pool/easy-rsa
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update to version 3.0.3

Browse Source 
OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=14
This commit is contained in:
Olav Reinert 2017-10-16 06:44:30 +00:00 committed by Git OBS Bridge
parent 5cb1c57f89
commit d21ed10036
17 changed files with 11 additions and 676 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
29d4dee.patch
View File

@ -1,22 +0,0 @@
From 29d4dee508706a34b50c20d338b3f2d452446716 Mon Sep 17 00:00:00 2001
From: Thomas Szteliga <ts@websafe.pl>
Date: Mon, 21 Mar 2016 17:25:58 +0100
Subject: [PATCH] Fixes #91 basename: invalid option -- 's'.
---
build/build-dist.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/build-dist.sh b/build/build-dist.sh
index 2f11fb2..dca4b9a 100755
--- a/build/build-dist.sh
+++ b/build/build-dist.sh
@@ -88,7 +88,7 @@ stage_win() {
for f in `ls $SRC_ROOT/doc/*.md`;
do
- fname=`basename -s .md $f`
+ fname=`basename $f .md`
python -m markdown $f > $DIST_ROOT/windows/$PV/doc/$fname.html
done

3
3.0.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a1fff75a27ea7da3f37fbfed715633f55b9ca25f5b14cac38e525c5c995e68ae
size 44242

34
4eac410.patch
View File

@ -1,34 +0,0 @@
From 4eac410bce13a4730aa160ba48e6fa0aef7edd7c Mon Sep 17 00:00:00 2001
From: azvyagintsev <azvyagintsev@mirantis.com>
Date: Tue, 4 Jul 2017 20:14:57 +0300
Subject: [PATCH] Fix string comprehension
- "[[" syntax work only in "Bash"
---
easyrsa3/easyrsa | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index e004e2b..901a52f 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -641,8 +641,7 @@ $(display_dn req "$req_in")
# If type is server and no subjectAltName was requested,
# add one to the extensions file
- if [[ "$crt_type" == 'server' ]]
- then
+ if [ "$crt_type" = 'server' ]; then
echo "$EASYRSA_EXTRA_EXTS" |
grep -q subjectAltName ||
print $(default_server_san "$req_in")
@@ -941,8 +940,7 @@ default_server_san() {
awk -F'=' '/^ *CN=/{print $2}'
)
echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
- if [[ $? -eq 0 ]]
- then
+ if [ $? -eq 0 ]; then
print "subjectAltName = IP:$cn"
else
print "subjectAltName = DNS:$cn"

72
534f673.patch
View File

@ -1,72 +0,0 @@
From 534f67345997603e3b1fbf6b673bbaa65937019e Mon Sep 17 00:00:00 2001
From: Olav Reinert <seroton10@gmail.com>
Date: Mon, 5 Jun 2017 23:30:57 +0200
Subject: [PATCH] Make $PWD/pki the default PKI location
---
doc/EasyRSA-Advanced.md | 3 ++-
easyrsa3/easyrsa | 14 ++++++++------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 64b29ae..1bd8c29 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -34,6 +34,7 @@ Configuration Reference
1. File referenced by the --vars CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
3. The `EASYRSA_PKI` directory
+ 4. The default PKI directory at $PWD/pki (usually will be the same as above)
4. The `EASYRSA` directory
5. The location of the easyrsa program (usually will be the same as above)
@@ -80,7 +81,7 @@ possible terse description is shown below:
* `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
* `EASYRSA_OPENSSL` - command to invoke openssl
* `EASYRSA_SSL_CONF` - the openssl config file to use
- * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files
+ * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
* `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
alter the fields to include in the req DN
* `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 088faeb..8adc8fc 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -989,13 +989,15 @@ vars_setup() {
# set up program path
local prog_vars="${0%/*}/vars"
+ # set up PKI path
+ local pki_vars="${EASYRSA_PKI:-$PWD/pki}/vars"
# command-line path:
if [ -f "$EASYRSA_VARS_FILE" ]; then
vars="$EASYRSA_VARS_FILE"
- # EASYRSA_PKI, if defined:
- elif [ -n "$EASYRSA_PKI" ] && [ -f "$EASYRSA_PKI/vars" ]; then
- vars="$EASYRSA_PKI/vars"
+ # PKI location, if present:
+ elif [ -f "$pki_vars" ]; then
+ vars="$pki_vars"
# EASYRSA, if defined:
elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then
vars="$EASYRSA/vars"
@@ -1013,9 +1015,9 @@ Note: using Easy-RSA configuration from: $vars"
fi
# Set defaults, preferring existing env-vars if present
- set_var EASYRSA "$PWD"
+ set_var EASYRSA "${0%/*}"
set_var EASYRSA_OPENSSL openssl
- set_var EASYRSA_PKI "$EASYRSA/pki"
+ set_var EASYRSA_PKI "$PWD/pki"
set_var EASYRSA_DN cn_only
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
@@ -1225,4 +1227,4 @@ case "$cmd" in
;;
esac
-# vim: ft=sh nu ai sw=8 ts=8
+# vim: ft=sh nu ai sw=8 ts=8 noet

