Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package easy-rsa for openSUSE:Factory checked in at 2022-09-18 18:48:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/easy-rsa (Old)
 and      /work/SRC/openSUSE:Factory/.easy-rsa.new.2083 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "easy-rsa" Sun Sep 18 18:48:50 2022 rev:13 rq:1004440 version:3.1.0 Changes: -------- --- /work/SRC/openSUSE:Factory/easy-rsa/easy-rsa.changes 2022-07-26 19:45:43.955676233 +0200 +++ /work/SRC/openSUSE:Factory/.easy-rsa.new.2083/easy-rsa.changes 2022-09-18 18:48:50.646518583 +0200 @@ -1,0 +2,18 @@ +Mon Sep 5 16:23:46 UTC 2022 - Florian "spirit" <[email protected]> + +- Update to 3.1.0 (2022-05-18) + * Introduce basic support for OpenSSL version 3 (#492) + * Update regex in grep to be POSIX compliant (#556) + * Introduce status reporting tools (#555 & #557) + * Display certificates using UTF8 (#551) + * Allow certificates to be created with fixed date offset (#550) + * Add 'verify' to verify certificate against CA (#549) + * Add PKCS#12 alias 'friendlyName' (#544) + * Disallow use of '--vars=FILE init-pki' (#566) + * Support multiple IP-Addresses in SAN (#564) + * Add option '--renew-days=NN', custom renew grace period (#557) + * Add 'nopass' option to the 'export-pkcs' functions (#411) + * Add support for 'busybox' (#543) + * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22) + +------------------------------------------------------------------- Old: ---- EasyRSA-v3.0.9.tgz EasyRSA-v3.0.9.tgz.sig New: ---- EasyRSA-3.1.0.tgz EasyRSA-3.1.0.tgz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ easy-rsa.spec ++++++ --- /var/tmp/diff_new_pack.PEui7S/_old 2022-09-18 18:48:51.186520091 +0200 +++ /var/tmp/diff_new_pack.PEui7S/_new 2022-09-18 18:48:51.190520101 +0200 
@@ -20,14 +20,14 @@ %define pname EasyRSA Name: easy-rsa -Version: 3.0.9 +Version: 3.1.0 Release: 0 Summary: CLI utility to build and manage a PKI CA License: GPL-2.0-or-later Group: Productivity/Networking/Security URL: https://github.com/OpenVPN/easy-rsa -Source: https://github.com/OpenVPN/%{name}/releases/download/v%{version}/%{pname}-v%{version}.tgz -Source1: https://github.com/OpenVPN/%{name}/releases/download/v%{version}/%{pname}-v%{version}.tgz.sig +Source: https://github.com/OpenVPN/%{name}/releases/download/v%{version}/%{pname}-%{version}.tgz +Source1: https://github.com/OpenVPN/%{name}/releases/download/v%{version}/%{pname}-%{version}.tgz.sig # https://github.com/OpenVPN/easy-rsa/tree/master/release-keys Source2: %{name}.keyring Patch100: suse-packaging.patch @@ -40,7 +40,7 @@ certificates, including sub-CAs, and create Certificate Revokation Lists (CRL). %prep -%setup -q -n %{pname}-v%{version} +%setup -q -n %{pname}-%{version} %patch100 %build ++++++ EasyRSA-v3.0.9.tgz -> EasyRSA-3.1.0.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-v3.0.9/ChangeLog new/EasyRSA-3.1.0/ChangeLog --- old/EasyRSA-v3.0.9/ChangeLog 2022-05-18 15:04:38.000000000 +0200 +++ new/EasyRSA-3.1.0/ChangeLog 2022-05-19 03:53:50.000000000 +0200 
@@ -1,7 +1,19 @@ Easy-RSA 3 ChangeLog -3.1.0 (TBD) +3.1.0 (2022-05-18) * Introduce basic support for OpenSSL version 3 (#492) + * Update regex in grep to be POSIX compliant (#556) + * Introduce status reporting tools (#555 & #557) + * Display certificates using UTF8 (#551) + * Allow certificates to be created with fixed date offset (#550) + * Add 'verify' to verify certificate against CA (#549) + * Add PKCS#12 alias 'friendlyName' (#544) + * Disallow use of '--vars=FILE init-pki' (#566) + * Support multiple IP-Addresses in SAN (#564) + * Add option '--renew-days=NN', custom renew grace period (#557) + * Add 'nopass' option to the 'export-pkcs' functions (#411) + * Add support for 'busybox' (#543) + * Add option '--tmp-dir=DIR' to declare Temp-dir (Commit f503a22) 3.0.9 (2022-05-17) * Upgrade OpenSSL from 1.1.0j to 1.1.1o (#405, #407) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-v3.0.9/README.md new/EasyRSA-3.1.0/README.md --- old/EasyRSA-v3.0.9/README.md 2022-05-18 15:04:38.000000000 +0200 +++ new/EasyRSA-3.1.0/README.md 2022-05-19 03:53:50.000000000 +0200 @@ -39,8 +39,9 @@ The prior 2.x and 1.x versions are available as release branches for tracking and possible back-porting of relevant fixes. Branch layout is: - master <- 3.x, at present + master <- 3.1, at present v3.x.x pre-release branches, used for staging branches + release/3.0 v3.0.x bugfix/security/openssl updates release/2.x release/1.x diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-v3.0.9/easyrsa new/EasyRSA-3.1.0/easyrsa --- old/EasyRSA-v3.0.9/easyrsa 2022-05-18 15:04:38.000000000 +0200 +++ new/EasyRSA-3.1.0/easyrsa 2022-05-19 03:53:50.000000000 +0200 
@@ -34,16 +34,21 @@ sign-req <type> <filename_base> build-client-full <filename_base> [ cmd-opts ] build-server-full <filename_base> [ cmd-opts ] + build-serverClient-full <filename_base> [ cmd-opts ] revoke <filename_base> [cmd-opts] revoke-renewed <filename_base> [cmd-opts] renew <filename_base> [cmd-opts] - build-serverClient-full <filename_base> [ cmd-opts ] + renewable [ <filename_base> ] gen-crl update-db show-req <filename_base> [ cmd-opts ] show-cert <filename_base> [ cmd-opts ] show-ca [ cmd-opts ] show-crl + show-expire + show-revoke + show-renew + verify <filename_base> import-req <request_file_path> <short_basename> export-p1 <filename_base> [ cmd-opts ] export-p7 <filename_base> [ cmd-opts ] @@ -139,6 +144,9 @@ Renew a certificate specified by the filename_base" opts=" nopass - do not encrypt the private key (default is encrypted)" ;; + renewable) text=" + renewable [ <filename_base> ] + Check which certificates can be renewed" ;; gen-crl) text=" gen-crl Generate a CRL" ;; @@ -169,6 +177,26 @@ Shows details of the current certificate revocation list (CRL) Human-readable output is shown." ;; + show-expire) text=" + show-expire [ cmd-opts ] + Shows details of expiring certificates + + Human-readable output is shown." ;; + show-revoke) text=" + show-revoke [ cmd-opts ] + Shows details of revoked certificates + + Human-readable output is shown." ;; + show-renew) text=" + show-renew [ cmd-opts ] + Shows details of renewed certificates, which have not been revoked + + Human-readable output is shown." ;; + verify) text=" + verify <filename_base> [ cmd-opts ] + Verify certificate against CA" + opts=" + batch - On failure to verify, return error (1) to calling program" ;; import-req) text=" import-req <request_file_path> <short_basename> Import a certificate request from a file 
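Review bot: the new `verify` help entry ("batch - On failure to verify, return error (1) to calling program") documents that a failed verification exits 0 unless `batch` is given, which is an easy trap for scripts; either make the non-zero exit the default or say plainly in the `verify` text that the exit status only reflects the result when `batch` is passed. In the same hunk, `show-expire`, `show-revoke` and `show-renew` advertise `[ cmd-opts ]` but list none, and `renewable [ <filename_base> ]` does not say how the name is matched; list the accepted options (or drop the placeholder) so the user does not have to read the backend to find out.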
@@ -236,10 +264,11 @@ esac # display the help text - print "$text" + [ "$text" ] && print "$text" [ -n "$opts" ] && print " cmd-opts is an optional set of command options from this list: -$opts" +$opts +" } # => cmd_help() # Options usage @@ -259,15 +288,20 @@ --passin=ARG : set -passin ARG for openssl --passout=ARG : set -passout ARG for openssl ---pki-dir=DIR : declare the PKI directory ---tmp-dir=DIR : declare the temporary directory --ssl-conf=FILE : define a specific OpenSSL config file for Easy-RSA to use + --vars=FILE : define a specific 'vars' file to use for Easy-RSA config + Can be used with everything, except 'init-pki' +--pki-dir=DIR : declare the PKI directory + Use this for 'init-pki', not '--vars' above. + +--tmp-dir=DIR : declare the temporary directory --version : prints EasyRSA version and build information, then exits Certificate & Request options: (these impact cert/req field values) --days=# : sets the signing validity to the specified number of days +--renew-days=# : Number of days grace period before allowing renewal --fix-offset=# : Generate certificate with fixed start and end dates. : Range 1 to 365 : start date: 01 January 00:00:00 of the current year @@ -311,14 +345,16 @@ # Exit fatally with a message to stderr # present even with EASYRSA_BATCH as these are fatal problems die() { + # If renew failed then restore cert, key and req. Otherwise, issue a warning + # If *restore* fails then at least the file-names are not serial-numbers + [ "$restore_failed_renew" ] && renew_restore_move print " Easy-RSA error: $1" 1>&2 print " -Host: $host_out -${EASYRSA_DEBUG+ +Host: $host_out${EASYRSA_DEBUG+ *** Disable EASYRSA_DEBUG mode ***}" exit "${2:-1}" 
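Review bot: in die(), `[ "$restore_failed_renew" ] && renew_restore_move` runs before `print " Easy-RSA error: $1" 1>&2`, so the restore notices and warnings from renew_restore_move() are emitted ahead of the actual error line and through a different channel than stderr; print the error first (or route the restore messages to stderr as well) so a caller capturing stderr sees the failure and its consequence together. Worth a one-line comment that renew_restore_move() unsets restore_failed_renew and uses warn rather than die, which is what keeps this from recursing.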
@@ -382,14 +418,17 @@ [ "$EASYRSA_TEMP_DIR_session" ] && die "session overload" # temporary directory must exist - [ -n "$EASYRSA_TEMP_DIR" ] || return - [ -d "$EASYRSA_TEMP_DIR" ] || die "\ -Non-existant temporary directory: $EASYRSA_TEMP_DIR" + if [ "$EASYRSA_TEMP_DIR" ] && [ -d "$EASYRSA_TEMP_DIR" ]; then + : # ok + else + die "Non-existant temporary directory: $EASYRSA_TEMP_DIR" + fi for i in 1 2 3; do # Always use openssl directly for rand - rand="$("$EASYRSA_OPENSSL" rand -hex 4)" \ - || die "secure_session - rand '$rand'" + rand="$( + "$EASYRSA_OPENSSL" rand -hex 4 + )" || die "secure_session - rand '$rand'" mkdir "${EASYRSA_TEMP_DIR}/${rand}" || continue EASYRSA_TEMP_DIR_session="${EASYRSA_TEMP_DIR}/${rand}" @@ -401,13 +440,17 @@ # Create tempfile atomically or fail easyrsa_mktemp() { # session directory must exist - [ -n "$EASYRSA_TEMP_DIR_session" ] || return - [ -d "$EASYRSA_TEMP_DIR_session" ] || return + if [ "$EASYRSA_TEMP_DIR_session" ] && [ -d "$EASYRSA_TEMP_DIR_session" ]; then + : # ok + else + die "Non-existant temporary session: $EASYRSA_TEMP_DIR_session" + fi for i in 1 2 3; do # Always use openssl directly for rand - rand="$("$EASYRSA_OPENSSL" rand -hex 4)" \ - || die "easyrsa_mktemp - rand '$rand'" + rand="$( + "$EASYRSA_OPENSSL" rand -hex 4 + )" || die "easyrsa_mktemp - rand '$rand'" shotfile="${EASYRSA_TEMP_DIR_session}/shot.$rand" if [ -e "$shotfile" ]; then 
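Review bot: secure_session() creates the session directory with a bare `mkdir "${EASYRSA_TEMP_DIR}/${rand}"`, so its mode is whatever the caller's umask allows; now that `--tmp-dir=DIR` lets the user point this at a shared location, and given that build-ca passes a passphrase through a temp file (`-passin file:"$out_key_pass_tmp"`), create the session with `mkdir -m 700` or set `umask 077` for it so other local users cannot read what lands there. Replacing the silent `return` with `die` when the temp directory or session is missing is the right call, since callers previously got an empty path back. Nit: "Non-existant" should be "Non-existent" in both new messages.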
@@ -426,17 +469,41 @@ # remove temp files and do terminal cleanups cleanup() { - [ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session" - [ -n "${EASYRSA_EC_DIR%/*}" ] && [ -d "$EASYRSA_EC_DIR" ] && \ + if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && [ -d "$EASYRSA_TEMP_DIR_session" ] + then + rm -rf "$EASYRSA_TEMP_DIR_session" + fi + + if [ "${EASYRSA_EC_DIR%/*}" ] && [ -d "$EASYRSA_EC_DIR" ] + then rm -rf "$EASYRSA_EC_DIR" + fi # shellcheck disable=SC3040 # In POSIX sh, set option [name] is undefined case "$easyrsa_host_os" in - nix) stty echo ;; - win) set -o echo ;; + nix) [ -t 1 ] && stty echo ;; + win) + if [ "$easyrsa_win_git_bash" ]; then + [ -t 1 ] && stty echo + else + set -o echo + fi + ;; *) warn "Host OS undefined." esac - [ "$EASYRSA_SILENT" ] || echo "" # just to get a clean line + + # Exit with error 1, if an error ocured... + if [ "$easyrsa_error_exit" ]; then + # Set by verify_cert() for full error-out + exit 1 + elif [ "$1" = ok ]; then + # if there is no error then 'cleanup ok' is called + exit 0 + else + # if 'cleanup' is called without 'ok' then an error occurred + [ "$EASYRSA_SILENT" ] || echo "" # just to get a clean line + exit 1 + fi } # => cleanup() # Easy-RSA meta-wrapper for SSL @@ -461,6 +528,7 @@ # Make LibreSSL safe config file from OpenSSL config file # Do not use easyrsa_mktemp() for init-pki + # LibreSSL cannot generate random without a PKI and safe-conf if [ "$no_pki_required" ]; then # for init-pki $EASYRSA_SAFE_CONF is always set in the PKI, use it. easyrsa_openssl_conf="${EASYRSA_SAFE_CONF}.init-tmp" @@ -470,6 +538,7 @@ fi # OpenSSL does not require a safe config, so skip to the copy + # require_safe_ssl_conf is set by verify_ssl_lib() if [ "$require_safe_ssl_conf" ]; then # Make a safe SSL config file sed \ 
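Review bot: the `${EASYRSA_TEMP_DIR_session%/*}` and `${EASYRSA_EC_DIR%/*}` guards in cleanup() reject an empty value and single-component paths such as `/tmp`, but a relative value like `ecparams` passes unchanged because `${var%/*}` returns the whole string when there is no slash, so the guard is weaker than the `rm -rf` it protects deserves; check that the path is absolute and lies under EASYRSA_PKI or EASYRSA_TEMP_DIR instead. The new exit logic makes every `cleanup` call without `ok` exit 1, so confirm all normal completion paths (including any EXIT trap) pass `ok`, otherwise successful runs return non-zero to scripts. `[ -t 1 ] && stty echo` is a good guard for non-tty use.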
@@ -501,10 +570,6 @@ mv -f "$easyrsa_openssl_conf" "$EASYRSA_SAFE_CONF" || \ die "easyrsa_openssl - makesafeconf failed" else - # !!! - # this debug CANNOT be used in automated testing - # to function correctly easyrsa_openssl() - # must ONLY output SSL layer output # debug log on if [ "$EASYRSA_DEBUG" ]; then set -x; fi @@ -516,10 +581,6 @@ if [ "$EASYRSA_DEBUG" ]; then set +x; fi fi else - # !!! - # this debug CANNOT be used in automated testing - # to function correctly easyrsa_openssl() - # must ONLY output SSL layer output # debug log on if [ "$EASYRSA_DEBUG" ]; then set -x; fi @@ -531,33 +592,6 @@ fi } # => easyrsa_openssl() -# Verify supplied curve exists and Always generate curve file -verify_curve_ec() { - # Check that the ecparams dir exists - [ -d "$EASYRSA_EC_DIR" ] || mkdir "$EASYRSA_EC_DIR" || die "\ -Failed creating ecparams dir (permissions?) at: -$EASYRSA_EC_DIR" - - # Check that the required ecparams file exists - if easyrsa_openssl ecparam -name "$EASYRSA_CURVE" \ - -out "$EASYRSA_ALGO_PARAMS" 1>/dev/null - then - return 0 - fi - - # Clean up failure - rm -rf "$EASYRSA_EC_DIR" - die "\ -Failed to generate ecparam file (permissions?) when writing to: -$EASYRSA_ALGO_PARAMS" -} # => verify_curve_ec() - -# Verify if Edwards Curve exists -verify_curve_ed() { - easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" > /dev/null \ - || die "Edwards Curve $EASYRSA_CURVE not found." -} # => verify_curve_ed() - # Verify the SSL library is functional and establish version dependencies verify_ssl_lib() { if [ -z "$EASYRSA_SSL_OK" ]; then @@ -716,9 +750,14 @@ init-pki complete; you may now create a CA or requests. Your newly created PKI dir is: - * $EASYRSA_PKI + * $EASYRSA_PKI" + if [ "$user_vars_true" ]; then + : # ok - No message required + else + notice "\ IMPORTANT: Easy-RSA 'vars' file has now been moved to your PKI above." + fi } # => init_pki() # Copy data-files from various sources 
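Review bot: the removed "!!!" comments in easyrsa_openssl() were the only hint that `set -x` under EASYRSA_DEBUG traces the complete openssl command line, including any `-passin`/`-passout` arguments; with `pass:` style values the passphrase ends up in the debug output. Keep a one-line comment saying so next to `if [ "$EASYRSA_DEBUG" ]; then set -x; fi`, or mask those arguments before enabling the trace. Dropping verify_curve_ec()/verify_curve_ed() here is fine as long as their replacement is wired in wherever keys are generated (see the build_ca and gen_req hunks).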
@@ -810,7 +849,7 @@ set_var EASYRSA_EXT_DIR "$EASYRSA_PKI/x509-types" fi - # If this is init-pki then create PKI/vars from PKI/example + # Create PKI/vars from PKI/example case "$context" in init-pki) if [ -e "${EASYRSA_PKI}/${vars_file_example}" ]; then @@ -889,8 +928,6 @@ done verify_pki_init - [ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec - [ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed out_key="$EASYRSA_PKI/private/ca.key" # setup for an intermediate CA @@ -917,6 +954,7 @@ Unable to create a CA as you already seem to have one set up. If you intended to start a new CA, run init-pki first." fi + # If a private key exists here, a intermediate ca was created but not signed. # Notify the user and require a signed ca.crt or a init-pki: [ -f "$out_key" ] && \ @@ -1031,6 +1069,7 @@ ${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \ ${no_password+ "$no_password"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ + ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \ ${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \ || die "Failed to build the CA" ;; @@ -1049,7 +1088,8 @@ NOTE: Your intermediate CA request is at $out_file and now must be sent to your parent CA for signing. Place your resulting cert at $EASYRSA_PKI/ca.crt prior to signing operations." - else notice "\ + else + notice "\ CA creation complete and you may now import and sign cert requests. Your new CA certificate file for publishing is at: @@ -1113,10 +1153,6 @@ shift done - # Verify required curves - [ "$EASYRSA_ALGO" = "ec" ] && verify_curve_ec - [ "$EASYRSA_ALGO" = "ed" ] && verify_curve_ed - # don't wipe out an existing private key without confirmation [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\ 
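Review bot: the `verify_curve_ec`/`verify_curve_ed` call sites are removed from both build_ca and gen_req, but no replacement call to verify_algo_params() appears in these hunks; make sure it runs before key generation on both paths, otherwise an unknown curve or missing ecparams file only surfaces as a raw openssl failure. Adding `${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"}` beside `-passin` in build_ca is correct and fixes the asymmetry; note both values are visible in the `set -x` trace when EASYRSA_DEBUG is set.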
@@ -1592,112 +1628,6 @@ return 0 } # => move_revoked() -# Set certificate expire date, renew date and variables needed for fixdate -cert_dates() { - if [ "$1" ]; then - # Required for renewal - crt_not_before="$(easyrsa_openssl x509 -in "$1" -noout -startdate)" - crt_not_before="${crt_not_before#*=}" - crt_not_after="$(easyrsa_openssl x509 -in "$1" -noout -enddate)" - crt_not_after="${crt_not_after#*=}" - shift - fi - - # Set fixed dates for new certificate - case "$EASYRSA_FIX_OFFSET" in - '') : ;; # empty ok - *[!1234567890]*|0*) die "\ -Non-decimal value for EASYRSA_FIX_OFFSET: '$EASYRSA_FIX_OFFSET'" - ;; - *) - # Check offset range - if [ 1 -gt "$EASYRSA_FIX_OFFSET" ] || [ 365 -lt "$EASYRSA_FIX_OFFSET" ] - then - die "Fixed off-set out of range [1-365 days]: $EASYRSA_FIX_OFFSET" - fi - - # initialise fixed dates - unset -v start_fixdate end_fixdate - - # Number of years from default (2 years) plus fixed offset - fix_days="$(( (EASYRSA_CERT_EXPIRE / 365) * 365 + EASYRSA_FIX_OFFSET ))" - - # Current Year and seconds - this_year="$(date +%Y)" - now_sec="$(date +%s)" - esac - - # OS dependencies - case "$easyrsa_uname" in - "Darwin"|*"BSD") - now_sec="$(date -j +%s)" - expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)" - allow_renew_date="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))" - - if [ "$EASYRSA_FIX_OFFSET" ]; then - start_fix_sec="$( - date -j -f '%Y%m%d%H%M%S' "${this_year}0101000000" +%s - )" - end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))" - # Convert to date-stamps for SSL input - start_fixdate="$(date -j -r "$start_fix_sec" +%Y%m%d%H%M%SZ)" - end_fixdate="$(date -j -r "$end_fix_sec" +%Y%m%d%H%M%SZ)" - fi - ;; - *) - # Linux and Windows (FTR: date.exe does not support format +%s as input) - if expire_date="$(date -d "$crt_not_after" +%s)" - then - allow_renew_date="$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)" - - if [ "$EASYRSA_FIX_OFFSET" ]; then - # New Years Day, this year - New_Year_day="$( - date -d "${this_year}-01-01 
00:00:00Z" '+%Y-%m-%d %H:%M:%SZ' - )" - # Convert to date-stamps for SSL input - start_fixdate="$( - date -d "$New_Year_day" +%Y%m%d%H%M%SZ - )" - end_fixdate="$( - date -d "$New_Year_day +${fix_days}days" +%Y%m%d%H%M%SZ - )" - end_fix_sec="$( - date -d "$New_Year_day +${fix_days}days" +%s - )" - fi - - # Alpine Linux and busybox - elif expire_date="$(date -D "%b %e %H:%M:%S %Y" -d "$crt_not_after" +%s)" - then - allow_renew_date="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))" - - if [ "$EASYRSA_FIX_OFFSET" ]; then - start_fix_sec="$(date -d "${this_year}01010000.00" +%s)" - end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))" - # Convert to date-stamps for SSL input - start_fixdate="$(date -d @"$start_fix_sec" +%Y%m%d%H%M%SZ)" - end_fixdate="$(date -d @"$end_fix_sec" +%Y%m%d%H%M%SZ)" - fi - - # Something else - else - die "Date failed" - fi - esac - - # Do not generate an expired, fixed date certificate - if [ "$EASYRSA_FIX_OFFSET" ]; then - [ "$now_sec" ] || die "Undefined: now_sec" - [ "$end_fix_sec" ] || die "Undefined end_fix_sec" - [ "$now_sec" -lt "$end_fix_sec" ] || die "\ -The lifetime of the certificate will expire before the date today." - [ "$start_fixdate" ] || die "Undefined: start_fixdate" - [ "$end_fixdate" ] || die "Undefined: end_fixdate" - fi - -} # => cert_dates() - # renew backend renew() { # pull filename base: @@ -1774,7 +1704,7 @@ # Check if old cert is expired or expires within 30 cert_dates "$crt_in" - [ "$expire_date" -lt "$allow_renew_date" ] || die "\ + [ "$expire_date_s" -lt "$allow_renew_date_s" ] || die "\ Certificate expires in more than $EASYRSA_CERT_RENEW days. Renewal not allowed." @@ -1803,7 +1733,7 @@ else san="$( easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \ - "/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/;s/ //g;p;}" + "/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;p;}" )" [ -n "$san" ] && export EASYRSA_EXTRA_EXTS="\ 
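Review bot: the context comment `# Check if old cert is expired or expires within 30` is now stale, since `--renew-days` makes the grace period configurable; change it to refer to EASYRSA_CERT_RENEW, which is what the `die` message below already does. The `s/IP Address:/IP:/g` change (global flag) is the actual fix for multiple IP SANs (#564) and looks correct for the single-line output that `n;` selects.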
@@ -1824,10 +1754,14 @@ # move renewed files so we can reissue certificate with the same name renew_move + # Set restore on error flag + restore_failed_renew=1 + # renew certificate build_full "$cert_type" "$file_name_base" "$opt_nopass" || die "\ Failed to renew certificate: renew command failed." + # Success messages [ "$EASYRSA_SILENT" ] || print # Separate Notice below notice "\ @@ -1840,7 +1774,41 @@ return 0 } # => renew() -# move-renewed +# Restore files on failure to renew +renew_restore_move() { + unset -v restore_failed_renew rrm_err + # restore crt, key and req file to PKI folders + if ! mv "$restore_crt_out" "$restore_crt_in"; then + warn "Failed to restore: $restore_crt_out" + rrm_err=1 + fi + + # only restore the key if we have it + if [ -e "$restore_key_out" ]; then + if ! mv "$restore_key_out" "$restore_key_in"; then + warn "Failed to restore: $restore_key_out" + rrm_err=1 + fi + fi + + # only restore the req if we have it + if [ -e "$restore_req_out" ]; then + if ! mv "$restore_req_out" "$restore_req_in"; then + warn "Failed to restore: $restore_req_out" + rrm_err=1 + fi + fi + + # messages + [ "$EASYRSA_SILENT" ] || print # Separate Notice below + if [ "$rrm_err" ]; then + warn "Failed to restore renewed files." + else + notice "Renewed files have been restored." + fi +} # => renew_restore_move() + +# renew_move # moves renewed certificates to the 'renewed' folder # allows reissuing certificates with the same name renew_move() { 
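Review bot: nothing in these hunks clears restore_failed_renew after `build_full ... || die` succeeds, so any later die() in the same run (after the success notice, or in a follow-on command in the same process) would call renew_restore_move() and move the old cert, key and req back over the freshly issued files; `unset -v restore_failed_renew` immediately after the build_full line. In renew_restore_move(), the `[ -e "$restore_key_out" ]` / `[ -e "$restore_req_out" ]` guards are right, but the unconditional `mv "$restore_crt_out" "$restore_crt_in"` will overwrite whatever partial output build_full left in `issued/`; that is the intended behaviour and deserves a comment saying so.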
@@ -1855,39 +1823,45 @@ done # move crt, key and req file to renewed folders + restore_crt_in="$crt_in" + restore_crt_out="$crt_out" mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in" # only move the key if we have it + restore_key_in="$key_in" + restore_key_out="$key_out" if [ -e "$key_in" ]; then mv "$key_in" "$key_out" || die "Failed to move: $key_in" fi # only move the req if we have it + restore_req_in="$req_in" + restore_req_out="$req_out" if [ -e "$req_in" ]; then mv "$req_in" "$req_out" || die "Failed to move: $req_in" fi - # move any pkcs files + # remove any pkcs files for pkcs in p12 p7b p8 p1; do if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then # issued - mv "$in_dir/issued/$file_name_base.$pkcs" \ - "$out_dir/issued/$file_name_base.$pkcs" \ - || die "Failed to move: $file_name_base.$pkcs" + rm "$in_dir/issued/$file_name_base.$pkcs" \ + || die "Failed to remove: $file_name_base.$pkcs" elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then # private - mv "$in_dir/private/$file_name_base.$pkcs" \ - "$out_dir/private/$file_name_base.$pkcs" \ - || die "Failed to move: $file_name_base.$pkcs" + rm "$in_dir/private/$file_name_base.$pkcs" \ + || die "Failed to remove: $file_name_base.$pkcs" else : # ok fi done # remove the duplicate certificate in the certs_by_serial folder - rm "$duplicate_crt_by_serial" || warn \ + if [ -e "$duplicate_crt_by_serial" ]; then + rm "$duplicate_crt_by_serial" || warn \ "Failed to remove the duplicate certificate in the certs_by_serial folder" + fi # remove credentials file (if exists) if [ -e "$creds_in" ]; then @@ -1896,7 +1870,7 @@ fi return 0 -} # => move_renewed() +} # => renew_move() # revoke-renewed backend revoke_renewed() { 
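Review bot: renew_move() now deletes the `.p12`, `.p7b`, `.p8` and `.p1` exports instead of archiving them under `renewed/`, which is defensible because p12/p8/p1 carry the private key that is being retired, but it is a visible behaviour change (exports disappear on `renew`) that the `renew` help text should state. Setting `restore_*_in`/`restore_*_out` before each `mv` is correct and gives renew_restore_move() what it needs even when the key or req was never moved. Nit: `rm` leaves the key bytes on disk exactly as `mv` did, so no security gain should be claimed for this change.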
@@ -2058,6 +2032,168 @@ return 0 } # => revoke_renewed_move() +# renewable backend +renewable() { + verify_ca_init + + in_dir="$EASYRSA_PKI" + MATCH=$(echo "$*" | sed -re 's/\s+/|/g') + DATE=$(date --date \ + "+${EASYRSA_CERT_RENEW} days" \ + +"%y%m%d%H%M%S") + { awkscript=$(cat) ; } <<EOF +BEGIN { FS = "\t" }; +# Only report valid entries +\$1 ~ /V/ { + # Only consider CN + gsub(".*/CN=", "", \$6); + gsub("[^-0-9a-zA-Z.].*", "", \$6); + # Only report old enough candidates + if (\$2 < "${DATE}") { + # Only report matches + if (\$6 ~ /(${MATCH})/) { + print \$6; + } + } +} +EOF + matches=$(awk "$awkscript" "${in_dir}/index.txt") + if [ -z "$matches" ] ; then + # Nothing to renew + exit 1 + else + print "$matches" + fi +} # => renewable + +# Set certificate expire date, renew date and variables needed for fixdate +cert_dates() { + if [ -e "$1" ]; then + # Required for renewal + # Call openssl directly, otherwise this is not debug compatible + crt_not_before="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -startdate 2>&1)" \ + || die "cert_dates - crt_not_before: $crt_not_before" + crt_not_before="${crt_not_before#*=}" + crt_not_after="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -enddate 2>&1)" \ + || die "cert_dates - crt_not_after: $crt_not_after" + crt_not_after="${crt_not_after#*=}" + shift + elif [ "$1" ]; then + # Required for status + crt_not_after="$1" + else + # Required for --fix-offset + # This is a fake date to satisfy the 'if expire_date_s' command test + crt_not_after="Jun 12 02:02:02 1999 GMT" + fi + + # Set fixed dates for new certificate + case "$EASYRSA_FIX_OFFSET" in + '') : ;; # empty ok + *[!1234567890]*|0*) die "\ +Non-decimal value for EASYRSA_FIX_OFFSET: '$EASYRSA_FIX_OFFSET'" + ;; + *) + # Check offset range + if [ 1 -gt "$EASYRSA_FIX_OFFSET" ] || [ 365 -lt "$EASYRSA_FIX_OFFSET" ] + then + die "Fixed off-set out of range [1-365 days]: $EASYRSA_FIX_OFFSET" + fi + + # initialise fixed dates + unset -v start_fixdate end_fixdate + + # Number of years 
from default (2 years) plus fixed offset + fix_days="$(( (EASYRSA_CERT_EXPIRE / 365) * 365 + EASYRSA_FIX_OFFSET ))" + + # Current Year and seconds + this_year="$(date +%Y)" || die "cert_dates - this_year" + now_sec="$(date +%s)" || die "cert_dates - now_sec" + esac + + # OS dependencies + case "$easyrsa_uname" in + "Darwin"|*"BSD") + now_sec="$(date -j +%s)" + expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after")" + expire_date_s="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)" + allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))" + + if [ "$EASYRSA_FIX_OFFSET" ]; then + start_fix_sec="$( + date -j -f '%Y%m%d%H%M%S' "${this_year}0101000000" +%s + )" + end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))" + # Convert to date-stamps for SSL input + start_fixdate="$(date -j -r "$start_fix_sec" +%Y%m%d%H%M%SZ)" + end_fixdate="$(date -j -r "$end_fix_sec" +%Y%m%d%H%M%SZ)" + fi + ;; + *) + # Linux and Windows (FTR: date.exe does not support format +%s as input) + if expire_date_s="$(date -d "$crt_not_after" +%s)" + then + # Note: date.exe is Year 2038 end 32bit + expire_date="$(date -d "$crt_not_after")" + allow_renew_date_s="$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)" + + if [ "$EASYRSA_FIX_OFFSET" ]; then + # New Years Day, this year + New_Year_day="$( + date -d "${this_year}-01-01 00:00:00Z" '+%Y-%m-%d %H:%M:%SZ' + )" + # Convert to date-stamps for SSL input + start_fixdate="$( + date -d "$New_Year_day" +%Y%m%d%H%M%SZ + )" + end_fixdate="$( + date -d "$New_Year_day +${fix_days}days" +%Y%m%d%H%M%SZ + )" + end_fix_sec="$( + date -d "$New_Year_day +${fix_days}days" +%s + )" + fi + + # Alpine Linux and busybox + elif expire_date_s="$(date -D "%b %e %H:%M:%S %Y" -d "$crt_not_after" +%s)" + then + expire_date="$(date -D "%b %e %H:%M:%S %Y" -d "$crt_not_after")" + allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))" + + if [ "$EASYRSA_FIX_OFFSET" ]; then + start_fix_sec="$(date -d "${this_year}01010000.00" +%s)" + end_fix_sec="$(( 
start_fix_sec + fix_days * 86400 ))" + # Convert to date-stamps for SSL input + start_fixdate="$(date -d @"$start_fix_sec" +%Y%m%d%H%M%SZ)" + end_fixdate="$(date -d @"$end_fix_sec" +%Y%m%d%H%M%SZ)" + fi + + # Something else + else + die "Date failed" + fi + esac + + # Do not generate an expired, fixed date certificate + if [ "$EASYRSA_FIX_OFFSET" ]; then + for date_stamp in "${now_sec}" "${end_fix_sec}"; do + case "${date_stamp}" in + ''|*[!1234567890]*|0*) + die "Undefined: '$now_sec', '$end_fix_sec'" + ;; + *) + [ "${#date_stamp}" -eq 10 ] \ + || die "Undefined: $now_sec, $end_fix_sec" + esac + done + [ "$now_sec" -lt "$end_fix_sec" ] || die "\ +The lifetime of the certificate will expire before the date today." + [ "$start_fixdate" ] || die "Undefined: start_fixdate" + [ "$end_fixdate" ] || die "Undefined: end_fixdate" + unset -v crt_not_after + fi +} # => cert_dates() + # gen-crl backend gen_crl() { verify_ca_init 
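Review bot: renewable() contradicts the portability work this release claims (#543 busybox, #556 POSIX grep): `sed -re 's/\s+/|/g'` and `date --date` are GNU extensions, and the result is spliced unescaped into an awk regex (`if (\$6 ~ /(${MATCH})/)`), so a filename_base containing `.`, `+`, `/` or another metacharacter changes the match, an empty argument list yields `()` and matches every valid entry, and `gsub("[^-0-9a-zA-Z.].*", "", \$6)` truncates a CN at the first `_` or space. Compare fixed strings instead (`$6 == name` against each token), derive the cutoff with the same per-OS date logic cert_dates() already carries, and fail through die()/cleanup rather than a bare `exit 1`. In cert_dates(), `now_sec` is only assigned inside the `*)` branch of the EASYRSA_FIX_OFFSET case (and in the Darwin branch), yet the busybox branch computes `allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))"` unconditionally; unless now_sec is set elsewhere before the call, a plain `renew` or `show-expire` on busybox compares against an epoch-1970 cutoff. Finally, the Darwin/BSD branch parses only the `%b %d %T %Y %Z` layout of `openssl x509 -enddate`, but the status paths feed it the `yy-mm-dd HH:MM:SSZ` string from build_ff_date_string(), which `date -j -f` with that format will not accept.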
@@ -2352,6 +2488,60 @@ fi } # => default_server_san() +# Verify certificate against CA +verify_cert() { + # pull filename base: + [ "$1" ] || die "\ +Error: didn't find a file base name as the first argument. +Run easyrsa without commands for usage and command help." + + verify_ca_init + + # Assign file_name_base and dust off! + file_name_base="$1" + shift + + # function opts support + unset -v exit_with_error + while [ "$1" ]; do + case "$1" in + # batch flag, return status [0/1] to calling program + # Otherwise, exit 0 on successful completion + batch) exit_with_error=1 ;; + *) warn "Ignoring unknown command option: '$1'" + esac + shift + done + + in_dir="$EASYRSA_PKI" + ca_crt="$in_dir/ca.crt" + crt_in="$in_dir/issued/$file_name_base.crt" + + # Cert file must exist + [ -f "$crt_in" ] || die "\ +No certificate found for the input: '$crt_in'" + + # Verify file is a valid cert + verify_file x509 "$crt_in" || die "\ +Input is not a valid certificate: $crt_in" + + # Test and show SSL out + if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then + [ "$EASYRSA_SILENT" ] || print # Separate Notice below + notice "\ + Certificate name: $file_name_base + Verfication status: GOOD" + # easyrsa_error_exit=1 # Simple 'proof of concept' test + else + [ "$EASYRSA_SILENT" ] || print # Separate Notice below + notice "\ + Certificate name: $file_name_base + Verfication status: FAILED" + # Exit with error (cmd-opt: batch), otherwise terminal msg only + [ "$exit_with_error" ] && easyrsa_error_exit=1 + fi +} # => verify_cert() + # verify a file seems to be a valid req/X509 verify_file() { format="$1" 
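Review bot: verify_cert() runs `openssl verify -CAfile "$ca_crt" "$crt_in"` with no `-crl_check`/`-CRLfile`, so a certificate revoked in this PKI still reports GOOD; pass the CRL that gen-crl produces when it exists, or say in the help that revocation is not checked. For an intermediate CA, ca.crt is not self-signed and openssl verify will not build a chain from it alone unless the parent chain is in the file or `-partial_chain` is given; this deserves a test since the package summary advertises sub-CAs. Also remove the leftover `# easyrsa_error_exit=1 # Simple 'proof of concept' test` line and fix "Verfication" to "Verification" in both notices.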
@@ -2467,6 +2657,199 @@ OpenSSL failure to process the input" } # => show_ca() +# Fixed format date +# Build a Windows date.exe compatible input field +build_ff_date_string() { + unset -v ff_date + ff_date="$1" + [ "$ff_date" ] || die "ff_date: '$ff_date'" + yy="${ff_date%???????????}" + ff_date="${ff_date#"$yy"}" + mm="${ff_date%?????????}" + ff_date="${ff_date#"$mm"}" + dd="${ff_date%???????}" + ff_date="${ff_date#"$dd"}" + HH="${ff_date%?????}" + ff_date="${ff_date#"$HH"}" + MM="${ff_date%???}" + ff_date="${ff_date#"$MM"}" + SS="${ff_date%?}" + ff_date="${ff_date#"$SS"}" + TZ="$ff_date" + ff_date="${yy}-${mm}-${dd} ${HH}:${MM}:${SS}${TZ}" +} # => build_date_string() + +# SC2295: (info): Expansions inside ${..} need to be quoted separately, +# otherwise they match as patterns. (what-ever that means .. ;-) +# Unfortunately, Windows sh.exe has an absolutely ridiculous bug. +# Try this in sh.exe: t=' '; s="a${t}b${t}c"; echo "${s%%"${t}"*}" + +# Read db +# shellcheck disable=SC2295 +read_db() { + report="$1"; shift + + tab_char=' ' + db_in="$EASYRSA_PKI/index.txt" + while read -r db_status db_notAfter db_record; do + + # Interpret the db/certificate record + unset -v db_serial db_cn db_revoke_date db_reason + case "$db_status" in + V) # Valid + db_serial="${db_record%%${tab_char}*}" + db_record="${db_record#*${tab_char}}" + db_cn="${db_record#*/CN=}"; db_cn="${db_cn%%/*}" + crt_file="$EASYRSA_PKI/issued/$db_cn.crt" + ;; + R) # Revoked + db_revoke_date="${db_record%%${tab_char}*}" + db_reason="${db_revoke_date#*,}" + if [ "$db_reason" = "$db_revoke_date" ]; then + db_reason="None given" + else + db_revoke_date="${db_revoke_date%,*}" + fi + db_record="${db_record#*${tab_char}}" + + db_serial="${db_record%%${tab_char}*}" + db_record="${db_record#*${tab_char}}" + db_cn="${db_record#*/CN=}"; db_cn="${db_cn%%/*}" + ;; + *) die "Unexpected status: $db_status" + esac + + # Output selected status report for this record + case "$report" in + expire) # Certs which expire 
before EASYRSA_CERT_RENEW days + if [ "$db_status" = V ]; then expire_status; fi + ;; + revoke) # Certs which have been revoked + if [ "$db_status" = R ]; then revoke_status; fi + ;; + renew) # Certs which have been renewed but not revoked + if [ "$db_status" = V ]; then renew_status; fi + ;; + *) die "Unrecognised report: $report" + esac + done < "$db_in" +} # => read_db() + +# Expire status +expire_status() { + crt_file="$EASYRSA_PKI/issued/$db_cn.crt" + if [ -e "$crt_file" ]; then + # Use cert date + cert_dates "$crt_file" + else + # Translate db date to usable date + build_ff_date_string "$db_notAfter" + db_notAfter="$ff_date" + # Use db translated date + cert_dates "$db_notAfter" + fi + + if [ "$expire_date_s" -lt "$allow_renew_date_s" ]; then + # Cert expires in less than grace period + printf '%s%s\n' "$db_status | Serial: $db_serial | " \ + "Expires: $expire_date | CN: $db_cn" + fi +} # => expire_status() + +# Revoke status +revoke_status() { + # Translate db date to usable date + build_ff_date_string "$db_revoke_date" + db_revoke_date="$ff_date" + # Use db translated date + # ff db_revoke_date returns db_revoke_date as full expire_date + cert_dates "$db_revoke_date" + crt_revoke_date="$expire_date" + + printf '%s%s\n' "$db_status | Serial: $db_serial | " \ + "Revoked: $crt_revoke_date | Reason: $db_reason | CN: $db_cn" +} # => revoke_status() + +# Renewed status +# renewed certs only remain in the renewed folder until they are revoked +# Only ONE renewed cert with unique CN can exist in the renewed folder +renew_status() { + build_ff_date_string "$db_notAfter" + + # Does a Renewed cert exist ? 
+ crt_file="$EASYRSA_PKI/renewed/issued/${db_cn}.crt" + if [ -e "$crt_file" ]; then + # Use cert date + cert_dates "$crt_file" + + # get the serial number of the certificate -> serial=XXXX + renewed_crt_serial="$(easyrsa_openssl x509 -in "$crt_file" -noout -serial)" + # remove the serial= part -> we only need the XXXX part + renewed_crt_serial="${renewed_crt_serial##*=}" + + # db serial must match certificate serial + if [ "$db_serial" = "$renewed_crt_serial" ]; then + printf '%s%s\n' "$db_status | Serial: $db_serial | " \ + "Expires: $crt_not_after | CN: $db_cn" + else + # Cert is valid, this is the replacement cert from renewal + : # ok - ignore + fi + else + # Cert is valid but no renewed cert exists or it has been revoked + : # ok - ignore + fi +} # => renew_status() + +# cert status reports +status() { + report="$1" + in_crt="$2" + shift 2 + + verify_ca_init + + # This does not build certs, so do not need support for fixed dates + unset -v EASYRSA_FIX_OFFSET + + case "$report" in + expire) + case "$in_crt" in + all) + [ "$EASYRSA_SILENT" ] || print "\ +* Showing certificates which expire in less than $EASYRSA_CERT_RENEW days: +" + read_db expire + ;; + *) print "Coming soon.." + esac + ;; + revoke) + case "$in_crt" in + all) + [ "$EASYRSA_SILENT" ] || print "\ +* Showing certificates which are revoked: +" + read_db revoke + ;; + *) print "Coming soon.." + esac + ;; + renew) + case "$in_crt" in + all) + [ "$EASYRSA_SILENT" ] || print "\ +* Showing certificates which have been renewed but NOT revoked: +" + read_db renew + ;; + *) print "Coming soon.." + esac + ;; + *) warn "Unrecognised report: $report" + esac +} # => status() + # set_var is not known by shellcheck, therefore: # Fake declare known variables for shellcheck # Use these options without this function: 
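Review bot: in `build_ff_date_string()` the trailing zone designator is stored in `TZ`, which is the shell's own time-zone variable; if `TZ` is exported in the caller's environment this assignment changes the zone that every later `date` or `openssl` child process sees, so use a private name such as `ff_tz` and unset the `yy mm dd HH MM SS` scratch variables on the way out. In `read_db()` the `*) die "Unexpected status: $db_status"` arm rejects the `E` (expired) status that `openssl ca -updatedb` writes into index.txt, so a CA that has ever run that command aborts all three reports on the first such record; handle `E` explicitly (skip it, or treat it like `V` for the expire report). Also the closing comment `# => build_date_string()` names the wrong function, and `renew_status()` calls `build_ff_date_string "$db_notAfter"` without ever using the resulting `$ff_date`.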
@@ -2547,6 +2930,33 @@ unset -v easyrsa_host_test } # => detect_host() +# Verify the selected algorithm parameters +verify_algo_params() { + # EASYRSA_ALGO_PARAMS must be set depending on selected algo + case "$EASYRSA_ALGO" in + rsa) + # Set RSA key size + EASYRSA_ALGO_PARAMS="$EASYRSA_KEY_SIZE" + ;; + ec) + # Verify Elliptic curve + EASYRSA_ALGO_PARAMS="$(easyrsa_mktemp)" + + # Create the required ecparams file + easyrsa_openssl ecparam -name "$EASYRSA_CURVE" \ + -out "$EASYRSA_ALGO_PARAMS" 1>/dev/null || die "\ +Failed to generate ecparam file (permissions?) when writing to: +$EASYRSA_ALGO_PARAMS" + ;; + ed) + # Verify Edwards curve + easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" > /dev/null \ + || die "Edwards Curve $EASYRSA_CURVE not found." + ;; + *) die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed'" + esac +} # => verify_algo_params() + # vars setup # Here sourcing of 'vars' if present occurs. If not present, defaults are used # to support running without a sourced config format @@ -2563,6 +2973,7 @@ #prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" #prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" prog_dir="${prog_file%/*}" + if [ "$prog_dir" = . ]; then prog_in_pwd=1; else unset -v prog_in_pwd; fi # Program dir vars - This location is least wanted. prog_vars="${prog_dir}/vars" 
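Review bot: in `verify_algo_params()` the `ed)` arm validates the curve by running `easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE"`, that is, it generates and discards a real private key purely as a probe; if a cheaper check is not available, a comment saying why a throwaway key generation is acceptable here would help the next reader. The `ec)` failure message `Failed to generate ecparam file (permissions?)` blames file permissions, but `ecparam -name` fails the same way when `EASYRSA_CURVE` is simply not a curve name OpenSSL knows, so include the curve name in the message (`... for curve '$EASYRSA_CURVE' ...`) rather than guessing at permissions.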
@@ -2590,28 +3001,35 @@ # If the --vars option does not point to a file, show helpful error. die "The file '$EASYRSA_VARS_FILE' was not found." fi + unset -v prog_vars pwd_vars easy_vars pki_vars expected_pki_vars # Otherwise, find vars 'the new way' followed by 'the old way' .. else # if PKI is required - if [ -z "$no_pki_required" ]; then - + if [ "$no_pki_required" ]; then + : # ok - No vars required either + else # Clear flags - This is the preferred order to find: unset -v e_pki_vars e_easy_vars e_pwd_vars e_prog_vars \ - found_vars + found_vars vars_in_pki # PKI location, if present: - { [ -e "$pki_vars" ] && e_pki_vars=1; } || unset -v pki_vars + [ -e "$pki_vars" ] && e_pki_vars=1 # EASYRSA, if defined: - { [ -e "$easy_vars" ] && e_easy_vars=1; } || unset -v easy_vars + [ -e "$easy_vars" ] && e_easy_vars=1 # Eventually the file below must be removed from EasyRSA # vars of last resort - { [ -e "$pwd_vars" ] && e_pwd_vars=1; } || unset -v pwd_vars + [ -e "$pwd_vars" ] && e_pwd_vars=1 # program location: - { [ -e "$prog_vars" ] && e_prog_vars=1; } || unset -v prog_vars + [ -e "$prog_vars" ] && e_prog_vars=1 + + # Filter duplicates + if [ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && [ "$prog_in_pwd" ]; then + unset -v prog_vars e_prog_vars + fi # Allow only one vars to be found, No exceptions! found_vars="$((e_pki_vars + e_easy_vars + e_pwd_vars + e_prog_vars))" 
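Review bot: the new duplicate filter (`[ "$e_prog_vars" ] && [ "$e_pwd_vars" ] && [ "$prog_in_pwd" ]`) only fires when `prog_dir` is literally `.`, i.e. when the script was started as `./easyrsa`; starting it as `/path/to/easyrsa` from inside that same directory still counts `$prog_vars` and `$pwd_vars` as two distinct files, so `found_vars` becomes 2 and the "Allow only one vars to be found" rule rejects what is really one file. Compare the two candidate paths (or the resolved directory against `$PWD`) instead of the literal `.`. Note also that `prog_dir="${prog_file%/*}"` leaves `prog_dir` equal to `prog_file` when the script was located via PATH and `$0` contains no slash, so `prog_vars` then points at a nonsensical `easyrsa/vars`; that is pre-existing but worth a guard while this code is being touched.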
@@ -2634,56 +3052,72 @@ esac # If a SINGLE vars file is found then assign $vars - [ "$pwd_vars" ] && vars="$pwd_vars" - [ "$easy_vars" ] && vars="$easy_vars" - [ "$prog_vars" ] && vars="$prog_vars" - [ "$pki_vars" ] && vars="$pki_vars" + [ "$e_prog_vars" ] && vars="$prog_vars" + [ "$e_pwd_vars" ] && vars="$pwd_vars" + [ "$e_easy_vars" ] && vars="$easy_vars" + [ "$e_pki_vars" ] && vars="$pki_vars" && vars_in_pki=1 + + # Clean up + unset -v prog_vars pwd_vars easy_vars pki_vars fi + # END: Find vars + fi - # If $EASYRSA_NO_VARS is defined (not blank) then do not use vars - # if $no_pki_required then no vars is required. - if [ "$EASYRSA_NO_VARS" ] || [ "$no_pki_required" ]; then + # If $EASYRSA_NO_VARS is defined (not blank) then do not use vars. + # If $no_pki_required then located vars files are not required. + if [ "$EASYRSA_NO_VARS" ] || [ "$no_pki_required" ]; then + : # ok + else + # If a vars file was located then source it + if [ -z "$vars" ]; then + # $vars remains undefined .. no vars found + # install_data_to_pki() will create a default 'PKI/vars' : # ok else - # If a vars file was located then source it - if [ -z "$vars" ]; then - # $vars remains undefined .. no vars found - : # ok - else - # Sanitize vars - if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then - die "\ + # 'vars' now MUST exist + [ -e "$vars" ] || die "Missing vars file, expected: $vars" + + # Sanitize vars + if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then + die "\ Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration file. Storing sensitive information in the configuration file is not recommended - please remove it from there before continuing." 
- fi + fi - # Sanitize vars further but ONLY if it is in PKI folder - if [ "$pki_vars" ]; then - # Warning: Single quote - if grep '^[[:blank:]]*set_var[[:blank:]]\+.*' "$vars" | \ - grep -q -e '&' -e "'" -e '`' -e '\$' -e '#' ; then - warn "\ + # Sanitize vars further but ONLY if it is in PKI folder + if [ "$vars_in_pki" ]; then + # Warning: Unsupported characters + if grep '^[[:blank:]]*set_var[[:blank:]]\+.*' "$vars" | \ + grep -q -e '&' -e "'" -e '`' -e '\$' -e '#' ; then + warn "\ Unsupported characters are present in the vars file. These characters are not supported: (') (&) (\`) (\$) (#) Sourcing the vars file and building certificates will probably fail .." - fi fi + fi - # shellcheck disable=SC2034 # EASYRSA_CALLER appears unused. - EASYRSA_CALLER=1 - # shellcheck disable=1090 # can't follow non-constant source. vars - ( . "$vars" 2>/dev/null ) || die "\ + # Enable sourcing 'vars' + # shellcheck disable=SC2034 # EASYRSA_CALLER appears unused. + EASYRSA_CALLER=1 + + # Test souring 'vars' in a subshell + # shellcheck disable=1090 # can't follow non-constant source. vars + ( . "$vars" 2>/dev/null ) || die "\ Failed to source the vars file, remove any unsupported characters." - # shellcheck disable=1090 # can't follow non-constant source. vars - . "$vars" 2>/dev/null - notice "Using Easy-RSA configuration from: $vars" - [ "$pki_vars" ] || \ - warn "Move your vars file to your PKI folder, where it is safe!" + # Source 'vars' now + # shellcheck disable=1090 # can't follow non-constant source. vars + . "$vars" 2>/dev/null + notice "Using Easy-RSA configuration from: $vars" + if [ "$user_vars_true" ]; then + : # ok - No message required + else + [ "$vars_in_pki" ] || \ + warn "\ + Move your vars file to your PKI folder, where it is safe!" fi fi - # END: Find vars fi # Set defaults, preferring existing env-vars if present 
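Review bot: `grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"` matches the two names anywhere on a line, so a vars file that merely mentions them in a comment is rejected with the "Storing sensitive information" error; anchor the pattern to an actual assignment, e.g. `'^[[:blank:]]*(set_var[[:blank:]]+)?EASYRSA_PASS(IN|OUT)'`, so commented explanations are still allowed while real secrets are still refused. Minor: the comment `# Test souring 'vars' in a subshell` should read `sourcing`.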
@@ -2706,7 +3140,7 @@ set_var EASYRSA_CERT_RENEW 30 set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no - set_var EASYRSA_NS_COMMENT "Easy-RSA (v3.0.9) Generated Certificate" + set_var EASYRSA_NS_COMMENT "Easy-RSA (3.1.0) Generated Certificate" set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" set_var EASYRSA_REQ_CN ChangeMe set_var EASYRSA_DIGEST sha256 
@@ -2717,37 +3151,24 @@ set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - # EASYRSA_ALGO_PARAMS must be set depending on selected algo - case "$EASYRSA_ALGO" in - rsa) EASYRSA_ALGO_PARAMS="${EASYRSA_KEY_SIZE}" ;; - ec) EASYRSA_ALGO_PARAMS="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" ;; - ed) : ;; # ok - *) die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed' " - esac - - # Assign value to $EASYRSA_TEMP_DIR_session - # and work-around Windows mktemp bug when parent dir is missing - # - # Bug: When the parent-dir is missing Windows'mktemp -du' fails. - # The work-around is to create the parent-dir, if it does not exist. - # The reason it does not exist is because 'init-pki' has not been run. - # Use the same gaurd against a missing PKI; Only set variables which - # require a PKI, eg '$EASYRSA_PKI', if there is a PKI ! - # - # Also, integrate a partial 'init-pki' by using 'install_data_to_pki()' - # - # If EASYRSA_PKI directory exists then + # For commands which 'require a PKI' and the PKI exists if [ ! "$no_pki_required" ] && [ -d "$EASYRSA_PKI" ]; then # Make a safe SSL config for LibreSSL + # Must specify 'no_pki_required' and 'require_safe_ssl_conf' here + # because verify_ssl_lib() has not yet run # sub-shell out, to change running variables, only the file is required - ( - no_pki_required=1 - require_safe_ssl_conf=1 - easyrsa_openssl makesafeconf - ) || die "Failed to create safe ssl conf (vars_setup)" + #( + # no_pki_required=1 + # require_safe_ssl_conf=1 + # easyrsa_openssl makesafeconf + #) || \ + # die "Failed to create safe ssl conf (vars_setup)" + # Alternate version: + no_pki_required=1 require_safe_ssl_conf=1 easyrsa_openssl makesafeconf || \ + die "Failed to create safe ssl conf (vars_setup)" - # Temp dir session + # mkdir Temp dir session secure_session || die "Temporary directory secure-session failed." if [ -d "$EASYRSA_TEMP_DIR" ]; then 
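Review bot: the `# Alternate version:` line `no_pki_required=1 require_safe_ssl_conf=1 easyrsa_openssl makesafeconf || die ...` is not equivalent to the subshell it replaces. If `easyrsa_openssl` is a shell function, as the wrapper name suggests, POSIX leaves it unspecified whether assignments prefixing a function call persist after the function returns; dash (and bash in POSIX mode) keep them, so on those shells `no_pki_required=1` stays set for the rest of `vars_setup` and beyond, and that is exactly the flag the surrounding `if [ ! "$no_pki_required" ] && [ -d "$EASYRSA_PKI" ]` logic keys on. Keep the subshell (or save and restore the two variables explicitly), and delete the commented-out original rather than carrying both versions in the script.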
@@ -2762,6 +3183,7 @@ install_data_to_pki vars-setup || \ warn "Failed to install new required data-dir to PKI. (vars_setup)" + # export OPENSSL_CONF for OpenSSL, OpenSSL config file MUST exist # EASYRSA_SAFE_CONF is output by 'install_data_to_pki()' # via 'easyrsa_openssl() makesafeconf' above. # Setting EasyRSA specific OPENSSL_CONF to sanatized safe conf @@ -2771,10 +3193,13 @@ die "Failed to find Safe-SSL config file." fi + # Verify selected algorithm and parameters + verify_algo_params + else # If the directory does not exist then we have not run init-pki # The temp-dir is Always created by 'install_data_to_pki' - : # ok + die "Temporary directory does not exist: $EASYRSA_TEMP_DIR" fi fi } # vars_setup() @@ -3389,13 +3814,12 @@ ssl_version="$("${EASYRSA_OPENSSL:-openssl}" version)" cat << VERSION_TEXT EasyRSA Version Information -Version: v3.0.9 -Generated: Wed May 18 08:04:38 CDT 2022 +Version: 3.1.0 +Generated: Wed May 18 20:53:50 CDT 2022 SSL Lib: $ssl_version -Git Commit: 150e96ec9b290396ccbe160bd23f6dd1b277250d +Git Commit: 1600b3fe9bd71e229b8648cd24206c55917b2f9b Source Repo: https://github.com/OpenVPN/easy-rsa VERSION_TEXT - exit 0 } # => print_version () @@ -3409,7 +3833,7 @@ [ -z "$EASYRSA_NO_UMASK" ] && umask "${EASYRSA_UMASK:-077}" # Initialisation requirements -unset -v user_san_true +unset -v easyrsa_error_exit user_san_true user_vars_true # Parse options while :; do @@ -3432,6 +3856,8 @@ ;; --fix-offset) export EASYRSA_FIX_OFFSET="$val" ;; + --renew-days) + export EASYRSA_CERT_RENEW="$val" ;; --pki-dir) export EASYRSA_PKI="$val" ;; --tmp-dir) @@ -3490,6 +3916,7 @@ --subca-len) export EASYRSA_SUBCA_LEN="$val" ;; --vars) + user_vars_true=1 export EASYRSA_VARS_FILE="$val" ;; --copy-ext) empty_ok=1 
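Review bot: the new `--renew-days)` option exports `EASYRSA_CERT_RENEW="$val"` without checking that `$val` is a non-negative integer, although the value is interpolated into the "expire in less than $EASYRSA_CERT_RENEW days" header and presumably feeds the `-lt` comparison in `expire_status()`, where a non-numeric value produces a far less helpful shell error. A POSIX check at the option site is cheap: `case "$val" in ''|*[!0-9]*) die "--renew-days requires a non-negative integer, got '$val'" ;; esac`.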
@@ -3526,27 +3953,30 @@ trap "exit 6" 6 trap "exit 14" 15 +# Get host details - does not require vars_setup +detect_host + # Set cmd now because vars_setup needs to know if this is init-pki cmd="$1" [ -n "$1" ] && shift # scrape off command # This avoids unnecessary warnings and notices case "$cmd" in - init-pki|clean-all) no_pki_required=1 ;; - ""|help|-h|--help|--usage) no_pki_required=1 ;; - version) no_pki_required=1 ;; + init-pki|clean-all|""|help|-h|--help|--usage|version) + no_pki_required=1 ;; *) unset -v no_pki_required esac -# Get host details -detect_host - # Intelligent env-var detection and auto-loading: vars_setup # determine how we were called, then hand off to the function responsible case "$cmd" in init-pki|clean-all) + if [ "$user_vars_true" ]; then + # Ref: https://github.com/OpenVPN/easy-rsa/issues/566 + die "Use of '--vars=FILE init-pki' is prohibited, use '--pki-dir=DIR'" + fi init_pki "$@" ;; build-ca) @@ -3582,6 +4012,9 @@ renew) renew "$@" ;; + renewable) + renewable "$@" + ;; import-req) import_req "$@" ;; @@ -3618,12 +4051,35 @@ show-ca) show_ca "$@" ;; + verify) + verify_cert "$@" + ;; + show-expire) + if [ -z "$*" ]; then + status expire all + else + status expire "$@" + fi + ;; + show-revoke) + if [ -z "$*" ]; then + status revoke all + else + status revoke "$@" + fi + ;; + show-renew) + if [ -z "$*" ]; then + status renew all + else + status renew "$@" + fi + ;; upgrade) up23_manage_upgrade_23 "$@" ;; ""|help|-h|--help|--usage) cmd_help "$1" - exit 0 ;; version) print_version @@ -3632,4 +4088,8 @@ die "Unknown command '$cmd'. Run without commands for usage help." esac +# Clear traps and do 'cleanup ok' on successful completion +trap - 0 1 2 3 6 15 +cleanup ok + # vim: ft=sh nu ai sw=8 ts=8 noet ++++++ suse-packaging.patch ++++++ --- /var/tmp/diff_new_pack.PEui7S/_old 2022-09-18 18:48:51.358520570 +0200 +++ /var/tmp/diff_new_pack.PEui7S/_new 2022-09-18 18:48:51.362520582 +0200 
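Review bot: in the easyrsa hunk `@@ -3526,27 +3953,30 @@` above, the `init-pki|clean-all)` arm's new `die "Use of '--vars=FILE init-pki' is prohibited ..."` check runs only after `vars_setup` has already processed `EASYRSA_VARS_FILE`, and that code path dies with `The file '$EASYRSA_VARS_FILE' was not found.` when the file is missing, so a user who combines a bad path with `init-pki` gets the wrong diagnostic and the file is consulted for a command that must not use it. Both `user_vars_true` and `cmd` are known at the `case "$cmd" in init-pki|clean-all|...` block that sets `no_pki_required`; move the rejection there, before `vars_setup` is called.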
@@ -1,12 +1,12 @@ ---- easyrsa.orig 2022-06-15 21:04:39.858643843 +0200 -+++ easyrsa 2022-06-15 21:05:18.250698012 +0200 -@@ -2562,7 +2562,7 @@ +--- easyrsa.orig 2022-09-05 18:43:38.396956744 +0200 ++++ easyrsa 2022-06-15 2022-09-05 18:44:14.154777676 +0200 +@@ -2972,7 +2972,7 @@ # Removed for basic sanity - To re-enable provide a REASON #prog_file2="$(which -- "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" #prog_file2="$(readlink -f "$prog_file" 2>/dev/null)" && prog_file="$prog_file2" - prog_dir="${prog_file%/*}" + prog_dir="/etc/easy-rsa" + if [ "$prog_dir" = . ]; then prog_in_pwd=1; else unset -v prog_in_pwd; fi # Program dir vars - This location is least wanted. - prog_vars="${prog_dir}/vars"
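Review bot: the refreshed hunk hard-codes `prog_dir="/etc/easy-rsa"` but keeps the upstream line `if [ "$prog_dir" = . ]; then prog_in_pwd=1; else unset -v prog_in_pwd; fi` directly after it, so `prog_in_pwd` can never be set in the SUSE build and the duplicate-vars filter added upstream is dead code here: if `pwd_vars` is `./vars` as its name suggests, running `easyrsa` from inside /etc/easy-rsa makes `/etc/easy-rsa/vars` count as both `prog_vars` and `pwd_vars` and trips the "only one vars" rule. Either drop the `prog_in_pwd` line from the patched context or set `prog_in_pwd` when `$PWD` is /etc/easy-rsa. Separately, the new header `+++ easyrsa 2022-06-15 2022-09-05 18:44:14.154777676 +0200` carries two dates; `patch` ignores header timestamps, but it should read `+++ easyrsa 2022-09-05 18:44:14.154777676 +0200`.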
