
EASYRSA_NO_PASS conflict with --passin and --passout #835

Closed
seblu opened this issue Jan 2, 2023 · 4 comments · Fixed by #839

Comments


seblu commented Jan 2, 2023

In the current master, we can define EASYRSA_NO_PASS in the vars file to enable --nopass globally.

# Set no password mode - This will create the entire PKI without passwords.
# This can be better managed by choosing which entity private keys should be
# encrypted with the following command line options:
# Global option '--no-pass' or command option 'nopass'.
#
set_var EASYRSA_NO_PASS	1

but the code checking for mutual exclusions runs before the variables are loaded from the vars file.

# Mutual exclusions
# --nopass cannot be used with --passin and --passout
if [ "$EASYRSA_NO_PASS" ] && \
        { [ "$EASYRSA_PASSIN" ] || [ "$EASYRSA_PASSOUT" ]; }
then
        die "* Cannot use --nopass with --passin or --passout"
fi

# Intelligent env-var detection and auto-loading:
vars_setup

As a consequence, a command exporting a pkcs12 file generates it with a blank password and no warning.

./easyrsa --passout=file:<(echo iloveseblu) export-p12 "$cn"

In this case of exporting a p12, most UIs do not accept an empty password, and the best UX for easyrsa would be to let the global variable EASYRSA_NO_PASS be overridden by the command line when needed.

@TinCanTech (Collaborator)

@seblu Thank you for reporting this issue.

I understand the issue and think your proposal is a good approach:

  • Remove the mutual exclusion and allow global options --passin/--passout to take priority over --no-pass.
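
The ordering bug from the report and the precedence rule proposed in this comment, as an added example that is not easy-rsa's own code: it uses constructed inputs in place of a real vars file, keeps easy-rsa's EASYRSA_NO_PASS / EASYRSA_PASSOUT names, and assumes the helper names CLI_NOPASS, load_vars, old_order and new_order.

```sh
#!/bin/sh
# Added example, not easy-rsa's code: models the check-before-load bug and the
# proposed precedence (--passin/--passout beat a vars-file EASYRSA_NO_PASS).
# CLI_NOPASS, load_vars, old_order and new_order are assumed helper names.

# Stand-in for vars_setup: the constructed vars file carries 'set_var EASYRSA_NO_PASS 1'.
load_vars() { EASYRSA_NO_PASS=1; }

# Proposed precedence: a command-line --passin/--passout wins over a vars-file
# EASYRSA_NO_PASS, but --nopass given explicitly on the command line still
# conflicts. Prints one of: conflict | passout | nopass | prompt
resolve_pass_mode() {
    if [ -n "$CLI_NOPASS" ] && [ -n "$EASYRSA_PASSOUT" ]; then
        echo conflict
    elif [ -n "$EASYRSA_PASSOUT" ]; then
        if [ -n "$EASYRSA_NO_PASS" ]; then
            echo "Notice: --passout overrides EASYRSA_NO_PASS from vars" >&2
        fi
        echo passout
    elif [ -n "$CLI_NOPASS" ] || [ -n "$EASYRSA_NO_PASS" ]; then
        echo nopass
    else
        echo prompt
    fi
}

# Original order: the exclusion check runs before the vars file is loaded, sees
# no EASYRSA_NO_PASS and passes; afterwards both variables are set and the p12
# export applies nopass, giving the blank password the report describes.
old_order() {
    CLI_NOPASS=""; EASYRSA_NO_PASS=""; EASYRSA_PASSOUT=$1
    if [ -n "$EASYRSA_NO_PASS" ] && [ -n "$EASYRSA_PASSOUT" ]; then
        echo conflict; return 0   # never fires here: vars not loaded yet
    fi
    load_vars
    if [ -n "$EASYRSA_NO_PASS" ] && [ -n "$EASYRSA_PASSOUT" ]; then
        echo blank-password
    else
        resolve_pass_mode
    fi
}

# Fixed order: load the vars file first, then apply the precedence rule.
new_order() {
    CLI_NOPASS=$1; EASYRSA_NO_PASS=""; EASYRSA_PASSOUT=$2
    load_vars
    resolve_pass_mode
}
```

Running `old_order file:/tmp/pw` prints blank-password, while `new_order "" file:/tmp/pw` prints passout and `new_order 1 file:/tmp/pw` still reports conflict.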

@TinCanTech (Collaborator)

Here is a draft patch to test:

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index eff4b7b..40914e8 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5316,17 +5316,19 @@ case "$cmd" in
                unset -v no_pki_required
 esac
 
+# Intelligent env-var detection and auto-loading:
+vars_setup
+
 # Mutual exclusions
 # --nopass cannot be used with --passin and --passout
 if [ "$EASYRSA_NO_PASS" ] && \
        { [ "$EASYRSA_PASSIN" ] || [ "$EASYRSA_PASSOUT" ]; }
 then
-       die "* Cannot use --nopass with --passin or --passout"
+       # Allow --passin/--passout to take priority over --nopass
+       unset -v EASYRSA_NO_PASS
+       #die "* Cannot use --nopass with --passin or --passout"
 fi
 
-# Intelligent env-var detection and auto-loading:
-vars_setup
-
 # determine how we were called, then hand off to the function responsible
 case "$cmd" in
        init-pki|clean-all)
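Review bot: replacing `die` with `unset -v EASYRSA_NO_PASS` turns an explicit command-line conflict into a silent override: once `vars_setup` has run ahead of the check, the `if` can no longer tell a `--nopass` typed on the command line from an `EASYRSA_NO_PASS` set via `set_var` in the vars file, so a user who passes both `--nopass` and `--passout` now gets no error where the old code refused. Suggest recording during option parsing that `--nopass` came from the command line and keeping `die` for that case, and printing a notice when the vars-file value is dropped so the precedence is visible to the user. The commented-out `#die "* Cannot use --nopass with --passin or --passout"` line should also be deleted rather than left as dead code.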


TinCanTech commented Jan 3, 2023

Testing #839 welcome.

@TinCanTech (Collaborator)

Linking #733