52
6436eaf.patch
View File

@ -1,52 +0,0 @@
From 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375 Mon Sep 17 00:00:00 2001
From: Martin Schmitt <mas@scsy.de>
Date: Fri, 30 Jun 2017 16:12:13 +0200
Subject: [PATCH] Add CN as SAN (if none requested) on server certs by default
---
easyrsa3/easyrsa | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 088faeb..f5ec797 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -627,6 +627,15 @@ $(display_dn req "$req_in")
esac
fi
+ # If type is server and no subjectAltName was requested,
+ # add one to the extensions file
+ if [[ "$crt_type" == 'server' ]]
+ then
+ echo "$EASYRSA_EXTRA_EXTS" |
+ grep -q subjectAltName ||
+ print $(default_server_san "$req_in")
+ fi
+
# Add any advanced extensions supplied by env-var:
[ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
@@ -923,6 +932,22 @@ display_dn() {
print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
} # => display_dn()
+# generate default SAN from req/X509, passed by full pathname
+default_server_san() {
+ local path="$1"
+ local cn=$(
+ "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
+ awk -F'=' '/^ *CN=/{print $2}'
+ )
+ echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
+ if [[ $? -eq 0 ]]
+ then
+ print "subjectAltName = IP:$cn"
+ else
+ print "subjectAltName = DNS:$cn"
+ fi
+} # => default_server_san()
+
# verify a file seems to be a valid req/X509
verify_file() {
local format="$1" path="$2"

52
83a1a21.patch
View File

@ -1,52 +0,0 @@
From 83a1a21e7a90e8666498dec2fa35ee5b8f67920c Mon Sep 17 00:00:00 2001
From: Eric F Crist <ecrist@secure-computing.net>
Date: Tue, 22 Aug 2017 20:52:26 -0500
Subject: [PATCH] Add --copy-ext option
Adding the --copy-ext option to copy request extension data. This will
resolve #60 and other Subject Alternative Name "issues" that have been
created.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
---
easyrsa3/easyrsa | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 81618d3..55de809 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -199,6 +199,7 @@ Certificate & Request options: (these impact cert/req field values)
./easyrsa help altname
--use-algo=ALG : crypto alg to use: choose rsa (default) or ec
--curve=NAME : for elliptic curve, sets the named curve to use
+--copy-ext : Copy included request X509 extensions (namely subjAltName
Organizational DN options: (only used with the 'org' DN mode)
(values may be blank for org DN options)
@@ -623,6 +624,8 @@ $(display_dn req "$req_in")
# Append first any COMMON file (if present) then the cert-type extensions
cat "$EASYRSA_EXT_DIR/COMMON"
cat "$EASYRSA_EXT_DIR/$crt_type"
+ # copy req extensions
+ [ $EASYRSA_CP_EXT ] && print "copy_extensions = copy"
# Support a dynamic CA path length when present:
[ "$crt_type" = "ca" ] && [ -n "$EASYRSA_SUBCA_LEN" ] && \
@@ -1063,6 +1066,7 @@ Note: using Easy-RSA configuration from: $vars"
set_var EASYRSA_TEMP_FILE_3 ""
set_var EASYRSA_REQ_CN ChangeMe
set_var EASYRSA_DIGEST sha256
+ set_var EASYRSA_CP_EXT 0
# Detect openssl config, preferring EASYRSA_PKI over EASYRSA
if [ -f "$EASYRSA_PKI/openssl-1.0.cnf" ]; then
@@ -1165,6 +1169,8 @@ while :; do
export EASYRSA_SUBCA_LEN="$val" ;;
--vars)
export EASYRSA_VARS_FILE="$val" ;;
+ --copy-ext)
+ export EASYRSA_CP_EXT=1 ;;
--subject-alt-name)
export EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS

