[packages/easy-rsa.git] / easy-rsa2.patch

diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-ca openvpn-2.2.0/easy-rsa/2.0/build-ca
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-ca	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-ca	2011-04-27 22:34:59.357652908 +0200
@@ -4,5 +4,5 @@
 # Build a root certificate
 #
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --initca $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-dh openvpn-2.2.0/easy-rsa/2.0/build-dh
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-dh	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-dh	2011-04-27 22:36:11.867656490 +0200
@@ -3,8 +3,12 @@
 # Build Diffie-Hellman parameters for the server side
 # of an SSL/TLS connection.
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
-    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-inter openvpn-2.2.0/easy-rsa/2.0/build-inter
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-inter	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-inter	2011-04-27 22:37:59.789289422 +0200
@@ -3,5 +3,5 @@
 # Make an intermediate CA certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --inter $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key openvpn-2.2.0/easy-rsa/2.0/build-key
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key	2011-04-27 22:38:35.330924876 +0200
@@ -3,5 +3,5 @@
 # Make a certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass openvpn-2.2.0/easy-rsa/2.0/build-key-pass
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pass	2011-04-27 22:39:23.919827311 +0200
@@ -3,5 +3,5 @@
 # Similar to build-key, but protect the private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pass $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12	2011-04-27 22:40:10.288627524 +0200
@@ -4,5 +4,5 @@
 # root certificate and convert it to a PKCS #12 file including the
 # the CA certificate as well.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pkcs12 $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server openvpn-2.2.0/easy-rsa/2.0/build-key-server
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-key-server	2011-04-27 22:41:24.715385295 +0200
@@ -6,5 +6,5 @@
 # Explicitly set nsCertType to server using the "server"
 # extension in the openssl.cnf file.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --server $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req openvpn-2.2.0/easy-rsa/2.0/build-req
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-req	2011-04-27 22:41:59.636992013 +0200
@@ -3,5 +3,5 @@
 # Build a certificate signing request and private key.  Use this
 # when your root certificate and key is not available locally.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass openvpn-2.2.0/easy-rsa/2.0/build-req-pass
--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/build-req-pass	2011-04-27 22:43:36.938135257 +0200
@@ -3,5 +3,5 @@
 # Like build-req, but protect your private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr --pass $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/clean-all openvpn-2.2.0/easy-rsa/2.0/clean-all
--- openvpn-2.2.0-orig/easy-rsa/2.0/clean-all	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/clean-all	2011-04-27 22:44:36.544210785 +0200
@@ -4,6 +4,10 @@
 # Note that this script does a
 # rm -rf on $KEY_DIR so be careful!
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 if [ "$KEY_DIR" ]; then
     rm -rf "$KEY_DIR"
     mkdir "$KEY_DIR" && \
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter openvpn-2.2.0/easy-rsa/2.0/inherit-inter
--- openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/inherit-inter	2011-04-27 22:45:20.809580498 +0200
@@ -9,6 +9,10 @@
 # To build an intermediate CA, follow the same steps for a regular PKI but
 # replace ./build-key or ./pkitool --initca with this script.
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 # The EXPORT_CA file will contain the CA certificate chain and should be
 # referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
 # will only contain the local intermediate CA -- it's needed by the easy-rsa
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/list-crl openvpn-2.2.0/easy-rsa/2.0/list-crl
--- openvpn-2.2.0-orig/easy-rsa/2.0/list-crl	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/list-crl	2011-04-27 22:46:23.149114937 +0200
@@ -2,11 +2,15 @@
 
