
Using --subject-alt-name AND environment variable "EASYRSA_EXTRA_EXTS" could lead to undesired results

Open dekeonus opened this issue 3 years ago • 4 comments

In https://github.com/OpenVPN/easy-rsa/blob/917d0780451dcf926d00f5dcac66627bd81d680d/easyrsa3/easyrsa#L4845-L4849 the subjectAltName = $val is added after $EASYRSA_EXTRA_EXTS. This prohibits the user from using openssl [sections] in EASYRSA_EXTRA_EXTS, e.g. adding subjectAltName = whatever:foo to the following will not generate the certificate the user is expecting.

[section]
mybar = blah

While it is possible a user has an environment variable $EASYRSA_EXTRA_EXTS with a sAN they want to override, I suspect that wanting a sAN added in addition to the $EASYRSA_EXTRA_EXTS is the more likely desired result.

I suggest the better order would be

    export EASYRSA_EXTRA_EXTS="\
    subjectAltName = $val
    $EASYRSA_EXTRA_EXTS"

dekeonus avatar Sep 03 '22 11:09 dekeonus

@dekeonus considering your point, what would you make of this: https://github.com/OpenVPN/easy-rsa/blob/8ebb013339dd921156ea687e3fa49b107dbd6774/easyrsa3/easyrsa#L2239-L2242

Looks like amplification to me, although,

- this is renew

I may have bitten off more than I can chew...

TinCanTech avatar Sep 08 '22 19:09 TinCanTech

Also, considering your point, I need a working example before any conclusion can be drawn.

TinCanTech avatar Sep 08 '22 19:09 TinCanTech

> Looks like amplification to me, although,

Indeed, but renew() needs a lot of work to be functional. Luckily openssl will only keep the last extension = value it encounters, so that snippet has worked in the simple cases.

Does the following lay out a use case, or would you like some other example? (I am trying to write something that would support pkinit client certs.)

x509-types/COMMON

# X509 extensions added to every signed cert
certificatePolicies = @cert_pol_any

policy_any.pol

# "any" certificate policy
[cert_pol_any]
policyIdentifier = 2.5.29.32.0
CPS.1 = "http://localhost/policy"

EASYRSA_EXTRA_EXTS="$(cat policy_any.pol)" easyrsa --san "DNS:foo.local,DNS:bar.local,email:admin@local" sign-req server foo_base_name

dekeonus avatar Sep 08 '22 19:09 dekeonus
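The two comments above (the ordering proposal in the opening post and the certificatePolicies use case just given) both hinge on how OpenSSL's CONF parser assigns a `key = value` line to a section: once EASYRSA_EXTRA_EXTS opens a `[section]`, anything appended after it belongs to that section, not to the unnamed default section that `-extfile` uses when no `-extensions` option is given. The following is an added illustration, not easy-rsa or OpenSSL code. It assumes the two fragments are simply concatenated into one extensions file (as the linked easy-rsa lines do), and it models only the CONF subset relevant here (comments, `[section]` headers, `key = value`, last duplicate wins), with no variable expansion, quoting or escapes. `EXTRA_EXTS`, `SAN`, `build_ext_file`, `effective_san` and `san_landed_in` are names chosen for this example.

```python
"""Toy model of how OpenSSL's CONF parser assigns `key = value` lines to
sections, showing why appending `subjectAltName` after EASYRSA_EXTRA_EXTS
breaks when the extra extensions open a [section].

Added illustration, not easy-rsa or OpenSSL code. Only the CONF subset
relevant to the issue is modelled: comments, [section] headers,
key = value lines, and last-duplicate-wins. No $var expansion, quoting
or escape handling (assumption: those do not affect the ordering point).
"""

# Constructed sample EASYRSA_EXTRA_EXTS: the certificatePolicies example
# from the issue, including the policy section it refers to.
EXTRA_EXTS = """\
# X509 extensions added to every signed cert
certificatePolicies = @cert_pol_any

[cert_pol_any]
policyIdentifier = 2.5.29.32.0
CPS.1 = "http://localhost/policy"
"""

# Constructed sample --san value from the issue.
SAN = "DNS:foo.local,DNS:bar.local,email:admin@local"


def parse_conf(text):
    """Return {section: {key: value}}; "" is the unnamed default section.

    A later assignment of the same key in the same section overwrites the
    earlier one, i.e. the last-wins behaviour the thread relies on.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a key = value line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def build_ext_file(extra_exts, san, san_first):
    """Concatenate the fragments either in the order the issue reports
    (san_first=False: SAN appended after EXTRA_EXTS) or in the order it
    proposes (san_first=True: SAN before EXTRA_EXTS)."""
    san_line = "subjectAltName = %s" % san
    if san_first:
        return san_line + "\n" + extra_exts
    return extra_exts + "\n" + san_line


def effective_san(ext_text):
    """SAN openssl would apply with -extfile and no -extensions option:
    the subjectAltName in the unnamed default section, or None."""
    return parse_conf(ext_text)[""].get("subjectAltName")


def san_landed_in(ext_text):
    """Names of the sections that ended up holding subjectAltName."""
    return sorted(name for name, kv in parse_conf(ext_text).items()
                  if "subjectAltName" in kv)


if __name__ == "__main__":
    for san_first in (False, True):
        text = build_ext_file(EXTRA_EXTS, SAN, san_first=san_first)
        print("san_first=%-5s default-section SAN=%r, found in %s"
              % (san_first, effective_san(text), san_landed_in(text)))
```

With the reported order the subjectAltName line is parsed as part of `[cert_pol_any]`, where it is meaningless and silently ignored for the certificate, so the cert is issued without a SAN; with the proposed order it lands in the default section. The same toy parser also shows the last-wins rule that makes the renew() snippet work when both fragments stay in the default section.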

I note in the server and serverClient type cases the ordering is safe due to the sAN coming before EASYRSA_EXTRA_EXTS: https://github.com/OpenVPN/easy-rsa/blob/8ebb013339dd921156ea687e3fa49b107dbd6774/easyrsa3/easyrsa#L1737-L1749

dekeonus avatar Sep 08 '22 19:09 dekeonus

I think this is another part related to: #576

Overall, I think EASYRSA_EXTRA_EXTS should be configured separately to a SAN.

If done separately then maybe the grep | sed || awk can be replaced, e.g. display_san(), display_dn() and default_server_san().

TinCanTech avatar Feb 11 '23 20:02 TinCanTech

Example

EASYRSA_EXTRA_EXTS="nsCertType = sslCA" easyrsa --nopass --verbose --san=DNS:a.eg.org build-ca

LGTM.

@dekeonus if the example works for you then please close this issue.

TinCanTech avatar Jul 17 '23 23:07 TinCanTech