From 0a461649debfd7f156f2ef91fa9b235676c9f6ee Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 26 Mar 2024 22:39:54 +0000
Subject: [PATCH 1/4] Restrict use of --req-cn to build-ca

Quote: "easy-rsa - Simple shell based CA utility"

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 0d04a8a18..ef9a8ca9e 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -464,13 +464,12 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]"
 text="
 * Option: --req-cn=NAME
- This specific option can set the CSR commonName.
+ This global option can be used to set the CA commonName.
- Can only be used in BATCH mode for the following commands:
 * To build a new CA [or Sub-CA]:
 eg: '--batch --req-cn=NAME build-ca [subca]'
- * To generate a certificate signing request:
- eg: '--batch --req-cn=NAME gen-req '"
+
+ Can only be used in BATCH mode."
 ;;
 tool*|util*|more)
 # Test features
@@ -610,7 +609,7 @@ Distinguished Name mode:
 --dn-mode=MODE : Distinguished Name mode to use
 'cn_only' (Default) or 'org'
---req-cn=NAME : Set CSR commonName to NAME. For details, see: 'help req-cn'
+--req-cn=NAME : Set CA commonName. For details, see: 'help req-cn'
 Distinguished Name Organizational options: (only used with '--dn-mode=org')
 --req-c=CC : Country code (2-letters)
@@ -1918,20 +1917,14 @@ Run easyrsa without commands for usage and commands."
 # Initialisation
 unset -v text ssl_batch
- # Set ssl batch mode and Default commonName, as required
+ # Set ssl batch mode as required
 if [ "$EASYRSA_BATCH" ]; then
 ssl_batch=1
- # If EASYRSA_REQ_CN is set to something other than
- # 'ChangeMe' then keep user defined value
- if [ "$EASYRSA_REQ_CN" = ChangeMe ]; then
- export EASYRSA_REQ_CN="$file_name_base"
- fi
- else
- # --req-cn must be used with --batch
- # otherwise use file-name
- export EASYRSA_REQ_CN="$file_name_base"
 fi
+ # Enforce commonName
+ export EASYRSA_REQ_CN="$file_name_base"
+
 # Output files
 key_out="$EASYRSA_PKI/private/${file_name_base}.key"
 req_out="$EASYRSA_PKI/reqs/${file_name_base}.req"

From 8165d31e927f4e77e218341e0786585ed3fd3879 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 26 Mar 2024 22:56:04 +0000
Subject: [PATCH 2/4] ChangeLog: Restrict use of --req-cn to build-ca

Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ChangeLog b/ChangeLog
index 6d66ea99a..55fb3c3a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.0 (TBD)
+ * Restrict use of --req-cn to build-ca (0a46164) (#1098)
 * Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096)
 * help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096)
 * Allow --san to be used multiple times (5a06f94) (#1096)

From 7227909fb4f3e95980fdd24c600ece9c885aa155 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 27 Mar 2024 22:40:37 +0000
Subject: [PATCH 3/4] Prohibit --req-cn for gen-req, sign-req and build-*-full

This correct behavior of build-*-full, which uses nested commands gen-req and sign-req. EASYRSA_REQ_CN must be prohibited and reset during build.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
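Review bot: The unconditional `export EASYRSA_REQ_CN="$file_name_base"` added after the `fi` silently discards a caller-supplied `--req-cn`, where the removed batch-mode branch honoured it; a scripted `--batch --req-cn=NAME gen-req` now produces a request whose commonName differs from the one requested, with no diagnostic. PATCH 3/4 in this series turns that case into a `user_error`, so either squash the two or move the check into this commit, so that no intermediate revision changes the requested identity silently. The enclosing command handler (presumably gen_req, given the `key_out`/`req_out` assignments) starts and ends outside the hunk.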
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ef9a8ca9e..bcf798ef7 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1922,6 +1922,11 @@ Run easyrsa without commands for usage and commands."
 ssl_batch=1
 fi
+ # Prohibit --req-cn [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
+Option conflict --req-cn:
+* '$cmd' does not support setting an external commonName"
+
 # Enforce commonName
 export EASYRSA_REQ_CN="$file_name_base"
@@ -2067,6 +2072,14 @@ expected 2, got $# (see command help for usage)"
 crt_out="$EASYRSA_PKI/issued/$file_name_base.crt"
 shift 2
+ # Prohibit --req-cn [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
+Option conflict --req-cn:
+* '$cmd' does not support setting an external commonName"
+
+ # Enforce commonName
+ export EASYRSA_REQ_CN="$file_name_base"
+
 # Check for preserve-dn
 while [ "$1" ]; do
 case "$1" in
@@ -2487,17 +2500,21 @@ An inline file for name '$name' already exists:
 # Set commonName
 [ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
-Option conflict:
+Option conflict --req-cn:
 * '$cmd' does not support setting an external commonName"
- EASYRSA_REQ_CN="$name"
- # create request
+ # Set to modify sign-req confirmation message
 do_build_full=1
+
+ # create request
 gen_req "$name" batch
 # Require --copy-ext
 export EASYRSA_CP_EXT=1
+ # Must be reset for nested commmands
+ export EASYRSA_REQ_CN=ChangeMe
+
 # Sign it
 error_build_full_cleanup=1
 if sign_req "$crt_type" "$name"; then

From 2cf552678ab780dbf48dedac66c935b4926452ad Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Wed, 27 Mar 2024 22:49:26 +0000
Subject: [PATCH 4/4] renew: Pass SSL output directly to grep - Remove subshell capture

This change is required to allow unit-test "extreme" 'vars' file to pass. However, this is also the correct way to handle unexpected SSL output, which shell cannot control or manipulate.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)
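Review bot: The new guard `[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error ...` in the @@ -1922 hunk treats any value other than the sentinel as a command-line conflict, yet EASYRSA_REQ_CN can equally arrive from the environment or a vars file (the 'ChangeMe' default suggests it is a vars-file setting), so such users now hard-fail on gen-req and sign-req with a message that blames `--req-cn` only. Suggest widening the message, e.g. `* '$cmd' does not support setting an external commonName (check --req-cn, EASYRSA_REQ_CN and your vars file)`. The same guard is duplicated verbatim in the sign-req hunk (@@ -2067) and the literal sentinel is compared again in the build-full hunk; a single helper such as a `req_cn_is_default` function would keep the magic string in one place. The enclosing command handlers start and end outside these hunks.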
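Review bot: `export EASYRSA_REQ_CN=ChangeMe` after `gen_req "$name" batch` in the @@ -2487 hunk is only needed because gen_req now exports `$file_name_base` into the caller's shell and the new sign-req guard would otherwise reject it; that implicit coupling means every future nested call path must remember the reset or it fails with a misleading "Option conflict" error. It would be more robust for gen_req and sign_req to restore the previous value themselves, or for build-full to perform the reset immediately next to each nested call rather than several lines later. Also fix the typo in the new comment: `# Must be reset for nested commands`. The enclosing build-full handler starts and ends outside the hunk.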
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index bcf798ef7..7e20f118e 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2952,19 +2952,13 @@ This certificate cannot be renewed due to inconsistent Subject."
 die "renew: display_dn"
 confirm_sn=" serial-number = $cert_serial"
- # Get SAN from cert
- # capture complete cert
- crt_text="$(
- easyrsa_openssl x509 -in "$crt_in" -noout -text
- )" || die "renew: openssl: crt_text"
- # Check cert for SAN
- if echo "$crt_text" | \
- grep -s 'X509v3 Subject Alternative Name'
+ if easyrsa_openssl x509 -in "$crt_in" -noout -text | \
+ grep -q '^[[:blank:]]*X509v3 Subject Alternative Name:'
 then
 # extract cert SAN
 crt_x509_san_full="$(
- echo "$crt_text" | \
+ easyrsa_openssl x509 -in "$crt_in" -noout -text | \
 grep -A 1 'X509v3 Subject Alternative Name'
 )" || die "renew: crt_x509_san_full: grep -A 1"
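Review bot: An openssl failure is now indistinguishable from "no SAN": the `if easyrsa_openssl ... | grep -q` test reports only grep's status, so if `easyrsa_openssl x509` fails on `$crt_in` (unreadable or malformed certificate) grep sees empty input, the test is false, and renew continues down the no-SAN path, whereas the removed `|| die "renew: openssl: crt_text"` stopped it. If the script targets POSIX sh, as the `[ ]` tests elsewhere suggest, `pipefail`/`PIPESTATUS` are not available, so a one-line probe before the test keeps the failure explicit: `easyrsa_openssl x509 -in "$crt_in" -noout >/dev/null || die "renew: openssl: crt_in"`. The extraction grep should also use the same anchored pattern as the test, `grep -A 1 '^[[:blank:]]*X509v3 Subject Alternative Name:'`, so the two cannot disagree on what counts as the SAN line. The enclosing renew code starts and ends outside the hunk.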