 # list revoked certificates
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 CRL="${1:-crl.pem}"
 
 if [ "$KEY_DIR" ]; then
     cd "$KEY_DIR" && \
-	$OPENSSL crl -text -noout -in "$CRL"
+	openssl crl -text -noout -in "$CRL"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/pkitool openvpn-2.2.0/easy-rsa/2.0/pkitool
--- openvpn-2.2.0-orig/easy-rsa/2.0/pkitool	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/pkitool	2011-04-27 22:53:35.735697923 +0200
@@ -42,6 +42,10 @@
     exit 1
 }
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 need_vars()
 {
     echo '  Please edit the vars script to reflect your configuration,'
@@ -172,16 +176,16 @@
 		     if [ -z "$PKCS11_LABEL" ]; then
 		       die "Please specify library name, slot and label"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
 		     	--label "$PKCS11_LABEL" &&
-			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+			pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
 		     exit $?;;
 	--pkcs11-slots)
 	             PKCS11_MODULE_PATH="$2"
 		     if [ -z "$PKCS11_MODULE_PATH" ]; then
 		       die "Please specify library name"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
 		     exit 0;;
 	--pkcs11-objects)
 	             PKCS11_MODULE_PATH="$2"
@@ -189,7 +193,7 @@
 		     if [ -z "$PKCS11_SLOT" ]; then
 		       die "Please specify library name and slot"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
 		     exit 0;;
 
         --help|--usage)
@@ -206,7 +210,7 @@
 done
 
 if ! [ -z "$BATCH" ]; then
-	if $OPENSSL version | grep 0.9.6 > /dev/null; then
+	if openssl version | grep 0.9.6 > /dev/null; then
 		die "Batch mode is unsupported in openssl<0.9.7"
 	fi
 fi
@@ -311,7 +315,7 @@
 
     # Make sure $KEY_CONFIG points to the correct version
     # of openssl.cnf
-    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+    if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
 	:
     else
 	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
@@ -322,7 +326,7 @@
 
     # Build root CA
     if [ $DO_ROOT -eq 1 ]; then
-	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+	openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
 	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
 	    chmod 0600 "$CA.key"
     else        
@@ -345,7 +349,7 @@
 		export PKCS11_PIN
 
 		echo "Generating key pair on PKCS#11 token..."
-		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+		pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
 			--login --pin "$PKCS11_PIN" \
 			--key-type rsa:1024 \
 			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
@@ -353,19 +357,19 @@
 	fi
 
         # Build cert/key
-	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+	( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
 	        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
-	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+	    ( [ $DO_CA -eq 0 ]  || openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
 	        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
-	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+	    ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$FN.key" \
 	        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
 	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
 	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
 
 	# Load certificate into PKCS#11 token
 	if [ $DO_P11 -eq 1 ]; then
-		$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
-		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+		openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+		  pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
 			--login --pin "$PKCS11_PIN" \
 			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
 		[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full openvpn-2.2.0/easy-rsa/2.0/revoke-full
--- openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/revoke-full	2011-04-27 22:56:07.449351374 +0200
@@ -3,6 +3,10 @@
 # revoke a certificate, regenerate CRL,
 # and verify revocation
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 CRL="crl.pem"
 RT="revoke-test.pem"
 
@@ -21,11 +25,11 @@
     export KEY_NAME=""
 
     # revoke key and generate a new CRL
-    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+    openssl ca -revoke "$1" -config "$KEY_CONFIG"
 
     # generate a new CRL -- try to be compatible with
     # intermediate PKIs
-    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+    openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
     if [ -e export-ca.crt ]; then
 	cat export-ca.crt "$CRL" >"$RT"
     else
@@ -33,7 +37,7 @@
     fi
     
     # verify the revocation
-    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+    openssl verify -CAfile "$RT" -crl_check "$1"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/sign-req openvpn-2.2.0/easy-rsa/2.0/sign-req
--- openvpn-2.2.0-orig/easy-rsa/2.0/sign-req	2011-04-06 18:05:52.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/sign-req	2011-04-27 22:56:46.124465700 +0200
@@ -3,5 +3,5 @@
 # Sign a certificate signing request (a .csr file)
 # with a local root certificate and key.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --sign $*
diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/vars openvpn-2.2.0/easy-rsa/2.0/vars
--- openvpn-2.2.0-orig/easy-rsa/2.0/vars	2010-10-21 11:18:17.000000000 +0200
+++ openvpn-2.2.0/easy-rsa/2.0/vars	2011-04-27 22:58:41.789791888 +0200
@@ -12,21 +12,12 @@
 # This variable should point to
 # the top level of the easy-rsa
 # tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
+export EASY_RSA="/etc/easy-rsa"
 
