@@ -1893,27 +1893,15 @@ Raw CA mode
18931893
18941894 # keyUsage critical
18951895 if [ "$EASYRSA_KU_CRIT" ]; then
1896- crit_tmp=
1897- easyrsa_mktemp crit_tmp
1898-
1899- add_critical_attrib keyUsage "$x509_type_file" \
1900- "$crit_tmp" || die "build-ca - KU add_critical_attrib"
1901-
1902- # Use the new tmp-file with critical attribute
1903- x509_type_file="$crit_tmp"
1896+ add_critical_attrib_v2 keyUsage "$x509_type_file" || \
1897+ die "build-ca - add_critical_attrib_v2 keyUsage"
19041898 verbose "build_ca: keyUsage critical OK"
19051899 fi
19061900
19071901 # basicConstraints critical
19081902 if [ "$EASYRSA_BC_CRIT" ]; then
1909- crit_tmp=
1910- easyrsa_mktemp crit_tmp
1911-
1912- add_critical_attrib basicConstraints "$x509_type_file" \
1913- "$crit_tmp" || die "build-ca - BC add_critical_attrib"
1914-
1915- # Use the new tmp-file with critical attribute
1916- x509_type_file="$crit_tmp"
1903+ add_critical_attrib_v2 basicConstraints "$x509_type_file" || \
1904+ die "build-ca - add_critical_attrib_v2 basicConstraints"
19171905 verbose "build_ca: basicConstraints critical OK"
19181906 fi
19191907
@@ -2609,44 +2597,26 @@ Writing 'copy_exts' to SSL config temp-file failed"
26092597 # keyUsage critical
26102598 confirm_ku_crit=
26112599 if [ "$EASYRSA_KU_CRIT" ]; then
2612- crit_tmp=
2613- easyrsa_mktemp crit_tmp
2614-
2615- add_critical_attrib keyUsage "$x509_type_file" \
2616- "$crit_tmp" || die "sign-req - KU add_critical_attrib"
2617-
2618- # Use the new tmp-file with critical attribute
2619- x509_type_file="$crit_tmp"
2600+ add_critical_attrib_v2 keyUsage "$x509_type_file" || \
2601+ die "sign-req - add_critical_attrib_v2 keyUsage"
26202602 confirm_ku_crit=" keyUsage: 'critical'${NL}"
26212603 verbose "sign_req: keyUsage critical OK"
26222604 fi
26232605
26242606 # basicConstraints critical
26252607 confirm_bc_crit=
26262608 if [ "$EASYRSA_BC_CRIT" ]; then
2627- crit_tmp=
2628- easyrsa_mktemp crit_tmp
2629-
2630- add_critical_attrib basicConstraints "$x509_type_file" \
2631- "$crit_tmp" || die "sign-req - BC add_critical_attrib"
2632-
2633- # Use the new tmp-file with critical attribute
2634- x509_type_file="$crit_tmp"
2609+ add_critical_attrib_v2 basicConstraints "$x509_type_file" || \
2610+ die "sign-req - add_critical_attrib_v2 basicConstraints"
26352611 confirm_bc_crit=" basicConstraints: 'critical'${NL}"
26362612 verbose "sign_req: basicConstraints critical OK"
26372613 fi
26382614
26392615 # extendedKeyUsage critical
26402616 confirm_eku_crit=
26412617 if [ "$EASYRSA_EKU_CRIT" ]; then
2642- crit_tmp=
2643- easyrsa_mktemp crit_tmp
2644-
2645- add_critical_attrib extendedKeyUsage "$x509_type_file" \
2646- "$crit_tmp" || die "sign-req - EKU add_critical_attrib"
2647-
2648- # Use the new tmp-file with critical attribute
2649- x509_type_file="$crit_tmp"
2618+ add_critical_attrib_v2 extendedKeyUsage "$x509_type_file" || \
2619+ die "sign-req - add_critical_attrib_v2 extendedKeyUsage"
26502620 confirm_eku_crit=" extendedKeyUsage: 'critical'${NL}"
26512621 verbose "sign_req: extendedKeyUsage critical OK"
26522622 fi
@@ -2900,22 +2870,31 @@ Certificate created at:
29002870} # => sign_req()
29012871
29022872# Add 'critical' attribute to X509-type file
2903- add_critical_attrib() {
2873+ add_critical_attrib_v2() {
2874+ fn_name="$fn_name; add_critical_attrib_v2"
29042875 case "$1" in
29052876 basicConstraints|keyUsage|extendedKeyUsage) : ;; # ok
2906- *) die "add_critical_attrib - usage: '$1'"
2877+ *) die "$fn_name - usage: '$1'"
29072878 esac
29082879
2909- [ -f "$2" ] || die "add_critical_attrib - file-2: '$2'"
2910- [ -f "$3" ] || die "add_critical_attrib - file-3: '$3'"
2880+ [ -f "$2" ] || die "$fn_name - missing output file"
2881+
2882+ crit_tmp=
2883+ easyrsa_mktemp crit_tmp
29112884
29122885 # Insert 'critical,' attrib, ONLY if NOT present
29132886 srch="${1}[[:blank:]]*=[[:blank:]]*critical"
29142887 repl="${1}[[:blank:]]*=[[:blank:]]*"
29152888 with="${1} = critical,"
2916- sed /"$srch"/!s/"$repl"/"$with"/g "$2" > "$3" || return 1
2917- unset -v srch repl with
2918- } # => add_critical_attrib()
2889+ sed /"$srch"/!s/"$repl"/"$with"/g \
2890+ "$2" > "$crit_tmp" || return 1
2891+
2892+ # Use the new tmp-file:$crit_tmp with critical attribute
2893+ mv -f "$crit_tmp" "$2" || return 1
2894+
2895+ fn_name="${fn_name%; add_critical_attrib_v2}"
2896+ unset -v srch repl with crit_tmp
2897+ } # => add_critical_attrib_v2()
29192898
29202899# Check serial in db
29212900check_serial_unique() {
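Review bot: add_critical_attrib_v2 returns success even when no `critical,` was inserted, because sed exits 0 when the `$repl` pattern matches nothing (for example, if the X509-type file has no line for the requested extension). The callers in the build_ca, sign_req and renew_ca_cert hunks then log "critical OK", and sign_req fills `confirm_ku_crit` and its siblings, so an operator can be told an extension is critical when the issued certificate would not mark it so. After the `mv -f`, verify the result with `grep -q "$srch" "$2" || return 1`. Separately, the function now overwrites `$2` in place instead of handing back a new temp-file. If `$x509_type_file` can ever point at the PKI's own x509-types file rather than a working copy (not visible in these hunks), the edit would persist across runs, so a comment above the function stating that `$2` must be a temporary copy would help.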
@@ -5052,28 +5031,16 @@ $cmd does not support setting an external commonName."
50525031 # basicConstraints critical
50535032 if grep -q 'Basic Constraints: critical' "$old_cert_tmp"
50545033 then
5055- crit_tmp=
5056- easyrsa_mktemp crit_tmp
5057-
5058- add_critical_attrib basicConstraints "$x509_type_file" \
5059- "$crit_tmp" || die "$f_name BC add_critical_attrib"
5060-
5061- # Use the new tmp-file with critical attribute
5062- x509_type_file="$crit_tmp"
5034+ add_critical_attrib_v2 basicConstraints "$x509_type_file" || \
5035+ die "$f_name BC add_critical_attrib_v2"
50635036 verbose "renew_ca_cert: basicConstraints critical OK"
50645037 fi
50655038
50665039 # keyUsage critical
50675040 if grep -q 'Key Usage: critical' "$old_cert_tmp"
50685041 then
5069- crit_tmp=
5070- easyrsa_mktemp crit_tmp
5071-
5072- add_critical_attrib keyUsage "$x509_type_file" \
5073- "$crit_tmp" || die "$f_name KU add_critical_attrib"
5074-
5075- # Use the new tmp-file with critical attribute
5076- x509_type_file="$crit_tmp"
5042+ add_critical_attrib_v2 keyUsage "$x509_type_file" || \
5043+ die "$f_name KU add_critical_attrib_v2"
50775044 verbose "renew_ca_cert: keyUsage critical OK"
50785045 fi
50795046