20:34:47 +0100 Subject: [PATCH 31/31] ChangeLog: Switch to '-f' for file existence Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 9107cbfb..5c228423 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.1 (TBD) + * Switch to '-f' for file existence (6ab98c9..a02f545) (#1201) * inline: Move auto-inline from build_full() to sign_req() (823f70f) (#1201) * gen-crl: Create additional CRL in DER format (69df0d8) (#1198) * self-sign: Allow Edwards Curve based keys (81b749b) (#1197)