Introduce variable heredoc expansion for SSL/Safe Config file

This replaces use of 'sed' to expand the SSL config file for LibreSSL use. Currently, the SSL config file is copied unexpanded from the heredoc to the openssl-easyrsa.cnf file. 'sed' is used to expand the '$ENV::EASYRSA_var' to the configured EasyRSA values. This change replaces use of 'sed' with expanding the 'ssl-cnf' heredoc. The expansion of the heredoc can be configured to expand the original values of, eg: $ENV::EASYRSA_PKI to $EASYRSA_PKI, or be set to expand the values to the originial text of the file. eg: $ENV::EASYRSA_PKI will expand to the same text string: '$ENV::EASYRSA_PKI'. This allows expanding the SSL config heredoc to either: * Unexpanded OpenSSL labels. * Fully expanded safe values, configured by Easy-RSA. The unexpanded output can be varified against the known heredoc hash within the script: 82439f1860838e28f6270d5d06b1771756db777861e19bf9edc21222f86a310d To confirm this hash, use: 'easyrsa write ssl-cnf | openssl dgst' The expanded 'write safe-cnf' has all OpenSSL labels expanded. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jan 15, 2024 · 9c5d423 · 9c5d423
1 parent d51d79b
commit 9c5d423
Showing 1 changed file with 76 additions and 31 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -5601,6 +5601,9 @@ write() {
 
 	case "$write_type" in
 	safe-cnf)
+		# Set expansion to use full-expansion style
+		set_openssl_easyrsa_cnf_vars expanded
+
 		# write to stdout or $write_dir/safessl-easyrsa.cnf
 		if [ "$write_dir" ]; then
 			[ -d "$write_dir" ] || \
@@ -5613,6 +5616,9 @@ write() {
 		return
 	;;
 	ssl-cnf)
+		# Set expansion to use '$ENV::EASYRSA_PKI' style
+		set_openssl_easyrsa_cnf_vars
+
 		# write to stdout or $write_dir/openssl-easyrsa.cnf
 		if [ "$write_dir" ]; then
 			write_file="$write_dir"/openssl-easyrsa.cnf
@@ -5656,6 +5662,45 @@ write() {
 	fi
 } #= write()
 
+# set heredoc variables
+# shellcheck disable=SC2016 # (info): $ don't expand in '
+# shellcheck disable=SC2034 # (warning): appears unused
+set_openssl_easyrsa_cnf_vars(){
+	if [ "$1" ]; then
+		# fully expand ssl-cnf for safe-cnf
+		conf_dir="$EASYRSA_PKI"
+		conf_EASYRSA_PKI="$EASYRSA_PKI"
+		conf_EASYRSA_DIGEST="$EASYRSA_DIGEST"
+		conf_EASYRSA_KEY_SIZE="$EASYRSA_KEY_SIZE"
+		conf_EASYRSA_DIGEST="$EASYRSA_DIGEST"
+		conf_EASYRSA_DN="$EASYRSA_DN"
+		conf_EASYRSA_REQ_CN="$EASYRSA_REQ_CN"
+		conf_EASYRSA_REQ_COUNTRY="$EASYRSA_REQ_COUNTRY"
+		conf_EASYRSA_REQ_PROVINCE="$EASYRSA_REQ_PROVINCE"
+		conf_EASYRSA_REQ_CITY="$EASYRSA_REQ_CITY"
+		conf_EASYRSA_REQ_ORG="$EASYRSA_REQ_ORG"
+		conf_EASYRSA_REQ_OU="$EASYRSA_REQ_OU"
+		conf_EASYRSA_REQ_EMAIL="$EASYRSA_REQ_EMAIL"
+		conf_EASYRSA_REQ_SERIAL="$EASYRSA_REQ_SERIAL"
+	else
+		# write standard ssl-cnf
+		conf_dir='$dir'
+		conf_EASYRSA_PKI='$ENV::EASYRSA_PKI'
+		conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST'
+		conf_EASYRSA_KEY_SIZE='$ENV::EASYRSA_KEY_SIZE'
+		conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST'
+		conf_EASYRSA_DN='$ENV::EASYRSA_DN'
+		conf_EASYRSA_REQ_CN='$ENV::EASYRSA_REQ_CN'
+		conf_EASYRSA_REQ_COUNTRY='$ENV::EASYRSA_REQ_COUNTRY'
+		conf_EASYRSA_REQ_PROVINCE='$ENV::EASYRSA_REQ_PROVINCE'
+		conf_EASYRSA_REQ_CITY='$ENV::EASYRSA_REQ_CITY'
+		conf_EASYRSA_REQ_ORG='$ENV::EASYRSA_REQ_ORG'
+		conf_EASYRSA_REQ_OU='$ENV::EASYRSA_REQ_OU'
+		conf_EASYRSA_REQ_EMAIL='$ENV::EASYRSA_REQ_EMAIL'
+		conf_EASYRSA_REQ_SERIAL='$ENV::EASYRSA_REQ_SERIAL'
+	fi
+} # => set_openssl_easyrsa_cnf_vars()
+
 # Create x509 type
 create_legacy_stream() {
 	case "$1" in
@@ -5898,7 +5943,7 @@ CREATE_VARS_EXAMPLE
 	;;
 	ssl-cnf)
 	# SSL config v3.2.0-1
-	cat << "CREATE_SSL_CONFIG"
+	cat << CREATE_SSL_CONFIG
 # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
 
 ####################################################################
@@ -5908,17 +5953,17 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]
 
-dir		= $ENV::EASYRSA_PKI	# Where everything is kept
-certs		= $dir			# Where the issued certs are kept
-crl_dir		= $dir			# Where the issued crl are kept
-database	= $dir/index.txt	# database index file.
-new_certs_dir	= $dir/certs_by_serial	# default place for new certs.
+dir		= $conf_EASYRSA_PKI	# Where everything is kept
+certs		= $conf_dir			# Where the issued certs are kept
+crl_dir		= $conf_dir			# Where the issued crl are kept
+database	= $conf_dir/index.txt	# database index file.
+new_certs_dir	= $conf_dir/certs_by_serial	# default place for new certs.
 
