[packages/openvpn.git] / easy-rsa2.patch

--- openvpn-2.1_rc4/easy-rsa/2.0/build-ca	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-ca	2007-09-18 14:08:03.688714502 +0300
@@ -1,8 +1,8 @@
-#!/bin/bash
+#!/bin/sh
 
 #
 # Build a root certificate
 #
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --initca $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-dh	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-dh	2007-09-18 14:08:03.688714502 +0300
@@ -1,10 +1,13 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build Diffie-Hellman parameters for the server side
 # of an SSL/TLS connection.
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
 
 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
-    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/build-inter	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-inter	2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make an intermediate CA certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --inter $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key	2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pass	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pass	2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Similar to build-key, but protect the private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pass $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pkcs12	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pkcs12	2007-09-18 14:08:03.698714729 +0300
@@ -1,8 +1,8 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate and convert it to a PKCS #12 file including the
 # the CA certificate as well.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pkcs12 $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-server	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-server	2007-09-18 14:08:03.698714729 +0300
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate.
@@ -6,5 +6,5 @@
 # Explicitly set nsCertType to server using the "server"
 # extension in the openssl.cnf file.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --server $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-req	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req	2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build a certificate signing request and private key.  Use this
 # when your root certificate and key is not available locally.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-req-pass	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req-pass	2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Like build-req, but protect your private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr --pass $*
--- openvpn-2.1_rc4/easy-rsa/2.0/clean-all	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/clean-all	2007-09-18 14:08:03.698714729 +0300
@@ -1,9 +1,13 @@
-#!/bin/bash
+#!/bin/sh
 
 # Initialize the $KEY_DIR directory.
 # Note that this script does a
 # rm -rf on $KEY_DIR so be careful!
 
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
+
 if [ "$KEY_DIR" ]; then
     rm -rf "$KEY_DIR"
     mkdir "$KEY_DIR" && \
--- openvpn-2.1_rc4/easy-rsa/2.0/inherit-inter	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/inherit-inter	2007-09-18 14:08:03.698714729 +0300
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build a new PKI which is rooted on an intermediate certificate generated
 # by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
@@ -9,6 +9,10 @@
 # To build an intermediate CA, follow the same steps for a regular PKI but
 # replace ./build-key or ./pkitool --initca with this script.
 
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
+
 # The EXPORT_CA file will contain the CA certificate chain and should be
 # referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
 # will only contain the local intermediate CA -- it's needed by the easy-rsa
--- openvpn-2.1_rc4/easy-rsa/2.0/list-crl	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/list-crl	2007-09-18 14:08:03.698714729 +0300
@@ -1,12 +1,15 @@
-#!/bin/bash
+#!/bin/sh
 
 # list revoked certificates
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
 
 CRL="${1:-crl.pem}"
 
 if [ "$KEY_DIR" ]; then
     cd "$KEY_DIR" && \
-	$OPENSSL crl -text -noout -in "$CRL"
+	openssl crl -text -noout -in "$CRL"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/pkitool	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/pkitool	2007-09-18 14:08:59.219977182 +0300
@@ -39,6 +39,10 @@
     exit 1
 }
 
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
+
 need_vars()
 {
     echo '  Please edit the vars script to reflect your configuration,'
@@ -164,16 +168,16 @@
 		     if [ -z "$PKCS11_LABEL" ]; then
 		       die "Please specify library name, slot and label"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
 		     	--label "$PKCS11_LABEL" &&
-			$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+			pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
 		     exit $?;;
 	--pkcs11-slots)
 	             PKCS11_MODULE_PATH="$2"
 		     if [ -z "$PKCS11_MODULE_PATH" ]; then
 		       die "Please specify library name"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
 		     exit 0;;
 	--pkcs11-objects)
 	             PKCS11_MODULE_PATH="$2"
@@ -181,7 +185,7 @@
 		     if [ -z "$PKCS11_SLOT" ]; then
 		       die "Please specify library name and slot"
 		     fi
-		     $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+		     pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
 		     exit 0;;
 
