From 5a06f9442d091e526d290efd6df85477f6d1f535 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 24 Mar 2024 00:12:24 +0000 Subject: [PATCH 01/11] Separate SAN from DN - Refactor display_dn() This change is required to allow the correct confirmation details to be presented, for commands: sign-req, revoke, renew and revoke-renewed. This change also removes unnecessarily nested sub-shells. Refactor display_dn(): To separate SAN from DN, 'display_dn()' must not include SAN details. SAN is now handled individually, by the Easy-RSA command in use. This also allows global option '--san' to take priority over a SAN created in the request [CSR]. Remove 'display_san()', replaced by options '--san' and '--copy-ext'. The SAN to be used now adheres to the following order: * Global option '--san' always takes priority. * Global option '--copy-ext' will copy request extensions. Only SAN extension is supported by Easy-RSA. Other extensions can be set externally via env-var EASYRSA_EXTRA_EXTS. * If '--san' and '--copy-ext' are not used then NO extensions will be used or copied from the request. * This effects use of commands: sign-req and renew, only. The majority of this change is to present the correct confirmation details to commands: sign-req, revoke, renew and revoke-renewed. Which means that behavior is mostly unchanged. The other change is to allow multiple use of global option '--san'. Example: '--san=DNS:example.net --san=IP:10.0.0.1' Equivalent to: '--san=DNS:example.net,IP:10.0.0.1' Both versions of '--san' above can be used, even at the same time. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 208 +++++++++++++++++++++++++++++++---------------- 1 file changed, 136 insertions(+), 72 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 434be0892..46751f40d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -2249,6 +2249,54 @@ until date '$EASYRSA_END_DATE'" for '$EASYRSA_CERT_EXPIRE' days" fi + # Set confirm DN + confirm_dn="$(display_dn req "$req_in")" || \ + die "sign-req: display_dn" + + # Set confirm SAN + # SAN from .req + if [ "$EASYRSA_CP_EXT" ]; then + # cature complete CSR + req_text="$( + OPENSSL_CONF=/dev/null \ + "$EASYRSA_OPENSSL" req -in "$req_in" -noout -text + )" || die "sign-req: openssl: req_text" + + # Check CSR for any requested SAN + if echo "$req_text" | \ + grep -s 'X509v3 Subject Alternative Name' + then + # extract requested SAN + req_x509_san="$( + echo "$req_text" | \ + grep -A 1 'X509v3 Subject Alternative Name' + )" || die "sign-req: req_x509_san: grep -A 1 " + else + # No requested SAN + req_x509_san= + fi + fi + + # --san takes priority over req SAN and --copy-ext + if [ "$EASYRSA_SAN" ]; then + confirm_san="\ + X509v3 Subject Alternative Name: + $EASYRSA_SAN" + else + confirm_san="$req_x509_san" + fi + + # Set confirm text for DN and SAN + if [ "$EASYRSA_SAN" ] || [ "$req_x509_san" ]; then + confirm_details="\ +$confirm_dn + +$confirm_san" + else + confirm_details="\ +$confirm_dn" + fi + # Display the request subject in an easy-to-read format # Confirm the user wishes to sign this request # The foriegn_request confirmation is not required @@ -2270,7 +2318,7 @@ You are about to sign the following certificate: ${foriegn_request}Request subject, to be signed as a \ $crt_type certificate ${valid_period}: -$(display_dn req "$req_in")" # => confirm end +$confirm_details" # => confirm end # Assign temp cert file crt_out_tmp="" @@ -2613,6 +2661,11 @@ Cannot revoke this certificate, a conflicting file exists. [ -e "$req_in" ] && if_exist_req_in=" * $req_in" + # Set confirm DN and serial + confirm_dn="$(display_dn x509 "$crt_in")" || \ + die "revoke: display_dn" + confirm_sn=" serial-number = $cert_serial" + # confirm operation by displaying DN: warn "\ This process is destructive! 
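Review bot: `grep -s 'X509v3 Subject Alternative Name'` in the SAN check only silences file-error messages, so the matched header line is written to the operator's terminal ahead of the confirmation text; `grep -q`, which the block removed from renew in this same patch used, tests silently. `req_x509_san` is also assigned only inside the `if [ "$EASYRSA_CP_EXT" ]` branch, so without --copy-ext the later `confirm_san="$req_x509_san"` reads whatever value the variable already holds, including one inherited from the environment. Adding `req_x509_san=` before the branch keeps the confirmation tied to this request. Both points apply unchanged to the matching block in the renew hunk (@@ -2825,20 +2877,55 @@). The enclosing function starts and ends outside the hunk.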
@@ -2634,11 +2687,10 @@ The duplicate certificate: Please confirm that you wish to revoke the certificate with the following subject: - $(display_dn x509 "$crt_in") - - serial-number: $cert_serial +$confirm_dn +$confirm_sn - Reason: ${crl_reason:-None given}" + Reason: ${crl_reason:-None given}" # Revoke certificate easyrsa_openssl ca -utf8 -revoke "$crt_in" \ @@ -2816,7 +2868,7 @@ Cannot renew this certificate, a conflicting file exists: unset -v deny_msg # Make inline directory - [ -d "$EASYRSA_PKI/inline" ] || \ + [ -d "$EASYRSA_PKI/inline" ] || \ mkdir -p "$EASYRSA_PKI/inline" || \ die "Failed to create inline directoy." 
@@ -2825,20 +2877,55 @@ Cannot renew this certificate, a conflicting file exists: ssl_cert_x509v3_eku "$crt_in" cert_type || \ die "Unknown EKU: $cert_type" - # Use SAN from --san if set else use SAN from old cert - if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName - then - : # ok - Use current subjectAltName + # Set confirm DN and serial + confirm_dn="$(display_dn x509 "$crt_in")" || \ + die "renew: display_dn" + confirm_sn=" serial-number = $cert_serial" + + # Set confirm SAN + # SAN from .req + if [ "$EASYRSA_CP_EXT" ]; then + # cature complete CSR + req_text="$( + OPENSSL_CONF=/dev/null \ + "$EASYRSA_OPENSSL" req -in "$req_in" -noout -text + )" || die "renew: openssl: req_text" + + # Check CSR for any requested SAN + if echo "$req_text" | \ + grep -s 'X509v3 Subject Alternative Name' + then + # extract requested SAN + req_x509_san="$( + echo "$req_text" | \ + grep -A 1 'X509v3 Subject Alternative Name' + )" || die "renew: req_x509_san: grep -A 1 " + else + # No requested SAN + req_x509_san= + fi + fi + + # --san takes priority over req SAN and --copy-ext + if [ "$EASYRSA_SAN" ]; then + confirm_san="\ + X509v3 Subject Alternative Name: + $EASYRSA_SAN" else - san="$( -easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \ -"/X509v3 Subject Alternative Name:\ -/{n;s/IP Address:/IP:/g;s/ //g;p;}" - )" || die "renew - san: easyrsa_openssl subshell" + confirm_san="$req_x509_san" + fi - [ "$san" ] && export EASYRSA_EXTRA_EXTS="\ -$EASYRSA_EXTRA_EXTS -subjectAltName = $san" + # Format confirm text for DN and SAN + if [ "$EASYRSA_SAN" ] || [ "$req_x509_san" ]; then + confirm_details="\ +$confirm_dn +$confirm_sn + +$confirm_san" + else + confirm_details="\ +$confirm_dn +$confirm_sn" fi # confirm operation by displaying DN: 
@@ -2862,9 +2949,7 @@ The duplicate certificate: Please confirm you wish to renew the certificate with the following subject: - $(display_dn x509 "$crt_in") - - serial-number: $cert_serial" +$confirm_details" # move renewed files # so we can reissue certificate with the same name @@ -3075,12 +3160,23 @@ Cannot revoke this certificate, a conflicting file exists. user_error "$deny_msg request : $req_out" unset -v deny_msg + # Set confirm details + confirm_dn="$(display_dn x509 "$crt_in")" || \ + die "revoke: display_dn" + confirm_sn=" serial-number = $cert_serial" + confirm_details="\ +$confirm_dn +$confirm_sn + + Reason: ${crl_reason:-None given}" + # confirm operation by displaying DN: unset -v if_exist_key_in if_exist_req_in [ -e "$key_in" ] && if_exist_key_in=" * $key_in" [ -e "$req_in" ] && if_exist_req_in=" * $req_in" + warn "\ This process is destructive! @@ -3091,11 +3187,7 @@ These files will be MOVED to the 'revoked' sub-directory: Please confirm you wish to revoke the renewed certificate with the following subject: - $(display_dn x509 "$crt_in") - - serial-number: $cert_serial - - Reason: ${crl_reason:-None given}" +$confirm_details" # Revoke the old (already renewed) certificate easyrsa_openssl ca -utf8 -revoke "$crt_in" \ 
@@ -3625,51 +3717,12 @@ display_dn - input error" shift 2 # Display DN - print "$( - easyrsa_openssl "$format" -in "$path" -noout -subject \ - -nameopt utf8,sep_multiline,space_eq,lname,align - )" - - # Display SAN, if present - san="$(display_san "$format" "$path")" - if [ "$san" ]; then - print "" - print "X509v3 Subject Alternative Name:" - print " $san" - fi + print "$(OPENSSL_CONF=/dev/null \ + "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \ + -nameopt utf8,sep_multiline,space_eq,lname,align)" || \ + die "display_dn: SSL command '$format'" } # => display_dn() -# Display subjectAltName -display_san() { - [ "$#" = 2 ] || die "\ -display_san - input error" - - format="$1" - path="$2" - shift 2 - - if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName; then - # Print user defined SAN - print "$(\ - echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | \ - sed 's/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*//' - )" - - else - # Generate a SAN - san="$( - x509v3san='X509v3 Subject Alternative Name:' - easyrsa_openssl "$format" -in "$path" -noout -text | sed -n \ - "/${x509v3san}/{n;s/ //g;s/IPAddress:/IP:/g;s/RegisteredID/RID/;p;}" - )" - - # Print auto SAN - if [ "$san" ]; then - print "$san" - fi - fi -} # => display_san() - # Verify certificate against CA verify_cert() { # pull filename base: @@ -5388,9 +5441,12 @@ while :; do export EASYRSA_CP_EXT=1 ;; --subject-alt-name|--san) - export EASYRSA_EXTRA_EXTS="\ -$EASYRSA_EXTRA_EXTS -subjectAltName = $val" + # This allows --san to be used multiple times + if [ "$EASYRSA_SAN" ]; then + EASYRSA_SAN="$EASYRSA_SAN, $val" + else + EASYRSA_SAN="$val" + fi ;; --usefn) export EASYRSA_P12_FR_NAME="$val" 
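Review bot: The `|| die "display_dn: SSL command '$format'"` added after `print "$( … )"` tests the exit status of `print`, not of the openssl command inside the substitution, so a failed openssl call still returns success. The callers' `confirm_dn="$(display_dn …)" || die` guards then cannot fire, and the operator would be asked to confirm an empty subject. Capture first and print second: `dn_text="$( … )" || die "display_dn: SSL command '$format'"` followed by `print "$dn_text"`. Separately, this call keeps `OPENSSL_CONF=/dev/null` with the raw binary even when `$format` is `req`, while patch 03/11 in this series states that `req` needs the `easyrsa_openssl` wrapper for a working config; it is worth confirming display_dn is not affected.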
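Review bot: The accumulate branch `EASYRSA_SAN="$EASYRSA_SAN, $val"` treats any pre-existing `EASYRSA_SAN` as an earlier --san, and the option-dependencies hunk (@@ -5434,6 +5490,14 @@) then writes it into `EASYRSA_EXTRA_EXTS` even when --san was never given. A value inherited from the environment would therefore end up in signed certificates and in the confirmation text. Unless it is cleared somewhere outside these hunks, add `unset -v EASYRSA_SAN` before the option loop, or document it as a supported variable. `$val` is also interpolated into the `subjectAltName = …` line unchecked; because that text becomes extension configuration, rejecting values that contain a newline would keep a single --san from adding further extension lines when the value is supplied by a wrapper script.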
@@ -5434,6 +5490,14 @@ Run 'easyrsa help options' for option help." shift done +# option dependencies +# Add full --san to extra extensions +if [ "$EASYRSA_SAN" ]; then + EASYRSA_EXTRA_EXTS="\ +$EASYRSA_EXTRA_EXTS +subjectAltName = $EASYRSA_SAN" +fi + # Set cmd now # vars_setup needs to know if this is init-pki cmd="$1" From b966544fdd4af1238c89b0eb9f40f5d866d5775f Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 24 Mar 2024 00:13:43 +0000 Subject: [PATCH 02/11] Force commands build-*-full to use global option --copy-ext Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 +++ 1 file changed, 3 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 46751f40d..7c61f4120 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2472,6 +2472,9 @@ Option conflict: do_build_full=1 gen_req "$name" batch + # Require --copy-ext + export EASYRSA_CP_EXT=1 + # Sign it error_build_full_cleanup=1 if sign_req "$crt_type" "$name"; then From 1413528a76bf8d4e5fe281c860615c4a7e14b388 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 24 Mar 2024 00:59:04 +0000 Subject: [PATCH 03/11] sign-req, renew: Use easyrsa_openssl() wrapper to fetch DN This is required for SSL command 'req', to provide a working SSL config. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7c61f4120..fdac99149 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2258,8 +2258,7 @@ for '$EASYRSA_CERT_EXPIRE' days" if [ "$EASYRSA_CP_EXT" ]; then # cature complete CSR req_text="$( - OPENSSL_CONF=/dev/null \ - "$EASYRSA_OPENSSL" req -in "$req_in" -noout -text + easyrsa_openssl req -in "$req_in" -noout -text )" || die "sign-req: openssl: req_text" # Check CSR for any requested SAN 
@@ -2890,8 +2889,7 @@ Cannot renew this certificate, a conflicting file exists: if [ "$EASYRSA_CP_EXT" ]; then # cature complete CSR req_text="$( - OPENSSL_CONF=/dev/null \ - "$EASYRSA_OPENSSL" req -in "$req_in" -noout -text + easyrsa_openssl req -in "$req_in" -noout -text )" || die "renew: openssl: req_text" # Check CSR for any requested SAN From 65827722aa036a27f517237286b62b0473c94556 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 25 Mar 2024 23:55:21 +0000 Subject: [PATCH 04/11] renew: Add sanity checks and format confirmation text Sanity checks: * Check that request 'Subject' is hash identical to certificate. This is to ensure that generating a new certificate from the original CSR will create the old certificate 'Subject'. * Prohibit use of --san The only x509v3 extension currently supported is SubjectAltName. The new SAN is auto-generated from the old certificate. This SAN cannot be changed by renewal. * Prohibit use of --copy-ext --copy-ext is not required because SAN is taken care of above and SAN is the only supported extention. Certificates using unsupported x509v3 extensions are not renewable. Format confirmation text: * Show the correct new certificate details, prior to renewing. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 88 ++++++++++++++++++++++++++++++------------------ 1 file changed, 56 insertions(+), 32 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index fdac99149..374280c0c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -2879,53 +2879,77 @@ Cannot renew this certificate, a conflicting file exists: ssl_cert_x509v3_eku "$crt_in" cert_type || \ die "Unknown EKU: $cert_type" - # Set confirm DN and serial - confirm_dn="$(display_dn x509 "$crt_in")" || \ - die "renew: display_dn" - confirm_sn=" serial-number = $cert_serial" + # Check cert subject against request subject + crt_subj_hash="$( + "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout \ + -subject | "$EASYRSA_OPENSSL" dgst -sha1 + )" + req_subj_hash="$( + "$EASYRSA_OPENSSL" req -in "$req_in" -noout \ + -subject | "$EASYRSA_OPENSSL" dgst -sha1 + )" - # Set confirm SAN - # SAN from .req - if [ "$EASYRSA_CP_EXT" ]; then - # cature complete CSR - req_text="$( - easyrsa_openssl req -in "$req_in" -noout -text - )" || die "renew: openssl: req_text" + if [ "$crt_subj_hash" = "$req_subj_hash" ]; then + : # ok + else + die "\ +This certificate cannot be renewed due to inconsistent Subject." + fi - # Check CSR for any requested SAN - if echo "$req_text" | \ - grep -s 'X509v3 Subject Alternative Name' - then - # extract requested SAN - req_x509_san="$( - echo "$req_text" | \ - grep -A 1 'X509v3 Subject Alternative Name' - )" || die "renew: req_x509_san: grep -A 1 " - else - # No requested SAN - req_x509_san= - fi + # Prohibit --copy-ext - renew only supports SAN extention + if [ "$EASYRSA_CP_EXT" ]; then + user_error "Command '$cmd' does not support --copy-ext" fi - # --san takes priority over req SAN and --copy-ext + # Prohibit --san - renew uses SAN from old cert only if [ "$EASYRSA_SAN" ]; then - confirm_san="\ - X509v3 Subject Alternative Name: - $EASYRSA_SAN" + user_error "Command '$cmd' does not support --san" + fi + + # Set confirm DN and serial + confirm_dn="$(display_dn req "$req_in")" || \ + die "renew: display_dn" + confirm_sn=" serial-number = $cert_serial" + + # Get SAN from cert + # capture complete cert + crt_text="$( + easyrsa_openssl x509 -in "$crt_in" -noout -text + )" || die "renew: openssl: crt_text" + + # Check cert for SAN 
+ if echo "$crt_text" | \ + grep -s 'X509v3 Subject Alternative Name' + then + # extract cert SAN + crt_x509_san_full="$( + echo "$crt_text" | \ + grep -A 1 'X509v3 Subject Alternative Name' + )" || die "renew: crt_x509_san_full: grep -A 1" + + # Strip x509 header + crt_x509_san="$( + echo "$crt_x509_san_full" | \ + grep -v 'X509v3 Subject Alternative Name' + )" || die "renew: crt_x509_san: grep -v" else - confirm_san="$req_x509_san" + # No cert SAN + crt_x509_san_full= + crt_x509_san= fi - # Format confirm text for DN and SAN - if [ "$EASYRSA_SAN" ] || [ "$req_x509_san" ]; then + # Format confirmation text + if [ "$crt_x509_san" ]; then confirm_details="\ $confirm_dn + $confirm_sn -$confirm_san" +$crt_x509_san_full" else confirm_details="\ $confirm_dn + $confirm_sn" fi From ca2aad753405b5e942df17a951f9943e04ac382e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 00:09:58 +0000 Subject: [PATCH 05/11] help: Add details for use of --copy-ext and --san Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 374280c0c..04d5b8cf3 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -410,6 +410,26 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" * DNS:primary.example.net,DNS:alternate.example.net * IP:203.0.113.29 * email:alternate@example.net" + ;; + copyext|copy-ext) + text_only=1 + text=" +* How to use --copy-ext and --san= + + These are the only commands that support --copy-ext and/or --san. + + Command 'gen-req': + --san: Add SAN extention to the request file. + + Command 'sign-req': + --copy-ext: Copy all request extentions to the signed certificate. + --san: Over write the request SAN with option SAN. + + Command 'build-*-full': + --copy-ext: Always enabled. + --san: Add SAN extention to the request and signed certificate. + + See 'help san' for option --san full syntax." ;; --days|days) text_only=1 
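Review bot: The Subject consistency check can pass vacuously, because neither `crt_subj_hash` nor `req_subj_hash` has an `|| die` and each is the output of a pipeline whose status is that of `dgst`; if both openssl reads print nothing, both hashes are the digest of empty input and compare equal. The `req` call also bypasses `easyrsa_openssl`, which patch 03/11 says `req` needs for a working config, so a failure there would surface as the misleading "inconsistent Subject" error. Comparing the captured subject strings directly removes the pipeline and the SHA-1 step, as sketched below. Nothing visible in this hunk passes `crt_x509_san` on to the signing step, so it is worth confirming that the renewed certificate really carries the SAN shown in the confirmation. The enclosing function starts and ends outside the hunk.

```shell
	# Check cert subject against request subject
	crt_subj="$(
		easyrsa_openssl x509 -in "$crt_in" -noout -subject
	)" || die "renew: openssl: crt_subj"
	req_subj="$(
		easyrsa_openssl req -in "$req_in" -noout -subject
	)" || die "renew: openssl: req_subj"

	# An empty Subject must never count as a match
	[ "$crt_subj" ] || die "renew: empty certificate Subject"
	[ "$crt_subj" = "$req_subj" ] || die "\
This certificate cannot be renewed due to inconsistent Subject."
	# … unchanged: --copy-ext / --san prohibition, confirmation text …
```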
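Review bot: The new 'copyext' help says sign-req with --copy-ext will "Copy all request extentions to the signed certificate", but the sign-req confirmation built in patch 01/11 shows only the DN and the SAN, so an operator signing an externally supplied request approves extensions that were never displayed. The help entry should state this, for example `Only the SAN is shown at confirmation; inspect the request (show-req) before signing with --copy-ext.` The words "extention" and "Over write" in this hunk should read "extension" and "Overwrite".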
@@ -567,6 +587,7 @@ Certificate & Request options: (these impact cert/req field values) --subca-len=# : Path length of signed intermediate CA certificates --copy-ext : Copy included request X509 extensions (namely subjAltName) + For more info, see: 'easyrsa help copyext' --san|--subject-alt-name= : Add a subjectAltName. From 568704653b5a99bbe5ca2ce4dcf327821720594d Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 16:51:04 +0000 Subject: [PATCH 06/11] Remove command 'display-san' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 7 ------- 1 file changed, 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 04d5b8cf3..24965c8b1 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -475,9 +475,6 @@ These commands are safe to test and will NOT effect your PKI. Display DN of certificate: display-dn - Display SAN of certificate: - display-san - Display EKU of certificate: show-eku @@ -5811,10 +5808,6 @@ Place a copy of easyrsa-tools.lib in a standard system location." verify_working_env display_dn "$@" ;; - display-san) - verify_working_env - display_san "$@" - ;; x509-eku|show-eku) verify_working_env ssl_cert_x509v3_eku "$@" || \ From eb67ddd3196f022d20a1c330783da32e31732bc5 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 17:21:23 +0000 Subject: [PATCH 07/11] help: Minor corrections to tools Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 24965c8b1..da5a2efa7 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -459,7 +459,7 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" * To generate a certificate signing request: eg: '--batch --req-cn=NAME gen-req '" ;; - util|more) + tool|tools|util|utils|more) # Test features text_only=1 text=" 
@@ -469,14 +469,14 @@ These commands are safe to test and will NOT effect your PKI. Check number is unique: serial|check-serial - Display CN of certificate:
= req|x509 - display-cn + Display CN of request or certificate: = req|x509 + display-cn - Display DN of certificate: - display-dn + Display DN of request or certificate: = req|x509 + display-dn Display EKU of certificate: - show-eku + show-eku | Generate random hex: rand From 22328f8043ea6a801230285d8c0239988343c976 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 19:11:56 +0000 Subject: [PATCH 08/11] help: Add multiple --subject-alt-name usage Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index da5a2efa7..712059db6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -400,9 +400,12 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" This global option adds a subjectAltName to the request or issued certificate. It MUST be in a valid format accepted by openssl or - req/cert generation will fail. Note that including multiple such - names requires them to be comma-separated; further invocations of - this option will REPLACE the value. + req/cert generation will fail. NOTE: --san can be specified more + than once on the command line. + + The following two command line examples are equivalent: + 1. --san=DNS:server1,DNS:serverA,IP:10.0.0.1 + 2. --san=DNS:server1 --san=DNS:serverA --san=IP:10.0.0.1 Examples of the SAN_FORMAT_STRING shown below: From e509f393f7e516a587165a0831d3f324d95fd655 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 20:01:44 +0000 Subject: [PATCH 09/11] ChangeLog: Allow --san to be used multiple times Signed-off-by: Richard T Bonhomme --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 48861dabe..6d66ea99a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#1096) + * help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#1096) + * Allow --san to be used multiple times (5a06f94) (#1096) * Remove default server subject alternative name (0b85a5d) (#576) * Move Status Reports to 'easyrsa-tools.lib' (214b909) (#1080) * export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a) From 0c356059fb7d2898b8a743429be79edee64ffbc0 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 20:48:12 +0000 Subject: [PATCH 10/11] help: Minor improvement to tools/utils command option name Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 712059db6..ecf77420d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -462,7 +462,7 @@ Usage: easyrsa [ OPTIONS.. ] [ cmd-opts.. ]" * To generate a certificate signing request: eg: '--batch --req-cn=NAME gen-req '" ;; - tool|tools|util|utils|more) + tool*|util*|more) # Test features text_only=1 text=" From 0569d45ab60f06581c3b7051a2bf95c4d9973506 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 26 Mar 2024 20:57:21 +0000 Subject: [PATCH 11/11] Command 'easyrsa --verbose': Reformat output Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ecf77420d..0d04a8a18 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -90,8 +90,18 @@ DIRECTORY STATUS (commands would take effect on these locations) EASYRSA: $work_dir PKI: $pki_dir vars-file: ${EASYRSA_VARS_FILE:-Missing or undefined}${ivmsg} - x509-types: ${EASYRSA_EXT_DIR:-Missing or undefined} $CA_status${NL}" + + # verbose info + verbose "ssl-cnf: ${EASYRSA_SSL_CONF:-built-in}" + verbose "x509-types: ${EASYRSA_EXT_DIR:-built-in}" + if [ -d "$EASYRSA_TEMP_DIR" ]; then + verbose "temp-dir: Found: $EASYRSA_TEMP_DIR" + elif [ "$EASYRSA_TEMP_DIR" ]; then + verbose "temp-dir: Missing: $EASYRSA_TEMP_DIR" + else + verbose "temp-dir: undefined" + fi } # => usage() # Detailed command help