- add BR: pkcs11-helper-devel

[packages/openvpn.git] / easy-rsa2.patch

--- openvpn-2.1_rc4/easy-rsa/2.0/build-ca       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-ca  2007-09-18 14:08:03.688714502 +0300
@@ -1,8 +1,8 @@
-#!/bin/bash
+#!/bin/sh
 
 #
 # Build a root certificate
 #
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --initca $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --initca $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-dh       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-dh  2007-09-18 14:08:03.688714502 +0300
@@ -1,10 +1,13 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build Diffie-Hellman parameters for the server side
 # of an SSL/TLS connection.
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
 
 if [ -d $KEY_DIR ] && [ $KEY_SIZE ]; then
-    $OPENSSL dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
+    openssl dhparam -out ${KEY_DIR}/dh${KEY_SIZE}.pem ${KEY_SIZE}
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/build-inter    2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-inter       2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make an intermediate CA certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --inter $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --inter $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key      2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key 2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pass 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pass    2007-09-18 14:08:03.688714502 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Similar to build-key, but protect the private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pass $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-pkcs12       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-pkcs12  2007-09-18 14:08:03.698714729 +0300
@@ -1,8 +1,8 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate and convert it to a PKCS #12 file including the
 # the CA certificate as well.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --pkcs12 $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --pkcs12 $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-key-server       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-key-server  2007-09-18 14:08:03.698714729 +0300
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Make a certificate/private key pair using a locally generated
 # root certificate.
@@ -6,5 +6,5 @@
 # Explicitly set nsCertType to server using the "server"
 # extension in the openssl.cnf file.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --server $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --server $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-req      2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req 2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build a certificate signing request and private key.  Use this
 # when your root certificate and key is not available locally.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr $*
--- openvpn-2.1_rc4/easy-rsa/2.0/build-req-pass 2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/build-req-pass    2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Like build-req, but protect your private key
 # with a password.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --csr --pass $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --csr --pass $*
--- openvpn-2.1_rc4/easy-rsa/2.0/clean-all      2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/clean-all 2007-09-18 14:08:03.698714729 +0300
@@ -1,9 +1,13 @@
-#!/bin/bash
+#!/bin/sh
 
 # Initialize the $KEY_DIR directory.
 # Note that this script does a
 # rm -rf on $KEY_DIR so be careful!
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 if [ "$KEY_DIR" ]; then
     rm -rf "$KEY_DIR"
     mkdir "$KEY_DIR" && \
--- openvpn-2.1_rc4/easy-rsa/2.0/inherit-inter  2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/inherit-inter     2007-09-18 14:08:03.698714729 +0300
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Build a new PKI which is rooted on an intermediate certificate generated
 # by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
@@ -9,6 +9,10 @@
 # To build an intermediate CA, follow the same steps for a regular PKI but
 # replace ./build-key or ./pkitool --initca with this script.
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 # The EXPORT_CA file will contain the CA certificate chain and should be
 # referenced by the OpenVPN "ca" directive in config files.  The ca.crt file
 # will only contain the local intermediate CA -- it's needed by the easy-rsa
--- openvpn-2.1_rc4/easy-rsa/2.0/list-crl       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/list-crl  2007-09-18 14:08:03.698714729 +0300
@@ -1,12 +1,15 @@
-#!/bin/bash
+#!/bin/sh
 
 # list revoked certificates
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
 
 CRL="${1:-crl.pem}"
 
 if [ "$KEY_DIR" ]; then
     cd "$KEY_DIR" && \
-       $OPENSSL crl -text -noout -in "$CRL"
+       openssl crl -text -noout -in "$CRL"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/pkitool        2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/pkitool   2007-09-18 14:08:59.219977182 +0300
@@ -39,6 +39,10 @@
     exit 1
 }
 