 	# errors
@@ -192,7 +196,7 @@
 done
 
 if ! [ -z "$BATCH" ]; then
-	if $OPENSSL version | grep 0.9.6 > /dev/null; then
+	if openssl version | grep 0.9.6 > /dev/null; then
 		die "Batch mode is unsupported in openssl<0.9.7"
 	fi
 fi
@@ -285,7 +289,7 @@
 
     # Make sure $KEY_CONFIG points to the correct version
     # of openssl.cnf
-    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+    if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
 	:
     else
 	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
@@ -296,7 +300,7 @@
 
     # Build root CA
     if [ $DO_ROOT -eq 1 ]; then
-	$OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+	openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
 	    -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
 	    chmod 0600 "$CA.key"
     else        
@@ -319,7 +323,7 @@
 		export PKCS11_PIN
 
 		echo "Generating key pair on PKCS#11 token..."
-		$PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+		pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
 			--login --pin "$PKCS11_PIN" \
 			--key-type rsa:1024 \
 			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
@@ -327,19 +331,19 @@
 	fi
 
         # Build cert/key
-	( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+	( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
 	        -keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
-	    ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
+	    ( [ $DO_CA -eq 0 ]  || openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
 	        -in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
-	    ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$FN.key" \
+	    ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$FN.key" \
 	        -in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
 	    ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$FN.key" ) && \
 	    ( [ $DO_P12 -eq 0 ] || chmod 0600 "$FN.p12" )
 
 	# Load certificate into PKCS#11 token
 	if [ $DO_P11 -eq 1 ]; then
-		$OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
-		  $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
+		openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
+		  pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
 			--login --pin "$PKCS11_PIN" \
 			--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
 		[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
--- openvpn-2.1_rc4/easy-rsa/2.0/revoke-full	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/revoke-full	2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,10 @@
-#!/bin/bash
+#!/bin/sh
 
 # revoke a certificate, regenerate CRL,
 # and verify revocation
+if [ -z "$EASY_RSA" ]; then
+	. /etc/easy-rsa/vars
+fi
 
 CRL="crl.pem"
 RT="revoke-test.pem"
@@ -20,11 +23,11 @@
     export KEY_OU=""
 
     # revoke key and generate a new CRL
-    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+    openssl ca -revoke "$1" -config "$KEY_CONFIG"
 
     # generate a new CRL -- try to be compatible with
     # intermediate PKIs
-    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+    openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
     if [ -e export-ca.crt ]; then
 	cat export-ca.crt "$CRL" >"$RT"
     else
@@ -32,7 +35,7 @@
     fi
     
     # verify the revocation
-    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+    openssl verify -CAfile "$RT" -crl_check "$1"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/sign-req	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/sign-req	2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Sign a certificate signing request (a .csr file)
 # with a local root certificate and key.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --sign $*
--- openvpn-2.1_rc4/easy-rsa/2.0/vars	2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/vars	2007-09-18 14:08:03.698714729 +0300
@@ -12,21 +12,12 @@
 # This variable should point to
 # the top level of the easy-rsa
 # tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
+export EASY_RSA="/etc/easy-rsa"
 
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
 
 # Edit this variable to point to
 # your soon-to-be-created key
@@ -38,9 +29,6 @@
 # it correctly!
 export KEY_DIR="$EASY_RSA/keys"
 