22
a138c0d.patch
View File

@ -1,22 +0,0 @@
From a138c0d83b0ff1feed385c5d2d7a1c25422fe04d Mon Sep 17 00:00:00 2001
From: Uwe Hermann <uwe@hermann-uwe.de>
Date: Sat, 19 Aug 2017 18:17:43 +0200
Subject: [PATCH] Fix incorrect "openssl rand" usage (#138).
---
easyrsa3/easyrsa | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index e004e2b..f73b375 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -572,7 +572,7 @@ sign_req() {
# Randomize Serial number
local i= serial= check_serial=
for i in 1 2 3 4 5; do
- "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+ "$EASYRSA_OPENSSL" rand -hex -out "$EASYRSA_PKI/serial 16"
serial="$(cat "$EASYRSA_PKI/serial")"
check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
case "$check_serial" in

102
b75faa4.patch
View File

@ -1,102 +0,0 @@
From b75faa475f22af55202d4b2be429cd30f16f15ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Samuli=20Sepp=C3=A4nen?= <samuli@openvpn.net>
Date: Wed, 22 Jun 2016 18:51:48 +0300
Subject: [PATCH] Convert README and COPYING into markdown files
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
---
COPYING => COPYING.md | 5 +++--
README => README.md | 25 +++++++++++++------------
2 files changed, 16 insertions(+), 14 deletions(-)
rename COPYING => COPYING.md (91%)
rename README => README.md (68%)
diff --git a/COPYING b/COPYING.md
similarity index 91%
rename from COPYING
rename to COPYING.md
index 25b910e..39bce08 100644
--- a/COPYING
+++ b/COPYING.md
@@ -1,15 +1,16 @@
Easy-RSA -- A Shell-based CA Utility
+====================================
Copyright (C) 2013 by the Open-Source OpenVPN development community
-Easy-RSA 3 license: GPLv2:
+Easy-RSA 3 license: GPLv2
-------------------------
All the Easy-RSA code contained in this project falls under a GPLv2 license with
full text available in the Licensing/ directory. Additional components used by
this project fall under additional licenses:
-Additional licenses for external components:
+Additional licenses for external components
-------------------------------------------
The following components are under different licenses; while not part of the
diff --git a/README b/README.md
similarity index 68%
rename from README
rename to README.md
index 325e7e6..5a574e5 100644
--- a/README
+++ b/README.md
@@ -1,39 +1,40 @@
-OVERVIEW:
+# Overview
+
easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's terms,
this means to create a root certificate authority, and request and sign
certificates, including sub-CAs and certificate revokation lists (CRL).
-DOWNLOADS:
+# Downloads
If you are looking for release downloads, please see the releases section on
GitHub. Releases are also available as source checkouts using named tags.
-DOCUMENTATION:
+# Documentation
-For 3.x project documentation and usage, see the README.quickstart.md file or
+For 3.x project documentation and usage, see the [README.quickstart.md](README.quickstart.md) file or
the more detailed docs under the doc/ directory. The .md files are in Markdown
format and can be converted to html files as desired for release packages, or
read as-is in plaintext.
-GETTING HELP USING EASY-RSA:
+# Getting help using easy-rsa
Currently, Easy-RSA development co-exists with OpenVPN even though they are
separate projects. The following resources are good places as of this writing to
seek help using Easy-RSA:
-The openvpn-users mailing list is a good place to post usage or help questions:
-https://lists.sourceforge.net/lists/listinfo/openvpn-users
+The [openvpn-users mailing list](https://lists.sourceforge.net/lists/listinfo/openvpn-users)
+is a good place to post usage or help questions.
You can also try IRC at Freenode/#openvpn
-BRANCH STRUCTURE:
+# Branch structure
The easy-rsa master branch is currently tracking development for the 3.x release
cycle. The prior 2.x and 1.x versions are available as release branches for
tracking and possible back-porting of relevant fixes. Branch layout is:
- master <- 3.x, at present
- release/2.x
- release/1.x
+ master <- 3.x, at present
+ release/2.x
+ release/1.x
-LICENSING info for 3.x is in the COPYING file
+LICENSING info for 3.x is in the [COPYING.md](COPYING.md) file