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
+
 need_vars()
 {
     echo '  Please edit the vars script to reflect your configuration,'
@@ -164,16 +168,16 @@
                     if [ -z "$PKCS11_LABEL" ]; then
                       die "Please specify library name, slot and label"
                     fi
-                    $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
+                    pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-token --slot "$PKCS11_SLOT" \
                        --label "$PKCS11_LABEL" &&
-                       $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
+                       pkcs11-tool --module "$PKCS11_MODULE_PATH" --init-pin --slot "$PKCS11_SLOT"
                     exit $?;;
        --pkcs11-slots)
                     PKCS11_MODULE_PATH="$2"
                     if [ -z "$PKCS11_MODULE_PATH" ]; then
                       die "Please specify library name"
                     fi
-                    $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-slots
+                    pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-slots
                     exit 0;;
        --pkcs11-objects)
                     PKCS11_MODULE_PATH="$2"
@@ -181,7 +185,7 @@
                     if [ -z "$PKCS11_SLOT" ]; then
                       die "Please specify library name and slot"
                     fi
-                    $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
+                    pkcs11-tool --module "$PKCS11_MODULE_PATH" --list-objects --login --slot "$PKCS11_SLOT"
                     exit 0;;
 
        # errors
@@ -192,7 +196,7 @@
 done
 
 if ! [ -z "$BATCH" ]; then
-       if $OPENSSL version | grep 0.9.6 > /dev/null; then
+       if openssl version | grep 0.9.6 > /dev/null; then
                die "Batch mode is unsupported in openssl<0.9.7"
        fi
 fi
@@ -285,7 +289,7 @@
 
     # Make sure $KEY_CONFIG points to the correct version
     # of openssl.cnf
-    if $GREP -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
+    if grep -i 'easy-rsa version 2\.[0-9]' "$KEY_CONFIG" >/dev/null; then
        :
     else
        echo "$PROGNAME: KEY_CONFIG (set by the ./vars script) is pointing to the wrong"
@@ -296,7 +300,7 @@
 
     # Build root CA
     if [ $DO_ROOT -eq 1 ]; then
-       $OPENSSL req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
+       openssl req $BATCH -days $CA_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE -sha1 \
            -x509 -keyout "$CA.key" -out "$CA.crt" -config "$KEY_CONFIG" && \
            chmod 0600 "$CA.key"
     else        
@@ -319,7 +323,7 @@
                export PKCS11_PIN
 
                echo "Generating key pair on PKCS#11 token..."
-               $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --keypairgen \
+               pkcs11-tool --module "$PKCS11_MODULE_PATH" --keypairgen \
                        --login --pin "$PKCS11_PIN" \
                        --key-type rsa:1024 \
                        --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" || exit 1
@@ -327,19 +331,19 @@
        fi
 
         # Build cert/key
-       ( [ $DO_REQ -eq 0 ] || $OPENSSL req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
+       ( [ $DO_REQ -eq 0 ] || openssl req $BATCH -days $KEY_EXPIRE $NODES_REQ -new -newkey rsa:$KEY_SIZE \
                -keyout "$KEY_CN.key" -out "$KEY_CN.csr" $REQ_EXT -config "$KEY_CONFIG" $PKCS11_ARGS ) && \
-           ( [ $DO_CA -eq 0 ]  || $OPENSSL ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
+           ( [ $DO_CA -eq 0 ]  || openssl ca $BATCH -days $KEY_EXPIRE -out "$KEY_CN.crt" \
                -in "$KEY_CN.csr" $CA_EXT -md sha1 -config "$KEY_CONFIG" ) && \
-           ( [ $DO_P12 -eq 0 ] || $OPENSSL pkcs12 -export -inkey "$KEY_CN.key" \
+           ( [ $DO_P12 -eq 0 ] || openssl pkcs12 -export -inkey "$KEY_CN.key" \
                -in "$KEY_CN.crt" -certfile "$CA.crt" -out "$KEY_CN.p12" $NODES_P12 ) && \
            ( [ $DO_CA -eq 0 -o $DO_P11 -eq 1 ]  || chmod 0600 "$KEY_CN.key" ) && \
            ( [ $DO_P12 -eq 0 ] || chmod 0600 "$KEY_CN.p12" )
 
