From d530bc3aa55dd58e87e75d59bd50fd4e6f2becbe Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 4 Dec 2024 22:36:25 +0000 Subject: [PATCH 1/7] Always use locate_support_files() after secure_session() easyrsa: Move locate_support_files() to the last command in verify_working_env(). This means that for single commands, locate_support_files() will find an existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared '$EASYRSA_SSL_CONF' variable. For build_full(), use locate_support_files() after secure_session(), during the phase between gen_req() and sign_req(), when the secure session is recreated. easyrsa-tools.lib: In read_db(), set the same order as above, between each record. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 ++++++++++---- easyrsa3/easyrsa-tools.lib | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d64dcbd1..17a15f70 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2984,8 +2984,8 @@ Conflicting file found at: # Recreate temp-session and # drop edits to SSL Conf file remove_secure_session - locate_support_files secure_session + locate_support_files write_global_safe_ssl_cnf_tmp # Require --copy-ext @@ -4661,6 +4661,11 @@ verify_working_env() { write_global_safe_ssl_cnf_tmp fi fi + + # Find x509-types, openssl-easyrsa.cnf + # and easyrsa-tools.lib + locate_support_files + verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() @@ -4716,6 +4721,10 @@ verify_working_env - easyrsa_mktemp global_safe_ssl_cnf_tmp" # If the existing file has a known hash then use temp-file. # Otherwise, use the file in place. write_easyrsa_ssl_cnf_tmp() { + # If EASYRSA_SSL_CONF is undefined then use default + [ "$EASYRSA_SSL_CONF" ] || set_var \ + EASYRSA_SSL_CONF "$EASYRSA_PKI"/openssl-easyrsa.cnf + if [ -f "$EASYRSA_SSL_CONF" ]; then verbose "write_easyrsa_ssl_cnf_tmp: SSL config EXISTS" @@ -5832,9 +5841,6 @@ validate_default_vars # Check for conflicting input options mutual_exclusions -# Find x509-types, openssl-easyrsa.cnf and easyrsa-tools.lib -locate_support_files - # Verify SSL Lib - One time ONLY verify_ssl_lib diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib index d92cad86..37a080d4 100644 --- a/easyrsa3/easyrsa-tools.lib +++ b/easyrsa3/easyrsa-tools.lib @@ -417,11 +417,11 @@ read_db() { # Recreate temp session remove_secure_session || \ die "read_db - remove_secure_session" - locate_support_files secure_session || \ die "read_db - secure_session" # Recreate openssl-easyrsa.cnf (Temp) write_global_safe_ssl_cnf_tmp + locate_support_files # Interpret the db/certificate record unset -v db_serial db_cn db_revoke_date db_reason From d6937113f0854ea275d3caf27617c2d0432478b9 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 4 Dec 2024 22:37:54 +0000 Subject: [PATCH 2/7] ChangeLog: bugfix: Use locate_support_files() after secure_session() Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 91c0c800..24c60197 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270) * bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267) * Introduce new command 'revoke-issued' (38bf2d8) (#1266) Commands 'revoke' and 'revoke-issued' are identical. From 7cdb14dde66d7e67f552310f0ddb49298e90ab54 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 5 Dec 2024 18:50:57 +0000 Subject: [PATCH 3/7] Save and Restore $EASYRSA_SSL_CONF for compound commands Compound function build_full() calls gen_req() then sign_req(). However, between the two, $EASYRSA_SSL_CONF is set to a temp-file, which has now been deleted. This causes sign_req() to use a different SSL config file than that used by gen_req(). Also, '--ssl-conf' is ignored when secure_session() clears $EASYRSA_SSL_CONF. This change saves the original setting for $EASYRSA_SSL_CONF, which is then restored when remove_secure_session() is called. Also, secure_session() no longer clears $EASYRSA_SSL_CONF, preserving the setting of '--ssl-conf'. This mechanism also covers easyrsa-tools.lib:read_db(), which also resets the temporary session. This does not require updating easyrsa-tool.lib version (@v322). Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 13 +++++++++---- easyrsa3/easyrsa-tools.lib | 12 +++++------- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 17a15f70..b135a8d8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -840,8 +840,7 @@ secure_session - Missing temporary directory: die "secure_session - temp-file EXISTS" # New session requires safe-ssl conf - unset -v session OPENSSL_CONF \ - EASYRSA_SSL_CONF safe_ssl_cnf_tmp \ + unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \ working_safe_ssl_conf working_safe_org_conf easyrsa_err_log="$secured_session/error.log" @@ -859,8 +858,11 @@ remove_secure_session() { if rm -rf "$secured_session"; then verbose "\ remove_secure_session: DELETED: $secured_session" - unset -v secured_session OPENSSL_CONF \ - EASYRSA_SSL_CONF safe_ssl_cnf_tmp \ + + # Restore original EASYRSA_SSL_CONF + EASYRSA_SSL_CONF="$original_ssl_cnf" + + unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \ working_safe_ssl_conf working_safe_org_conf return fi @@ -4666,6 +4668,9 @@ verify_working_env() { # and easyrsa-tools.lib locate_support_files + # Save original EASYRSA_SSL_CONF + original_ssl_cnf="$EASYRSA_SSL_CONF" + verbose "verify_working_env: COMPLETED Handover-to: $cmd" } # => verify_working_env() diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib index 37a080d4..e9e4aed2 100644 --- a/easyrsa3/easyrsa-tools.lib +++ b/easyrsa3/easyrsa-tools.lib @@ -414,14 +414,12 @@ read_db() { verbose "***** Read next record *****" - # Recreate temp session - remove_secure_session || \ - die "read_db - remove_secure_session" - secure_session || \ - die "read_db - secure_session" - # Recreate openssl-easyrsa.cnf (Temp) - write_global_safe_ssl_cnf_tmp + # Recreate temp-session and + # drop edits to SSL Conf file + remove_secure_session + secure_session locate_support_files + write_global_safe_ssl_cnf_tmp # Interpret the db/certificate record unset -v db_serial db_cn db_revoke_date db_reason From 5049ff609d5f0960f3647bbd13e2bbc6860a49fb Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 5 Dec 2024 22:38:59 +0000 Subject: [PATCH 4/7] ChangeLog: bugfix: Save/Restore $EASYRSA_SSL_CONF for compound commands Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 24c60197..1c97b3ac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270) * bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270) * bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267) * Introduce new command 'revoke-issued' (38bf2d8) (#1266) From c7884234d8fafb84ae3865d6d494b8cdc2dcf510 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 6 Dec 2024 00:48:42 +0000 Subject: [PATCH 5/7] Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf Retain --ssl-conf for backward cmpatibility Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b135a8d8..cfdcb96f 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -625,7 +625,7 @@ General options: (Default PKI directory is sub-directory 'pki') See Advanced.md for in depth usage. ---ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use +--ssl-cnf=FILE : Define a specific OpenSSL config file for Easy-RSA to use (Default config file is in the EasyRSA PKI directory) --force-safe-ssl: Always generate a safe SSL config file (Default: Generate Safe SSL config once per instance) @@ -5592,7 +5592,7 @@ while :; do --tmp-dir) export EASYRSA_TEMP_DIR="$val" ;; - --ssl-conf) + --ssl-cnf|--ssl-conf) export EASYRSA_SSL_CONF="$val" ;; --keep-tmp) From fab08b2d1e2746fe52a373b1cfd706aed6fc18ad Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 6 Dec 2024 00:52:36 +0000 Subject: [PATCH 6/7] ChangeLog: Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 1c97b3ac..020c0927 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270) * bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270) * bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270) * bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267) From a3dc16822df8146d445617a409f9025e4a718723 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Fri, 6 Dec 2024 02:07:55 +0000 Subject: [PATCH 7/7] sign-req: Add comment to clarify restriction for EASYRSA_REQ_CN To change a requested CN use option --new-subject not --req-cn. Option --req-cn is reserved for use with commamd 'gen-req'. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 1 + 1 file changed, 1 insertion(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cfdcb96f..c1f7bc44 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2680,6 +2680,7 @@ basicConstraints is not defined, cannot use 'pathlen'" # Get request CN # EASYRSA_REQ_CN MUST always be set to the CSR CN + # or use --new-subect EASYRSA_REQ_CN="$( "$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \ -subject -nameopt multiline | grep 'commonName'