From 7b891ac12ed24aca1bf8ce7e1ad72c05c9df7518 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Wed, 9 Jan 2013 11:55:38 +0100
Subject: [PATCH 1/1] - easy-rsa as separate package

---
 easy-rsa.spec | 63 +++++++++
 easy-rsa2.patch | 342 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 405 insertions(+)
 create mode 100644 easy-rsa.spec
 create mode 100644 easy-rsa2.patch

diff --git a/easy-rsa.spec b/easy-rsa.spec
new file mode 100644
index 0000000..3295d0c
--- /dev/null
+++ b/easy-rsa.spec
@@ -0,0 +1,63 @@
+Summary: Small RSA key management package
+Summary(pl.UTF-8): Mały pakiet do zarządzania kluczami RSA
+Name: easy-rsa
+Version: 2.2.0
+Release: 1
+License: GPL
+Group: Applications
+Source0: http://build.openvpn.net/downloads/releases/%{name}-%{version}_master.tar.gz
+# Source0-md5: fbf818b6e1f212e77b9ce0e6d92584a1
+Patch0: %{name}2.patch
+URL: http://openvpn.net/easyrsa.html
+Requires: grep
+Requires: openssl-tools
+BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%description
+This is a small RSA key management package, based on the openssl
+command line tool, that can be found in the easy-rsa subdirectory of
+the OpenVPN distribution. While this tool is primary concerned with
+key management for the SSL VPN application space, it can also be used
+for building web certificates.
+
+%description -l pl.UTF-8
+To jest mały pakiet do zarządzania kluczami RSA, oparty na narzędziu
+linii poleceń openssl. Pakiet ten pochodzi z podkatalogu easy-rsa
+dystrybucji OpenVPN.
+
+%prep
+%setup -q -n %{name}-%{version}_master
+%patch0 -p1
+
+%build
+%configure
+
+%{__make}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT{%{_sbindir},%{_sysconfdir}/easy-rsa/keys}
+
+%{__make} install \
+ DESTDIR="$RPM_BUILD_ROOT"
+
+mv $RPM_BUILD_ROOT%{_datadir}/easy-rsa/openssl-1.0.0.cnf $RPM_BUILD_ROOT%{_sysconfdir}/easy-rsa/openssl.cnf
+rm $RPM_BUILD_ROOT%{_datadir}/easy-rsa/openssl-*.cnf
+mv $RPM_BUILD_ROOT%{_datadir}/easy-rsa/vars $RPM_BUILD_ROOT%{_sysconfdir}/easy-rsa/
+mv $RPM_BUILD_ROOT%{_datadir}/easy-rsa/pkitool $RPM_BUILD_ROOT%{_sbindir}
+
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc doc/README-2.0
+%dir %{_sysconfdir}/easy-rsa
+%attr(700,root,root) %dir %{_sysconfdir}/easy-rsa/keys
+%config(noreplace) %attr(640,root,root) %verify(not md5 mtime size) %{_sysconfdir}/easy-rsa/vars
+%config(noreplace) %attr(640,root,root) %verify(not md5 mtime size) %{_sysconfdir}/easy-rsa/openssl.cnf
+%attr(755,root,root) %{_sbindir}/pkitool
+%dir %{_datadir}/easy-rsa
+%attr(755,root,root) %{_datadir}/easy-rsa/*
diff --git a/easy-rsa2.patch b/easy-rsa2.patch
new file mode 100644
index 0000000..3d63b38
--- /dev/null
+++ b/easy-rsa2.patch
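Review bot: The dependency list (`Requires: grep`, `Requires: openssl-tools`) does not cover `pkcs11-tool`, which the bundled easy-rsa2.patch now hard-codes into `pkitool` in place of `$PKCS11TOOL`, so the `--pkcs11-slots`/`--pkcs11-objects` modes and token key generation fail with a bare command-not-found on a minimal install. `pkcs11-tool` ships with OpenSC; add `Suggests: opensc` next to the existing Requires (or a hard `Requires: opensc` if the PKCS#11 modes are meant to work out of the box). Separately, `%verify(not md5 mtime size)` on `openssl.cnf` means `rpm -V` will never report a modified CA policy/extension config; that is a reasonable choice for a site-edited file, but for a PKI package it deserves an explicit spec comment such as `# vars/openssl.cnf are site-edited; rpm -V integrity checks are intentionally disabled` above the two `%config` lines.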
@@ -0,0 +1,342 @@ +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-ca openvpn-2.2.0/easy-rsa/2.0/build-ca +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-ca 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-ca 2011-04-27 22:34:59.357652908 +0200 +@@ -4,5 +4,5 @@ + # Build a root certificate + # + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --initca $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --initca $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-dh openvpn-2.2.0/easy-rsa/2.0/build-dh +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-dh 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-dh 2011-04-27 22:36:11.867656490 +0200 +@@ -3,8 +3,12 @@ + # Build Diffie-Hellman parameters for the server side + # of an SSL/TLS connection. + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then +- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} ++ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE} + else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-inter openvpn-2.2.0/easy-rsa/2.0/build-inter +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-inter 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-inter 2011-04-27 22:37:59.789289422 +0200 +@@ -3,5 +3,5 @@ + # Make an intermediate CA certificate/private key pair using a locally generated + # root certificate. 
+ +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --inter $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --inter $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key openvpn-2.2.0/easy-rsa/2.0/build-key +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-key 2011-04-27 22:38:35.330924876 +0200 +@@ -3,5 +3,5 @@ + # Make a certificate/private key pair using a locally generated + # root certificate. + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass openvpn-2.2.0/easy-rsa/2.0/build-key-pass +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pass 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-key-pass 2011-04-27 22:39:23.919827311 +0200 +@@ -3,5 +3,5 @@ + # Similar to build-key, but protect the private key + # with a password. + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --pass $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --pass $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12 +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-pkcs12 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-key-pkcs12 2011-04-27 22:40:10.288627524 +0200 +@@ -4,5 +4,5 @@ + # root certificate and convert it to a PKCS #12 file including the + # the CA certificate as well. 
+ +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --pkcs12 $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --pkcs12 $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server openvpn-2.2.0/easy-rsa/2.0/build-key-server +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-key-server 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-key-server 2011-04-27 22:41:24.715385295 +0200 +@@ -6,5 +6,5 @@ + # Explicitly set nsCertType to server using the "server" + # extension in the openssl.cnf file. + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --server $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --server $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req openvpn-2.2.0/easy-rsa/2.0/build-req +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-req 2011-04-27 22:41:59.636992013 +0200 +@@ -3,5 +3,5 @@ + # Build a certificate signing request and private key. Use this + # when your root certificate and key is not available locally. + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --csr $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --csr $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass openvpn-2.2.0/easy-rsa/2.0/build-req-pass +--- openvpn-2.2.0-orig/easy-rsa/2.0/build-req-pass 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/build-req-pass 2011-04-27 22:43:36.938135257 +0200 +@@ -3,5 +3,5 @@ + # Like build-req, but protect your private key + # with a password. 
+ +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --csr --pass $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --csr --pass $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/clean-all openvpn-2.2.0/easy-rsa/2.0/clean-all +--- openvpn-2.2.0-orig/easy-rsa/2.0/clean-all 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/clean-all 2011-04-27 22:44:36.544210785 +0200 +@@ -4,6 +4,10 @@ + # Note that this script does a + # rm -rf on $KEY_DIR so be careful! + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + if [ "$KEY_DIR" ]; then + rm -rf "$KEY_DIR" + mkdir "$KEY_DIR" && \ +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter openvpn-2.2.0/easy-rsa/2.0/inherit-inter +--- openvpn-2.2.0-orig/easy-rsa/2.0/inherit-inter 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/inherit-inter 2011-04-27 22:45:20.809580498 +0200 +@@ -9,6 +9,10 @@ + # To build an intermediate CA, follow the same steps for a regular PKI but + # replace ./build-key or ./pkitool --initca with this script. + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + # The EXPORT_CA file will contain the CA certificate chain and should be + # referenced by the OpenVPN "ca" directive in config files. The ca.crt file + # will only contain the local intermediate CA -- it's needed by the easy-rsa +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/list-crl openvpn-2.2.0/easy-rsa/2.0/list-crl +--- openvpn-2.2.0-orig/easy-rsa/2.0/list-crl 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/list-crl 2011-04-27 22:46:23.149114937 +0200 +@@ -2,11 +2,15 @@ + + # list revoked certificates + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + CRL="${1:-crl.pem}" + + if [ "$KEY_DIR" ]; then + cd "$KEY_DIR" && \ +- $OPENSSL crl -text -noout -in "$CRL" ++ openssl crl -text -noout -in "$CRL" + else + echo 'Please source the vars script first (i.e. 
"source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/pkitool openvpn-2.2.0/easy-rsa/2.0/pkitool +--- openvpn-2.2.0-orig/easy-rsa/2.0/pkitool 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/pkitool 2011-04-27 22:53:35.735697923 +0200 +@@ -42,6 +42,10 @@ + exit 1 + } + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + need_vars() + { + echo ' Please edit the vars script to reflect your configuration,' +@@ -172,16 +176,16 @@ + if [ -z "$PKCS11_LABEL" ]; then + die "Please specify library name, slot and label" + fi +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \ + --label "$PKCS11_LABEL" && +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT" + exit $?;; + --pkcs11-slots) + PKCS11_MODULE_PATH="$2" + if [ -z "$PKCS11_MODULE_PATH" ]; then + die "Please specify library name" + fi +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots + exit 0;; + --pkcs11-objects) + PKCS11_MODULE_PATH="$2" +@@ -189,7 +193,7 @@ + if [ -z "$PKCS11_SLOT" ]; then + die "Please specify library name and slot" + fi +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT" + exit 0;; + + --help|--usage) +@@ -206,7 +210,7 @@ + done + + if ! 
[ -z "$BATCH" ]; then +- if $OPENSSL version | grep 0.9.6 > /dev/null; then ++ if openssl version | grep 0.9.6 > /dev/null; then + die "Batch mode is unsupported in openssl<0.9.7" + fi + fi +@@ -311,7 +315,7 @@ + + # Make sure $KEY_CONFIG points to the correct version + # of openssl.cnf +- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then ++ if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then + : + else + echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong" +@@ -322,7 +326,7 @@ + + # Build root CA + if [ $DO_ROOT -eq 1 ]; then +- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \ ++ openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \ + -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \ + chmod 0600 "$CA.key" + else +@@ -345,7 +349,7 @@ + export PKCS11_PIN + + echo "Generating key pair on PKCS#11 token..." +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \ ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \ + --login --pin "$PKCS11_PIN" \ + --key-type rsa:1024 \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1 +@@ -353,19 +357,19 @@ + fi + + # Build cert/key +- ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ ++ ( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \ + -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \ +- ( [ $DO_CA -eq 0 ] || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ ++ ( [ $DO_CA -eq 0 ] || openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \ + -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \ +- ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \ ++ ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$FN.key" \ + -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \ + ( [ $DO_CA -eq 
0 -o $DO_P11 -eq 1 ] || chmod 0600 "$FN.key" ) && \ + ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" ) + + # Load certificate into PKCS#11 token + if [ $DO_P11 -eq 1 ]; then +- $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ +- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ ++ openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \ ++ pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \ + --login --pin "$PKCS11_PIN" \ + --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" + [ -e "$FN.crt.der" ]; rm "$FN.crt.der" +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full openvpn-2.2.0/easy-rsa/2.0/revoke-full +--- openvpn-2.2.0-orig/easy-rsa/2.0/revoke-full 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/revoke-full 2011-04-27 22:56:07.449351374 +0200 +@@ -3,6 +3,10 @@ + # revoke a certificate, regenerate CRL, + # and verify revocation + ++if [ -z "$EASY_RSA" ]; then ++ . /etc/easy-rsa/vars ++fi ++ + CRL="crl.pem" + RT="revoke-test.pem" + +@@ -21,11 +25,11 @@ + export KEY_NAME="" + + # revoke key and generate a new CRL +- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG" ++ openssl ca -revoke "$1" -config "$KEY_CONFIG" + + # generate a new CRL -- try to be compatible with + # intermediate PKIs +- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG" ++ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG" + if [ -e export-ca.crt ]; then + cat export-ca.crt "$CRL" >"$RT" + else +@@ -33,7 +37,7 @@ + fi + + # verify the revocation +- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt" ++ openssl verify -CAfile "$RT" -crl_check "$1" + else + echo 'Please source the vars script first (i.e. "source ./vars")' + echo 'Make sure you have edited it to reflect your configuration.' 
+diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/sign-req openvpn-2.2.0/easy-rsa/2.0/sign-req +--- openvpn-2.2.0-orig/easy-rsa/2.0/sign-req 2011-04-06 18:05:52.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/sign-req 2011-04-27 22:56:46.124465700 +0200 +@@ -3,5 +3,5 @@ + # Sign a certificate signing request (a .csr file) + # with a local root certificate and key. + +-export EASY_RSA="${EASY_RSA:-.}" +-"$EASY_RSA/pkitool" --interact --sign $* ++export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}" ++/usr/sbin/pkitool --interact --sign $* +diff -ur openvpn-2.2.0-orig/easy-rsa/2.0/vars openvpn-2.2.0/easy-rsa/2.0/vars +--- openvpn-2.2.0-orig/easy-rsa/2.0/vars 2010-10-21 11:18:17.000000000 +0200 ++++ openvpn-2.2.0/easy-rsa/2.0/vars 2011-04-27 22:58:41.789791888 +0200 +@@ -12,21 +12,12 @@ + # This variable should point to + # the top level of the easy-rsa + # tree. +-export EASY_RSA="`pwd`" +- +-# +-# This variable should point to +-# the requested executables +-# +-export OPENSSL="openssl" +-export PKCS11TOOL="pkcs11-tool" +-export GREP="grep" +- ++export EASY_RSA="/etc/easy-rsa" + + # This variable should point to + # the openssl.cnf file included + # with easy-rsa. +-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA` ++export KEY_CONFIG="$EASY_RSA/openssl.cnf" + + # Edit this variable to point to + # your soon-to-be-created key +@@ -38,9 +29,6 @@ + # it correctly! + export KEY_DIR="$EASY_RSA/keys" + +-# Issue rm -rf warning +-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR +- + # PKCS11 fixes + export PKCS11_MODULE_PATH="dummy" + export PKCS11_PIN="dummy" -- 2.43.0
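Review bot: `clean-all` now sources `/etc/easy-rsa/vars` on its own whenever `EASY_RSA` is unset and then reaches the existing `rm -rf "$KEY_DIR"`, while the same patch deletes the `NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR` echo from `vars`, so a root invocation with an empty environment wipes `/etc/easy-rsa/keys` (and whatever CA key it holds) with no warning at all. I would put the safety net back inside clean-all itself, before the `rm -rf`, e.g. `printf 'About to rm -rf %s - continue? [y/N] ' "$KEY_DIR"; read -r ans; [ "$ans" = y ] || exit 1`, or at least re-emit the removed NOTE there. A related inconsistency: the wrappers (`build-ca`, `build-key`, `sign-req`, …) now export `EASY_RSA=/etc/easy-rsa` before calling `/usr/sbin/pkitool`, so pkitool's new `if [ -z "$EASY_RSA" ]; then . /etc/easy-rsa/vars; fi` never fires through them and `KEY_DIR`/`KEY_CONFIG`/`KEY_SIZE` stay unset unless the user sourced vars by hand; keying the guard on `[ -z "$KEY_CONFIG" ]` instead would make it behave the same whether pkitool is invoked directly or via a wrapper. `revoke-full` also quietly changes its argument from a bare name (`-revoke "$1.crt"`) to a full filename (`-revoke "$1"`, `-crl_check "$1"`), and since the script's usage text is outside this hunk it presumably still describes the old form — either revert that or update the usage and README to match.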