From 7039d02952bc68e0d06dc1efd0b07a430099544d Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sat, 15 Jul 2023 21:13:13 +0100 Subject: [PATCH] Add vars.example here-doc and move here-docs code to lower section Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 588 ++++++++++++++++++++++++++++++----------------- 1 file changed, 375 insertions(+), 213 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index dad73e597..0044f6b32 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1522,219 +1522,6 @@ install_data_to_pki - Missing: '$x509_types_dir'" verbose "install_data_to_pki: $context - COMPLETED" } # => install_data_to_pki () -# Create X509-type files -create_x509_type() { - x509_type="$1" - [ "$x509_type" ] || \ - die "create_x509_type - type undefined" - - case "$x509_type" in - COMMON) - cat <<- "X509_TYPE_COMMON" - X509_TYPE_COMMON - ;; - serverClient) - create_x509_type_easyrsa - cat <<- "X509_TYPE_SERV_CLI" - extendedKeyUsage = serverAuth,clientAuth - X509_TYPE_SERV_CLI - ;; - server) - create_x509_type_easyrsa - cat <<- "X509_TYPE_SERV" - extendedKeyUsage = serverAuth - X509_TYPE_SERV - ;; - client) - create_x509_type_easyrsa - cat <<- "X509_TYPE_CLI" - extendedKeyUsage = clientAuth - X509_TYPE_CLI - ;; - ca) - cat <<- "X509_TYPE_CA" - basicConstraints = CA:TRUE - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid:always,issuer:always - keyUsage = cRLSign, keyCertSign - X509_TYPE_CA - ;; - *) - # Unknown type: User MUST supply the X509 file - die "Unknown X509 type: $x509_type" - esac -} # => create_x509_type() - -# Create x509-type/easyrsa -# This could be COMMON but not is not suitable for a CA -create_x509_type_easyrsa() { - cat <<- "X509_TYPE_EASYRSA" - basicConstraints = CA:FALSE - subjectKeyIdentifier = hash - authorityKeyIdentifier = keyid,issuer:always - keyUsage = digitalSignature,keyEncipherment - X509_TYPE_EASYRSA -} # => create_x509_type_easyrsa() - -# Create vars.example - Not used -# TODO -create_vars_example() { - cat << "VARSEXFILECOMPLETE" -VARSEXFILECOMPLETE -} # => create_vars_example() - -# Create openssl-easyrsa.cnf -create_openssl_easyrsa_cnf() { - cat << "SSLCONFCOMPLETE" -# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL - -#################################################################### -[ ca ] -default_ca = CA_default # The default ca section - -#################################################################### -[ CA_default ] - -dir = $ENV::EASYRSA_PKI # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/certs_by_serial # default place for new certs. - -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/ca.key # The private key -RANDFILE = $dir/.rand # private random number file - -x509_extensions = basic_exts # The extensions to add to the cert - -# A placeholder to handle the --copy-ext feature: -#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it - -# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA -# is designed for will. In return, we get the Issuer attached to CRLs. -crl_extensions = crl_ext - -default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for -default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL -default_md = $ENV::EASYRSA_DIGEST # use public key default MD -preserve = no # keep passed DN ordering - -# This allows to renew certificates which have not been revoked -unique_subject = no - -# A few different ways of specifying how similar the request should look -# For type CA, the listed attributes must be the same, and the optional -# and supplied fields are just that :-) -policy = policy_anything - -# For the 'anything' policy, which defines allowed DN fields -[ policy_anything ] -countryName = optional -stateOrProvinceName = optional -localityName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional -serialNumber = optional - -#################################################################### -# Easy-RSA request handling -# We key off $DN_MODE to determine how to format the DN -[ req ] -default_bits = $ENV::EASYRSA_KEY_SIZE -default_keyfile = privkey.pem -default_md = $ENV::EASYRSA_DIGEST -distinguished_name = $ENV::EASYRSA_DN -x509_extensions = easyrsa_ca # The extensions to add to the self signed cert - -# A placeholder to handle the $EXTRA_EXTS feature: -#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it - -#################################################################### -# Easy-RSA DN (Subject) handling - -# Easy-RSA DN for cn_only support: -[ cn_only ] -commonName = Common Name (eg: your user, host, or server name) -commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN - -# Easy-RSA DN for org support: -[ org ] -countryName = Country Name (2 letter code) -countryName_default = $ENV::EASYRSA_REQ_COUNTRY -countryName_min = 2 -countryName_max = 2 - -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE - -localityName = Locality Name (eg, city) -localityName_default = $ENV::EASYRSA_REQ_CITY - -0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::EASYRSA_REQ_ORG - -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = $ENV::EASYRSA_REQ_OU - -commonName = Common Name (eg: your user, host, or server name) -commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN - -emailAddress = Email Address -emailAddress_default = $ENV::EASYRSA_REQ_EMAIL -emailAddress_max = 64 - -serialNumber = Serial-number (eg, device serial-number) -serialNumber_default = $ENV::EASYRSA_REQ_SERIAL - -#################################################################### -# Easy-RSA cert extension handling - -# This section is effectively unused as the main script sets extensions -# dynamically. This core section is left to support the odd usecase where -# a user calls openssl directly. -[ basic_exts ] -basicConstraints = CA:FALSE -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always - -# The Easy-RSA CA extensions -[ easyrsa_ca ] - -# PKIX recommendations: - -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always - -# This could be marked critical, but it's nice to support reading by any -# broken clients who attempt to do so. -basicConstraints = CA:true - -# Limit key usage to CA tasks. If you really want to use the generated pair as -# a self-signed cert, comment this out. -keyUsage = cRLSign, keyCertSign - -# nsCertType omitted by default. Let's try to let the deprecated stuff die. -# nsCertType = sslCA - -# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: -#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it - -# CRL extensions. -[ crl_ext ] - -# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. - -# issuerAltName=issuer:copy -authorityKeyIdentifier=keyid:always,issuer:always' -SSLCONFCOMPLETE -} # => create_openssl_easyrsa_cnf() - # Disable terminal echo, if possible, otherwise warn hide_read_pass() { @@ -5943,6 +5730,381 @@ force_set_var() { +############################################################################ +# +# Create X509-type files +create_x509_type() { + case "$1" in + COMMON) + cat <<- "X509_TYPE_COMMON" + X509_TYPE_COMMON + ;; + serverClient) + create_x509_type_easyrsa + cat <<- "X509_TYPE_SERV_CLI" + extendedKeyUsage = serverAuth,clientAuth + X509_TYPE_SERV_CLI + ;; + server) + create_x509_type_easyrsa + cat <<- "X509_TYPE_SERV" + extendedKeyUsage = serverAuth + X509_TYPE_SERV + ;; + client) + create_x509_type_easyrsa + cat <<- "X509_TYPE_CLI" + extendedKeyUsage = clientAuth + X509_TYPE_CLI + ;; + ca) + cat <<- "X509_TYPE_CA" + basicConstraints = CA:TRUE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid:always,issuer:always + keyUsage = cRLSign, keyCertSign + X509_TYPE_CA + ;; + *) + # Unknown type: User MUST supply the X509 file + die "create_x509_type - Unknown X509 type: '$1'" + esac +} # => create_x509_type() + +# Create x509-type/easyrsa +# This could be COMMON but not is not suitable for a CA +create_x509_type_easyrsa() { + cat <<- "X509_TYPE_EASYRSA" + basicConstraints = CA:FALSE + subjectKeyIdentifier = hash + authorityKeyIdentifier = keyid,issuer:always + keyUsage = digitalSignature,keyEncipherment + X509_TYPE_EASYRSA +} # => create_x509_type_easyrsa() + +# Create vars.example - Minimum settings only +create_vars_example() { + cat << "VARS_EXAMPLE" +# Easy-RSA 3 parameter settings + +# NOTE: If you installed Easy-RSA from your package manager, do not edit +# this file in place -- instead, you should copy the entire easy-rsa directory +# to another location so future upgrades do not wipe out your changes. + +# HOW TO USE THIS FILE +# +# vars.example contains built-in examples to Easy-RSA settings. You MUST name +# this file "vars" if you want it to be used as a configuration file. If you +# do not, it WILL NOT be automatically read when you call easyrsa commands. +# +# It is not necessary to use this config file unless you wish to change +# operational defaults. These defaults should be fine for many uses without +# the need to copy and edit the "vars" file. +# +# All of the editable settings are shown commented and start with the command +# "set_var" -- this means any set_var command that is uncommented has been +# modified by the user. If you are happy with a default, there is no need to +# define the value to its default. + +# NOTES FOR WINDOWS USERS +# +# Paths for Windows *MUST* use forward slashes, or optionally double-escaped +# backslashes (single forward slashes are recommended.) This means your path +# to the openssl binary might look like this: +# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# A little housekeeping: DO NOT