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
 
 # Edit this variable to point to
 # your soon-to-be-created key
@@ -38,9 +29,6 @@
 # it correctly!
 export KEY_DIR="$EASY_RSA/keys"
 
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
 # PKCS11 fixes
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"
Commit	Line	Data
7b891ac1 AM	1	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-ca openvpn-2.2.0/easy-rsa/2.0/build-ca
	2	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-ca 2011-04-06 18:05:52.000000000 +0200
	3	+++ openvpn-2.2.0/easy-rsa/2.0/build-ca 2011-04-27 22:34:59.357652908 +0200
	4	@@ -4,5 +4,5 @@
	5	# Build a root certificate
	6	#
	7
	8	-export EASY_RSA="${EASY_RSA:-.}"
	9	-"$EASY_RSA/pkitool" --interact --initca $*
	10	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	11	+/usr/sbin/pkitool --interact --initca $*
	12	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-dh openvpn-2.2.0/easy-rsa/2.0/build-dh
	13	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-dh 2011-04-06 18:05:52.000000000 +0200
	14	+++ openvpn-2.2.0/easy-rsa/2.0/build-dh 2011-04-27 22:36:11.867656490 +0200
	15	@@ -3,8 +3,12 @@
	16	# Build Diffie-Hellman parameters for the server side
	17	# of an SSL/TLS connection.
	18
	19	+if [ -z "$EASY_RSA" ]; then
	20	+ . /etc/easy-rsa/vars
	21	+fi
	22	+
	23	if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
	24	- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
	25	+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
	26	else
	27	echo 'Please source the vars script first (i.e. "source ./vars")'
	28	echo 'Make sure you have edited it to reflect your configuration.'
	29	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-inter openvpn-2.2.0/easy-rsa/2.0/build-inter
	30	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-inter 2011-04-06 18:05:52.000000000 +0200
	31	+++ openvpn-2.2.0/easy-rsa/2.0/build-inter 2011-04-27 22:37:59.789289422 +0200
	32	@@ -3,5 +3,5 @@
	33	# Make an intermediate CA certificate/private key pair using a locally generated
	34	# root certificate.
	35
	36	-export EASY_RSA="${EASY_RSA:-.}"
	37	-"$EASY_RSA/pkitool" --interact --inter $*
	38	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	39	+/usr/sbin/pkitool --interact --inter $*
	40	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key openvpn-2.2.0/easy-rsa/2.0/build-key
	41	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key 2011-04-06 18:05:52.000000000 +0200
	42	+++ openvpn-2.2.0/easy-rsa/2.0/build-key 2011-04-27 22:38:35.330924876 +0200
	43	@@ -3,5 +3,5 @@
	44	# Make a certificate/private key pair using a locally generated
	45	# root certificate.
	46
	47	-export EASY_RSA="${EASY_RSA:-.}"
	48	-"$EASY_RSA/pkitool" --interact $*
	49	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	50	+/usr/sbin/pkitool --interact $*
	51	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass openvpn-2.2.0/easy-rsa/2.0/build-key-pass
	52	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass 2011-04-06 18:05:52.000000000 +0200
	53	+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pass 2011-04-27 22:39:23.919827311 +0200
	54	@@ -3,5 +3,5 @@
	55	# Similar to build-key, but protect the private key
	56	# with a password.
	57
	58	-export EASY_RSA="${EASY_RSA:-.}"
	59	-"$EASY_RSA/pkitool" --interact --pass $*
	60	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	61	+/usr/sbin/pkitool --interact --pass $*
	62	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12
	63	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 2011-04-06 18:05:52.000000000 +0200
	64	+++ openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12 2011-04-27 22:40:10.288627524 +0200
65	@@ -4,5 +4,5 @@