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
 # PKCS11 fixes
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"
Commit	Line	Data
0c809860	1	--- openvpn-2.1_rc4/easy-rsa/2.0/build-ca 2007-04-26 00:38:44.000000000 +0300
198d1d7f	2	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-ca 2007-09-18 14:08:03.688714502 +0300
b488f9d4 ER	3	@@ -1,8 +1,8 @@
	4	-#!/bin/bash
	5	+#!/bin/sh
	6
	7	#
c7b7600d ER	8	# Build a root certificate
	9	#
	10
	11	-export EASY_RSA="${EASY_RSA:-.}"
	12	-"$EASY_RSA/pkitool" --interact --initca $*
	13	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	14	+/usr/sbin/pkitool --interact --initca $*
0c809860	15	--- openvpn-2.1_rc4/easy-rsa/2.0/build-dh 2007-04-26 00:38:44.000000000 +0300
198d1d7f	16	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-dh 2007-09-18 14:08:03.688714502 +0300
58e28305	17	@@ -1,10 +1,13 @@
b488f9d4 ER	18	-#!/bin/bash
b488f9d4 ER	19	+#!/bin/sh
c7b7600d ER	20
	21	# Build Diffie-Hellman parameters for the server side
	22	# of an SSL/TLS connection.
	23	+if [ -z "$EASY_RSA" ]; then
	24	+ . /etc/easy-rsa/vars
	25	+fi
	26
	27	if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
58e28305 ER	28	- $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
	29	+ openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
	30	else
	31	echo 'Please source the vars script first (i.e. "source ./vars")'
	32	echo 'Make sure you have edited it to reflect your configuration.'
0c809860	33	--- openvpn-2.1_rc4/easy-rsa/2.0/build-inter 2007-04-26 00:38:44.000000000 +0300
198d1d7f	34	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-inter 2007-09-18 14:08:03.688714502 +0300
b488f9d4 ER	35	@@ -1,7 +1,7 @@
	36	-#!/bin/bash
	37	+#!/bin/sh
	38
c7b7600d ER	39	# Make an intermediate CA certificate/private key pair using a locally generated
	40	# root certificate.
	41
	42	-export EASY_RSA="${EASY_RSA:-.}"
	43	-"$EASY_RSA/pkitool" --interact --inter $*
	44	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	45	+/usr/sbin/pkitool --interact --inter $*
0c809860	46	--- openvpn-2.1_rc4/easy-rsa/2.0/build-key 2007-04-26 00:38:44.000000000 +0300
198d1d7f	47	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key 2007-09-18 14:08:03.688714502 +0300
b488f9d4 ER	48	@@ -1,7 +1,7 @@
	49	-#!/bin/bash
	50	+#!/bin/sh
	51
c7b7600d ER	52	# Make a certificate/private key pair using a locally generated
	53	# root certificate.
	54
	55	-export EASY_RSA="${EASY_RSA:-.}"
	56	-"$EASY_RSA/pkitool" --interact $*
	57	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	58	+/usr/sbin/pkitool --interact $*
0c809860	59	--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pass 2007-04-26 00:38:44.000000000 +0300
198d1d7f	60	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pass 2007-09-18 14:08:03.688714502 +0300
b488f9d4 ER	61	@@ -1,7 +1,7 @@
	62	-#!/bin/bash
	63	+#!/bin/sh
	64
c7b7600d ER	65	# Similar to build-key, but protect the private key
	66	# with a password.
	67
	68	-export EASY_RSA="${EASY_RSA:-.}"
	69	-"$EASY_RSA/pkitool" --interact --pass $*
	70	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	71	+/usr/sbin/pkitool --interact --pass $*
0c809860	72	--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pkcs12 2007-04-26 00:38:44.000000000 +0300
198d1d7f	73	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pkcs12 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	74	@@ -1,8 +1,8 @@
	75	-#!/bin/bash
	76	+#!/bin/sh
	77
	78	# Make a certificate/private key pair using a locally generated
c7b7600d ER	79	# root certificate and convert it to a PKCS #12 file including the
	80	# the CA certificate as well.
	81
	82	-export EASY_RSA="${EASY_RSA:-.}"
	83	-"$EASY_RSA/pkitool" --interact --pkcs12 $*
	84	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	85	+/usr/sbin/pkitool --interact --pkcs12 $*
0c809860	86	--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-server 2007-04-26 00:38:44.000000000 +0300
