Prohibit --req-cn for gen-req, sign-req and build-*-full
This corrects behavior of build-*-full, which uses nested commands
gen-req and sign-req.  EASYRSA_REQ_CN must be prohibited and reset
during build.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech committed Mar 27, 2024
1 parent 8165d31 commit 7227909
Showing 1 changed file with 20 additions and 3 deletions.
23 changes: 20 additions & 3 deletions easyrsa3/easyrsa
Expand Up @@ -1922,6 +1922,11 @@ Run easyrsa without commands for usage and commands."
ssl_batch=1
fi

# Prohibit --req-cn
[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
Option conflict --req-cn:
* '$cmd' does not support setting an external commonName"

# Enforce commonName
export EASYRSA_REQ_CN="$file_name_base"
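
Review bot: The guard `[ "$EASYRSA_REQ_CN" = ChangeMe ]` uses the default value as the only evidence that no commonName was supplied, so it cannot tell an untouched default from a user who explicitly asked for ChangeMe; that request passes the check and its CN is then silently replaced by `$file_name_base` on the export that follows. The error text also names only `--req-cn` while the test is on the variable EASYRSA_REQ_CN, so a value that arrives through the environment produces a message about an option the user never typed. Consider setting a dedicated flag where the option is parsed and testing that flag here, and mention the variable name in the message.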

Expand Down Expand Up @@ -2067,6 +2072,14 @@ expected 2, got $# (see command help for usage)"
crt_out="$EASYRSA_PKI/issued/$file_name_base.crt"
shift 2

# Prohibit --req-cn
[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
Option conflict --req-cn:
* '$cmd' does not support setting an external commonName"

# Enforce commonName
export EASYRSA_REQ_CN="$file_name_base"

# Check for preserve-dn
while [ "$1" ]; do
case "$1" in
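
Review bot: The guard plus `export EASYRSA_REQ_CN="$file_name_base"` added after `shift 2` is a verbatim copy of the block near line 1922, and the same guard appears a third time in the build-*-full path, so the message text and the sentinel value now have to be kept in sync by hand in three places. Move the check into one small helper that takes `$cmd` and call it from each site. The export also leaves EASYRSA_REQ_CN changed for anything that runs after this command in the same shell; a comment stating that callers which nest commands must reset it would make that contract visible at the point where it is created.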
Expand Down Expand Up @@ -2487,17 +2500,21 @@ An inline file for name '$name' already exists:

# Set commonName
[ "$EASYRSA_REQ_CN" = ChangeMe ] || user_error "\
Option conflict:
Option conflict --req-cn:
* '$cmd' does not support setting an external commonName"
EASYRSA_REQ_CN="$name"

# create request
# Set to modify sign-req confirmation message
do_build_full=1

# create request
gen_req "$name" batch

# Require --copy-ext
export EASYRSA_CP_EXT=1

# Must be reset for nested commmands
export EASYRSA_REQ_CN=ChangeMe

# Sign it
error_build_full_cleanup=1
if sign_req "$crt_type" "$name"; then
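
Review bot: `export EASYRSA_REQ_CN=ChangeMe` after `gen_req "$name" batch` is there only to get the nested sign_req past its new guard, which ties this function to the literal default value and to the side effect that the nested gen_req overwrites the variable. Any later caller that chains the two commands has to know to repeat this reset or it will fail with the option-conflict error. Saving and restoring the variable around `gen_req`, or having the nested commands skip the guard when `do_build_full` is set, would remove that hidden dependency. Small fix while here: "commmands" in the new comment should be "commands".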