66	# root certificate and convert it to a PKCS #12 file including the
67	# the CA certificate as well.
68
69	-export EASY_RSA="${EASY_RSA:-.}"
70	-"$EASY_RSA/pkitool" --interact --pkcs12 $*
71	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
72	+/usr/sbin/pkitool --interact --pkcs12 $*
73	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server openvpn-2.2.0/easy-rsa/2.0/build-key-server
74	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server 2011-04-06 18:05:52.000000000 +0200
75	+++ openvpn-2.2.0/easy-rsa/2.0/build-key-server 2011-04-27 22:41:24.715385295 +0200
76	@@ -6,5 +6,5 @@
77	# Explicitly set nsCertType to server using the "server"
78	# extension in the openssl.cnf file.
79
80	-export EASY_RSA="${EASY_RSA:-.}"
81	-"$EASY_RSA/pkitool" --interact --server $*
82	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
83	+/usr/sbin/pkitool --interact --server $*
84	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req openvpn-2.2.0/easy-rsa/2.0/build-req
85	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req 2011-04-06 18:05:52.000000000 +0200
86	+++ openvpn-2.2.0/easy-rsa/2.0/build-req 2011-04-27 22:41:59.636992013 +0200
87	@@ -3,5 +3,5 @@
88	# Build a certificate signing request and private key. Use this
89	# when your root certificate and key is not available locally.
90
91	-export EASY_RSA="${EASY_RSA:-.}"
92	-"$EASY_RSA/pkitool" --interact --csr $*
93	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
94	+/usr/sbin/pkitool --interact --csr $*
95	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass openvpn-2.2.0/easy-rsa/2.0/build-req-pass
96	--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass 2011-04-06 18:05:52.000000000 +0200
97	+++ openvpn-2.2.0/easy-rsa/2.0/build-req-pass 2011-04-27 22:43:36.938135257 +0200
98	@@ -3,5 +3,5 @@
99	# Like build-req, but protect your private key
100	# with a password.
101
102	-export EASY_RSA="${EASY_RSA:-.}"
103	-"$EASY_RSA/pkitool" --interact --csr --pass $*
104	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
105	+/usr/sbin/pkitool --interact --csr --pass $*
106	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/clean-all openvpn-2.2.0/easy-rsa/2.0/clean-all
107	--- openvpn-2.2.0-orig/easy-rsa/2.0/clean-all 2011-04-06 18:05:52.000000000 +0200
108	+++ openvpn-2.2.0/easy-rsa/2.0/clean-all 2011-04-27 22:44:36.544210785 +0200
109	@@ -4,6 +4,10 @@
110	# Note that this script does a
111	# rm -rf on $KEY_DIR so be careful!
112
113	+if [ -z "$EASY_RSA" ]; then
114	+ . /etc/easy-rsa/vars
115	+fi
116	+
117	if [ "$KEY_DIR" ]; then
118	rm -rf "$KEY_DIR"
119	mkdir "$KEY_DIR" && \
120	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter openvpn-2.2.0/easy-rsa/2.0/inherit-inter
121	--- openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter 2011-04-06 18:05:52.000000000 +0200
122	+++ openvpn-2.2.0/easy-rsa/2.0/inherit-inter 2011-04-27 22:45:20.809580498 +0200
123	@@ -9,6 +9,10 @@
124	# To build an intermediate CA, follow the same steps for a regular PKI but
125	# replace ./build-key or ./pkitool --initca with this script.
126
127	+if [ -z "$EASY_RSA" ]; then
128	+ . /etc/easy-rsa/vars
129	+fi
130	+
131	# The EXPORT_CA file will contain the CA certificate chain and should be
132	# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
133	# will only contain the local intermediate CA -- it's needed by the easy-rsa
134	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/list-crl openvpn-2.2.0/easy-rsa/2.0/list-crl
135	--- openvpn-2.2.0-orig/easy-rsa/2.0/list-crl 2011-04-06 18:05:52.000000000 +0200
136	+++ openvpn-2.2.0/easy-rsa/2.0/list-crl 2011-04-27 22:46:23.149114937 +0200
137	@@ -2,11 +2,15 @@
138
139	# list revoked certificates
140
141	+if [ -z "$EASY_RSA" ]; then