198d1d7f	87	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-server 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	88	@@ -1,4 +1,4 @@
	89	-#!/bin/bash
	90	+#!/bin/sh
c7b7600d	91
b488f9d4 ER	92	# Make a certificate/private key pair using a locally generated
b488f9d4 ER	93	# root certificate.
0c809860 ER	94	@@ -6,5 +6,5 @@
	95	# Explicitly set nsCertType to server using the "server"
	96	# extension in the openssl.cnf file.
	97
c7b7600d ER	98	-export EASY_RSA="${EASY_RSA:-.}"
	99	-"$EASY_RSA/pkitool" --interact --server $*
	100	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	101	+/usr/sbin/pkitool --interact --server $*
0c809860	102	--- openvpn-2.1_rc4/easy-rsa/2.0/build-req 2007-04-26 00:38:44.000000000 +0300
198d1d7f	103	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	104	@@ -1,7 +1,7 @@
	105	-#!/bin/bash
	106	+#!/bin/sh
	107
c7b7600d ER	108	# Build a certificate signing request and private key. Use this
	109	# when your root certificate and key is not available locally.
	110
	111	-export EASY_RSA="${EASY_RSA:-.}"
	112	-"$EASY_RSA/pkitool" --interact --csr $*
	113	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	114	+/usr/sbin/pkitool --interact --csr $*
0c809860	115	--- openvpn-2.1_rc4/easy-rsa/2.0/build-req-pass 2007-04-26 00:38:44.000000000 +0300
198d1d7f	116	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req-pass 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	117	@@ -1,7 +1,7 @@
	118	-#!/bin/bash
	119	+#!/bin/sh
	120
c7b7600d ER	121	# Like build-req, but protect your private key
	122	# with a password.
	123
	124	-export EASY_RSA="${EASY_RSA:-.}"
	125	-"$EASY_RSA/pkitool" --interact --csr --pass $*
	126	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	127	+/usr/sbin/pkitool --interact --csr --pass $*
0c809860	128	--- openvpn-2.1_rc4/easy-rsa/2.0/clean-all 2007-04-26 00:38:44.000000000 +0300
198d1d7f	129	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/clean-all 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	130	@@ -1,9 +1,13 @@
	131	-#!/bin/bash
	132	+#!/bin/sh
	133
	134	# Initialize the $KEY_DIR directory.
c7b7600d ER	135	# Note that this script does a
	136	# rm -rf on $KEY_DIR so be careful!
	137
	138	+if [ -z "$EASY_RSA" ]; then
	139	+ . /etc/easy-rsa/vars
	140	+fi
	141	+
	142	if [ "$KEY_DIR" ]; then
	143	rm -rf "$KEY_DIR"
	144	mkdir "$KEY_DIR" && \
0c809860	145	--- openvpn-2.1_rc4/easy-rsa/2.0/inherit-inter 2007-04-26 00:38:44.000000000 +0300
198d1d7f	146	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/inherit-inter 2007-09-18 14:08:03.698714729 +0300
b488f9d4 ER	147	@@ -1,4 +1,4 @@
	148	-#!/bin/bash
	149	+#!/bin/sh
	150
	151	# Build a new PKI which is rooted on an intermediate certificate generated
	152	# by ./build-inter or ./pkitool --inter from a parent PKI. The new PKI should
c7b7600d ER	153	@@ -9,6 +9,10 @@
	154	# To build an intermediate CA, follow the same steps for a regular PKI but
	155	# replace ./build-key or ./pkitool --initca with this script.
	156
	157	+if [ -z "$EASY_RSA" ]; then
	158	+ . /etc/easy-rsa/vars
	159	+fi
	160	+
	161	# The EXPORT_CA file will contain the CA certificate chain and should be
	162	# referenced by the OpenVPN "ca" directive in config files. The ca.crt file
	163	# will only contain the local intermediate CA -- it's needed by the easy-rsa
0c809860	164	--- openvpn-2.1_rc4/easy-rsa/2.0/list-crl 2007-04-26 00:38:44.000000000 +0300
198d1d7f	165	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/list-crl 2007-09-18 14:08:03.698714729 +0300
58e28305	166	@@ -1,12 +1,15 @@
b488f9d4 ER	167	-#!/bin/bash
b488f9d4 ER	168	+#!/bin/sh
c7b7600d ER	169
	170	# list revoked certificates
	171	+if [ -z "$EASY_RSA" ]; then
	172	+ . /etc/easy-rsa/vars
	173	+fi
	174
	175	CRL="${1:-crl.pem}"
	176
58e28305 ER	177	if [ "$KEY_DIR" ]; then
	178	cd "$KEY_DIR" && \
