
Commit f6b43dc

committed
Merge branch 'TinCanTech-san-critical'
Signed-off-by: Richard T Bonhomme <[email protected]>
2 parents 34586ad + a1e90cd commit f6b43dc

File tree

2 files changed

+13
-2
lines changed


ChangeLog

Lines changed: 1 addition & 0 deletions
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
22

33
3.2.1 (TBD)
44

5+
* Introduce global option --san-crit, mark SAN critical (dd69f50) (#1179)
56
* Introduce new global options: --ku-crit and --bc-crit (b79abee) (#1176)
67
* gen-req: Always check for existing request file (7eab98e) (#1177)
78
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)

easyrsa3/easyrsa

Lines changed: 12 additions & 2 deletions
@@ -611,6 +611,7 @@ Certificate & Request options: (these impact cert/req field values)
611611
--san|--subject-alt-name=SUBJECT_ALT_NAME
612612
: Add a subjectAltName. Can be used multiple times.
613613
For more info and syntax, see: 'easyrsa help altname'
614+
--san-crit : Mark X509v3 subjectAltName as critical
614615

615616
--new-subject='SUBJECT'
616617
: Specify a new subject field to sign a request with.
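Review bot: the new `--san-crit` help entry does not say that the option only has an effect when a SAN is actually supplied with `--san`; the `critical,` prefix is only interpolated inside the `if [ "$EASYRSA_SAN" ]` block further down, so a user passing `--san-crit` alone gets no critical extension and no warning. Suggest `--san-crit : Mark X509v3 subjectAltName as critical (only with --san)` and, while here, the colon alignment of the other entries in this block.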
@@ -2266,6 +2267,8 @@ $EASYRSA_EXTRA_EXTS"
22662267
> "$adjusted_ssl_cnf_tmp" || \
22672268
die "Writing SSL config to temp file failed"
22682269

2270+
[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"
2271+
22692272
# Use this SSL config for the rest of this function
22702273
EASYRSA_SSL_CONF="$adjusted_ssl_cnf_tmp"
22712274
fi
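Review bot: `[ "${EASYRSA_SAN_CRIT}" ] && verbose "gen-req: SAN critical OK"` reports success on the flag alone, even when no `--san` was given and therefore no `subjectAltName` line is written into the config; either guard it with `"$EASYRSA_SAN"` as well, or reword it so it states only that the option was set, since nothing is actually verified at this point.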
@@ -2567,6 +2570,8 @@ basicConstraints is not defined, cannot use 'pathlen'"
25672570
unset -v ns_cert_type
25682571
esac
25692572

2573+
[ "${EASYRSA_SAN_CRIT}" ] && verbose "sign-req: SAN critical OK"
2574+
25702575
# Generate the extensions file for this cert:
25712576
ext_tmp=""
25722577
easyrsa_mktemp ext_tmp || \
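Review bot: same concern as in gen-req, and in sign-req it is more misleading: when `EASYRSA_SAN` is unset the certificate takes the SAN from the request (`confirm_san="$req_x509_san"` below), which this change does not mark critical, yet the log still says "sign-req: SAN critical OK". Guard the message with `"$EASYRSA_SAN"` or emit it from the branch that actually applies the prefix.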
@@ -2601,6 +2606,7 @@ Failed to create temp extension file (bad permissions?) at:
26012606
verbose "sign_req: Generated extensions file OK"
26022607

26032608
# Get request CN
2609+
# EASYRSA_REQ_CN MUST always be set to the CSR CN
26042610
EASYRSA_REQ_CN="$(
26052611
"$EASYRSA_OPENSSL" req -utf8 -in "$req_in" -noout \
26062612
-subject -nameopt multiline | grep 'commonName'
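Review bot: the added comment is unrelated to `--san-crit` and would be easier to track in its own commit; it also states that `EASYRSA_REQ_CN` MUST always be the CSR CN, while the pipeline that follows (`grep 'commonName'`) silently yields an empty value for a request without a commonName. Say what is expected in that case or add an explicit empty check after the assignment.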
@@ -2663,7 +2669,7 @@ $confirm_dn"
26632669
if [ "$EASYRSA_SAN" ]; then
26642670
confirm_san="\
26652671
X509v3 Subject Alternative Name:
2666-
$EASYRSA_SAN"
2672+
${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
26672673
else
26682674
confirm_san="$req_x509_san"
26692675
fi
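Review bot: the confirmation text now renders as `X509v3 Subject Alternative Name:` followed by `critical,DNS:...`, i.e. the raw config prefix. The surrounding block mimics OpenSSL's text output, where criticality appears on the heading line as `X509v3 Subject Alternative Name: critical`; consider formatting the display that way rather than reusing the config-syntax string.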
@@ -5529,6 +5535,10 @@ while :; do
55295535
EASYRSA_SAN="$val"
55305536
fi
55315537
;;
5538+
--san-crit*)
5539+
empty_ok=1
5540+
export EASYRSA_SAN_CRIT='critical,'
5541+
;;
55325542
--new-subj*)
55335543
export EASYRSA_NEW_SUBJECT="$val"
55345544
;;
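Review bot: storing the literal config fragment `'critical,'` in `EASYRSA_SAN_CRIT` conflates the flag with its rendering; because the variable is interpolated verbatim into `subjectAltName = ...`, any other truthy value set through the environment or vars file (e.g. `EASYRSA_SAN_CRIT=1`) produces a malformed extension line. Prefer a boolean-style flag and emit `critical,` at the use site. Also confirm that the preceding `--san` arm is not a glob such as `--san*`, which would match `--san-crit` first and assign it to `EASYRSA_SAN`, and note that `--san-crit*` accepts arbitrary suffixes (`--san-critical`), which may be intended but is worth a comment.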
@@ -5587,7 +5597,7 @@ done
55875597
if [ "$EASYRSA_SAN" ]; then
55885598
EASYRSA_EXTRA_EXTS="\
55895599
$EASYRSA_EXTRA_EXTS
5590-
subjectAltName = $EASYRSA_SAN"
5600+
subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
55915601
fi
55925602

55935603
# Set cmd now
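Review bot: the option is not documented with guidance on when a critical SAN is appropriate; RFC 5280 section 4.2.1.6 requires subjectAltName to be critical only when the subject DN is empty and says conforming CAs SHOULD mark it non-critical otherwise. A one-line note in `easyrsa help altname` (referenced in the help text above) pointing this out would help users avoid marking it critical on certificates that also carry a subject.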