142	+ . /etc/easy-rsa/vars
143	+fi
144	+
145	CRL="${1:-crl.pem}"
146
147	if [ "$KEY_DIR" ]; then
148	cd "$KEY_DIR" && \
149	- $OPENSSL crl -text -noout -in "$CRL"
150	+ openssl crl -text -noout -in "$CRL"
151	else
152	echo 'Please source the vars script first (i.e. "source ./vars")'
153	echo 'Make sure you have edited it to reflect your configuration.'
154	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/pkitool openvpn-2.2.0/easy-rsa/2.0/pkitool
155	--- openvpn-2.2.0-orig/easy-rsa/2.0/pkitool 2011-04-06 18:05:52.000000000 +0200
156	+++ openvpn-2.2.0/easy-rsa/2.0/pkitool 2011-04-27 22:53:35.735697923 +0200
157	@@ -42,6 +42,10 @@
158	exit 1
159	}
160
161	+if [ -z "$EASY_RSA" ]; then
162	+ . /etc/easy-rsa/vars
163	+fi
164	+
165	need_vars()
166	{
167	echo ' Please edit the vars script to reflect your configuration,'
168	@@ -172,16 +176,16 @@
169	if [ -z "$PKCS11_LABEL" ]; then
170	die "Please specify library name, slot and label"
171	fi
172	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
173	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
174	--label "$PKCS11_LABEL" &&
175	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
176	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
177	exit $?;;
178	--pkcs11-slots)
179	PKCS11_MODULE_PATH="$2"
180	if [ -z "$PKCS11_MODULE_PATH" ]; then
181	die "Please specify library name"
182	fi
183	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
184	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
185	exit 0;;
186	--pkcs11-objects)
187	PKCS11_MODULE_PATH="$2"
188	@@ -189,7 +193,7 @@
189	if [ -z "$PKCS11_SLOT" ]; then
190	die "Please specify library name and slot"
191	fi
192	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
193	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
194	exit 0;;
195
196	--help\|--usage)
197	@@ -206,7 +210,7 @@
198	done
199
200	if ! [ -z "$BATCH" ]; then
201	- if $OPENSSL version \| grep 0.9.6 > /dev/null; then
202	+ if openssl version \| grep 0.9.6 > /dev/null; then
203	die "Batch mode is unsupported in openssl<0.9.7"
204	fi
205	fi
206	@@ -311,7 +315,7 @@
207
208	# Make sure $KEY_CONFIG points to the correct version
209	# of openssl.cnf
210	- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
211	+ if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
212	:
213	else
214	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
215	@@ -322,7 +326,7 @@
216
217	# Build root CA
218	if [ $DO_ROOT -eq 1 ]; then
219	- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
220	+ openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
221	-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
222	chmod 0600 "$CA.key"
223	else
224	@@ -345,7 +349,7 @@
225	export PKCS11_PIN
226
227	echo "Generating key pair on PKCS#11 token..."
228	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
229	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
230	--login --pin "$PKCS11_PIN" \
231	--key-type rsa:1024 \
232	--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" \|\| exit 1
233	@@ -353,19 +357,19 @@
234	fi
235
236	# Build cert/key
237	- ( [ $DO_REQ -eq 0 ] \|\| $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
238	+ ( [ $DO_REQ -eq 0 ] \|\| openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
239	-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
240	- ( [ $DO_CA -eq 0 ] \|\| $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
241	+ ( [ $DO_CA -eq 0 ] \|\| openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
242	-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
243	- ( [ $DO_P12 -eq 0 ] \|\| $OPENSSL pkcs12 -export -inkey "$FN.key" \
244	+ ( [ $DO_P12 -eq 0 ] \|\| openssl pkcs12 -export -inkey "$FN.key" \
