
Export PKCS: Expand usage for incomplete PKI #991

Merged
merged 3 commits into from Jul 25, 2023

Conversation

TinCanTech

The current export functions only allow use on a complete PKI, with CA.

This change allows the following:

  • Server - Export P12/P7 without client key
  • Client - Export P12/P7 without CA, P8/P1 without PKI

Due to the relative obscurity of the command options 'noca' and 'nokey', exporting P12/P7 with incorrect options can be adjusted on-the-fly with confirmation from the user.

Correct behaviour of export-p1 with OpenSSL v3 by using -legacy option. Otherwise, OpenSSL v3 outputs a PKCS#8 format file.

Minor improvements to comments.

The current export functions only allow use on a complete PKI, with CA.

This change allows the following:
* Server - Export P12/P7 without client key
* Client - Export P12/P7 without CA, P8/P1 without PKI

Due to the relative obscurity of the command options 'noca' and 'nokey',
exporting P12/P7 with incorrect options can be adjusted on-the-fly with
confirmation from the user.

Correct behaviour of export-p1 with OpenSSL v3 by using -legacy option.
Otherwise, OpenSSL v3 outputs a PKCS#8 format file.

Minor improvements to comments.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Re-arranging the p12 command to follow the standard:
- In file
- out file

Followed by
- Conditional: -nokeys
- Unconditional: -inkey file

This is a reminder that '-inkey' is subordinate to '-nokeys' but
is ALWAYS required.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
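As an added shell example (not easy-rsa's own code), the p12 argument order this commit describes, with `-in`/`-out` first, `-nokeys` only in the no-key case and `-inkey` always passed, plus two checks a user would want when verifying an export: which PEM form a private key file is in (PKCS#1 versus PKCS#8, the version-dependent behaviour this PR corrects for export-p1) and how many private keys a produced PKCS#12 actually contains. The function names, the `nokey` mode argument and the password `example` are assumptions of this example; it needs an `openssl` binary on PATH.

```shell
set -e

# Build a PKCS#12: -in, -out, then the conditional -nokeys, then -inkey (always).
# $1 cert PEM, $2 key PEM, $3 output .p12, $4 "nokey" to omit the private key.
# With -nokeys, OpenSSL does not read the file named by -inkey, so passing it
# unconditionally is harmless; without -nokeys it is what supplies the key.
export_p12() {
  crt="$1"; key="$2"; out="$3"; mode="${4:-}"
  nokeys=""
  if [ "$mode" = "nokey" ]; then
    nokeys="-nokeys"
  fi
  # shellcheck disable=SC2086  # $nokeys is intentionally unquoted (empty or one flag)
  openssl pkcs12 -export -in "$crt" -out "$out" $nokeys -inkey "$key" \
    -passout pass:example
}

# Report the PEM encoding of a private key file by its armour header:
# "RSA PRIVATE KEY" is PKCS#1, "PRIVATE KEY" (no algorithm) is PKCS#8.
key_format() {
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
    echo pkcs1
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then
    echo pkcs8
  else
    echo unknown
  fi
}

# Count the private keys stored in a PKCS#12 file (0 for a -nokeys export).
# The bundle is parsed unencrypted to stdout and only the key headers counted.
p12_key_count() {
  openssl pkcs12 -in "$1" -nodes -passin pass:example 2>/dev/null \
    | grep -c -- '-----BEGIN.*PRIVATE KEY-----' || true
}
```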

TinCanTech commented Jul 25, 2023

Note: The unit-test does exercise export-p12 foo nokey.

Option nokey was previously under suspicion.

@TinCanTech TinCanTech merged commit 0f5689f into OpenVPN:master Jul 25, 2023
3 checks passed
@TinCanTech

The unit test now includes a test for export-p12 with and without a key.

The manually kicked-off test has also completed successfully.


Successfully merging this pull request may close these issues.

EasyRSA export-p1 behaviour is OpenSSL version dependent