	179	- $OPENSSL crl -text -noout -in "$CRL"
	180	+ openssl crl -text -noout -in "$CRL"
	181	else
	182	echo 'Please source the vars script first (i.e. "source ./vars")'
	183	echo 'Make sure you have edited it to reflect your configuration.'
0c809860	184	--- openvpn-2.1_rc4/easy-rsa/2.0/pkitool 2007-04-26 00:38:44.000000000 +0300
198d1d7f	185	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/pkitool 2007-09-18 14:08:59.219977182 +0300
0c809860 ER	186	@@ -39,6 +39,10 @@
	187	exit 1
	188	}
c7b7600d ER	189
	190	+if [ -z "$EASY_RSA" ]; then
	191	+ . /etc/easy-rsa/vars
	192	+fi
	193	+
	194	need_vars()
	195	{
	196	echo ' Please edit the vars script to reflect your configuration,'
198d1d7f ER	197	@@ -164,16 +168,16 @@
	198	if [ -z "$PKCS11_LABEL" ]; then
	199	die "Please specify library name, slot and label"
	200	fi
	201	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
	202	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
	203	--label "$PKCS11_LABEL" &&
	204	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
	205	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
	206	exit $?;;
	207	--pkcs11-slots)
	208	PKCS11_MODULE_PATH="$2"
	209	if [ -z "$PKCS11_MODULE_PATH" ]; then
	210	die "Please specify library name"
	211	fi
	212	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
	213	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
	214	exit 0;;
	215	--pkcs11-objects)
	216	PKCS11_MODULE_PATH="$2"
	217	@@ -181,7 +185,7 @@
	218	if [ -z "$PKCS11_SLOT" ]; then
	219	die "Please specify library name and slot"
	220	fi
	221	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
	222	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
	223	exit 0;;
	224
	225	# errors
58e28305 ER	226	@@ -192,7 +196,7 @@
	227	done
	228
	229	if ! [ -z "$BATCH" ]; then
	230	- if $OPENSSL version \| grep 0.9.6 > /dev/null; then
	231	+ if openssl version \| grep 0.9.6 > /dev/null; then
	232	die "Batch mode is unsupported in openssl<0.9.7"
	233	fi
	234	fi
	235	@@ -285,7 +289,7 @@
	236
	237	# Make sure $KEY_CONFIG points to the correct version
	238	# of openssl.cnf
	239	- if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	240	+ if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
	241	:
	242	else
	243	echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
	244	@@ -296,7 +300,7 @@
	245
	246	# Build root CA
	247	if [ $DO_ROOT -eq 1 ]; then
	248	- $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
	249	+ openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
	250	-x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
	251	chmod 0600 "$CA.key"
	252	else
198d1d7f ER	253	@@ -319,7 +323,7 @@
	254	export PKCS11_PIN
	255
	256	echo "Generating key pair on PKCS#11 token..."
	257	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
	258	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
	259	--login --pin "$PKCS11_PIN" \
	260	--key-type rsa:1024 \
	261	--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" \|\| exit 1
	262	@@ -327,19 +331,19 @@
58e28305 ER	263	fi
	264
	265	# Build cert/key
	266	- ( [ $DO_REQ -eq 0 ] \|\| $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
	267	+ ( [ $DO_REQ -eq 0 ] \|\| openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
86204cf2 AM	268	-keyout "$FN.key" -out "$FN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
	269	- ( [ $DO_CA -eq 0 ] \|\| $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
	270	+ ( [ $DO_CA -eq 0 ] \|\| openssl ca $BATCH -days $KEY_EXPIRE -out "$FN.crt" \
	271	-in "$FN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
	272	- ( [ $DO_P12 -eq 0 ] \|\| $OPENSSL pkcs12 -export -inkey "$FN.key" \
	273	+ ( [ $DO_P12 -eq 0 ] \|\| openssl pkcs12 -export -inkey "$FN.key" \
	274	-in "$FN.crt" -certfile "$CA.crt" -out "$FN.p12" $NODES_P12 ) && \
	275	( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ] \|\| chmod 0600 "$FN.key" ) && \
