Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

export-p12, OpenSSL v1.x: Upgrade PBE and MAC options #1083

Closed
wants to merge 2 commits into from
Closed

export-p12, OpenSSL v1.x: Upgrade PBE and MAC options #1083

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dd64668
export-p12, OpenSSL v1.x: Upgrade PBE and MAC options
TinCanTech Mar 4, 2024
40d7644
ChangeLog: export-p12, OpenSSL v1.x: Upgrade PBE and MAC options
TinCanTech Mar 4, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions ChangeLog
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ Easy-RSA 3 ChangeLog

3.2.0 (TBD)

* export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (dd64668)
(#1083 - Based on #1081)
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)
Expand Down
29 changes: 23 additions & 6 deletions easyrsa3/easyrsa
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -333,10 +333,10 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
(Equivalent to global option '--nopass|--no-pass')
* noca - Do not include the ca.crt file in the PKCS12 output
* nokey - Do not include the private key in the PKCS12 output
* nofn - Do not set 'freindlyName'
* nofn - Do not set 'friendlyName'
For more, see: 'easyrsa help friendly'
* legacy - Use legacy encryption algorithm RC2_CBC or 3DES_CBC
OpenSSL V3 ONLY: Default algorithm is AES-256-CBC"
(Default algorithm is AES-256-CBC)"
;;
friendly)
text_only=1
Expand Down Expand Up @@ -3274,6 +3274,19 @@ Run easyrsa without commands for usage and command help."
want_ca=1
want_key=1
unset -v nokeys legacy

# Under OpenSSL 1.1, use the PBE/MAC algorithms OpenSSL 3.0 uses,
# unless "legacy" is set. This makes the .p12 files readable by
# OpenSSL 3.0 without needing '-legacy'.
if [ "$openssl_v3" ]; then
# No cipher opts required
p12_cipher_opts=""
else
# Upgrade PBE & MAC opts - Reset by option 'legacy'
p12_cipher_opts="-keypbe AES-256-CBC -certpbe AES-256-CBC"
p12_cipher_opts="${p12_cipher_opts} -macalg sha256"
fi

while [ "$1" ]; do
case "$1" in
noca)
Expand All @@ -3290,12 +3303,15 @@ Run easyrsa without commands for usage and command help."
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;;
nofn)
unset friendly_name
friendly_name=""
;;
legacy)
[ "$openssl_v3" ] || \
user_error "Option 'legacy' requires SSL version 3"
legacy=-legacy
if [ "$openssl_v3" ]; then
legacy=-legacy
else
# Downgrade PBE & MAC opts
p12_cipher_opts=""
fi
;;
*)
warn "Ignoring unknown option: '$1'"
Expand Down Expand Up @@ -3421,6 +3437,7 @@ Missing User Certificate, expected at:
-inkey "$key_in" \
${nokeys} \
${legacy} \
${p12_cipher_opts} \
${friendly_name:+ -name "$friendly_name"} \
${want_ca:+ -certfile "$crt_ca"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
Expand Down