245	-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
246	( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] \|\| chmod 0600 "$FN.key" ) && \
247	( [ $DO_P12 -eq 0 ] \|\| chmod 0600 "$FN.p12" )
248
249	# Load certificate into PKCS#11 token
250	if [ $DO_P11 -eq 1 ]; then
251	- $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
252	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
253	+ openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
254	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
255	--login --pin "$PKCS11_PIN" \
256	--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
257	[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
258	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full openvpn-2.2.0/easy-rsa/2.0/revoke-full
259	--- openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full 2011-04-06 18:05:52.000000000 +0200
260	+++ openvpn-2.2.0/easy-rsa/2.0/revoke-full 2011-04-27 22:56:07.449351374 +0200
261	@@ -3,6 +3,10 @@
262	# revoke a certificate, regenerate CRL,
263	# and verify revocation
264
265	+if [ -z "$EASY_RSA" ]; then
266	+ . /etc/easy-rsa/vars
267	+fi
268	+
269	CRL="crl.pem"
270	RT="revoke-test.pem"
271
272	@@ -21,11 +25,11 @@
273	export KEY_NAME=""
274
275	# revoke key and generate a new CRL
276	- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
277	+ openssl ca -revoke "$1" -config "$KEY_CONFIG"
278
279	# generate a new CRL -- try to be compatible with
280	# intermediate PKIs
281	- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
282	+ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
283	if [ -e export-ca.crt ]; then
284	cat export-ca.crt "$CRL" >"$RT"
285	else
286	@@ -33,7 +37,7 @@
287	fi
288
289	# verify the revocation
290	- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
291	+ openssl verify -CAfile "$RT" -crl_check "$1"
292	else
293	echo 'Please source the vars script first (i.e. "source ./vars")'
294	echo 'Make sure you have edited it to reflect your configuration.'
295	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/sign-req openvpn-2.2.0/easy-rsa/2.0/sign-req
296	--- openvpn-2.2.0-orig/easy-rsa/2.0/sign-req 2011-04-06 18:05:52.000000000 +0200
297	+++ openvpn-2.2.0/easy-rsa/2.0/sign-req 2011-04-27 22:56:46.124465700 +0200
298	@@ -3,5 +3,5 @@
299	# Sign a certificate signing request (a .csr file)
300	# with a local root certificate and key.
301
302	-export EASY_RSA="${EASY_RSA:-.}"
303	-"$EASY_RSA/pkitool" --interact --sign $*
304	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
305	+/usr/sbin/pkitool --interact --sign $*
306	diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/vars openvpn-2.2.0/easy-rsa/2.0/vars
307	--- openvpn-2.2.0-orig/easy-rsa/2.0/vars 2010-10-21 11:18:17.000000000 +0200
308	+++ openvpn-2.2.0/easy-rsa/2.0/vars 2011-04-27 22:58:41.789791888 +0200
309	@@ -12,21 +12,12 @@
310	# This variable should point to
311	# the top level of the easy-rsa
312	# tree.
313	-export EASY_RSA="`pwd`"
314	-
315	-#
316	-# This variable should point to
317	-# the requested executables
318	-#
319	-export OPENSSL="openssl"
320	-export PKCS11TOOL="pkcs11-tool"
321	-export GREP="grep"
322	-
323	+export EASY_RSA="/etc/easy-rsa"
324
325	# This variable should point to
326	# the openssl.cnf file included
327	# with easy-rsa.
328	-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
329	+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
330
331	# Edit this variable to point to
332	# your soon-to-be-created key
333	@@ -38,9 +29,6 @@
334	# it correctly!
335	export KEY_DIR="$EASY_RSA/keys"
336
337	-# Issue rm -rf warning
338	-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
339	-
340	# PKCS11 fixes
341	export PKCS11_MODULE_PATH="dummy"
342	export PKCS11_PIN="dummy"