EDIT THIS SECTION +# +# Easy-RSA 3.x does not source into the environment directly. +# Complain if a user tries to do this: +if [ -z "$EASYRSA_CALLER" ]; then + echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2 + echo "no longer necessary and is disallowed. See the section called" >&2 + echo "*How to use this file* near the top comments for more details." >&2 + return 1 +fi + +# DO YOUR EDITS BELOW THIS POINT + +# This variable is used as the base location of configuration files needed by +# easyrsa. More specific variables for specific files (eg: EASYRSA_SSL_CONF) +# may override this default. +# +# The default value of this variable is the location of the easyrsa script +# itself, which is also where the configuration files are located in the +# easy-rsa tree. +# +#set_var EASYRSA "${0%/*}" + +# If your OpenSSL command is not in the system PATH, you will need to define +# the path here. Normally this means a full path to the executable, otherwise +# you could have left it undefined here and the shown default would be used. +# +# Windows users, remember to use paths with forward-slashes (or escaped +# back-slashes.) Windows users should declare the full path to the openssl +# binary here if it is not in their system PATH. +# +#set_var EASYRSA_OPENSSL "openssl" +# +# This sample is in Windows syntax -- edit it for your path if not using PATH: +#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe" + +# Edit this variable to point to your soon-to-be-created key directory. +# By default, this will be "$PWD/pki" (ie: the "pki" subdirectory of the +# directory you are currently in). +# +# WARNING: init-pki will do a rm -rf on this directory so make sure you define +# it correctly! Interactive mode will prompt before acting. +# +#set_var EASYRSA_PKI "$PWD/pki" + +# Define directory for temporary subdirectories. +# +#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI" + +# Define X509 DN mode. +# +# This is used to adjust which elements are included in the Subject field +# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the +# Organizational fields, listed further below, are not used. +# +# Choices are: +# cn_only - Use just a commonName value. +# org - Use the "traditional" format: +# Country/Province/City/Org/Org.Unit/email/commonName +# +#set_var EASYRSA_DN "cn_only" + +# Organizational fields (used with "org" mode and ignored in "cn_only" mode). +# These are the default values for fields which will be placed in the +# certificate. Do not leave any of these fields blank, although interactively +# you may omit any specific field by typing the "." symbol (not valid for +# email). +# +# NOTE: The following characters are not supported +# in these "Organizational fields" by Easy-RSA: +# back-tick (`) +# +#set_var EASYRSA_REQ_COUNTRY "US" +#set_var EASYRSA_REQ_PROVINCE "California" +#set_var EASYRSA_REQ_CITY "San Francisco" +#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co" +#set_var EASYRSA_REQ_EMAIL "me@example.net" +#set_var EASYRSA_REQ_OU "My Organizational Unit" + +# Preserve the Distinguished Name field order +# of the certificate signing request +# *Only* effective in --dn-mode=org +# +#set_var EASYRSA_PRESERVE_DN 1 + +# Set no password mode - This will create the entire PKI without passwords. +# This can be better managed by choosing which entity private keys should be +# encrypted with the following command line options: +# Global option '--no-pass' or command option 'nopass'. +# +#set_var EASYRSA_NO_PASS 1 + +# Choose a size in bits for your keypairs. The recommended value is 2048. +# Using 2048-bit keys is considered more than sufficient for many years into +# the future. Larger keysizes will slow down TLS negotiation and make key/DH +# param generation take much longer. Values up to 4096 should be accepted by +# most software. Only used when the crypto alg is rsa, see below. +# +#set_var EASYRSA_KEY_SIZE 2048 + +# The default crypto mode is rsa; ec can enable elliptic curve support. +# Note that not all software supports ECC, so use care when enabling it. +# Choices for crypto alg are: (each in lower-case) +# * rsa +# * ec +# * ed +# +#set_var EASYRSA_ALGO rsa + +# Define the named curve, used in ec & ed modes: +# +#set_var EASYRSA_CURVE secp384r1 + +# In how many days should the root CA key expire? +# +#set_var EASYRSA_CA_EXPIRE 3650 + +# In how many days should certificates expire? +# +#set_var EASYRSA_CERT_EXPIRE 825 + +# How many days until the next CRL publish date? Note that the CRL can still +# be parsed after this timeframe passes. It is only used for an expected next +# publication date. +# +#set_var EASYRSA_CRL_DAYS 180 + +# Random serial numbers by default. +# Set to 'no' for the old incremental serial numbers. +# +#set_var