From 9c5d423e8d24c6aea5c440909528684ff2c7eb07 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 15 Jan 2024 02:19:14 +0000 Subject: [PATCH] Introduce variable heredoc expansion for SSL/Safe Config file This replaces use of 'sed' to expand the SSL config file for LibreSSL use. Currently, the SSL config file is copied unexpanded from the heredoc to the openssl-easyrsa.cnf file. 'sed' is used to expand the '$ENV::EASYRSA_var' to the configured EasyRSA values. This change replaces use of 'sed' with expanding the 'ssl-cnf' heredoc. The expansion of the heredoc can be configured to expand the original values of, eg: $ENV::EASYRSA_PKI to $EASYRSA_PKI, or be set to expand the values to the original text of the file. eg: $ENV::EASYRSA_PKI will expand to the same text string: '$ENV::EASYRSA_PKI'. This allows expanding the SSL config heredoc to either: * Unexpanded OpenSSL labels. * Fully expanded safe values, configured by Easy-RSA. The unexpanded output can be verified against the known heredoc hash within the script: 82439f1860838e28f6270d5d06b1771756db777861e19bf9edc21222f86a310d To confirm this hash, use: 'easyrsa write ssl-cnf | openssl dgst' The expanded 'write safe-cnf' has all OpenSSL labels expanded. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 107 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 76 insertions(+), 31 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 254233637..0fd86a2e0 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -5601,6 +5601,9 @@ write() { case "$write_type" in safe-cnf) + # Set expansion to use full-expansion style + set_openssl_easyrsa_cnf_vars expanded + # write to stdout or $write_dir/safessl-easyrsa.cnf if [ "$write_dir" ]; then [ -d "$write_dir" ] || \ 
@@ -5613,6 +5616,9 @@ write() { return ;; ssl-cnf) + # Set expansion to use '$ENV::EASYRSA_PKI' style + set_openssl_easyrsa_cnf_vars + # write to stdout or $write_dir/openssl-easyrsa.cnf if [ "$write_dir" ]; then write_file="$write_dir"/openssl-easyrsa.cnf @@ -5656,6 +5662,45 @@ write() { fi } #= write() +# set heredoc variables +# shellcheck disable=SC2016 # (info): $ don't expand in ' +# shellcheck disable=SC2034 # (warning): appears unused +set_openssl_easyrsa_cnf_vars(){ + if [ "$1" ]; then + # fully expand ssl-cnf for safe-cnf + conf_dir="$EASYRSA_PKI" + conf_EASYRSA_PKI="$EASYRSA_PKI" + conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" + conf_EASYRSA_KEY_SIZE="$EASYRSA_KEY_SIZE" + conf_EASYRSA_DIGEST="$EASYRSA_DIGEST" + conf_EASYRSA_DN="$EASYRSA_DN" + conf_EASYRSA_REQ_CN="$EASYRSA_REQ_CN" + conf_EASYRSA_REQ_COUNTRY="$EASYRSA_REQ_COUNTRY" + conf_EASYRSA_REQ_PROVINCE="$EASYRSA_REQ_PROVINCE" + conf_EASYRSA_REQ_CITY="$EASYRSA_REQ_CITY" + conf_EASYRSA_REQ_ORG="$EASYRSA_REQ_ORG" + conf_EASYRSA_REQ_OU="$EASYRSA_REQ_OU" + conf_EASYRSA_REQ_EMAIL="$EASYRSA_REQ_EMAIL" + conf_EASYRSA_REQ_SERIAL="$EASYRSA_REQ_SERIAL" + else + # write standard ssl-cnf + conf_dir='$dir' + conf_EASYRSA_PKI='$ENV::EASYRSA_PKI' + conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' + conf_EASYRSA_KEY_SIZE='$ENV::EASYRSA_KEY_SIZE' + conf_EASYRSA_DIGEST='$ENV::EASYRSA_DIGEST' + conf_EASYRSA_DN='$ENV::EASYRSA_DN' + conf_EASYRSA_REQ_CN='$ENV::EASYRSA_REQ_CN' + conf_EASYRSA_REQ_COUNTRY='$ENV::EASYRSA_REQ_COUNTRY' + conf_EASYRSA_REQ_PROVINCE='$ENV::EASYRSA_REQ_PROVINCE' + conf_EASYRSA_REQ_CITY='$ENV::EASYRSA_REQ_CITY' + conf_EASYRSA_REQ_ORG='$ENV::EASYRSA_REQ_ORG' + conf_EASYRSA_REQ_OU='$ENV::EASYRSA_REQ_OU' + conf_EASYRSA_REQ_EMAIL='$ENV::EASYRSA_REQ_EMAIL' + conf_EASYRSA_REQ_SERIAL='$ENV::EASYRSA_REQ_SERIAL' + fi +} # => set_openssl_easyrsa_cnf_vars() + # Create x509 type create_legacy_stream() { case "$1" in 
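Review bot: Both branches of set_openssl_easyrsa_cnf_vars assign `conf_EASYRSA_DIGEST` twice (once before and once after `conf_EASYRSA_KEY_SIZE`); the second assignment in each branch should be dropped. The mode is chosen by `[ "$1" ]`, so any non-empty argument, including a misspelt one at a call site, silently selects full expansion; a `case "$1" in expanded) ... ;; '') ... ;; *) abort ;; esac` would keep the two callers in write() honest. Because the ssl-cnf heredoc now reads these plain globals, any code path that reaches the heredoc (apparently the ssl-cnf branch of create_legacy_stream, whose body is outside this hunk) without first calling this function emits a config with empty `dir`, `default_md` and DN defaults; I cannot see every caller, so a guard at the top of that branch such as `[ "$conf_EASYRSA_PKI" ] || set_openssl_easyrsa_cnf_vars` would preserve the pre-change output by default. The same ordering dependency applies to the call sites added in hunks @@ -5601 and @@ -5613.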
@@ -5898,7 +5943,7 @@ CREATE_VARS_EXAMPLE ;; ssl-cnf) # SSL config v3.2.0-1 - cat << "CREATE_SSL_CONFIG" + cat << CREATE_SSL_CONFIG # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL #################################################################### @@ -5908,17 +5953,17 @@ default_ca = CA_default # The default ca section #################################################################### [ CA_default ] -dir = $ENV::EASYRSA_PKI # Where everything is kept -certs = $dir # Where the issued certs are kept -crl_dir = $dir # Where the issued crl are kept -database = $dir/index.txt # database index file. -new_certs_dir = $dir/certs_by_serial # default place for new certs. +dir = $conf_EASYRSA_PKI # Where everything is kept +certs = $conf_dir # Where the issued certs are kept +crl_dir = $conf_dir # Where the issued crl are kept +database = $conf_dir/index.txt # database index file. +new_certs_dir = $conf_dir/certs_by_serial # default place for new certs. -certificate = $dir/ca.crt # The CA certificate -serial = $dir/serial # The current serial number -crl = $dir/crl.pem # The current CRL -private_key = $dir/private/ca.key # The private key -RANDFILE = $dir/.rand # private random number file +certificate = $conf_dir/ca.crt # The CA certificate +serial = $conf_dir/serial # The current serial number +crl = $conf_dir/crl.pem # The current CRL +private_key = $conf_dir/private/ca.key # The private key +RANDFILE = $conf_dir/.rand # private random number file x509_extensions = basic_exts # The extensions to add to the cert 
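Review bot: Removing the quotes from `cat << CREATE_SSL_CONFIG` makes the shell expand every `$`, backquote and backslash in the whole heredoc, not only the `$conf_*` placeholders; the hunks below escape the `$` occurrences on the lines they change, but any unchanged heredoc line containing one of those characters (most of the heredoc is outside this patch) is now rewritten silently, and the ssl-cnf output is expected to match the fixed digest given in the commit message. A comment above the `cat` would warn future editors, e.g. `# NOTE: unquoted heredoc - every $, backquote and backslash is expanded by the shell; escape literal ones`. A test comparing `easyrsa write ssl-cnf` output against that digest would catch an accidental expansion before release.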
@@ -5933,11 +5978,11 @@ crl_extensions = crl_ext # These fields are removed from this here-doc but retained # in 'openssl-easyrsa.cnf' file, in case something breaks. # default_days is no longer required by Easy-RSA -#default_days = $ENV::EASYRSA_CERT_EXPIRE # how long to certify for +#default_days = \$ENV::EASYRSA_CERT_EXPIRE # how long to certify for # default_crl_days is no longer required by Easy-RSA -#default_crl_days = $ENV::EASYRSA_CRL_DAYS # how long before next CRL +#default_crl_days = \$ENV::EASYRSA_CRL_DAYS # how long before next CRL -default_md = $ENV::EASYRSA_DIGEST # use public key default MD +default_md = $conf_EASYRSA_DIGEST # use public key default MD preserve = no # keep passed DN ordering # This allows to renew certificates which have not been revoked @@ -5961,16 +6006,16 @@ serialNumber = optional #################################################################### # Easy-RSA request handling -# We key off $DN_MODE to determine how to format the DN +# We key off \$DN_MODE to determine how to format the DN [ req ] -default_bits = $ENV::EASYRSA_KEY_SIZE +default_bits = $conf_EASYRSA_KEY_SIZE default_keyfile = privkey.pem -default_md = $ENV::EASYRSA_DIGEST -distinguished_name = $ENV::EASYRSA_DN +default_md = $conf_EASYRSA_DIGEST +distinguished_name = $conf_EASYRSA_DN x509_extensions = easyrsa_ca # The extensions to add to the self signed cert -# A placeholder to handle the $EXTRA_EXTS feature: -#%EXTRA_EXTS% # Do NOT remove or change this line as $EXTRA_EXTS support requires it +# A placeholder to handle the \$EXTRA_EXTS feature: +#%EXTRA_EXTS% # Do NOT remove or change this line as \$EXTRA_EXTS support requires it #################################################################### # Easy-RSA DN (Subject) handling 
@@ -5979,37 +6024,37 @@ x509_extensions = easyrsa_ca # The extensions to add to the self signed cert [ cn_only ] commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN +commonName_default = $conf_EASYRSA_REQ_CN # Easy-RSA DN for org support: [ org ] countryName = Country Name (2 letter code) -countryName_default = $ENV::EASYRSA_REQ_COUNTRY +countryName_default = $conf_EASYRSA_REQ_COUNTRY countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE +stateOrProvinceName_default = $conf_EASYRSA_REQ_PROVINCE localityName = Locality Name (eg, city) -localityName_default = $ENV::EASYRSA_REQ_CITY +localityName_default = $conf_EASYRSA_REQ_CITY 0.organizationName = Organization Name (eg, company) -0.organizationName_default = $ENV::EASYRSA_REQ_ORG +0.organizationName_default = $conf_EASYRSA_REQ_ORG organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = $ENV::EASYRSA_REQ_OU +organizationalUnitName_default = $conf_EASYRSA_REQ_OU commonName = Common Name (eg: your user, host, or server name) commonName_max = 64 -commonName_default = $ENV::EASYRSA_REQ_CN +commonName_default = $conf_EASYRSA_REQ_CN emailAddress = Email Address -emailAddress_default = $ENV::EASYRSA_REQ_EMAIL +emailAddress_default = $conf_EASYRSA_REQ_EMAIL emailAddress_max = 64 serialNumber = Serial-number (eg, device serial-number) -serialNumber_default = $ENV::EASYRSA_REQ_SERIAL +serialNumber_default = $conf_EASYRSA_REQ_SERIAL #################################################################### # Easy-RSA cert extension handling 
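Review bot: The `$conf_EASYRSA_REQ_*` defaults in [cn_only] and [org] are inserted verbatim in expanded mode, so a DN value containing `#` is cut short by OpenSSL's comment handling, and one containing `$` or `\` is interpreted by OpenSSL's own variable and escape syntax; heredoc expansion itself does not word-split or glob, so spaces in these values are safe. The sed expansion this replaces presumably had the same exposure, so this is not a regression, but a comment in set_openssl_easyrsa_cnf_vars stating which characters the EASYRSA_REQ_* values must not contain in safe-cnf mode would make the contract visible, e.g. `# expanded mode inserts these values verbatim into the OpenSSL config: they must not contain #, $ or backslash`.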
@@ -6041,8 +6086,8 @@ keyUsage = cRLSign, keyCertSign # nsCertType omitted by default. Let's try to let the deprecated stuff die. # nsCertType = sslCA -# A placeholder to handle the $X509_TYPES and CA extra extensions $EXTRA_EXTS: -#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as $X509_TYPES and EXTRA_EXTS demands it +# A placeholder to handle the \$X509_TYPES and CA extra extensions \$EXTRA_EXTS: +#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as \$X509_TYPES and EXTRA_EXTS demands it # CRL extensions. [ crl_ext ]