	276	( [ $DO_P12 -eq 0 ] \|\| chmod 0600 "$FN.p12" )
58e28305 ER	277
	278	# Load certificate into PKCS#11 token
	279	if [ $DO_P11 -eq 1 ]; then
86204cf2 AM	280	- $OPENSSL x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
	281	- $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
	282	+ openssl x509 -in "$FN.crt" -inform PEM -out "$FN.crt.der" -outform DER && \
	283	+ pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$FN.crt.der" --type cert \
58e28305 ER	284	--login --pin "$PKCS11_PIN" \
58e28305 ER	285	--slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL"
86204cf2	286	[ -e "$FN.crt.der" ]; rm "$FN.crt.der"
0c809860	287	--- openvpn-2.1_rc4/easy-rsa/2.0/revoke-full 2007-04-26 00:38:44.000000000 +0300
198d1d7f	288	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/revoke-full 2007-09-18 14:08:03.698714729 +0300
0c809860	289	@@ -1,7 +1,10 @@
b488f9d4 ER	290	-#!/bin/bash
	291	+#!/bin/sh
	292
efaea372 ER	293	# revoke a certificate, regenerate CRL,
	294	# and verify revocation
	295	+if [ -z "$EASY_RSA" ]; then
	296	+ . /etc/easy-rsa/vars
	297	+fi
	298
	299	CRL="crl.pem"
	300	RT="revoke-test.pem"
58e28305	301	@@ -20,11 +23,11 @@
efaea372 ER	302	export KEY_OU=""
	303
	304	# revoke key and generate a new CRL
4add1621	305	- $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
58e28305	306	+ openssl ca -revoke "$1" -config "$KEY_CONFIG"
efaea372 ER	307
	308	# generate a new CRL -- try to be compatible with
	309	# intermediate PKIs
58e28305 ER	310	- $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
	311	+ openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
	312	if [ -e export-ca.crt ]; then
	313	cat export-ca.crt "$CRL" >"$RT"
	314	else
0c809860	315	@@ -32,7 +35,7 @@
efaea372 ER	316	fi
	317
	318	# verify the revocation
4add1621	319	- $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
58e28305	320	+ openssl verify -CAfile "$RT" -crl_check "$1"
efaea372 ER	321	else
	322	echo 'Please source the vars script first (i.e. "source ./vars")'
	323	echo 'Make sure you have edited it to reflect your configuration.'
0c809860	324	--- openvpn-2.1_rc4/easy-rsa/2.0/sign-req 2007-04-26 00:38:44.000000000 +0300
198d1d7f	325	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/sign-req 2007-09-18 14:08:03.698714729 +0300
0c809860 ER	326	@@ -1,7 +1,7 @@
	327	-#!/bin/bash
	328	+#!/bin/sh
	329
	330	# Sign a certificate signing request (a .csr file)
	331	# with a local root certificate and key.
	332
	333	-export EASY_RSA="${EASY_RSA:-.}"
	334	-"$EASY_RSA/pkitool" --interact --sign $*
	335	+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
	336	+/usr/sbin/pkitool --interact --sign $*
	337	--- openvpn-2.1_rc4/easy-rsa/2.0/vars 2007-04-26 00:38:44.000000000 +0300
198d1d7f	338	+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/vars 2007-09-18 14:08:03.698714729 +0300
58e28305	339	@@ -12,21 +12,12 @@
0c809860 ER	340	# This variable should point to
	341	# the top level of the easy-rsa
	342	# tree.
	343	-export EASY_RSA="`pwd`"
58e28305 ER	344	-
	345	-#
	346	-# This variable should point to
	347	-# the requested executables
	348	-#
	349	-export OPENSSL="openssl"
	350	-export PKCS11TOOL="pkcs11-tool"
	351	-export GREP="grep"
	352	-
0c809860 ER	353	+export EASY_RSA="/etc/easy-rsa"
0c809860 ER	354
294ec36a ER	355	# This variable should point to
	356	# the openssl.cnf file included
	357	# with easy-rsa.
	358	-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
	359	+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
	360
	361	# Edit this variable to point to
	362	# your soon-to-be-created key
58e28305	363	@@ -38,9 +29,6 @@
0c809860 ER	364	# it correctly!
	365	export KEY_DIR="$EASY_RSA/keys"
	366
	367	-# Issue rm -rf warning
	368	-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
	369	-
a36b95f8 AG	370	# PKCS11 fixes
	371	export PKCS11_MODULE_PATH="dummy"
	372	export PKCS11_PIN="dummy"