wiki:EasyRSA3-OpenSSL3-dev

Version 34 (modified by tct, 2 years ago) (diff)

--

diff:

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 812e8eb..66a43b4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -668,7 +668,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
                fi
        fi
 
-       # create the CA key using AES256
+       # Append password IO
        crypto_opts=""
        if [ ! $nopass ]; then
                crypto_opts="$crypto"
@@ -680,6 +680,98 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
             fi
         fi
        fi
+
+       # verify_ssl_lib major version number
+       if verify_ssl_lib; then
+               case "$osslv_major" in
+                       1|3) : ;;
+                       *) die "build-ca ssl lib: $osslv_major"
+               esac
+       else
+               die "build-ca ssl lib: $osslv_major"
+       fi
+
+       # Generate the CA with AES256
+       case "$osslv_major" in
+       # => BEGIN SSL lib version
+
+       # BEGIN SSL V3
+       3)
+
+               # OSSL3 uses -noenc not -nodes
+               if [ -n "$nopass" ]; then
+                       noenc="-noenc"
+                       unset -v crypto_opts
+               else
+                       # Password file - This can be done cleaner
+                       cp "$out_key_pass_tmp" "${out_key_pass_tmp}.2"
+                       passin="-passin file:$out_key_pass_tmp"
+                       passout="-passout file:${out_key_pass_tmp}.2"
+                       crypto_opts="$passin $passout"
+               fi
+
+               case "$EASYRSA_ALGO" in
+               rsa)
+                       easyrsa_openssl req \
+                               -newkey "$EASYRSA_ALGO":"$EASYRSA_KEY_SIZE" \
+                               -keyout "$out_key_tmp" \
+                               -out "$out_file_tmp" \
+                               -utf8 ${noenc} \
+                               $opts $crypto_opts || \
+                                       die "Failed to build the CA"
+               ;;
+               ec)
+                       # EC params
+                       param_file="$(easyrsa_mktemp)"
+                       easyrsa_openssl ecparam -name "$EASYRSA_CURVE" > "$param_file"
+
+                       easyrsa_openssl req \
+                               -newkey "$EASYRSA_ALGO":"$param_file" \
+                               -keyout "$out_key_tmp" -out "$out_file_tmp" \
+                               -utf8 ${noenc} $opts $crypto_opts || \
+                                       die "Failed to build the CA"
+               ;;
+               ed)
+                       passin="-pass file:$out_key_pass_tmp"
+                       crypto_opts="$passin"
+                       case "$EASYRSA_CURVE" in
+                       ed25519)
+                               "$EASYRSA_OPENSSL" genpkey -algorithm ED25519 \
+                                       -out $out_key_tmp $crypto_opts \
+                                       ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+                                               die "Failed create CA private key"
+                       ;;
+                       ed448)
+                               "$EASYRSA_OPENSSL" genpkey -algorithm ED448 \
+                                       -out $out_key_tmp $crypto_opts \
+                                       ${EASYRSA_PASSOUT:+-pass "$EASYRSA_PASSOUT"} || \
+                                               die "Failed create CA private key"
+                       ;;
+                       *)
+                               die "Unknown curve: $EASYRSA_CURVE"
+                       esac
+
+                       # Pass files - This can be done cleaner
+                       passin="-passin file:$out_key_pass_tmp"
+                       passout="-passout file:${out_key_pass_tmp}.2"
+                       crypto_opts="$passin $passout"
+
+                       #shellcheck disable=SC2086
+                       easyrsa_openssl req ${noenc} -utf8 -new -key "$out_key_tmp" \
+                               -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+                               ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+                                       die "Failed to build the CA"
+
+               ;;
+               *)
+                       die "Unknown algorithm: $EASYRSA_ALGO"
+               esac
+       ;;
+       # END SSL V3
+
+       # BEGIN SSL V1
+       1)
+
        if [ "$EASYRSA_ALGO" = "rsa" ]; then
                #shellcheck disable=SC2086
                "$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts ${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} "$EASYRSA_ALGO_PARAMS" || \
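Review bot: In the `ed)` branch, `crypto_opts` is reassigned at `crypto_opts="$passin"` and again at `crypto_opts="$passin $passout"` without checking `$nopass`, so the `-noenc` request still carries `-passin file:$out_key_pass_tmp -passout file:${out_key_pass_tmp}.2`, and the `.2` copy is only created by the `cp` in the password branch a few lines earlier; since OpenSSL resolves `file:` password sources up front, the ed25519/ed448 no-password case is likely to fail on the missing file. Guarding both assignments as below keeps the ed branch consistent with the rsa/ec branches, which leave `crypto_opts` unset when `$nopass` is set. Separately, the plaintext password copy at `${out_key_pass_tmp}.2` is created with `cp` rather than `easyrsa_mktemp`, so (if `easyrsa_mktemp` is what registers temp files for cleanup and sets their mode) it does not get the same lifetime or permissions as the original; `pass2_tmp="$(easyrsa_mktemp)"; cp "$out_key_pass_tmp" "$pass2_tmp"` would close that gap. The two `genpkey` calls also leave `-out $out_key_tmp` unquoted, unlike the `genrsa` line below them. The enclosing function starts before this hunk and ends after it.
```shell
		ed)
			# Only attach password I/O when the key is to be encrypted;
			# mirrors the rsa/ec branches, which leave crypto_opts unset.
			if [ -z "$nopass" ]; then
				passin="-pass file:$out_key_pass_tmp"
				crypto_opts="$passin"
			fi
			# … unchanged: genpkey per curve …
			if [ -z "$nopass" ]; then
				passin="-passin file:$out_key_pass_tmp"
				passout="-passout file:${out_key_pass_tmp}.2"
				crypto_opts="$passin $passout"
			fi
			# … unchanged: req call …
```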
@@ -704,9 +796,17 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
        [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && crypto_opts="-passin file:$out_key_pass_tmp"
 
        #shellcheck disable=SC2086
-       easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
-               -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
-               die "Failed to build the CA"
+       easyrsa_openssl req ${noenc} -utf8 -new -key "$out_key_tmp" \
+               -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts \
+               ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
+                       die "Failed to build the CA"
+       ;;
+       # END SSL V1
+
+       *) die "build-ca ssl lib: $osslv_major"
+
+       # => END SSL lib version
+       esac
 
        mv "$out_key_tmp" "$out_key"
        mv "$out_file_tmp" "$out_file"
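Review bot: The `${noenc}` added to the OpenSSL 1.x `req` call is only ever assigned inside the `3)` branch above, so here it is always empty unless a value is inherited from outside the `case`, and OpenSSL 1.x does not accept `-noenc` (the hunk's own comment notes 3.x uses `-noenc` where 1.x uses `-nodes`), so a stray value would make the call fail rather than help. Either drop `${noenc}` from this call or reset it before the `case`, e.g. `unset -v noenc` next to `crypto_opts=""` in the first hunk, so neither branch can inherit a value. The `*) die "build-ca ssl lib: $osslv_major"` arm duplicates the `verify_ssl_lib` guard at the top of the previous hunk and is only reachable if `osslv_major` changes between the two checks; a one-line comment such as `# unreachable after verify_ssl_lib; kept as a defensive default` would stop the next reader from looking for a missing path. The enclosing function starts before the first hunk and continues past this one.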