-certificate	= $dir/ca.crt		# The CA certificate
-serial		= $dir/serial		# The current serial number
-crl		= $dir/crl.pem		# The current CRL
-private_key	= $dir/private/ca.key	# The private key
-RANDFILE	= $dir/.rand		# private random number file
+certificate	= $conf_dir/ca.crt		# The CA certificate
+serial		= $conf_dir/serial		# The current serial number
+crl		= $conf_dir/crl.pem		# The current CRL
+private_key	= $conf_dir/private/ca.key	# The private key
+RANDFILE	= $conf_dir/.rand		# private random number file
 
 x509_extensions	= basic_exts		# The extensions to add to the cert
 
@@ -5933,11 +5978,11 @@ crl_extensions	= crl_ext
 # These fields are removed from this here-doc but retained
 # in 'openssl-easyrsa.cnf' file, in case something breaks.
 # default_days is no longer required by Easy-RSA
-#default_days	= $ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
+#default_days	= \$ENV::EASYRSA_CERT_EXPIRE	# how long to certify for
 # default_crl_days is no longer required by Easy-RSA
-#default_crl_days	= $ENV::EASYRSA_CRL_DAYS	# how long before next CRL
+#default_crl_days	= \$ENV::EASYRSA_CRL_DAYS	# how long before next CRL
 
-default_md	= $ENV::EASYRSA_DIGEST		# use public key default MD
+default_md	= $conf_EASYRSA_DIGEST		# use public key default MD
 preserve	= no			# keep passed DN ordering
 
 # This allows to renew certificates which have not been revoked
@@ -5961,16 +6006,16 @@ serialNumber	= optional
 
 ####################################################################
 # Easy-RSA request handling
-# We key off $DN_MODE to determine how to format the DN
+# We key off \$DN_MODE to determine how to format the DN
 [ req ]
-default_bits		= $ENV::EASYRSA_KEY_SIZE
+default_bits		= $conf_EASYRSA_KEY_SIZE
 default_keyfile	= privkey.pem
-default_md		= $ENV::EASYRSA_DIGEST
-distinguished_name	= $ENV::EASYRSA_DN
+default_md		= $conf_EASYRSA_DIGEST
+distinguished_name	= $conf_EASYRSA_DN
 x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
 
-# A placeholder to handle the $EXTRA_EXTS feature:
-#%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
+# A placeholder to handle the \$EXTRA_EXTS feature:
+#%EXTRA_EXTS%	# Do NOT remove or change this line as \$EXTRA_EXTS support requires it
 
 ####################################################################
 # Easy-RSA DN (Subject) handling
@@ -5979,37 +6024,37 @@ x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
 [ cn_only ]
 commonName		= Common Name (eg: your user, host, or server name)
 commonName_max		= 64
-commonName_default	= $ENV::EASYRSA_REQ_CN
+commonName_default	= $conf_EASYRSA_REQ_CN
 
 # Easy-RSA DN for org support:
 [ org ]
 countryName			= Country Name (2 letter code)
-countryName_default		= $ENV::EASYRSA_REQ_COUNTRY
+countryName_default		= $conf_EASYRSA_REQ_COUNTRY
 countryName_min			= 2
 countryName_max			= 2
 
 stateOrProvinceName		= State or Province Name (full name)
-stateOrProvinceName_default	= $ENV::EASYRSA_REQ_PROVINCE
+stateOrProvinceName_default	= $conf_EASYRSA_REQ_PROVINCE
 
 localityName			= Locality Name (eg, city)
-localityName_default		= $ENV::EASYRSA_REQ_CITY
+localityName_default		= $conf_EASYRSA_REQ_CITY
 
 0.organizationName		= Organization Name (eg, company)
-0.organizationName_default	= $ENV::EASYRSA_REQ_ORG
+0.organizationName_default	= $conf_EASYRSA_REQ_ORG
 
 organizationalUnitName		= Organizational Unit Name (eg, section)
-organizationalUnitName_default	= $ENV::EASYRSA_REQ_OU
+organizationalUnitName_default	= $conf_EASYRSA_REQ_OU
 
 commonName			= Common Name (eg: your user, host, or server name)
 commonName_max			= 64
-commonName_default		= $ENV::EASYRSA_REQ_CN
+commonName_default		= $conf_EASYRSA_REQ_CN
 
 emailAddress			= Email Address
-emailAddress_default		= $ENV::EASYRSA_REQ_EMAIL
+emailAddress_default		= $conf_EASYRSA_REQ_EMAIL
 emailAddress_max		= 64
 
 serialNumber		= Serial-number (eg, device serial-number)
-serialNumber_default	= $ENV::EASYRSA_REQ_SERIAL
+serialNumber_default	= $conf_EASYRSA_REQ_SERIAL
 
 ####################################################################
 # Easy-RSA cert extension handling
@@ -6041,8 +6086,8 @@ keyUsage = cRLSign, keyCertSign
 # nsCertType omitted by default. Let's try to let the deprecated stuff die.
 # nsCertType = sslCA
 
-# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS:
-#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it
+# A placeholder to handle the \$X509_TYPES and CA extra extensions \$EXTRA_EXTS:
+#%CA_X509_TYPES_EXTRA_EXTS%	# Do NOT remove or change this line as \$X509_TYPES and EXTRA_EXTS demands it
 
 # CRL extensions.
 [ crl_ext ]