        # Load certificate into PKCS#11 token
        if [ $DO_P11 -eq 1 ]; then
-               $OPENSSL x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
-                 $PKCS11TOOL --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
+               openssl x509 -in "$KEY_CN.crt" -inform PEM -out "$KEY_CN.crt.der" -outform DER && \
+                 pkcs11-tool --module "$PKCS11_MODULE_PATH" --write-object "$KEY_CN.crt.der" --type cert \
                        --login --pin "$PKCS11_PIN" \
                        --slot "$PKCS11_SLOT" --id "$PKCS11_ID" --label "$PKCS11_LABEL" 
                [ -e "$KEY_CN.crt.der" ]; rm "$KEY_CN.crt.der"
--- openvpn-2.1_rc4/easy-rsa/2.0/revoke-full    2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/revoke-full       2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,10 @@
-#!/bin/bash
+#!/bin/sh
 
 # revoke a certificate, regenerate CRL,
 # and verify revocation
+if [ -z "$EASY_RSA" ]; then
+       . /etc/easy-rsa/vars
+fi
 
 CRL="crl.pem"
 RT="revoke-test.pem"
@@ -20,11 +23,11 @@
     export KEY_OU=""
 
     # revoke key and generate a new CRL
-    $OPENSSL ca -revoke "$1.crt" -config "$KEY_CONFIG"
+    openssl ca -revoke "$1" -config "$KEY_CONFIG"
 
     # generate a new CRL -- try to be compatible with
     # intermediate PKIs
-    $OPENSSL ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
+    openssl ca -gencrl -out "$CRL" -config "$KEY_CONFIG"
     if [ -e export-ca.crt ]; then
        cat export-ca.crt "$CRL" >"$RT"
     else
@@ -32,7 +35,7 @@
     fi
     
     # verify the revocation
-    $OPENSSL verify -CAfile "$RT" -crl_check "$1.crt"
+    openssl verify -CAfile "$RT" -crl_check "$1"
 else
     echo 'Please source the vars script first (i.e. "source ./vars")'
     echo 'Make sure you have edited it to reflect your configuration.'
--- openvpn-2.1_rc4/easy-rsa/2.0/sign-req       2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/sign-req  2007-09-18 14:08:03.698714729 +0300
@@ -1,7 +1,7 @@
-#!/bin/bash
+#!/bin/sh
 
 # Sign a certificate signing request (a .csr file)
 # with a local root certificate and key.
 
-export EASY_RSA="${EASY_RSA:-.}"
-"$EASY_RSA/pkitool" --interact --sign $*
+export EASY_RSA="${EASY_RSA:-/etc/easy-rsa}"
+/usr/sbin/pkitool --interact --sign $*
--- openvpn-2.1_rc4/easy-rsa/2.0/vars   2007-04-26 00:38:44.000000000 +0300
+++ openvpn-2.1_rc4-rsa2/easy-rsa/2.0/vars      2007-09-18 14:08:03.698714729 +0300
@@ -12,21 +12,12 @@
 # This variable should point to
 # the top level of the easy-rsa
 # tree.
-export EASY_RSA="`pwd`"
-
-#
-# This variable should point to
-# the requested executables
-#
-export OPENSSL="openssl"
-export PKCS11TOOL="pkcs11-tool"
-export GREP="grep"
-
+export EASY_RSA="/etc/easy-rsa"
 
 # This variable should point to
 # the openssl.cnf file included
 # with easy-rsa.
-export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
+export KEY_CONFIG="$EASY_RSA/openssl.cnf"
 
 # Edit this variable to point to
 # your soon-to-be-created key
@@ -38,9 +29,6 @@
 # it correctly!
 export KEY_DIR="$EASY_RSA/keys"
 
-# Issue rm -rf warning
-echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
-
 # PKCS11 fixes
 export PKCS11_MODULE_PATH="dummy"
 export PKCS11_PIN="dummy"