Hello community, here is the log from the commit of package easy-rsa for openSUSE:Factory checked in at 2018-01-30 15:44:13 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/easy-rsa (Old) and /work/SRC/openSUSE:Factory/.easy-rsa.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "easy-rsa" Tue Jan 30 15:44:13 2018 rev:8 rq:570787 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/easy-rsa/easy-rsa.changes 2017-10-26 18:44:14.496350296 +0200 +++ /work/SRC/openSUSE:Factory/.easy-rsa.new/easy-rsa.changes 2018-01-30 15:44:29.838342664 +0100 @@ -1,0 +2,8 @@ +Sun Jan 28 19:05:46 UTC 2018 - [email protected] + +- Upgrade to version 3.0.4 + * Remove use of egrep (#154) + * Finally(?) fix the subjectAltName issues (really fixes #168) +- Improve RPM description + +------------------------------------------------------------------- Old: ---- EasyRSA-3.0.3.tgz EasyRSA-3.0.3.tgz.sig New: ---- EasyRSA-3.0.4.tgz EasyRSA-3.0.4.tgz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ easy-rsa.spec ++++++ --- /var/tmp/diff_new_pack.hj9Ekj/_old 2018-01-30 15:44:30.342319136 +0100 +++ /var/tmp/diff_new_pack.hj9Ekj/_new 2018-01-30 15:44:30.346318950 +0100 @@ -1,7 +1,7 @@ # # spec file for package easy-rsa # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2015 Stefan Jakobs. # # All modifications and additions to the file contributed by third parties @@ -18,7 +18,7 @@ Name: easy-rsa -Version: 3.0.3 +Version: 3.0.4 Release: 0 Summary: CLI utility to build and manage a PKI CA License: GPL-2.0 @@ -33,9 +33,9 @@ BuildArch: noarch %description -easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, -this means to create a root certificate authority, and request and sign -certificates, including sub-CAs and certificate revokation lists (CRL). +easy-rsa is a CLI utility to build and manage a Public Key Infrastructure +(PKI). Once the Certificate Authority (CA) is created, you can request and sign +certificates, including sub-CAs, and create Certificate Revokation Lists (CRL). %prep %setup -q -n EasyRSA-%{version} 
@@ -47,7 +47,7 @@ install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/ install -dm0755 %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types install -Dm0644 vars.example %{buildroot}/%{_sysconfdir}/easy-rsa/ -install -Dm0644 openssl-1.0.cnf %{buildroot}/%{_sysconfdir}/easy-rsa/openssl-1.0.cnf +install -Dm0644 openssl-easyrsa.cnf %{buildroot}/%{_sysconfdir}/easy-rsa/ install -Dm0644 x509-types/* %{buildroot}/%{_sysconfdir}/easy-rsa/x509-types/ install -Dm0755 easyrsa %{buildroot}/%{_bindir}/easyrsa ++++++ EasyRSA-3.0.3.tgz -> EasyRSA-3.0.4.tgz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/ChangeLog new/EasyRSA-3.0.4/ChangeLog --- old/EasyRSA-3.0.3/ChangeLog 2015-09-03 01:54:57.000000000 +0200 +++ new/EasyRSA-3.0.4/ChangeLog 2018-01-21 16:37:25.000000000 +0100 @@ -1,5 +1,27 @@ Easy-RSA 3 ChangeLog +3.0.4 (TBD) + * Remove use of egrep (#154) + * Integrate with Travis-CI (#165) + * Remove "local" from variable assignment (#165) + * Other changes related to Travis-CI fixes + * Assign values to variables defined previously w/local + * Finally(?) fix the subjectAltName issues I presented earlier (really + fixes #168 + +3.0.3 (2017-08-22) + * Include mktemp windows binary + * copy CSR extensions into signed certificate + + +3.0.2 (2017-08-21) + * add missing windows binaries + + +3.0.1 (2015-10-25) + * correct some packaging errors + + 3.0.0 (2015-09-07) * cab4a07 Fix typo: Hellman diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/README.md new/EasyRSA-3.0.4/README.md --- old/EasyRSA-3.0.3/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/EasyRSA-3.0.4/README.md 2018-01-21 16:37:25.000000000 +0100 
@@ -0,0 +1,52 @@ +# Overview + +easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms, +this means to create a root certificate authority, and request and sign +certificates, including sub-CAs and certificate revocation lists (CRL). + +# Downloads + +If you are looking for release downloads, please see the releases section on +GitHub. Releases are also available as source checkouts using named tags. + +# Documentation + +For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or +the more detailed docs under the doc/ directory. The .md files are in Markdown +format and can be converted to html files as desired for release packages, or +read as-is in plaintext. + +# Getting help using easy-rsa + +Currently, Easy-RSA development co-exists with OpenVPN even though they are +separate projects. The following resources are good places as of this writing to +seek help using Easy-RSA: + +The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users) +is a good place to post usage or help questions. + +You can also try IRC at Freenode/#openvpn + +# Branch structure + +The easy-rsa master branch is currently tracking development for the 3.x release +cycle. Please note that, at any given time, master may be broken. Feel free to +create issues against master, but have patience when using the master branch. It +is recommended to use a release, and priority will be given to bugs identified in +the most recent release. + +The prior 2.x and 1.x versions are available as release branches for +tracking and possible back-porting of relevant fixes. 
Branch layout is: + + master <- 3.x, at present + v3.x.x pre-release branches, used for staging branches + release/2.x + release/1.x + +LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file + +# Code style, standards + +We are attempting to adhere to the POSIX standard, which can be found here: + +http://pubs.opengroup.org/onlinepubs/9699919799/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/doc/EasyRSA-Advanced.md new/EasyRSA-3.0.4/doc/EasyRSA-Advanced.md --- old/EasyRSA-3.0.3/doc/EasyRSA-Advanced.md 2017-08-22 15:03:01.000000000 +0200 +++ new/EasyRSA-3.0.4/doc/EasyRSA-Advanced.md 2018-01-21 16:38:00.000000000 +0100 @@ -31,12 +31,12 @@ The following locations are checked, in this order, for a vars file. Only the first one found is used: - 1. File referenced by the --vars CLI option + 1. The file referenced by the --vars CLI option 2. The file referenced by the env-var named `EASYRSA_VARS_FILE` - 3. The `EASYRSA_PKI` directory - 4. The default PKI directory at $PWD/pki (usually will be the same as above) - 4. The `EASYRSA` directory - 5. The location of the easyrsa program (usually will be the same as above) + 3. The directory referenced by the `EASYRSA_PKI` env-var + 4. The default PKI directory at $PWD/pki + 4. The directory referenced by the `EASYRSA` env-var + 5. The directory containing the easyrsa program Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars file in all cases, including defining it subsequently as a global option. @@ -52,8 +52,8 @@ 1. The env-var `EASYRSA_SSL_CONF` 2. The 'vars' file (see `vars Autodetection` above) - 3. The `EASYRSA_PKI` directory with a filename of `openssl-1.0.cnf` - 4. The `EASYRSA` directory with a filename of `openssl-1.0.cnf` + 3. The `EASYRSA_PKI` directory with a filename of `openssl-easyrsa.cnf` + 4. The `EASYRSA` directory with a filename of `openssl-easyrsa.cnf` Advanced extension handling --------------------------- 
@@ -78,10 +78,10 @@ A list of env-vars, any matching global option (CLI) to set/override it, and a possible terse description is shown below: - * `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD + * `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa script is located. * `EASYRSA_OPENSSL` - command to invoke openssl * `EASYRSA_SSL_CONF` - the openssl config file to use - * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki. + * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to $PWD/pki. * `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to alter the fields to include in the req DN * `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/easyrsa new/EasyRSA-3.0.4/easyrsa --- old/EasyRSA-3.0.3/easyrsa 2017-08-21 23:31:35.000000000 +0200 +++ new/EasyRSA-3.0.4/easyrsa 2018-01-21 16:37:26.000000000 +0100 @@ -46,20 +46,21 @@ " # collect/show dir status: - local err_source="Not defined: vars autodetect failed and no value provided" - local work_dir="${EASYRSA:-$err_source}" - local pki_dir="${EASYRSA_PKI:-$err_source}" + err_source="Not defined: vars autodetect failed and no value provided" + work_dir="${EASYRSA:-$err_source}" + pki_dir="${EASYRSA_PKI:-$err_source}" print "\ DIRECTORY STATUS (commands would take effect on these locations) EASYRSA: $work_dir - PKI: $pki_dir + PKI: $pki_dir " } # => usage() # Detailed command help # When called with no args, calls usage(), otherwise shows help for a command cmd_help() { - local text opts + text="" + opts="" case "$1" in init-pki|clean-all) text=" init-pki [ cmd-opts ] 
@@ -199,6 +200,7 @@ ./easyrsa help altname --use-algo=ALG : crypto alg to use: choose rsa (default) or ec --curve=NAME : for elliptic curve, sets the named curve to use +--copy-ext : Copy included request X509 extensions (namely subjAltName Organizational DN options: (only used with the 'org' DN mode) (values may be blank for org DN options) @@ -248,7 +250,7 @@ # Returns 0 when input contains yes, 1 for no, 2 for no match # If both strings are present, returns 1; first matching line returns. awk_yesno() { - local awkscript=' + awkscript=' BEGIN {IGNORECASE=1; r=2} { if(match($0,"no")) {r=1; exit} if(match($0,"yes")) {r=0; exit} @@ -260,7 +262,10 @@ # returns without prompting in EASYRSA_BATCH confirm() { [ $EASYRSA_BATCH ] && return - local prompt="$1" value="$2" msg="$3" input + prompt="$1" + value="$2" + msg="$3" + input="" print " $msg @@ -274,7 +279,7 @@ # remove temp files clean_temp() { - for f in "$EASYRSA_TEMP_FILE" "$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3" + for f in "$EASYRSA_TEMP_CONF" "$EASYRSA_TEMP_EXT" "$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3" do [ -f "$f" ] && rm "$f" 2>/dev/null done } # => clean_temp() @@ -286,7 +291,7 @@ # Verify EASYRSA_OPENSSL command gives expected output if [ -z "$EASYRSA_SSL_OK" ]; then - local val="$("$EASYRSA_OPENSSL" version)" + val="$("$EASYRSA_OPENSSL" version)" case "${val%% *}" in OpenSSL|LibreSSL) ;; *) die "\ @@ -316,7 +321,7 @@ $EASYRSA_EC_DIR" # Check that the required ecparams file exists - local out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" + out="$EASYRSA_EC_DIR/${EASYRSA_CURVE}.pem" [ -f "$out" ] && return 0 "$EASYRSA_OPENSSL" ecparam -name "$EASYRSA_CURVE" -out "$out" || die "\ Failed to generate ecparam file (permissions?) when writing to: 
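Review bot: The new `--copy-ext` help line is truncated (the parenthesis opened after `namely subjAltName` is never closed) and says nothing about what copying request extensions implies, which is the part an operator needs before turning it on. Extensions in a CSR are chosen by the requester, so I would finish the line as `--copy-ext : Copy X509 extensions from the request (e.g. subjectAltName) into the signed cert; review the request with show-req first`. The enclosing cmd_help() case arm starts and ends outside this hunk.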
@@ -328,7 +333,7 @@ # Basic sanity-check of PKI init and complain if missing verify_pki_init() { - local help_note="Run easyrsa without commands for usage and command help." + help_note="Run easyrsa without commands for usage and command help." # check that the pki dir exists vars_source_check @@ -347,7 +352,7 @@ # Verify core CA files present verify_ca_init() { - local help_note="Run without commands for usage and command help." + help_note="Run without commands for usage and command help." # First check the PKI has been initialized verify_pki_init @@ -407,7 +412,8 @@ # build-ca backend: build_ca() { - local opts= sub_ca= + opts="" + sub_ca="" while [ -n "$1" ]; do case "$1" in nopass) opts="$opts -nodes" ;; @@ -421,8 +427,8 @@ [ "$EASYRSA_ALGO" = "ec" ] && verify_curve # setup for the simpler sub-CA situation and overwrite with root-CA if needed: - local out_file="$EASYRSA_PKI/reqs/ca.req" - local out_key="$EASYRSA_PKI/private/ca.key" + out_file="$EASYRSA_PKI/reqs/ca.req" + out_key="$EASYRSA_PKI/private/ca.key" if [ ! $sub_ca ]; then out_file="$EASYRSA_PKI/ca.crt" opts="$opts -x509 -days $EASYRSA_CA_EXPIRE" @@ -444,7 +450,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first." # create necessary files and dirs: - local err_file="Unable to create necessary PKI files (permissions?)" + err_file="Unable to create necessary PKI files (permissions?)" for i in issued certs_by_serial; do mkdir -p "$EASYRSA_PKI/$i" || die "$err_file" done 
@@ -454,8 +460,8 @@ # Default CN only when not in global EASYRSA_BATCH mode: [ $EASYRSA_BATCH ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA" - out_key_tmp="$(mktemp -u "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp" - out_file_tmp="$(mktemp -u "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp" + out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp" + out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp" # create the CA keypair: "$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \ @@ -483,7 +489,7 @@ gen_dh() { verify_pki_init - local out_file="$EASYRSA_PKI/dh.pem" + out_file="$EASYRSA_PKI/dh.pem" "$EASYRSA_OPENSSL" dhparam -out "$out_file" $EASYRSA_KEY_SIZE || \ die "Failed to build DH params" notice "\ @@ -498,18 +504,18 @@ [ -n "$1" ] || die "\ Error: gen-req must have a file base as the first argument. Run easyrsa without commands for usage and commands." - local key_out="$EASYRSA_PKI/private/$1.key" - local req_out="$EASYRSA_PKI/reqs/$1.req" + key_out="$EASYRSA_PKI/private/$1.key" + req_out="$EASYRSA_PKI/reqs/$1.req" [ ! $EASYRSA_BATCH ] && EASYRSA_REQ_CN="$1" shift # function opts support - local opts= + opts= while [ -n "$1" ]; do case "$1" in nopass) opts="$opts -nodes" ;; # batch flag supports internal callers needing silent operation - batch) local EASYRSA_BATCH=1 ;; + batch) EASYRSA_BATCH=1 ;; *) warn "Ignoring unknown command option: '$1'" ;; esac shift 
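Review bot: Dropping `-u` removes the create-after-mktemp race, but `mktemp` creates its file with mode 0600 and the same template is used for `out_file_tmp`, which becomes the public `ca.crt` (or `reqs/ca.req` for a sub-CA) when it is renamed into place further down, outside this hunk; if that rename is a plain `mv`, the public file keeps 0600. That is exactly the right mode for `private/ca.key`, but it will surprise anything that reads `ca.crt` as an unprivileged user, so I would add `chmod 0644 "$out_file"` after the rename. build_ca() starts and ends outside this hunk.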
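Review bot: `batch) EASYRSA_BATCH=1 ;;` now sets a global that outlives gen_req, whereas the removed `local EASYRSA_BATCH=1` scoped it to the function; because confirm() (the `@@ -260` hunk above) returns immediately when `EASYRSA_BATCH` is set, every later prompt in the same run is skipped once an internal caller has passed `batch`. That may be what those callers want, but it is an invisible side effect, so make it explicit for a `local`-less shell: `saved_batch="$EASYRSA_BATCH"` before the option loop and `EASYRSA_BATCH="$saved_batch"` before gen_req returns. Minor: `opts=` survived here while every other conversion in this patch writes `opts=""`. gen_req() continues past the end of this hunk.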
@@ -529,25 +535,25 @@ # When EASYRSA_EXTRA_EXTS is defined, append it to openssl's [req] section: if [ -n "$EASYRSA_EXTRA_EXTS" ]; then # Setup & insert the extra ext data keyed by a magic line - local extra_exts=" + extra_exts=" req_extensions = req_extra [ req_extra ] $EASYRSA_EXTRA_EXTS" - local awkscript=' + awkscript=' {if ( match($0, "^#%EXTRA_EXTS%") ) { while ( getline<"/dev/stdin" ) {print} next } {print} }' print "$extra_exts" | \ awk "$awkscript" "$EASYRSA_SSL_CONF" \ - > "$EASYRSA_TEMP_FILE" \ + > "$EASYRSA_TEMP_CONF" \ || die "Copying SSL config to temp file failed" # Use this new SSL config for the rest of this function - local EASYRSA_SSL_CONF="$EASYRSA_TEMP_FILE" + EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF" fi - key_out_tmp="$(mktemp -u "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" - req_out_tmp="$(mktemp -u "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" + key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" + req_out_tmp="$(mktemp "$req_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$req_out_tmp" # generate request [ $EASYRSA_BATCH ] && opts="$opts -batch" "$EASYRSA_OPENSSL" req -utf8 -new -newkey $EASYRSA_ALGO:"$EASYRSA_ALGO_PARAMS" \ @@ -565,14 +571,17 @@ # common signing backend sign_req() { - local crt_type="$1" opts= - local req_in="$EASYRSA_PKI/reqs/$2.req" - local crt_out="$EASYRSA_PKI/issued/$2.crt" + crt_type="$1" + opts="" + req_in="$EASYRSA_PKI/reqs/$2.req" + crt_out="$EASYRSA_PKI/issued/$2.crt" # Randomize Serial number - local i= serial= check_serial= + i="" + serial="" + check_serial="" for i in 1 2 3 4 5; do - "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial" + "$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16 serial="$(cat "$EASYRSA_PKI/serial")" check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)" case "$check_serial" in 
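Review bot: `EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF"` was a `local` override and is now a permanent reassignment, so after gen_req returns every later `openssl` call in the same process — including a sign_req chained by an internal caller — runs against the temporary config rather than the one detected in vars_setup, and clean_temp() deletes that file at exit. Whether any caller chains the two is outside this hunk, but the intent was clearly function scope: `saved_ssl_conf="$EASYRSA_SSL_CONF"` before the `if`, and `EASYRSA_SSL_CONF="$saved_ssl_conf"` after the `openssl req` call. The comment `# Use this new SSL config for the rest of this function` now overstates what the code does. gen_req() starts before and ends after this hunk.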
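Review bot: The exit status of `"$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial" 16` is ignored; if it fails (unwritable PKI dir, an odd `EASYRSA_OPENSSL`) `serial` is empty or stale, `openssl ca -status ""` runs, and the loop carries on toward signing with whatever the `serial` file happened to contain. Append `|| die "Failed to generate a random serial number"` to that line. The 128-bit random serial itself is a good choice — it is what keeps issued serials unpredictable. sign_req() continues beyond this hunk.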
@@ -582,7 +591,7 @@ done # Support batch by internal caller: - [ "$3" = "batch" ] && local EASYRSA_BATCH=1 + [ "$3" = "batch" ] && EASYRSA_BATCH=1 verify_ca_init @@ -623,6 +632,8 @@ # Append first any COMMON file (if present) then the cert-type extensions cat "$EASYRSA_EXT_DIR/COMMON" cat "$EASYRSA_EXT_DIR/$crt_type" + # copy req extensions + [ $EASYRSA_CP_EXT ] && print "copy_extensions = copy" # Support a dynamic CA path length when present: [ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \ @@ -641,25 +652,26 @@ # If type is server and no subjectAltName was requested, # add one to the extensions file - if [[ "$crt_type" == 'server' ]] + if [ "$crt_type" = 'server' ]; then + sname=$(basename $req_in | cut -d. -f1) echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || - print $(default_server_san "$req_in") + default_server_san $req_in fi # Add any advanced extensions supplied by env-var: [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" : # needed to keep die from inherting the above test - } > "$EASYRSA_TEMP_FILE" || die "\ + } > "$EASYRSA_TEMP_EXT" || die "\ Failed to create temp extension file (bad permissions?) at: -$EASYRSA_TEMP_FILE" +$EASYRSA_TEMP_EXT" # sign request - crt_out_tmp="$(mktemp -u "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" + crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ - -extfile "$EASYRSA_TEMP_FILE" -days $EASYRSA_CERT_EXPIRE -batch $opts \ + -extfile "$EASYRSA_TEMP_EXT" -days $EASYRSA_CERT_EXPIRE -batch $opts \ || die "signing failed (openssl output above may have more detail)" mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= notice "\ 
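Review bot: `[ $EASYRSA_CP_EXT ] && print "copy_extensions = copy"` writes the directive into the file passed via `-extfile`, but as far as I recall `openssl ca` reads `copy_extensions` from the `[ CA_default ]` section of the main config rather than from the -extfile, so this may be a no-op — please verify by signing a CSR that carries a subjectAltName and inspecting the issued certificate. If it does take effect it deserves a warning comment, since request extensions are chosen by the requester and with this option the operator must review the CSR (`show-req`) before signing: `# --copy-ext trusts the requester's extensions; review the CSR first`. sign_req() continues outside this hunk.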
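Review bot: `crt_out_tmp` is now created by `mktemp`, which uses mode 0600, and `mv "$crt_out_tmp" "$crt_out"` preserves that mode, so `issued/NAME.crt` — a public artifact — ends up readable only by the CA operator, a behaviour change from 3.0.3 where `-u` left the mode to the process umask; follow the `mv` with `chmod 0644 "$crt_out"` (0600 is still right while the file is half-written). Separately, `sname=$(basename $req_in | cut -d. -f1)` is assigned but never read in this hunk, and both it and `default_server_san $req_in` leave `$req_in` unquoted even though it is built from a user-supplied name. The `[[`-to-`[` conversion is the right direction for the POSIX target. sign_req() starts before this hunk.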
@@ -677,14 +689,14 @@ [ -n "$2" ] || die "\ Error: didn't find a file base name as the first argument. Run easyrsa without commands for usage and commands." - local crt_type="$1" name="$2" - local req_out="$EASYRSA_PKI/reqs/$2.req" - local key_out="$EASYRSA_PKI/private/$2.key" - local crt_out="$EASYRSA_PKI/issued/$2.crt" + crt_type="$1" name="$2" + req_out="$EASYRSA_PKI/reqs/$2.req" + key_out="$EASYRSA_PKI/private/$2.key" + crt_out="$EASYRSA_PKI/issued/$2.crt" shift 2 # function opts support - local req_opts= + req_opts= while [ -n "$1" ]; do case "$1" in nopass) req_opts="$req_opts nopass" ;; @@ -694,7 +706,7 @@ done # abort on existing req/key/crt files - local err_exists="\ + err_exists="\ file already exists. Aborting build to avoid overwriting this file. If you wish to continue, please use a different name or remove the file. Matching file found at: " @@ -719,7 +731,7 @@ [ -n "$1" ] || die "\ Error: didn't find a file base name as the first argument. Run easyrsa without commands for usage and command help." - local crt_in="$EASYRSA_PKI/issued/$1.crt" + crt_in="$EASYRSA_PKI/issued/$1.crt" verify_file x509 "$crt_in" || die "\ Unable to revoke as the input file is not a valid certificate. Unexpected @@ -753,8 +765,8 @@ gen_crl() { verify_ca_init - local out_file="$EASYRSA_PKI/crl.pem" - out_file_tmp="$(mktemp -u "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp" + out_file="$EASYRSA_PKI/crl.pem" + out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_file_tmp" "$EASYRSA_OPENSSL" ca -utf8 -gencrl -out "$out_file_tmp" -config "$EASYRSA_SSL_CONF" || die "\ CRL Generation failed. " @@ -772,8 +784,8 @@ verify_pki_init # pull passed paths - local in_req="$1" short_name="$2" - local out_req="$EASYRSA_PKI/reqs/$2.req" + in_req="$1" short_name="$2" + out_req="$EASYRSA_PKI/reqs/$2.req" [ -n "$short_name" ] || die "\ Unable to import: incorrect command syntax. 
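Review bot: The same `mktemp` change in gen_crl affects `crl.pem`: the temporary is created 0600 and, if the rename later in the function (outside this hunk) is a plain `mv`, the published CRL keeps that mode. A CRL is typically read by a daemon after it has dropped privileges (OpenVPN's `crl-verify` re-reads it on client connects), so this is likely to break existing deployments quietly; add `chmod 0644 "$out_file"` once it is in place, or document the restrictive mode in the ChangeLog if it is intended. gen_crl() ends outside this hunk.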
@@ -801,24 +813,24 @@ # export pkcs#12 or pkcs#7 export_pkcs() { - local pkcs_type="$1" + pkcs_type="$1" shift [ -n "$1" ] || die "\ Unable to export p12: incorrect command syntax. Run easyrsa without commands for usage and command help." - local short_name="$1" - local crt_in="$EASYRSA_PKI/issued/$1.crt" - local key_in="$EASYRSA_PKI/private/$1.key" - local crt_ca="$EASYRSA_PKI/ca.crt" + short_name="$1" + crt_in="$EASYRSA_PKI/issued/$1.crt" + key_in="$EASYRSA_PKI/private/$1.key" + crt_ca="$EASYRSA_PKI/ca.crt" shift verify_pki_init # opts support - local want_ca=1 - local want_key=1 + want_ca=1 + want_key=1 while [ -n "$1" ]; do case "$1" in noca) want_ca= ;; @@ -828,7 +840,7 @@ shift done - local pkcs_opts= + pkcs_opts= if [ $want_ca ]; then verify_file x509 "$crt_ca" || die "\ Unable to include CA cert in the $pkcs_type output (missing file, or use noca option.) @@ -843,7 +855,7 @@ case "$pkcs_type" in p12) - local pkcs_out="$EASYRSA_PKI/private/$short_name.p12" + pkcs_out="$EASYRSA_PKI/private/$short_name.p12" if [ $want_key ]; then [ -f "$key_in" ] || die "\ @@ -860,7 +872,7 @@ Export of p12 failed: see above for related openssl errors." ;; p7) - local pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b" + pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b" # export the p7: "$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \ @@ -881,18 +893,18 @@ verify_pki_init # key type, supplied internally from frontend command call (rsa/ec) - local key_type="$1" + key_type="$1" # values supplied by the user: - local raw_file="$2" - local file="$EASYRSA_PKI/private/$raw_file.key" + raw_file="$2" + file="$EASYRSA_PKI/private/$raw_file.key" [ -n "$raw_file" ] || die "\ Missing argument to 'set-$key_type-pass' command: no name/file supplied. See help output for usage details." # parse command options shift 2 - local crypto="-aes256" + crypto="-aes256" while [ -n "$1" ]; do case "$1" in nopass) crypto= ;; 
@@ -929,20 +941,19 @@ # display cert DN info on a req/X509, passed by full pathname display_dn() { - local format="$1" path="$2" + format="$1" path="$2" print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)" } # => display_dn() # generate default SAN from req/X509, passed by full pathname default_server_san() { - local path="$1" - local cn=$( + path="$1" + cn=$( "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline | awk -F'=' '/^ *CN=/{print $2}' ) - echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$' - if [[ $? -eq 0 ]] - then + echo "$cn" | grep -E -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$' + if [ $? -eq 0 ]; then print "subjectAltName = IP:$cn" else print "subjectAltName = DNS:$cn" @@ -951,7 +962,8 @@ # verify a file seems to be a valid req/X509 verify_file() { - local format="$1" path="$2" + format="$1" + path="$2" "$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1 return 0 } # => verify_file() @@ -959,18 +971,25 @@ # show-* command backend # Prints req/cert details in a readable format show() { - local type="$1" name="$2" in_file format + type="$1" + name="$2" + in_file="" + format="" [ -n "$name" ] || die "\ Missing expected filename_base argument. Run easyrsa without commands for usage help." shift 2 # opts support - local opts="-${type}opt no_pubkey,no_sigdump" + opts="-${type}opt no_pubkey,no_sigdump" while [ -n "$1" ]; do case "$1" in - full) opts= ;; - *) warn "Ignoring unknown command option: '$1'" ;; + full) + opts="" + ;; + *) + warn "Ignoring unknown command option: '$1'" + ;; esac shift done 
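Review bot: The switch from `egrep` to `grep -E` keeps `\d` in the pattern, but `\d` is not a POSIX ERE class — GNU grep treats it as a literal `d` (recent versions warn about the stray backslash) — so the IPv4 test never matches and a server whose CN is an address gets `subjectAltName = DNS:10.0.0.1` instead of `IP:10.0.0.1`, which clients verifying the address against the SAN will not accept. Use `if echo "$cn" | grep -E -q '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then`, which also drops the `$?` indirection. Note too that `$cn` is copied from the request subject into the extension file without escaping; I would expect a comma in a CN to be parsed by openssl as a second SAN entry, so either reject such CNs or confirm the `-nameopt sep_multiline` output escapes them. default_server_san() is complete within this hunk.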
@@ -1011,12 +1030,12 @@ vars_setup() { # Try to locate a 'vars' file in order of location preference. # If one is found, source it - local vars= + vars= # set up program path - local prog_vars="${0%/*}/vars" + prog_vars="${0%/*}/vars" # set up PKI path - local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" + pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" # command-line path: if [ -f "$EASYRSA_VARS_FILE" ]; then @@ -1060,16 +1079,17 @@ set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp" + set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_TEMP_FILE_2 "" set_var EASYRSA_TEMP_FILE_3 "" set_var EASYRSA_REQ_CN ChangeMe set_var EASYRSA_DIGEST sha256 # Detect openssl config, preferring EASYRSA_PKI over EASYRSA - if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then - set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-1.0.cnf" - else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf" + if [ -f "$EASYRSA_PKI/openssl-easyrsa.cnf" ]; then + set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" + else set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf" fi # Same as above for the x509-types extensions dir @@ -1095,9 +1115,9 @@ # the variable when it is already defined (even if currently null) # Sets $1 as the value contained in $2 and exports (may be blank) set_var() { - local var=$1 + var=$1 shift - local value="$*" + value="$*" eval "export $var=\"\${$var-$value}\"" } #=> set_var() 
@@ -1167,6 +1187,9 @@ export EASYRSA_SUBCA_LEN="$val" ;; --vars) export EASYRSA_VARS_FILE="$val" ;; + --copy-ext) + empty_ok=1 + export EASYRSA_CP_EXT=1 ;; --subject-alt-name) export EASYRSA_EXTRA_EXTS="\ $EASYRSA_EXTRA_EXTS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/mktemp.txt new/EasyRSA-3.0.4/mktemp.txt --- old/EasyRSA-3.0.3/mktemp.txt 1970-01-01 01:00:00.000000000 +0100 +++ new/EasyRSA-3.0.4/mktemp.txt 2018-01-21 16:37:25.000000000 +0100 @@ -0,0 +1,20 @@ +Mktemp is distributed under the following ISC-style license: + + Copyright (c) 1996-1997, 2000-2001, 2008, 2010 + Todd C. Miller <[email protected]> + Copyright (c) 1996, David Mazieres <[email protected]> + Copyright (c) 2008, Damien Miller <[email protected]> + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +From https://www.mktemp.org/mktemp/license.html diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/openssl-1.0.cnf new/EasyRSA-3.0.4/openssl-1.0.cnf --- old/EasyRSA-3.0.3/openssl-1.0.cnf 2015-09-03 01:10:26.000000000 +0200 +++ new/EasyRSA-3.0.4/openssl-1.0.cnf 1970-01-01 01:00:00.000000000 +0100 
@@ -1,137 +0,0 @@ -# For use with Easy-RSA 3.0 and OpenSSL 1.0.* - -RANDFILE = $ENV::EASYRSA_PKI/.rnd - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::EASYRSA_PKI # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/certs_by_serial # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = basic_exts # The extentions to add to the cert - -# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA -# is designed for will. In return, we get the Issuer attached to CRLs. 
-crl_extensions = crl_ext - -default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for -default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL -default_md = $ENV::EASYRSA_DIGEST # use public key default MD -preserve = no # keep passed DN ordering - -# A few difference way of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the 'anything' policy, which defines allowed DN fields -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -name = optional -emailAddress = optional - -#################################################################### -# Easy-RSA request handling -# We key off $DN_MODE to determine how to format the DN -[ req ] -default_bits = $ENV::EASYRSA_KEY_SIZE -default_keyfile = privkey.pem -default_md = $ENV::EASYRSA_DIGEST -distinguished_name = $ENV::EASYRSA_DN -x509_extensions = easyrsa_ca # The extentions to add to the self signed cert - -# A placeholder to handle the $EXTRA_EXTS feature: -#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it - -#################################################################### -# Easy-RSA DN (Subject) handling - -# Easy-RSA DN for cn_only support: -[ cn_only ] -commonName = Common Name (eg: your user, host, or server name) -commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN - -# Easy-RSA DN for org support: -[ org ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::EASYRSA_REQ_COUNTRY -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE - -localityName = Locality Name (eg, city) -localityName_default = $ENV::EASYRSA_REQ_CITY - 
-0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::EASYRSA_REQ_ORG - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = $ENV::EASYRSA_REQ_OU - -commonName = Common Name (eg: your user, host, or server name) -commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN - -emailAddress = Email Address -emailAddress_default = $ENV::EASYRSA_REQ_EMAIL -emailAddress_max = 64 - -#################################################################### -# Easy-RSA cert extension handling - -# This section is effectively unused as the main script sets extensions -# dynamically. This core section is left to support the odd usecase where -# a user calls openssl directly. -[ basic_exts ] -basicConstraints = CA:FALSE -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always - -# The Easy-RSA CA extensions -[ easyrsa_ca ] - -# PKIX recommendations: - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always - -# This could be marked critical, but it's nice to support reading by any -# broken clients who attempt to do so. -basicConstraints = CA:true - -# Limit key usage to CA tasks. If you really want to use the generated pair as -# a self-signed cert, comment this out. -keyUsage = cRLSign, keyCertSign - -# nsCertType omitted by default. Let's try to let the deprecated stuff die. -# nsCertType = sslCA - -# CRL extensions. -[ crl_ext ] - -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/openssl-easyrsa.cnf new/EasyRSA-3.0.4/openssl-easyrsa.cnf --- old/EasyRSA-3.0.3/openssl-easyrsa.cnf 1970-01-01 01:00:00.000000000 +0100 +++ new/EasyRSA-3.0.4/openssl-easyrsa.cnf 2018-01-21 16:37:26.000000000 +0100 
@@ -0,0 +1,137 @@
+# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
+
+RANDFILE = $ENV::EASYRSA_PKI/.rnd
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = $ENV::EASYRSA_PKI # Where everything is kept
+certs = $dir # Where the issued certs are kept
+crl_dir = $dir # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+new_certs_dir = $dir/certs_by_serial # default place for new certs.
+
+certificate = $dir/ca.crt # The CA certificate
+serial = $dir/serial # The current serial number
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/ca.key # The private key
+RANDFILE = $dir/.rand # private random number file
+
+x509_extensions = basic_exts # The extentions to add to the cert
+
+# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
+# is designed for will. In return, we get the Issuer attached to CRLs.
+crl_extensions = crl_ext
+
+default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for
+default_crl_days= $ENV::EASYRSA_CRL_DAYS # how long before next CRL
+default_md = $ENV::EASYRSA_DIGEST # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_anything
+
+# For the 'anything' policy, which defines allowed DN fields
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+name = optional
+emailAddress = optional
+
+####################################################################
+# Easy-RSA request handling
+# We key off $DN_MODE to determine how to format the DN
+[ req ]
+default_bits = $ENV::EASYRSA_KEY_SIZE
+default_keyfile = privkey.pem
+default_md = $ENV::EASYRSA_DIGEST
+distinguished_name = $ENV::EASYRSA_DN
+x509_extensions = easyrsa_ca # The extentions to add to the self signed cert
+
+# A placeholder to handle the $EXTRA_EXTS feature:
+#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it
+
+####################################################################
+# Easy-RSA DN (Subject) handling
+
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+# Easy-RSA DN for org support:
+[ org ]
+countryName = Country Name (2 letter code)
+countryName_default = $ENV::EASYRSA_REQ_COUNTRY
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
+
+localityName = Locality Name (eg, city)
+localityName_default = $ENV::EASYRSA_REQ_CITY
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = $ENV::EASYRSA_REQ_ORG
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+organizationalUnitName_default = $ENV::EASYRSA_REQ_OU
+
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
+emailAddress = Email Address
+emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
+emailAddress_max = 64
+
+####################################################################
+# Easy-RSA cert extension handling
+
+# This section is effectively unused as the main script sets extensions
+# dynamically. This core section is left to support the odd usecase where
+# a user calls openssl directly.
+[ basic_exts ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+
+# The Easy-RSA CA extensions
+[ easyrsa_ca ]
+
+# PKIX recommendations:
+
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This could be marked critical, but it's nice to support reading by any
+# broken clients who attempt to do so.
+basicConstraints = CA:true
+
+# Limit key usage to CA tasks. If you really want to use the generated pair as
+# a self-signed cert, comment this out.
+keyUsage = cRLSign, keyCertSign
+
+# nsCertType omitted by default. Let's try to let the deprecated stuff die.
+# nsCertType = sslCA
+
+# CRL extensions.
+[ crl_ext ]
+
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/vars.example new/EasyRSA-3.0.4/vars.example
--- old/EasyRSA-3.0.3/vars.example 2015-09-03 01:10:26.000000000 +0200
+++ new/EasyRSA-3.0.4/vars.example 2018-01-21 16:37:26.000000000 +0100
@@ -39,10 +39,15 @@
 # DO YOUR EDITS BELOW THIS POINT
-# This variable should point to the top level of the easy-rsa tree. By default,
-# this is taken to be the directory you are currently in.
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
-#set_var EASYRSA "$PWD"
+#set_var EASYRSA "${0%/*}"
 # If your OpenSSL command is not in the system PATH, you will need to define the
 # path to it here. Normally this means a full path to the executable, otherwise
@@ -57,12 +62,14 @@
 # This sample is in Windows syntax -- edit it for your path if not using PATH:
 #set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-# Edit this variable to point to your soon-to-be-created key directory.
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
 #
 # WARNING: init-pki will do a rm -rf on this directory so make sure you define
 # it correctly! (Interactive mode will prompt before acting.)
-#set_var EASYRSA_PKI "$EASYRSA/pki"
+#set_var EASYRSA_PKI "$PWD/pki"
 # Define X509 DN mode.
 # This is used to adjust what elements are included in the Subject field as the DN
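Review bot: The new default `#set_var EASYRSA "${0%/*}"` does not resolve to a directory when easyrsa is started by bare name through PATH: `$0` is then `easyrsa` with no slash, `${0%/*}` returns it unchanged, and EASYRSA becomes a relative, non-existent path rather than the script location the new comment promises. When the script is reached through a symlink, `$0` names the link, so the expansion yields the link's directory, which need not contain the configuration files either. The comment's claim that the configuration files sit next to the script also does not hold for this package, whose suse-packaging.patch further down this page points prog_vars at /etc/easy-rsa/vars instead. A note next to the set_var line such as `# NOTE: "${0%/*}" is only a usable directory when easyrsa is invoked with a path component; via PATH or a symlink, set EASYRSA explicitly` would save users from a silent mis-resolution.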
@@ -172,12 +179,12 @@
 # OpenSSL config file:
 # If you need to use a specific openssl config file, you can reference it here.
-# Normally this file is auto-detected from a file named openssl-1.0.cnf from the
+# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
 # EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
 # specific and you cannot just use a standard config file, so this is an
 # advanced feature.
-#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-1.0.cnf"
+#set_var EASYRSA_SSL_CONF "$EASYRSA/openssl-easyrsa.cnf"
 # Default CN:
 # This is best left alone. Interactively you will set this manually, and BATCH
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/x509-types/code-signing new/EasyRSA-3.0.4/x509-types/code-signing
--- old/EasyRSA-3.0.3/x509-types/code-signing 1970-01-01 01:00:00.000000000 +0100
+++ new/EasyRSA-3.0.4/x509-types/code-signing 2018-01-21 16:37:26.000000000 +0100
@@ -0,0 +1,8 @@
+# X509 extensions for a client
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = codeSigning
+keyUsage = digitalSignature
+
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/EasyRSA-3.0.3/x509-types/san new/EasyRSA-3.0.4/x509-types/san
--- old/EasyRSA-3.0.3/x509-types/san 2017-08-22 00:55:16.000000000 +0200
+++ new/EasyRSA-3.0.4/x509-types/san 1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-[ san ]
-subjectAltName=${ENV::SAN}
++++++ suse-packaging.patch ++++++
--- /var/tmp/diff_new_pack.hj9Ekj/_old 2018-01-30 15:44:30.498311853 +0100
+++ /var/tmp/diff_new_pack.hj9Ekj/_new 2018-01-30 15:44:30.502311667 +0100
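Review bot: The header of the new x509-types/code-signing file reads `# X509 extensions for a client`, which looks copied from the client type and misdescribes the profile; `# X509 extensions for a code-signing certificate` matches the `extendedKeyUsage = codeSigning` below it. Neither keyUsage nor extendedKeyUsage is marked critical, so a relying party that ignores the EKU extension is not told the certificate is restricted to code signing; whether `critical,` belongs on either line depends on which consumers easy-rsa targets, so a one-line comment recording that decision would help the next maintainer. This fragment has no section header, whereas the removed x509-types/san file carried `[ san ]`; presumably the main script injects x509-types fragments into a section itself, but that is not visible here and is worth confirming.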
@@ -2,20 +2,20 @@ --- easyrsa3/easyrsa 2017-07-19 05:24:59.583924924 +0200 *************** *** 1014,1020 **** - local vars= + vars= # set up program path -! local prog_vars="${0%/*}/vars" +! prog_vars="${0%/*}/vars" # set up PKI path - local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" + pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" --- 1014,1020 ---- - local vars= + vars= # set up program path -! local prog_vars="/etc/easy-rsa/vars" +! prog_vars="/etc/easy-rsa/vars" # set up PKI path - local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" + pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars" *************** *** 1041,1047 ****