80
b93d0a1.patch
View File

@ -1,80 +0,0 @@
From b93d0a16759137d68f6ffbf9fd41e9de23eacb71 Mon Sep 17 00:00:00 2001
From: Drew Anderson <d.anderson@beovista.com.au>
Date: Mon, 9 May 2016 10:24:02 +1000
Subject: [PATCH] spelling fixes and setence structure improvements
---
doc/EasyRSA-Advanced.md | 2 +-
doc/EasyRSA-Readme.md | 6 +++---
doc/EasyRSA-Upgrade-Notes.md | 2 +-
doc/Intro-To-PKI.md | 2 +-
4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 6406946..64b29ae 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -108,7 +108,7 @@ possible terse description is shown below:
extensions
* `EASYRSA_REQ_CN` (CLI: `--req-cn`) - default CN, necessary to set in BATCH
mode
- * `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash diget to use for req/cert
+ * `EASYRSA_DIGEST` (CLI: `--digest`) - set a hash digest to use for req/cert
signing
* `EASYRSA_BATCH` (CLI: `--batch`) - enable batch (no-prompt) mode; set
env-var to non-zero string to enable (CLI takes no options)
diff --git a/doc/EasyRSA-Readme.md b/doc/EasyRSA-Readme.md
index 568c3a6..bece589 100644
--- a/doc/EasyRSA-Readme.md
+++ b/doc/EasyRSA-Readme.md
@@ -74,7 +74,7 @@ Obtaining and Using Easy-RSA
General usage and command help can be shown with:
./easyrsa help [ command ]
-
+
When run without any command, general usage and a list of available commands
are shown; when a command is supplied, detailed help output for that command
is shown.
@@ -135,7 +135,7 @@ you need a more basic description of how a PKI works.
When building a CA, a number of new files are created by a combination of
Easy-RSA and (indirectly) openssl. The important CA files are:
-
+
* `ca.crt` - This is the CA certificate
* `index.txt` - This is the "master database" of all issued certs
* `serial` - Stores the next serial number (serial numbers increment)
@@ -224,7 +224,7 @@ Easy-RSA can generate a keypair and request with the following command:
./easyrsa gen-req nameOfRequest
You will then be given a chance to modify the Subject details of your request.
-By default Easy-RSA uses the short name supplied on the command-line, though you
+Easy-RSA uses the short name supplied on the command-line by default, though you
are free to change it if necessary. After providing a passphrase and Subject
details, the keypair and request files will be shown.
diff --git a/doc/EasyRSA-Upgrade-Notes.md b/doc/EasyRSA-Upgrade-Notes.md
index f5c1514..6cc6df2 100644
--- a/doc/EasyRSA-Upgrade-Notes.md
+++ b/doc/EasyRSA-Upgrade-Notes.md
@@ -54,5 +54,5 @@ Easy-RSA 3 has some new concepts compared to the prior v2 series.
generation as the requester doesn't need to know the CA's values in advance.
Previously in v2, the Country, State, and Org values all had to match or a
- request couldn't be signed. If you want the old behavior your can change the
+ request couldn't be signed. If you want the old behavior you can change the
OpenSSL config to require it or simply look over the DN at signing time.
diff --git a/doc/Intro-To-PKI.md b/doc/Intro-To-PKI.md
index cd8217b..ea56629 100644
--- a/doc/Intro-To-PKI.md
+++ b/doc/Intro-To-PKI.md
@@ -37,7 +37,7 @@ PKI mixed in with one used to generate end-entity certificates, such as clients
or servers (VPN or web servers.)
To start a new PKI, the CA is first created on the secure environment.
-Depending on security needs, this could managed under a locked down account,
+Depending on security needs, this could be managed under a locked down account,
dedicated system, or even a completely offline system or using removable media
to improve security (after all, you can't suffer an online break-in if your
system or PKI is not online.) The exact steps to create a CA are described in a

