Separate SAN from DN - Refactor display_dn() #1096
Merged: TinCanTech merged 11 commits into OpenVPN:master from TinCanTech:separate-san-from-extra-exts on Mar 26, 2024
Conversation
TinCanTech force-pushed the separate-san-from-extra-exts branch from d7a8cc9 to ac02521 on March 23, 2024 22:10
This change is required to allow the correct confirmation details to be presented, for commands: sign-req, revoke, renew and revoke-renewed.

This change also removes unnecessarily nested sub-shells.

Refactor display_dn():

To separate SAN from DN, 'display_dn()' must not include SAN details. SAN is now handled individually, by the Easy-RSA command in use. This also allows global option '--san' to take priority over a SAN created in the request [CSR].

Remove 'display_san()', replaced by options '--san' and '--copy-ext'.

The SAN to be used now adheres to the following order:

* Global option '--san' always takes priority.
* Global option '--copy-ext' will copy request extensions. Only SAN extension is supported by Easy-RSA. Other extensions can be set externally via env-var EASYRSA_EXTRA_EXTS.
* If '--san' and '--copy-ext' are not used then NO extensions will be used or copied from the request.
* This affects use of commands: sign-req and renew, only.

The majority of this change is to present the correct confirmation details to commands: sign-req, revoke, renew and revoke-renewed, which means that behavior is mostly unchanged.

The other change is to allow multiple use of global option '--san'.

Example:
'--san=DNS:example.net --san=IP:10.0.0.1'
Equivalent to:
'--san=DNS:example.net,IP:10.0.0.1'

Both versions of '--san' above can be used, even at the same time.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
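The SAN precedence and the merging of repeated '--san' described in the PR text, worked through as an added example in POSIX sh. This is not Easy-RSA's code: the option walker, the function names and the argument layout are this example's own, and the SAN found in the request is passed in as a constructed string instead of being read from a CSR.

```shell
#!/bin/sh
# Added example, not Easy-RSA code: pick the subjectAltName a sign-req style
# command should use, following the order in the PR description:
#   1. --san values win; --san may be repeated and the values are merged
#   2. otherwise --copy-ext copies the SAN, and only the SAN, from the request
#   3. otherwise no extension is used, even if the request carried one
# Function and variable names are this example's own. The request's SAN is
# handed in as a string (constructed in the usage lines at the bottom).
set -f   # no globbing: wildcard SANs such as DNS:*.example.net must survive

# Fail unless every comma-separated entry is TYPE:value with a type that
# OpenSSL's x509v3 config syntax understands. Anything else would be passed
# straight into the signing config, so reject it here.
validate_san() {
  old_ifs=$IFS; IFS=,
  for entry in $1; do
    case $entry in
      DNS:?*|IP:?*|email:?*|URI:?*|RID:?*|otherName:?*) ;;
      *) IFS=$old_ifs; echo "invalid SAN entry: '$entry'" >&2; return 1 ;;
    esac
  done
  IFS=$old_ifs
}

# Merge one or more comma-separated --san values (empty fields allowed) into a
# single list, dropping exact duplicates and keeping first-seen order.
merge_san() {
  printf '%s\n' "$1" | tr ',' '\n' |
    awk 'NF && !seen[$0]++ { out = out (out ? "," : "") $0 } END { print out }'
}

# Print the extension line to sign with, or nothing when no extension applies.
# $1: accumulated --san values, $2: 1 if --copy-ext was given, $3: request SAN.
# Exit status 1 means a SAN value was rejected.
resolve_san() {
  if [ -n "$1" ]; then
    merged=$(merge_san "$1")
    validate_san "$merged" || return 1
    printf 'subjectAltName=%s\n' "$merged"
  elif [ "$2" = 1 ] && [ -n "$3" ]; then
    validate_san "$3" || return 1          # the CSR is untrusted input too
    printf 'subjectAltName=%s\n' "$3"
  fi
}

# Walk a command line the way a global-option parser would: every --san=VALUE
# is appended (so the option may be repeated), --copy-ext sets a flag.
# $1 is the SAN found in the request; the rest are the options.
effective_san() {
  req_san=$1; shift
  san_opts='' copy_ext=0
  for arg in "$@"; do
    case $arg in
      --san=?*)   san_opts="$san_opts,${arg#--san=}" ;;
      --copy-ext) copy_ext=1 ;;
      *) echo "unknown option: $arg" >&2; return 1 ;;
    esac
  done
  resolve_san "$san_opts" "$copy_ext" "$req_san"
}

# Usage with a constructed request SAN; each call prints the SAN that would be signed.
csr_san='DNS:from-the-csr.example'
effective_san "$csr_san" --san=DNS:example.net --san=IP:10.0.0.1        # both --san forms merge
effective_san "$csr_san" --san=DNS:example.net,IP:10.0.0.1 --copy-ext   # --san wins over --copy-ext
effective_san "$csr_san" --copy-ext                                     # copied from the CSR
effective_san "$csr_san"                                                # no option, no extension
```

The last call is the security-relevant one: a SAN inside a CSR is chosen by whoever made the request, so it only reaches the certificate when the CA operator explicitly asks for it with --copy-ext, and even then it goes through the same validation as an operator-supplied --san.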
TinCanTech force-pushed the separate-san-from-extra-exts branch from ac02521 to 5a06f94 on March 24, 2024 00:13
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This is required for SSL command 'req', to provide a working SSL config. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Sanity checks:

* Check that request 'Subject' is hash identical to certificate. This is to ensure that generating a new certificate from the original CSR will create the old certificate 'Subject'.
* Prohibit use of --san. The only x509v3 extension currently supported is SubjectAltName. The new SAN is auto-generated from the old certificate. This SAN cannot be changed by renewal.
* Prohibit use of --copy-ext. --copy-ext is not required because SAN is taken care of above and SAN is the only supported extension. Certificates using unsupported x509v3 extensions are not renewable.

Format confirmation text:

* Show the correct new certificate details, prior to renewing.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
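The renew pre-flight described in that commit, as an added example that is not Easy-RSA's code, using the openssl command line against a constructed throw-away PKI. It assumes openssl 1.1.1 or later (for -addext and -ext); the file names, function names and Subject values are this example's own, and it compares the RFC 2253 form of the two Subjects instead of their hashes, which serves the same purpose.

```shell
#!/bin/sh
# Added example, not Easy-RSA code: the renew pre-flight the commit describes,
# done with the openssl CLI against a constructed PKI.
#   - the request Subject must reproduce the old certificate's Subject
#   - --san and --copy-ext are refused; the SAN is rebuilt from the old cert
# Assumes openssl >= 1.1.1 (-addext, -ext). Names and values are this example's.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed fixture: a throw-away CA, a CSR carrying a SAN, the certificate
# issued from it (SAN supplied through an extfile), and a second CSR whose
# Subject differs so the check can be seen refusing it.
make_fixture() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=fixture-ca \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=vpn-client/O=Example' \
    -addext 'subjectAltName=DNS:example.net,IP:10.0.0.1' \
    -keyout "$work/client.key" -out "$work/client.csr" 2>/dev/null
  printf 'subjectAltName=DNS:example.net,IP:10.0.0.1\n' > "$work/client.ext"
  openssl x509 -req -days 1 -in "$work/client.csr" -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -extfile "$work/client.ext" \
    -out "$work/client.crt" 2>/dev/null
  openssl req -new -key "$work/client.key" -subj '/CN=vpn-client/O=Other' \
    -out "$work/other.csr" 2>/dev/null
}

# Subjects in RFC 2253 form, so the comparison does not depend on the
# pretty-printer of the openssl version in use.
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# 0 when signing CSR $1 again would yield the Subject of certificate $2.
subject_matches() { [ "$(csr_subject "$1")" = "$(cert_subject "$2")" ]; }

# The SAN of an existing certificate, turned back into x509v3 config syntax.
# openssl prints "IP Address:" where the config syntax wants "IP:".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    sed -n '2,$p' | tr -d ' \n' | sed 's/IPAddress:/IP:/g'
}

# Renew gate. $1 CSR, $2 old certificate, $3 a --san value if one was given,
# $4 1 if --copy-ext was given. Prints the SAN line to renew with (nothing
# when the old certificate had none); exit status 1 means not renewable.
renew_san() {
  csr=$1 old_crt=$2 san_opt=${3:-} copy_ext=${4:-0}
  if [ -n "$san_opt" ] || [ "$copy_ext" = 1 ]; then
    echo "renew: --san/--copy-ext not allowed, the SAN comes from the old certificate" >&2
    return 1
  fi
  if ! subject_matches "$csr" "$old_crt"; then
    echo "renew: request Subject differs from certificate Subject" >&2
    return 1
  fi
  san=$(cert_san "$old_crt")
  [ -z "$san" ] || printf 'subjectAltName=%s\n' "$san"
}

make_fixture
echo "CSR  Subject: $(csr_subject "$work/client.csr")"
echo "cert Subject: $(cert_subject "$work/client.crt")"
renew_san "$work/client.csr" "$work/client.crt"
renew_san "$work/other.csr" "$work/client.crt" || echo "other.csr refused"
```

Rebuilding the SAN by reshaping openssl's text output is enough for DNS, IP, email and URI entries; an otherName entry would not round-trip through that text form, so a real implementation has to refuse such certificates outright rather than silently drop entries, which is the behaviour the commit's "not renewable" rule gives.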
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech force-pushed the separate-san-from-extra-exts branch from 46763b3 to ca2aad7 on March 26, 2024 00:10
FTR: FULL Windows unit-tests have now been enabled. ca2aad7 above was fully tested by Windows. It is possible that there are hidden errors, however, this PR has already solved two hidden errors.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
FTR: Windows unit-test now runs a full test but only for RSA not EC or ED.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>