EASYRSA_RAND_SN "yes" + +# Cut-off window for checking expiring certificates. +# +#set_var EASYRSA_PRE_EXPIRY_WINDOW 90 +VARS_EXAMPLE +} # => create_vars_example() + +# Create openssl-easyrsa.cnf +create_openssl_easyrsa_cnf() { + cat << "SSL_CONFIG" +# For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL + +#################################################################### +[ ca ] +default_ca = CA_default # The default ca section + +#################################################################### +[ CA_default ] + +dir = $ENV::EASYRSA_PKI # Where everything is kept +certs = $dir # Where the issued certs are kept +crl_dir = $dir # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/certs_by_serial # default place for new certs. + +certificate = $dir/ca.crt # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/private/ca.key # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = basic_exts # The extensions to add to the cert + +# A placeholder to handle the --copy-ext feature: +#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it + +# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA +# is designed for will. In return, we get the Issuer attached to CRLs. +crl_extensions = crl_ext + +default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for +default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL +default_md = $ENV::EASYRSA_DIGEST # use public key default MD +preserve = no # keep passed DN ordering + +# This allows to renew certificates which have not been revoked +unique_subject = no + +# A few different ways of specifying how similar the request should look +# For type CA, the listed attributes must be the same, and the optional +# and supplied fields are just that :-) +policy = policy_anything + +# For the 'anything' policy, which defines allowed DN fields +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional +serialNumber = optional + +#################################################################### +# Easy-RSA request handling +# We key off $DN_MODE to determine how to format the DN +[ req ] +default_bits = $ENV::EASYRSA_KEY_SIZE +default_keyfile = privkey.pem +default_md = $ENV::EASYRSA_DIGEST +distinguished_name = $ENV::EASYRSA_DN +x509_extensions = easyrsa_ca # The extensions to add to the self signed cert + +# A placeholder to handle the $EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it + +#################################################################### +# Easy-RSA DN (Subject) handling + +# Easy-RSA DN for cn_only support: +[ cn_only ] +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +# Easy-RSA DN for org support: +[ org ] +countryName = Country Name (2 letter code) +countryName_default = $ENV::EASYRSA_REQ_COUNTRY +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE + +localityName = Locality Name (eg, city) +localityName_default = $ENV::EASYRSA_REQ_CITY + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $ENV::EASYRSA_REQ_ORG + +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = $ENV::EASYRSA_REQ_OU + +commonName = Common Name (eg: your user, host, or server name) +commonName_max = 64 +commonName_default = $ENV::EASYRSA_REQ_CN + +emailAddress = Email Address +emailAddress_default = $ENV::EASYRSA_REQ_EMAIL +emailAddress_max = 64 + +serialNumber = Serial-number (eg, device serial-number) +serialNumber_default = $ENV::EASYRSA_REQ_SERIAL + +#################################################################### +# Easy-RSA cert extension handling + +# This section is effectively unused as the main script sets extensions +# dynamically. This core section is left to support the odd usecase where +# a user calls openssl directly. +[ basic_exts ] +basicConstraints = CA:FALSE +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +# The Easy-RSA CA extensions +[ easyrsa_ca ] + +# PKIX recommendations: + +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always + +# This could be marked critical, but it's nice to support reading by any +# broken clients who attempt to do so. +basicConstraints = CA:true + +# Limit key usage to CA tasks. If you really want to use the generated pair as +# a self-signed cert, comment this out. +keyUsage = cRLSign, keyCertSign + +# nsCertType omitted by default. Let's try to let the deprecated stuff die. +# nsCertType = sslCA + +# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: +#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it + +# CRL extensions. +[ crl_ext ] + +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +# issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always' +SSL_CONFIG +} # => create_openssl_easyrsa_cnf() + + + ############################################################################ # Upgrade v2 PKI to v3 PKI