
Windows, build-ca: Add input password to re-open private key #813

Merged (4 commits) Dec 15, 2022

Conversation

@TinCanTech (Collaborator) commented Dec 11, 2022

Using OpenSSL 3.0.7, packaged by OpenVPN Windows installer, causes EasyRSA command 'build-ca' to fail, because it does not have an input password to re-open the private key, which is required to generate the CA certificate or subCA request file.

Provide the user specified CA passphrase as input password for build-ca.

Signed-off-by: Richard T Bonhomme tincantech@protonmail.com

@TinCanTech (Collaborator, Author)

Manually tested LibreSSL:

easyrsa-unit-tests.sh version: 3.1.2
easyrsa-unit-tests.sh source:  
easyrsa source:                easyrsa
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf

* EASYRSA_OPENSSL:
  /home/tct/libressl/libressl-3.6.1/apps/openssl/openssl (env)
  LibreSSL 3.6.1
SSL config: 
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf
LibreSSL 3.6.1

* Using SSL: /home/tct/libressl/libressl-3.6.1/apps/openssl/openssl LibreSSL 3.6.1

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     LibreSSL 3.6.1
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: dev | nix | Linux | /bin/bash
Temp session preserved: /home/tct/git/easy-rsa/test/installed/test D/pki/tmp/utt

Setup .................. ok
>>>>> >>>>> Begin easyrsa rsa tests
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf

* EASYRSA_OPENSSL:
  /home/tct/libressl/libressl-3.6.1/apps/openssl/openssl (env)
  LibreSSL 3.6.1

rsa: init-pki .. ok
 - rsa: build-ca .. ok
 - rsa: show-ca .. ok
 - rsa: build-server-full s01 .. ok
 - rsa: verify s01 .. ok

<SNIP>

    - ec: revoke-renewed meltdown superseded .. ok
    - ec: revoke meltdown cessationOfOperation .. ok
    - ec: gen-crl .. ok
    - cat crl.pem .. ok
    - ec: show-crl .. ok
    - cat index.txt .. ok
<<<<< <<<<< End easyrsa ec tests
easyrsa-unit-tests.sh version: 3.1.2
easyrsa-unit-tests.sh source:  
easyrsa source:                easyrsa
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf

* EASYRSA_OPENSSL:
  /home/tct/libressl/libressl-3.6.1/apps/openssl/openssl (env)
  LibreSSL 3.6.1
SSL config: 
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf
LibreSSL 3.6.1
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     OpenSSL 1.1.1f  31 Mar 2020
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa



Unit-test: cleanup
Saving temp dir: SAVE_PKI=1
Completed Sun 11 Dec 18:41:57 GMT 2022 (Total errors: 0)

real	3m20.961s
user	2m32.502s
sys	1m11.987s

@TinCanTech (Collaborator, Author)

Unit-test in development:
OpenVPN/easyrsa-unit-tests#52

Using OpenSSL 3.0.7, packaged by OpenVPN Windows installer, causes
EasyRSA command 'build-ca' to fail, because it does not have an input
password to re-open the private key, which is required to generate
the CA certificate.

Provide the user specified CA passphrase as input password for build-ca.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

If 'easyrsa' is being run by the unit-test then allow the default method
for 'build-ca' to be exercised.

The default 'easyrsa' method is to use temp-files, generated by EasyRSA,
to pass the CA passphrase, provided by the user, to the SSL command.

The normal 'unit-test' method to use a passphrase is to configure EasyRSA
command line options '--passin' and '--passout'.

The change made here is to simulate user-interaction and to supply a
default passphrase, as a user, to the SSL command.
To NOT use EasyRSA command line options to set any passphrase.
ONLY when being run by the unit-test.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
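The PR description and the commit message above describe the mechanism in words only: the CA passphrase is written by EasyRSA to a temp file, handed to the SSL command for key creation, and (this is the fix) handed to it again as the input password when the encrypted key is re-opened to sign the CA certificate. The script below is an added example that reproduces that flow with plain `openssl`; it is not EasyRSA's own code. It assumes `openssl` (1.1.1 or 3.x) is on PATH and that a scratch directory is writable; the minimal `req` config it writes, the `Example CA` subject and the helper names are all constructed for the example.

```shell
#!/bin/sh
# Added example, not EasyRSA code: build a CA with the passphrase passed to
# openssl through a private temp file for BOTH -pass/-passout (key creation)
# and -passin (re-opening the encrypted key to self-sign the certificate).
# Assumptions: `openssl` 1.1.1 or 3.x on PATH; a writable scratch directory.

# Minimal req config so the example does not depend on a system openssl.cnf
# (EasyRSA ships its own config; this stub is constructed for the example).
write_req_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Write the passphrase to a 0600 temp file inside the PKI and print its path.
# The subshell keeps the restrictive umask from leaking into the caller.
write_passfile() {
    passfile="$1/private/.ca.pass"
    ( umask 077; printf '%s\n' "$2" > "$passfile" ) || return 1
    echo "$passfile"
}

# build_ca PKI_DIR PASSPHRASE
# 1. generate an AES-encrypted CA key (-pass sets the encryption passphrase)
# 2. self-sign the CA certificate; this step must re-open the encrypted key,
#    so -passin is mandatory. Omitting it is the failure the PR describes:
#    openssl tries to prompt instead and fails with no interactive user.
# Prints the certificate path on success.
build_ca() {
    pki="$1"
    mkdir -p "$pki/private" || return 1
    cfg="$pki/req.cnf"
    write_req_config "$cfg" || return 1
    passfile=$(write_passfile "$pki" "$2") || return 1

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "file:$passfile" -out "$pki/private/ca.key" \
        2>/dev/null || { rm -f "$passfile"; return 1; }

    openssl req -new -x509 -config "$cfg" -key "$pki/private/ca.key" \
        -passin "file:$passfile" -subj "/CN=Example CA" -days 365 \
        -out "$pki/ca.crt" 2>/dev/null || { rm -f "$passfile"; return 1; }

    rm -f "$passfile"          # the passphrase file never outlives the command
    echo "$pki/ca.crt"
}

# key_opens_with KEYFILE PASSPHRASE: exit 0 if the passphrase decrypts the key,
# i.e. the precondition build-ca needs before it can sign anything.
key_opens_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# ca_subject CERT: print the subject line of the CA certificate.
ca_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone run: `sh build_ca_example.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    crt=$(build_ca "$scratch/pki" 'example passphrase') && ca_subject "$crt"
    rm -rf "$scratch"
fi
```

The same passphrase file serves both openssl invocations, which is why the missing `-passin` only shows up at the second one: key generation succeeds, and the command fails only when the key has to be decrypted again. The file is created under `umask 077` and removed as soon as the certificate exists, matching the temp-file approach the commit message describes; a wrong passphrase against the finished key is rejected, as `key_opens_with` shows.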
@TinCanTech (Collaborator, Author)

Force push to correct commit message.

Re-committed unit-test related change

@TinCanTech (Collaborator, Author)

The final part of this jigsaw puzzle is to enable the check in the unit-test.

@TinCanTech (Collaborator, Author) commented Dec 11, 2022

What an unexpected result ;-)

Linux failed due to openssl 3.0.5

Windows failed ..... same error.

Not enough input passphrases ............

@TinCanTech (Collaborator, Author) commented Dec 12, 2022

Follow-up: #814

Closed-by: 9a495f7

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech (Collaborator, Author) commented Dec 12, 2022

Summary:

Bug-fix: OpenSSL 3.0.7 requires the input password of the private key to build the CA certificate.

Enhancement: Add unit-test for this specific code.

Manually verified the unit-test log that the test is exercised.

Also, prototype easyrsa_mktemp() errors.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech merged commit 74e5122 into OpenVPN:master Dec 15, 2022
@TinCanTech TinCanTech deleted the win-build-ca branch January 3, 2023 22:16
Linked issue (closed by this pull request): Windows: build-ca requires req -passin option