From 7d41c58ae5b06b0a8decd0439459755a04af5aa4abe2859dd7d7bdf49efc5f55 Mon Sep 17 00:00:00 2001
From: Stefan Jakobs
Date: Mon, 24 Jul 2017 19:37:33 +0000
Subject: [PATCH] Accepting request 511298 from home:oreinert:branches:network:vpn

Include upstream patches:
+ Add CN as SAN (if none requested) on server certs by default
+ Moved @ValdikSS's serial randomization to sign_req
OBS-URL: https://build.opensuse.org/request/show/511298
OBS-URL: https://build.opensuse.org/package/show/network:vpn/easy-rsa?expand=0&rev=8
---
 6436eaf.patch | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 e9e8e27.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 easy-rsa.changes | 9 +++++++++
 easy-rsa.spec | 6 ++++++
 4 files changed, 111 insertions(+)
 create mode 100644 6436eaf.patch
 create mode 100644 e9e8e27.patch
diff --git a/6436eaf.patch b/6436eaf.patch
new file mode 100644
index 0000000..d567672
--- /dev/null
+++ b/6436eaf.patch
@@ -0,0 +1,49 @@
+commit 6436eaf8c1e5e3c44d23c1c7a0a5fef14f19d375
+Author: Martin Schmitt
+Date: Fri Jun 30 16:12:13 2017 +0200
+
+ Add CN as SAN (if none requested) on server certs by default
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index 088faeb..f5ec797 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -627,6 +627,15 @@ $(display_dn req "$req_in")
+ esac
+ fi
+
++ # If type is server and no subjectAltName was requested,
++ # add one to the extensions file
++ if [[ "$crt_type" == 'server' ]]
++ then
++ echo "$EASYRSA_EXTRA_EXTS" |
++ grep -q subjectAltName ||
++ print $(default_server_san "$req_in")
++ fi
++
+ # Add any advanced extensions supplied by env-var:
+ [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS"
+
+@@ -923,6 +932,22 @@ display_dn() {
+ print "$("$EASYRSA_OPENSSL" $format -in "$path" -noout -subject -nameopt multiline)"
+ } # => display_dn()
+
++# generate default SAN from req/X509, passed by full pathname
++default_server_san() {
++ local path="$1"
++ local cn=$(
++ "$EASYRSA_OPENSSL" req -in "$path" -noout -subject -nameopt sep_multiline |
++ awk -F'=' '/^ *CN=/{print $2}'
++ )
++ echo "$cn" | egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'
++ if [[ $? -eq 0 ]]
++ then
++ print "subjectAltName = IP:$cn"
++ else
++ print "subjectAltName = DNS:$cn"
++ fi
++} # => default_server_san()
++
+ # verify a file seems to be a valid req/X509
+ verify_file() {
+ local format="$1" path="$2"
diff --git a/e9e8e27.patch b/e9e8e27.patch
new file mode 100644
index 0000000..56a5899
--- /dev/null
+++ b/e9e8e27.patch
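Review bot: The IP test in `default_server_san`, `egrep -q '^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$'`, relies on `\d`, which is not a POSIX ERE class, so with a standard egrep the pattern does not match a dotted-quad CN and such a CN is emitted as `DNS:` rather than `IP:`; use `'^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'`. The CN is taken from the submitted request and written unvalidated into the extensions stanza by `print "subjectAltName = DNS:$cn"`, so a CN that is not a single hostname or address (one containing a comma, for instance) would produce additional or malformed SAN entries in the issued certificate; the value should be checked against a hostname pattern before being used, and `print $(default_server_san "$req_in")` in the first hunk should quote the substitution so the result is not word-split before `print` sees it. The helper comment says req/X509 but the body always runs `"$EASYRSA_OPENSSL" req`, so a certificate path would fail here; either narrow the comment to requests or pass a format argument the way `display_dn` does. The function containing the first hunk (apparently `sign_req`, judging by the context) and `verify_file` both extend beyond the hunk.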
@@ -0,0 +1,47 @@
+commit e9e8e272e0eb5225ecfb0d8a0953a5b480c5e85d
+Author: Martin Schmitt
+Date: Fri Jun 30 17:04:31 2017 +0200
+
+ Moved @ValdikSS's serial randomization to sign_req
+
+diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
+index f5ec797..cff63f2 100755
+--- a/easyrsa3/easyrsa
++++ b/easyrsa3/easyrsa
+@@ -569,6 +569,18 @@ sign_req() {
+ local req_in="$EASYRSA_PKI/reqs/$2.req"
+ local crt_out="$EASYRSA_PKI/issued/$2.crt"
+
++ # Randomize Serial number
++ local i= serial= check_serial=
++ for i in 1 2 3 4 5; do
++ "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
++ serial="$(cat "$EASYRSA_PKI/serial")"
++ check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
++ case "$check_serial" in
++ *"not present in db"*) break ;;
++ *) continue ;;
++ esac
++ done
++
+ # Support batch by internal caller:
+ [ "$3" = "batch" ] && local EASYRSA_BATCH=1
+
+@@ -661,17 +673,6 @@ Certificate created at: $crt_out
+ build_full() {
+ verify_ca_init
+
+- local i= serial= check_serial=
+- for i in 1 2 3 4 5; do
+- "$EASYRSA_OPENSSL" rand -hex 16 -out "$EASYRSA_PKI/serial"
+- serial="$(cat "$EASYRSA_PKI/serial")"
+- check_serial="$("$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" -status "$serial" 2>&1)"
+- case "$check_serial" in
+- *"not present in db"*) break ;;
+- *) continue ;;
+- esac
+- done
+-
+ # pull filename base:
+ [ -n "$2" ] || die "\
+ Error: didn't find a file base name as the first argument.
diff --git a/easy-rsa.changes b/easy-rsa.changes
index dcc33a1..bb53b64 100644
--- a/easy-rsa.changes
+++ b/easy-rsa.changes
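Review bot: The serial-randomization loop added at the start of `sign_req` has no failure path: the case only recognises the `not present in db` text, so if `openssl rand` fails to write `$EASYRSA_PKI/serial` or `openssl ca -status` errors for any other reason, all five iterations fall through and signing continues with whatever the serial file holds. Record success and abort otherwise, e.g. `local i= serial= check_serial= serial_ok=`, `*"not present in db"*) serial_ok=1; break ;;` and, after `done`, `[ -n "$serial_ok" ] || die "Failed to generate a unique serial number"`. Since the identical loop is removed from `build_full` in the second hunk, `sign_req` is now the only place a serial is chosen, which makes this check the sole guard against reusing one. The body of `sign_req` continues beyond the first hunk.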
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Jul 18 18:32:22 UTC 2017 - seroton10@gmail.com
+
+- Include upstream patches:
+ + 6436eaf.patch
+ Add CN as SAN (if none requested) on server certs by default
+ + e9e8e27.patch
+ Moved @ValdikSS's serial randomization to sign_req
+
 -------------------------------------------------------------------
 Mon Jun 5 18:38:00 UTC 2017 - seroton10@gmail.com
diff --git a/easy-rsa.spec b/easy-rsa.spec
index eab248a..ab44748 100644
--- a/easy-rsa.spec
+++ b/easy-rsa.spec
@@ -36,6 +36,10 @@ Patch2: https://github.com/OpenVPN/easy-rsa/commit/b93d0a1.patch
 Patch3: https://github.com/OpenVPN/easy-rsa/commit/fb4d8d8.patch
 # Convert README and COPYING into markdown files
 Patch4: https://github.com/OpenVPN/easy-rsa/commit/b75faa4.patch
+# Add CN as SAN (if none requested) on server certs by default
+Patch5: https://github.com/OpenVPN/easy-rsa/commit/6436eaf.patch
+# Moved @ValdikSS's serial randomization to sign_req
+Patch6: https://github.com/OpenVPN/easy-rsa/commit/e9e8e27.patch
 # openSUSE specific
 Patch100: easy-rsa-packaging.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -53,6 +57,8 @@ certificates, including sub-CAs and certificate revokation lists (CRL).
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 %patch100 -p0
 sed -i 's;#\(set_var EASYRSA \)"$PWD";\1"%{_sysconfdir}/easy-rsa";' easyrsa3/vars.example