Introduce global option --san-crit, mark SAN critical (RFC2459) #1179

Merged (3 commits), Jul 1, 2024
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
* gen-req: Always check for existing request file (7eab98e) (#1177)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
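Review bot: the RFC reference in this ChangeLog entry (and in the PR title) is out of date; RFC 2459 was obsoleted by RFC 3280 and then RFC 5280, so the entry should cite RFC 5280 section 4.2.1.6, which is the text that governs the criticality of subjectAltName today: the extension MUST be marked critical when the subject field is empty and SHOULD be non-critical otherwise. Naming the current RFC here also tells users when the new flag is actually required rather than merely permitted.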
14 changes: 12 additions & 2 deletions easyrsa3/easyrsa
Expand Up @@ -611,6 +611,7 @@ Certificate & Request options: (these impact cert/req field values)
--san|--subject-alt-name=SUBJECT_ALT_NAME
: Add a subjectAltName. Can be used multiple times.
For more info and syntax, see: 'easyrsa help altname'
--san-crit : Mark X509v3 subjectAltName as critical

--new-subject='SUBJECT'
: Specify a new subject field to sign a request with.
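Review bot: the help line for `--san-crit` does not say that the flag only acts on a subjectAltName supplied via `--san` in the same invocation; later in this patch the `critical,` prefix is only prepended inside `if [ "$EASYRSA_SAN" ]`, so a SAN carried in an incoming request is unaffected. Suggest extending the description, e.g. `--san-crit : Mark X509v3 subjectAltName (set with --san) as critical`, and pointing the reader to `easyrsa help altname` as the `--san` entry already does.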
Expand Down Expand Up @@ -2235,6 +2236,8 @@ $EASYRSA_EXTRA_EXTS"
> "$adjusted_ssl_cnf_tmp" || \
die "Writing SSL config to temp file failed"

[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"

# Use this SSL config for the rest of this function
EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"
fi
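Review bot: the one-liner `[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"` leaves the list with a non-zero status whenever the flag is unset; that is harmless here because other commands follow, but it becomes a silent failure if this line is ever moved to the end of a function or run under `set -e` as the last command. An explicit `if [ "$EASYRSA_SAN_CRIT" ]; then verbose "..."; fi` is the safer idiom. The message text is also slightly misleading: nothing in this hunk checks that the critical prefix reached the generated config, it only reports that the option was given, so "gen-req: SAN marked critical" would describe it more accurately.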
Expand Down Expand Up @@ -2508,6 +2511,8 @@ basicConstraints is not defined, cannot use 'pathlen'"
unset -v ns_cert_type
esac

[ "${EASYRSA_SAN_CRIT}" ] && verbose "sign-req: SAN critical OK"

# Generate the extensions file for this cert:
ext_tmp=""
easyrsa_mktemp ext_tmp || \
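Review bot: the verbose prefix `sign-req:` introduced here differs from the existing `sign_req:` prefix used by the "Generated extensions file OK" message a few lines further down in this function; pick one spelling so that `grep`-ing verbose output for a command's messages keeps working. The same `[ ... ] && verbose` short-circuit concern raised for the gen-req hunk applies to this line as well.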
Expand Down Expand Up @@ -2542,6 +2547,7 @@ Failed to create temp extension file (bad permissions?) at:
verbose "sign_req: Generated extensions file OK"

# Get request CN
# EASYRSA_REQ_CN MUST always be set to the CSR CN
EASYRSA_REQ_CN="$(
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
-subject -nameopt multiline | grep 'commonName'
Expand Down Expand Up @@ -2604,7 +2610,7 @@ $confirm_dn"
if [ "$EASYRSA_SAN" ]; then
confirm_san="\
X509v3 Subject Alternative Name:
$EASYRSA_SAN"
${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
else
confirm_san="$req_x509_san"
fi
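Review bot: the confirmation text built here shows the raw config syntax `critical,DNS:...` on the line under "X509v3 Subject Alternative Name:", whereas `openssl x509 -text` prints `critical` on the header line itself, followed by the names. Suggest rendering it the same way (append `${EASYRSA_SAN_CRIT:+ critical}` to the header line and print only `$EASYRSA_SAN` underneath) so what the user confirms matches what will appear in the issued certificate. In the `else` branch the SAN is taken from the request unchanged, so `--san-crit` is not reflected there; if that is intentional, a short comment saying so would save the next reader a search.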
Expand Down Expand Up @@ -5457,6 +5463,10 @@ while :; do
EASYRSA_SAN="$val"
fi
;;
--san-crit*)
empty_ok=1
export EASYRSA_SAN_CRIT='critical,'
;;
--new-subj*)
export EASYRSA_NEW_SUBJECT="$val"
;;
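Review bot: the `--san-crit*)` arm sets `empty_ok=1` and ignores `$val` entirely, so because of the trailing glob an invocation such as `--san-crit=0` or `--san-crit=no` is accepted silently and still marks the extension critical. Either reject a supplied value (`[ "$val" ] && die "--san-crit takes no value"`) or document that the option is a pure switch; as written there is also no way to turn the setting off once `EASYRSA_SAN_CRIT` has been exported into the environment by an earlier wrapper, which is worth a sentence in the help text.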
Expand Down Expand Up @@ -5507,7 +5517,7 @@ done
if [ "$EASYRSA_SAN" ]; then
EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = $EASYRSA_SAN"
subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
fi

# Set cmd now
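Review bot: the `critical,` prefix is only prepended inside `if [ "$EASYRSA_SAN" ]`, so passing `--san-crit` without `--san` is a silent no-op and the user gets a certificate whose SAN is not critical although they asked for it. Suggest adding an `else` branch here that warns (or dies) when `EASYRSA_SAN_CRIT` is set but `EASYRSA_SAN` is empty, for example `[ "$EASYRSA_SAN_CRIT" ] && warn "--san-crit given without --san, ignored"`, so the mismatch is visible at the point where the extension list is assembled rather than discovered later by a relying party.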