diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index b7a9e6d43..1fa2e142d 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -757,6 +757,7 @@ secure_session() {
 session=
 for i in 1 2 3; do
 easyrsa_random 4 session
+#session="$$"
 secured_session="${EASYRSA_TEMP_DIR}/${session}"
 # atomic:
@@ -5693,6 +5694,7 @@ write() {
 # set heredoc variables for openssl-esyrsa.cnf
 # shellcheck disable=SC2016 # (info): $ don't expand in ''
+# shellcheck disable=SC2034 # appears unused
 set_openssl_easyrsa_cnf_vars(){
 case "$1" in
 expanded)
@@ -5735,6 +5737,7 @@ set_openssl_easyrsa_cnf_vars(){
 }
 # => set_openssl_easyrsa_cnf_vars()
 # Create x509 type
+# shellcheck disable=SC2317 # appears to be unreachable.
 create_legacy_stream() {
 case "$1" in
 COMMON)
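Review bot: The added `#session="$$"` is a dormant override of the random session ID that `easyrsa_random 4 session` produces on the line above it, and it should not be merged even commented out: uncommenting it makes the `secured_session` path under `EASYRSA_TEMP_DIR` predictable from the PID, which gives away the unpredictability the random name provides against someone pre-creating that path in a shared temp directory. The `mkdir` the `# atomic:` comment refers to is outside the hunk, so I cannot confirm what happens once all three retries collide, but a predictable name makes that outcome reachable on purpose rather than by chance. I would drop the line; if a fixed session ID is needed for debugging, it belongs behind an explicitly documented debug switch, not as a one-keystroke change in the production path. secure_session's body continues past the end of this hunk.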
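Review bot: The `# shellcheck disable=SC2317 # appears to be unreachable.` placed on `create_legacy_stream()` silences a warning that says the whole function has no caller shellcheck can see, and the comment restates the warning instead of saying why the function is kept. If it really has no caller, the dead generator of built-in config should be deleted rather than suppressed; if it is reached through an indirect call that shellcheck cannot follow, the comment should say so, e.g. `# shellcheck disable=SC2317 # reached via indirect call, not visible to shellcheck`. I cannot tell from this hunk which of the two applies. The function body continues past the end of this hunk.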
@@ -5827,308 +5830,20 @@ CREATE_X509_TYPE_KDC
 ;;
 vars)
 # vars
+ return 1
 cat << "CREATE_VARS_EXAMPLE"
 # Easy-RSA 3 parameter settings
-# NOTE: If you installed Easy-RSA from your package manager, do not edit
-# this file in place -- instead, you should copy the entire easy-rsa directory
-# to another location so future upgrades do not wipe out your changes.
-
-# HOW TO USE THIS FILE
-#
-# vars.example contains built-in examples to Easy-RSA settings. You MUST name
-# this file "vars" if you want it to be used as a configuration file. If you
-# do not, it WILL NOT be automatically read when you call easyrsa commands.
-#
-# It is not necessary to use this config file unless you wish to change
-# operational defaults. These defaults should be fine for many uses without
-# the need to copy and edit the "vars" file.
-#
-# All of the editable settings are shown commented and start with the command
-# "set_var" -- this means any set_var command that is uncommented has been
-# modified by the user. If you are happy with a default, there is no need to
-# define the value to its default.
-
-# NOTES FOR WINDOWS USERS
-#
-# Paths for Windows *MUST* use forward slashes, or optionally double-escaped
-# backslashes (single forward slashes are recommended.) This means your path
-# to the openssl binary might look like this:
-# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-
-# A little housekeeping: DO NOT EDIT THIS SECTION
-#
-# Easy-RSA 3.x does not source into the environment directly.
-# Complain if a user tries to do this:
-if [ -z "$EASYRSA_CALLER" ]; then
- echo "You appear to be sourcing an Easy-RSA *vars* file. This is" >&2
- echo "no longer necessary and is disallowed. See the section called" >&2
- echo "*How to use this file* near the top comments for more details." >&2
- return 1
-fi
-
-# DO YOUR EDITS BELOW THIS POINT
-
-# If your OpenSSL command is not in the system PATH, you will need to define
-# the path here. Normally this means a full path to the executable, otherwise
-# you could have left it undefined here and the shown default would be used.
-#
-# Windows users, remember to use paths with forward-slashes (or escaped
-# back-slashes.) Windows users should declare the full path to the openssl
-# binary here if it is not in their system PATH.
-#
-#set_var EASYRSA_OPENSSL "openssl"
-#
-# This sample is in Windows syntax -- edit it for your path if not using PATH:
-#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-
-# Define X509 DN mode.
-#
-# This is used to adjust which elements are included in the Subject field
-# as the DN ("Distinguished Name"). Note that in 'cn_only' mode the
-# Organizational fields, listed further below, are not used.
-#
-# Choices are:
-# cn_only - Use just a commonName value.
-# org - Use the "traditional" format:
-# Country/Province/City/Org/Org.Unit/email/commonName
-#
-#set_var EASYRSA_DN "cn_only"
-
-# Organizational fields (used with "org" mode and ignored in "cn_only" mode).
-# These are the default values for fields which will be placed in the
-# certificate. Do not leave any of these fields blank, although interactively
-# you may omit any specific field by typing the "." symbol (not valid for
-# email).
-#
-# NOTE: The following characters are not supported
-# in these "Organizational fields" by Easy-RSA:
-# back-tick (`)
-#
-#set_var EASYRSA_REQ_COUNTRY "US"
-#set_var EASYRSA_REQ_PROVINCE "California"
-#set_var EASYRSA_REQ_CITY "San Francisco"
-#set_var EASYRSA_REQ_ORG "Copyleft Certificate Co"
-#set_var EASYRSA_REQ_EMAIL "me@example.net"
-#set_var EASYRSA_REQ_OU "My Organizational Unit"
-
-# Preserve the Distinguished Name field order
-# of the certificate signing request
-# *Only* effective in --dn-mode=org
-#
-#set_var EASYRSA_PRESERVE_DN 1
-
-# Set no password mode
-# This can be better managed by choosing which entity private keys should be
-# encrypted with the following command line options:
-# Global option '--no-pass' or command option 'nopass'.
-#
-#set_var EASYRSA_NO_PASS 1
-
-# Choose a size in bits for your keypairs. The recommended value is 2048.
-# Using 2048-bit keys is considered more than sufficient for many years into
-# the future. Larger keysizes will slow down TLS negotiation and make key/DH
-# param generation take much longer. Values up to 4096 should be accepted by
-# most software. Only used when the crypto alg is rsa, see below.
-#
-#set_var EASYRSA_KEY_SIZE 2048
-
-# The default crypto mode is rsa; ec can enable elliptic curve support.
-# Note that not all software supports ECC, so use care when enabling it.
-# Choices for crypto alg are: (each in lower-case)
-# * rsa
-# * ec
-# * ed
-#
-#set_var EASYRSA_ALGO rsa
-
-# Define the named curve, used in ec & ed modes:
-#
-#set_var EASYRSA_CURVE secp384r1
-
-# In how many days should the root CA key expire?
-#
-#set_var EASYRSA_CA_EXPIRE 3650
-
-# In how many days should certificates expire?
-#
-#set_var EASYRSA_CERT_EXPIRE 825
-
-# How many days until the next CRL publish date? Note that the CRL can still
-# be parsed after this timeframe passes. It is only used for an expected next
-# publication date.
-#
-#set_var EASYRSA_CRL_DAYS 180
-
-# Random serial numbers by default.
-# Set to 'no' for the old incremental serial numbers.
-#
-#set_var EASYRSA_RAND_SN "yes"
-
-# Cut-off window for checking expiring certificates.
-#
-#set_var EASYRSA_PRE_EXPIRY_WINDOW 90
-
-# Define directory for temporary subdirectories.
-#
-#set_var EASYRSA_TEMP_DIR "$EASYRSA_PKI"
+*** DISABLED ***
 CREATE_VARS_EXAMPLE
 ;;
 ssl-cnf|safe-cnf)
 # SSL config v3.2.0-1
- cat << CREATE_SSL_CONFIG
+ return 1
+ cat << CREATE_SSL_CONFIG
 # For use with Easy-RSA 3.0+ and OpenSSL or LibreSSL
-####################################################################
-[ ca ]
-default_ca = CA_default # The default ca section
-
-####################################################################
-[ CA_default ]
-
-dir = $conf_EASYRSA_PKI # Where everything is kept
-certs = $conf_EASYRSA_dir # Where the issued certs are kept
-crl_dir = $conf_EASYRSA_dir # Where the issued crl are kept
-database = $conf_EASYRSA_dir/index.txt # database index file.
-new_certs_dir = $conf_EASYRSA_dir/certs_by_serial # default place for new certs.
-
-certificate = $conf_EASYRSA_dir/ca.crt # The CA certificate
-serial = $conf_EASYRSA_dir/serial # The current serial number
-crl = $conf_EASYRSA_dir/crl.pem # The current CRL
-private_key = $conf_EASYRSA_dir/private/ca.key # The private key
-RANDFILE = $conf_EASYRSA_dir/.rand # private random number file
-
-x509_extensions = basic_exts # The extensions to add to the cert
-
-# A placeholder to handle the --copy-ext feature:
-#%COPY_EXTS% # Do NOT remove or change this line as --copy-ext support requires it
-
-# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
-# is designed for will. In return, we get the Issuer attached to CRLs.
-crl_extensions = crl_ext
-
-# These fields are always configured via the command line.
-# These fields are removed from this here-doc but retained
-# in 'openssl-easyrsa.cnf' file, in case something breaks.
-# default_days is no longer required by Easy-RSA
-#default_days = \$ENV::EASYRSA_CERT_EXPIRE # how long to certify for
-# default_crl_days is no longer required by Easy-RSA
-#default_crl_days = \$ENV::EASYRSA_CRL_DAYS # how long before next CRL
-
-default_md = $conf_EASYRSA_DIGEST # use public key default MD
-preserve = no # keep passed DN ordering
-
-# This allows to renew certificates which have not been revoked
-unique_subject = no
-
-# A few different ways of specifying how similar the request should look
-# For type CA, the listed attributes must be the same, and the optional
-# and supplied fields are just that :-)
-policy = policy_anything
-
-# For the 'anything' policy, which defines allowed DN fields
-[ policy_anything ]
-countryName = optional
-stateOrProvinceName = optional
-localityName = optional
-organizationName = optional
-organizationalUnitName = optional
-commonName = supplied
-emailAddress = optional
-serialNumber = optional
-
-####################################################################
-# Easy-RSA request handling
-# We key off \$DN_MODE to determine how to format the DN
-[ req ]
-default_bits = $conf_EASYRSA_KEY_SIZE
-default_keyfile = privkey.pem
-default_md = $conf_EASYRSA_DIGEST
-distinguished_name = $conf_EASYRSA_DN
-x509_extensions = easyrsa_ca # The extensions to add to the self signed cert
-
-# A placeholder to handle the \$EXTRA_EXTS feature:
-#%EXTRA_EXTS% # Do NOT remove or change this line as \$EXTRA_EXTS support requires it
-
-####################################################################
-# Easy-RSA DN (Subject) handling
-
-# Easy-RSA DN for cn_only support:
-[ cn_only ]
-commonName = Common Name (eg: your user, host, or server name)
-commonName_max = 64
-commonName_default = $conf_EASYRSA_REQ_CN
-
-# Easy-RSA DN for org support:
-[ org ]
-countryName = Country Name (2 letter code)
-countryName_default = $conf_EASYRSA_REQ_COUNTRY
-countryName_min = 2
-countryName_max = 2
-
-stateOrProvinceName = State or Province Name (full name)
-stateOrProvinceName_default = $conf_EASYRSA_REQ_PROVINCE
-
-localityName = Locality Name (eg, city)
-localityName_default = $conf_EASYRSA_REQ_CITY
-
-0.organizationName = Organization Name (eg, company)
-0.organizationName_default = $conf_EASYRSA_REQ_ORG
-
-organizationalUnitName = Organizational Unit Name (eg, section)
-organizationalUnitName_default = $conf_EASYRSA_REQ_OU
-
-commonName = Common Name (eg: your user, host, or server name)
-commonName_max = 64
-commonName_default = $conf_EASYRSA_REQ_CN
-
-emailAddress = Email Address
-emailAddress_default = $conf_EASYRSA_REQ_EMAIL
-emailAddress_max = 64
-
-serialNumber = Serial-number (eg, device serial-number)
-serialNumber_default = $conf_EASYRSA_REQ_SERIAL
-
-####################################################################
-# Easy-RSA cert extension handling
-
-# This section is effectively unused as the main script sets extensions
-# dynamically. This core section is left to support the odd usecase where
-# a user calls openssl directly.
-[ basic_exts ]
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-
-# The Easy-RSA CA extensions
-[ easyrsa_ca ]
-
-# PKIX recommendations:
-
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-
-# This could be marked critical, but it's nice to support reading by any
-# broken clients who attempt to do so.
-basicConstraints = CA:true
-
-# Limit key usage to CA tasks. If you really want to use the generated pair as
-# a self-signed cert, comment this out.
-keyUsage = cRLSign, keyCertSign
-
-# nsCertType omitted by default. Let's try to let the deprecated stuff die.
-# nsCertType = sslCA
-
-# A placeholder to handle the \$X509_TYPES and CA extra extensions \$EXTRA_EXTS:
-#%CA_X509_TYPES_EXTRA_EXTS% # Do NOT remove or change this line as \$X509_TYPES and EXTRA_EXTS demands it
-
-# CRL extensions.
-[ crl_ext ]
-
-# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
-
-# issuerAltName=issuer:copy
-authorityKeyIdentifier=keyid:always,issuer:always
+*** DISABLED ***
 CREATE_SSL_CONFIG
 ;;
 *)
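Review bot: The `return 1` inserted ahead of each `cat << ...` makes the heredoc that follows it unreachable, so the `*** DISABLED ***` body is never printed and `create_legacy_stream vars` and `create_legacy_stream ssl-cnf` now produce nothing on stdout and a non-zero status; whether the callers check that status or simply consume an empty stream as the built-in vars example or OpenSSL config is not visible in this hunk. Because what was removed is the embedded CA configuration (`policy_anything`, `unique_subject = no`, the `[ easyrsa_ca ]` section with `keyUsage = cRLSign, keyCertSign`), a caller that silently falls through to an empty config would be a worse outcome than a clear failure, so the callers deserve a look. I would delete the dead `cat` and heredoc in both branches rather than leave an unreachable placeholder, and say what replaced them, e.g. `vars) # built-in vars example removed; shipped as vars.example instead` followed by `return 1 ;;`, and the same shape for `ssl-cnf|safe-cnf)`, since the retained `# SSL config v3.2.0-1` header now labels a stub. `create_legacy_stream()` begins in an earlier hunk and its `*)` default case continues after this one.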