Merge branch 'TinCanTech-drop-x509-type-kdc-v2'

Signed-off-by: Richard T Bonhomme <[email protected]>

Author: TinCanTech

ChangeLog

@@ -2,6 +2,8 @@ Easy-RSA 3 ChangeLog
 
 3.2.5 (TBD)
 
+   * inline_file(): Make unknown certificate type non-fatal (b2373e2) (#1399)
+   * Remove 'kdc' as a 'built-in' X509-type (13e37d9) (#1399)
    * peer-fingerprint: Allow 'show-cert' to be used (7cf55e0) (#1397)
    * init-pki: Introduce configurable cryptography (a8da392) (#1397)
 

easyrsa3/easyrsa

@@ -491,7 +491,7 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
       * vars     - Write vars.example file.
       * ssl-cnf  - Write EasyRSA SSL config file.
       * safe-cnf - Write expanded EasyRSA SSL config file for LibreSSL.
-      * COMMON|ca|server|serverClient|client|codeSigning|email|kdc
+      * COMMON|ca|server|serverClient|client|codeSigning|email
                  - Write x509-type <type> file.
 
       * legacy   - Write ALL support files (above) to the PKI directory.
@@ -1012,7 +1012,7 @@ Temporary session not preserved."
 
 	# When prompt is disabled then restore prompt
 	case "$prompt_restore" in
-		0) : ;; # Not required
+		''|0) : ;; # Not required
 		1)
 			[ -t 1 ] && stty echo
 			[ "$EASYRSA_SILENT" ] || print
@@ -2310,7 +2310,7 @@ sign_req() {
 			# Inline file not required for signing a sub CA
 			EASYRSA_DISABLE_INLINE=1
 		;;
-		server|serverClient|client|codeSigning|email|kdc)
+		server|serverClient|client|codeSigning|email)
 			: # All known types
 		;;
 		*)
@@ -2967,7 +2967,7 @@ $(cat "$crt_source")
 		# Certificate type
 		inline_crt_type=
 		ssl_cert_x509v3_eku "$crt_source" inline_crt_type || \
-			die "inline_file: Failed to set inline_crt_type"
+			warn "inline_file: Unknown cert-type: '$inline_crt_type'"
 
 		# commonName
 		inline_crt_CN="$(
@@ -5717,8 +5717,6 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
 	set_var EASYRSA_REQ_CN			ChangeMe
 	set_var EASYRSA_DIGEST			sha256
 
-	set_var EASYRSA_KDC_REALM		"CHANGEME.EXAMPLE.COM"
-
 	set_var EASYRSA_MAX_TEMP		1
 
 	verbose "default_vars; COMPLETED"
@@ -5992,7 +5990,7 @@ check_ssl_cnf_known_hash() {
 write_x509_type_tmp() {
 	# Verify x509-type before redirect
 	case "$1" in
-		COMMON|ca|server|serverClient|client|email|codeSigning|kdc)
+		COMMON|ca|server|serverClient|client|email|codeSigning)
 			: # ok
 		;;
 		selfsign)
@@ -6042,7 +6040,7 @@ Legacy files:
 
 	# Create x509-types, except selfsign
 	for legacy_type in COMMON ca server serverClient client \
-		email codeSigning kdc
+		email codeSigning
 	do
 		legacy_target="${x509_types_d}/${legacy_type}"
 		write_legacy_file_v2 "$legacy_type" "$legacy_target" "$1"
@@ -6093,7 +6091,7 @@ write_legacy_file_v2() {
 	vars)
 		;;
 	# This correctly renames 'code-signing' to 'codeSigning'
-	COMMON|ca|server|serverClient|client|codeSigning|email|kdc)
+	COMMON|ca|server|serverClient|client|codeSigning|email)
 		;;
 	selfsign)
 		;;
@@ -6245,30 +6243,6 @@ create_legacy_stream() {
 		keyUsage = digitalSignature,keyEncipherment,nonRepudiation
 		CREATE_X509_TYPE_EMAIL
 		;;
-	kdc)
-	# kdc
-		cat <<- "CREATE_X509_TYPE_KDC"
-basicConstraints = CA:FALSE
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
-extendedKeyUsage = 1.3.6.1.5.2.3.5
-keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-issuerAltName = issuer:copy
-subjectAltName = otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm = EXP:0,GeneralString:${ENV::EASYRSA_KDC_REALM}
-principal_name = EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type = EXP:0,INTEGER:1
-name_string = EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1 = GeneralString:krbtgt
-princ2 = GeneralString:${ENV::EASYRSA_KDC_REALM}
-CREATE_X509_TYPE_KDC
-		;;
 	vars)
 	# vars
 		cat << "CREATE_VARS_EXAMPLE"
@@ -6638,22 +6612,15 @@ detect_host
 unset -v \
 	OPENSSL_CONF \
 	verify_ssl_lib_ok ssl_batch \
-	secured_session \
-	alias_days text \
-	prohibit_no_pass \
-	ignore_vars \
-	invalid_vars \
+	secured_session write_recursion \
+	alias_days text prohibit_no_pass \
+	quiet_vars ignore_vars invalid_vars \
 	local_request error_build_full_cleanup \
 	selfsign_eku \
 	internal_batch mv_temp_error \
 	easyrsa_exit_with_error error_info \
-	write_recursion require_pki require_ca quiet_vars
-
-	# Used by build-ca->cleanup to restore prompt
-	# after user interrupt when using manual password
-	prompt_restore=0
-	# Sequential temp-file counter
-	mktemp_counter=0
+	require_pki require_ca \
+	prompt_restore mktemp_counter
 
 # Parse options
 while :; do

easyrsa3/x509-types/kdc

@@ -1,3 +1,4 @@
+# Easy-RSA does NOT explicitly support X509 type 'KDC'
 # X509 extensions for a KDC server certificate
 
 basicConstraints = CA:FALSE