Hello community, here is the log from the commit of package easy-rsa for openSUSE:Factory checked in at 2017-07-25 11:41:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/easy-rsa (Old) and /work/SRC/openSUSE:Factory/.easy-rsa.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "easy-rsa" Tue Jul 25 11:41:18 2017 rev:4 rq:512354 version:3.0.1 Changes: -------- --- /work/SRC/openSUSE:Factory/easy-rsa/easy-rsa.changes 2017-06-12 15:33:59.451166936 +0200 +++ /work/SRC/openSUSE:Factory/.easy-rsa.new/easy-rsa.changes 2017-07-25 11:41:33.746463623 +0200 @@ -1,0 +2,9 @@ +Tue Jul 18 18:32:22 UTC 2017 - [email protected] + +- Include upstream patches: + + 6436eaf.patch + Add CN as SAN (if none requested) on server certs by default + + e9e8e27.patch + Moved @ValdikSS's serial randomization to sign_req + +------------------------------------------------------------------- New: ---- 6436eaf.patch e9e8e27.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ easy-rsa.spec ++++++ --- /var/tmp/diff_new_pack.lpU0p1/_old 2017-07-25 11:41:34.402371019 +0200 +++ /var/tmp/diff_new_pack.lpU0p1/_new 2017-07-25 11:41:34.406370454 +0200 @@ -36,6 +36,10 @@ Patch3: https://github.com/OpenVPN/easy-rsa/commit/fb4d8d8.patch # Convert README and COPYING into markdown files Patch4: https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch +# Add CN as SAN (if none requested) on server certs by default +Patch5: https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch +# Moved @ValdikSS's serial randomization to sign_req +Patch6: https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch # openSUSE specific Patch100: easy-rsa-packaging.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -53,6 +57,8 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 +%patch6 -p1 %patch100 -p0 sed -i 's;#\(set_var EASYRSA \)"$PWD";\1"%{_sysconfdir}/easy-rsa";' easyrsa3/vars.example ++++++ 6436eaf.patch ++++++ commit 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375 Author: Martin Schmitt <[email protected]> Date: Fri Jun 30 16:12:13 2017 +0200 Add CN as SAN (if none requested) on server certs by default diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 088faeb..f5ec797 100755 --- a/easyrsa3/easyrsa 
+++ b/easyrsa3/easyrsa @@ -627,6 +627,15 @@ $(display_dn req "$req_in") esac fi + # If type is server and no subjectAltName was requested, + # add one to the extensions file + if [[ "$crt_type" == 'server' ]] + then + echo "$EASYRSA_EXTRA_EXTS" | + grep -q subjectAltName || + print $(default_server_san "$req_in") + fi + # Add any advanced extensions supplied by env-var: [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" @@ -923,6 +932,22 @@ display_dn() { print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)" } # => display_dn() +# generate default SAN from req/X509, passed by full pathname +default_server_san() { + local path="$1" + local cn=$( + "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline | + awk -F'=' '/^ *CN=/{print $2}' + ) + echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$' + if [[ $? -eq 0 ]] + then + print "subjectAltName = IP:$cn" + else + print "subjectAltName = DNS:$cn" + fi +} # => default_server_san() + # verify a file seems to be a valid req/X509 verify_file() { local format="$1" path="$2" ++++++ e9e8e27.patch ++++++ commit e9e8e272e0eb5225ecfb0d8a0953a5b480c5e85d Author: Martin Schmitt <[email protected]> Date: Fri Jun 30 17:04:31 2017 +0200 Moved @ValdikSS's serial randomization to sign_req diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f5ec797..cff63f2 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
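Review bot: In the new server-type branch, `print $(default_server_san "$req_in")` leaves the command substitution unquoted, so the generated `subjectAltName = DNS:<cn>` text is word-split and glob-expanded before `print` sees it; a CN containing whitespace or `*` would be mangled on its way into the extensions file, and the safe form is `print "$(default_server_san "$req_in")"`. The block also introduces `[[ "$crt_type" == 'server' ]]` while the adjacent code uses POSIX tests such as `[ -n "$EASYRSA_EXTRA_EXTS" ]`; `[ "$crt_type" = 'server' ]` keeps the style consistent and avoids a bashism if the script is ever run by a non-bash /bin/sh. `grep -q subjectAltName` is an unanchored substring match, so a commented-out subjectAltName in EASYRSA_EXTRA_EXTS would suppress the default; `grep -q '^[[:space:]]*subjectAltName'` is tighter. The enclosing function (apparently sign_req) starts and ends outside this hunk.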
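Review bot: The IPv4 check `egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'` in default_server_san depends on `\d`, which POSIX ERE does not define as a digit class — GNU grep treats it as a stray backslash (recent releases warn about it) and the pattern never matches, so an IP-address CN falls through to the DNS branch and the server certificate is issued with `subjectAltName = DNS:10.0.0.1` rather than `IP:10.0.0.1`, which a client matching the SAN against the peer address will not accept. Replace the test and the following `[[ $? -eq 0 ]]` with `if printf '%s\n' "$cn" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then`. Beyond that regex the CN is copied from the request into the extension config with no validation, so a CN that is not a hostname (spaces, commas, or an `=` that `awk -F'='` truncates at) yields a malformed dNSName; either validate the CN as a hostname before the DNS branch or skip the default SAN and leave it to EASYRSA_EXTRA_EXTS. `local cn=$(…)` also discards the openssl exit status, so a failed `req` silently produces `subjectAltName = DNS:`; separate the declaration from the assignment and return non-zero on an empty CN.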
@@ -569,6 +569,18 @@ sign_req() { local req_in="$EASYRSA_PKI/reqs/$2.req" local crt_out="$EASYRSA_PKI/issued/$2.crt" + # Randomize Serial number + local i= serial= check_serial= + for i in 1 2 3 4 5; do + "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial" + serial="$(cat "$EASYRSA_PKI/serial")" + check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)" + case "$check_serial" in + *"not present in db"*) break ;; + *) continue ;; + esac + done + # Support batch by internal caller: [ "$3" = "batch" ] && local EASYRSA_BATCH=1 @@ -661,17 +673,6 @@ Certificate created at: $crt_out build_full() { verify_ca_init - local i= serial= check_serial= - for i in 1 2 3 4 5; do - "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial" - serial="$(cat "$EASYRSA_PKI/serial")" - check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)" - case "$check_serial" in - *"not present in db"*) break ;; - *) continue ;; - esac - done - # pull filename base: [ -n "$2" ] || die "\ Error: didn't find a file base name as the first argument.
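Review bot: The serial-randomization loop moved into sign_req has no failure path: only `*"not present in db"*` is treated as success, and after five attempts the code proceeds regardless, so if every candidate collided or `openssl ca -status` failed for another reason (its stderr is merged into `check_serial` by `2>&1`), signing continues with a serial that may already be in the database or was never checked at all. A guard after `done` should re-examine `check_serial` and call the file's existing `die` helper when it is not the success string. The `openssl rand` write to `$EASYRSA_PKI/serial` is likewise unchecked, so a failed write would reuse whatever serial was already in the file. sign_req continues beyond the end of this hunk.
```shell
	# Randomize Serial number
	local i= serial= check_serial=
	for i in 1 2 3 4 5; do
		"$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial" ||
			die "Failed to write a random serial number to $EASYRSA_PKI/serial"
		# … unchanged: read serial back, query 'openssl ca -status', break on "not present in db" …
	done
	case "$check_serial" in
		*"not present in db"*) ;;
		*) die "Could not allocate an unused serial number: $check_serial" ;;
	esac
```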
