diff:
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 812e8eb..66a43b4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -668,7 +668,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 fi
 fi
- # create the CA key using AES256
+ # Append password IO
 crypto_opts=""
 if [ ! $nopass ]; then
 crypto_opts="$crypto"
@@ -680,6 +680,98 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 fi
 fi
 fi
+
+ # verify_ssl_lib major version number
+ if verify_ssl_lib; then
+ case "$osslv_major" in
+ 1|3) : ;;
+ *) die "build-ca ssl lib: $osslv_major"
+ esac
+ else
+ die "build-ca ssl lib: $osslv_major"
+ fi
+
+ # Generate the CA with AES256
+ case "$osslv_major" in
+ # => BEGIN SSL lib version
+
+ # BEGIN SSL V3
+ 3)
+
+ # OSSL3 uses -noenc not -nodes
+ if [ -n "$nopass" ]; then
+ noenc="-noenc"
+ unset -v crypto_opts
+ else
+ # Password file - This can be done cleaner
+ cp "$out_key_pass_tmp" "${out_key_pass_tmp}.2"
+ passin="-passin file:$out_key_pass_tmp"
+ passout="-passout file:${out_key_pass_tmp}.2"
+ crypto_opts="$passin $passout"
+ fi
+
+ case "$EASYRSA_ALGO" in
+ rsa)
+ easyrsa_openssl req \
+ -newkey "$EASYRSA_ALGO":"$EASYRSA_KEY_SIZE" \
+ -keyout "$out_key_tmp" \
+ -out "$out_file_tmp" \
+ -utf8 ${noenc} \
+ $opts $crypto_opts || \
+ die "Failed to build the CA"
+ ;;
+ ec)
+ # EC params
+ param_file="$(easyrsa_mktemp)"
+ easyrsa_openssl ecparam -name "$EASYRSA_CURVE" > "$param_file"
+
+ easyrsa_openssl req \
+ -newkey "$EASYRSA_ALGO":"$param_file" \
+ -keyout "$out_key_tmp" -out "$out_file_tmp" \
+ -utf8 ${noenc} $opts $crypto_opts || \
+ die "Failed to build the CA"
+ ;;
+ ed)
+ passin="-pass file:$out_key_pass_tmp"
+ crypto_opts="$passin"
+ case "$EASYRSA_CURVE" in
+ ed25519)
+ "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 \
+ -out $out_key_tmp $crypto_opts \
+ ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+ die "Failed create CA private key"
+ ;;
+ ed448)
+ "$EASYRSA_OPENSSL" genpkey -algorithm ED448 \
+ -out $out_key_tmp $crypto_opts \
+ ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+ die "Failed create CA private key"
+ ;;
+ *)
+ die "Unknown curve: $EASYRSA_CURVE"
+ esac
+
+ # Pass files - This can be done cleaner
+ passin="-passin file:$out_key_pass_tmp"
+ passout="-passout file:${out_key_pass_tmp}.2"
+ crypto_opts="$passin $passout"
+
+ #shellcheck disable=SC2086
+ easyrsa_openssl req ${noenc} -utf8 -new -key "$out_key_tmp" \
+ -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+ die "Failed to build the CA"
+
+ ;;
+ *)
+ die "Unknown algorithm: $EASYRSA_ALGO"
+ esac
+ ;;
+ # END SSL V3
+
+ # BEGIN SSL V1
+ 1)
+
 if [ "$EASYRSA_ALGO" = "rsa" ]; then
 #shellcheck disable=SC2086
 "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} "$EASYRSA_ALGO_PARAMS" || \
@@ -704,9 +796,17 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp"
 #shellcheck disable=SC2086
- easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
- -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
- die "Failed to build the CA"
+ easyrsa_openssl req ${noenc} -utf8 -new -key "$out_key_tmp" \
+ -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+ die "Failed to build the CA"
+ ;;
+ # END SSL V1
+
+ *) die "build-ca ssl lib: $osslv_major"
+
+ # => END SSL lib version
+
+ esac
 mv "$out_key_tmp" "$out_key"
 mv "$out_file_tmp" "$out_file"
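Review bot: In the `ed)` arm of the new `3)` branch, `genpkey` is invoked with `-pass file:$out_key_pass_tmp` but with no cipher option, and `genpkey` only encrypts its output when a cipher is supplied, so an ED25519/ED448 CA key lands in `$out_key_tmp` in the clear even though the user typed a passphrase — the later `req -new -key … -keyout …` only reads that key and does not re-encrypt it. The same arm also disregards `$nopass`: it unconditionally sets the `-pass file:` / `-passin file:` / `-passout file:${out_key_pass_tmp}.2` options, and the `.2` copy is only created in the passphrase branch above, so as far as I can tell a `nopass` ed CA on OpenSSL 3 fails inside `req`, which reads its password files before doing anything else. Separately, the `cp` to `${out_key_pass_tmp}.2` leaves a second copy of the CA passphrase at a path `easyrsa_mktemp` never handed out, so it is presumably not removed by the script's temp-file cleanup; `req -newkey` has no input key to unlock, so `crypto_opts="-passout file:$out_key_pass_tmp"` alone should serve the rsa/ec arms and the copy can go. Below is a rewrite of the ed arm that honours `$nopass` and reuses whatever cipher flag `$crypto` already carries for `genrsa` in the pre-existing path (it also quotes `$out_key_tmp`). The enclosing function starts and ends outside this hunk.

```shell
ed)
    # genpkey only encrypts when a cipher is given; a bare -pass writes the key in clear
    if [ -n "$nopass" ]; then
        unset -v crypto_opts
    else
        crypto_opts="$crypto -pass file:$out_key_pass_tmp"
    fi
    case "$EASYRSA_CURVE" in
    ed25519)
        "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 \
            -out "$out_key_tmp" $crypto_opts \
            ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
            die "Failed create CA private key"
        ;;
    # … unchanged: ed448 arm (same -out quoting) and unknown-curve arm …
    esac

    # req only reads the existing key here, so no -passout (and no .2 copy) is needed
    if [ -n "$nopass" ]; then
        unset -v crypto_opts
    else
        crypto_opts="-passin file:$out_key_pass_tmp"
    fi
    # … unchanged: #shellcheck line and the easyrsa_openssl req call …
    ;;
```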
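Review bot: `${noenc}` on the new `easyrsa_openssl req` line in the `1)` arm can only ever be empty here: `noenc` is assigned inside the `3)` arm of this same `case`, and by that arm's own comment `-noenc` is not an OpenSSL 1.x option, so it is dead text on a 1.x build (unless `noenc` is also set somewhere outside this hunk, in which case it would make `req` reject the option). I would drop it so the `1)` arm stays byte-for-byte the pre-existing command: `easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \`. The trailing `*) die "build-ca ssl lib: $osslv_major"` arm is unreachable after the `verify_ssl_lib` check added above, which is fine as a guard but worth a one-line comment such as `# unreachable: major version already validated above`. The enclosing function starts before this hunk.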