85
d20d2b3.patch
View File

@ -1,85 +0,0 @@
From d20d2b3c06baed2fc4e098b12331fd203e723f91 Mon Sep 17 00:00:00 2001
From: Olav Reinert <seroton10@gmail.com>
Date: Thu, 27 Jul 2017 08:27:27 +0200
Subject: [PATCH] Update docs and examples to fit changes in 534f673
---
doc/EasyRSA-Advanced.md | 14 +++++++-------
easyrsa3/vars.example | 17 ++++++++++++-----
2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/doc/EasyRSA-Advanced.md b/doc/EasyRSA-Advanced.md
index 1bd8c29..5bcd526 100644
--- a/doc/EasyRSA-Advanced.md
+++ b/doc/EasyRSA-Advanced.md
@@ -31,12 +31,12 @@ Configuration Reference
The following locations are checked, in this order, for a vars file. Only the
first one found is used:
- 1. File referenced by the --vars CLI option
+ 1. The file referenced by the --vars CLI option
2. The file referenced by the env-var named `EASYRSA_VARS_FILE`
- 3. The `EASYRSA_PKI` directory
- 4. The default PKI directory at $PWD/pki (usually will be the same as above)
- 4. The `EASYRSA` directory
- 5. The location of the easyrsa program (usually will be the same as above)
+ 3. The directory referenced by the `EASYRSA_PKI` env-var
+ 4. The default PKI directory at $PWD/pki
+ 4. The directory referenced by the `EASYRSA` env-var
+ 5. The directory containing the easyrsa program
Defining the env-var `EASYRSA_NO_VARS` will override the sourcing of the vars
file in all cases, including defining it subsequently as a global option.
@@ -78,10 +78,10 @@ Environmental Variables Reference
A list of env-vars, any matching global option (CLI) to set/override it, and a
possible terse description is shown below:
- * `EASYRSA` - should point to the Easy-RSA top-level dir, normally $PWD
+ * `EASYRSA` - should point to the Easy-RSA top-level dir, where the easyrsa script is located.
* `EASYRSA_OPENSSL` - command to invoke openssl
* `EASYRSA_SSL_CONF` - the openssl config file to use
- * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, normally $PWD/pki.
+ * `EASYRSA_PKI` (CLI: `--pki-dir`) - dir to use to hold all PKI-specific files, defaults to $PWD/pki.
* `EASYRSA_DN` (CLI: `--dn-mode`) - set to the string `cn_only` or `org` to
alter the fields to include in the req DN
* `EASYRSA_REQ_COUNTRY` (CLI: `--req-c`) - set the DN country with org mode
diff --git a/easyrsa3/vars.example b/easyrsa3/vars.example
index 2c444d8..c439cba 100644
--- a/easyrsa3/vars.example
+++ b/easyrsa3/vars.example
@@ -39,10 +39,15 @@ fi
# DO YOUR EDITS BELOW THIS POINT
-# This variable should point to the top level of the easy-rsa tree. By default,
-# this is taken to be the directory you are currently in.
+# This variable is used as the base location of configuration files needed by
+# easyrsa. More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
+# may override this default.
+#
+# The default value of this variable is the location of the easyrsa script
+# itself, which is also where the configuration files are located in the
+# easy-rsa tree.
-#set_var EASYRSA "$PWD"
+#set_var EASYRSA "${0%/*}"
# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
@@ -57,12 +62,14 @@ fi
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"
-# Edit this variable to point to your soon-to-be-created key directory.
+# Edit this variable to point to your soon-to-be-created key directory. By
+# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
+# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)
-#set_var EASYRSA_PKI "$EASYRSA/pki"
+#set_var EASYRSA_PKI "$PWD/pki"
# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN

50
e9e8e27.patch
View File

@ -1,50 +0,0 @@
From e9e8e272e0eb5225ecfb0d8a0953a5b480c5e85d Mon Sep 17 00:00:00 2001
From: Martin Schmitt <mas@scsy.de>
Date: Fri, 30 Jun 2017 17:04:31 +0200
Subject: [PATCH] Moved @ValdikSS's serial randomization to sign_req
---
easyrsa3/easyrsa | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index f5ec797..cff63f2 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -569,6 +569,18 @@ sign_req() {
local req_in="$EASYRSA_PKI/reqs/$2.req"
local crt_out="$EASYRSA_PKI/issued/$2.crt"
+ # Randomize Serial number
+ local i= serial= check_serial=
+ for i in 1 2 3 4 5; do
+ "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+ serial="$(cat "$EASYRSA_PKI/serial")"
+ check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+ case "$check_serial" in
+ *"not present in db"*) break ;;
+ *) continue ;;
+ esac
+ done
+
# Support batch by internal caller:
[ "$3" = "batch" ] && local EASYRSA_BATCH=1
@@ -661,17 +673,6 @@ Certificate created at: $crt_out
build_full() {
verify_ca_init
- local i= serial= check_serial=
- for i in 1 2 3 4 5; do
- "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
- serial="$(cat "$EASYRSA_PKI/serial")"
- check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
- case "$check_serial" in
- *"not present in db"*) break ;;
- *) continue ;;
- esac
- done
-
# pull filename base:
[ -n "$2" ] || die "\
Error: didn't find a file base name as the first argument.

5
easy-rsa.changes
View File

@ -1,3 +1,8 @@
-------------------------------------------------------------------
Mon Oct 16 06:38:49 UTC 2017 - seroton10@gmail.com
- Update to version 3.0.3
-------------------------------------------------------------------
Wed Aug 23 09:06:23 UTC 2017 - seroton10@gmail.com

51
easy-rsa.spec
View File

@ -18,40 +18,14 @@
Name: easy-rsa
Version: 3.0.1
Version: 3.0.3
Release: 0
Summary: CLI utility to build and manage a PKI CA
License: GPL-2.0
Group: Productivity/Networking/Security
Url: https://github.com/OpenVPN/easy-rsa
Source: https://github.com/OpenVPN/easy-rsa/archive/%{version}.tar.gz
# Fixed upstream issues
# Generate random serial number for all certificates
Patch0: https://github.com/OpenVPN/easy-rsa/commit/f174800.patch
# Fixes #91 basename: invalid option -- 's'.
Patch1: https://github.com/OpenVPN/easy-rsa/commit/29d4dee.patch
# spelling fixes and setence structure improvements
Patch2: https://github.com/OpenVPN/easy-rsa/commit/b93d0a1.patch
# Fix comment indicating the end of the function verify_file() comment.
Patch3: https://github.com/OpenVPN/easy-rsa/commit/fb4d8d8.patch
# Convert README and COPYING into markdown files
Patch4: https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch
# Add CN as SAN (if none requested) on server certs by default
Patch5: https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch
# Moved @ValdikSS's serial randomization to sign_req
Patch6: https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch
# Make $PWD/pki the default PKI location
Patch7: https://github.com/OpenVPN/easy-rsa/commit/534f673.patch
# Update docs and examples to fit changes in 534f673
Patch8: https://github.com/OpenVPN/easy-rsa/commit/d20d2b3.patch
# Fix string comprehension
Patch9: https://github.com/OpenVPN/easy-rsa/commit/4eac410.patch
# Fix incorrect "openssl rand" usage
Patch10: https://github.com/OpenVPN/easy-rsa/commit/a138c0d.patch
# Add --copy-ext option
Patch11: https://github.com/OpenVPN/easy-rsa/commit/83a1a21.patch
# openSUSE specific
Patch100: easy-rsa-packaging.patch
Source: https://github.com/OpenVPN/easy-rsa/archive/v%{version}.tar.gz
Patch100: suse-packaging.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@ -62,27 +36,8 @@ certificates, including sub-CAs and certificate revokation lists (CRL).
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch100 -p0
# Add this for SLE11, patch tool can't rename file.
# Next release we should publish .md documentation.
%if 0%{?sles_version} > 0 && 0%{?sles_version} < 12
mv -v COPYING COPYING.md
mv -v README README.md
%endif
%build
%install

31
f174800.patch
View File

@ -1,31 +0,0 @@
From d309c6aaa23f661ccd2563df6a184e1351293b61 Mon Sep 17 00:00:00 2001
From: ValdikSS <iam@valdikss.org.ru>
Date: Mon, 11 Jan 2016 01:53:32 +0300
Subject: [PATCH] Generate random serial number for all certificates
---
easyrsa3/easyrsa | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 6fec288..bcb3aeb 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -652,6 +652,17 @@ Certificate created at: $crt_out
build_full() {
verify_ca_init
+ local i= serial= check_serial=
+ for i in 1 2 3 4 5; do
+ "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+ serial="$(cat "$EASYRSA_PKI/serial")"
+ check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+ case "$check_serial" in
+ *"not present in db"*) break ;;
+ *) continue ;;
+ esac
+ done
+
# pull filename base:
[ -n "$2" ] || die "\
Error: didn't find a file base name as the first argument.

23
fb4d8d8.patch
View File

@ -1,23 +0,0 @@
From fb4d8d8e26dd83b0782a3e92fded1cd9ca3aa0cd Mon Sep 17 00:00:00 2001
From: Jiri Tyr <jtyr@users.noreply.github.com>
Date: Tue, 21 Jun 2016 14:16:45 +0100
Subject: [PATCH] Fix comment indicating the end of the function
This patch corrects the comment indicating the end of the `verify_file()` function.
---
easyrsa3/easyrsa | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index bcb3aeb..088faeb 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -928,7 +928,7 @@ verify_file() {
local format="$1" path="$2"
"$EASYRSA_OPENSSL" $format -in "$path" -noout 2>/dev/null || return 1
return 0
-} # => verify_x509()
+} # => verify_file()
# show-* command backend
# Prints req/cert details in a readable format

0
easy-rsa-packaging.patch → suse-packaging.patch
View File

3
v3.0.3.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3e41c0dfebe04332cdc07f13bf48a69e25dfc31d059e94071a9cfb9f3bba6f9a
size 636592