OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Introduce new global options: --ku-critical and --bc-critical #1063

Closed TinCanTech closed 2 months ago

TinCanTech commented 8 months ago

These options allow X509 'critical' attributes to be used.

--ku-critical (--ku-crit): Configure 'keyUsage' to set 'critical' attribute.

--bc-critical (--bc-crit): Configure 'basicConstraints' to set 'critical' attribute.

Use of these options is left to the discretion of the user task.

Supported certificate types do not include 'email', 'codeSigning' or 'kdc'.

TinCanTech commented 8 months ago

No unit-test.

Early manual test, failed for CA:

tct@home:/dev/shm/easyrsa-ut$ easyrsa init-pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* /dev/shm/easyrsa-ut/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /dev/shm/easyrsa-ut/pki

Using Easy-RSA configuration:
* undefined
tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-ca
...+++++
....................................+++++
Can't load /dev/shm/easyrsa-ut/pki/.rnd into RNG
140700229961024:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:98:Filename=/dev/shm/easyrsa-ut/pki/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

Notice
------
CA creation complete. Your new CA certificate is at:
* /dev/shm/easyrsa-ut/pki/ca.crt

tct@home:/dev/shm/easyrsa-ut$ easyrsa --nopass --ku-crit --bc-crit build-server-full s1
Generating a RSA private key
........+++++
.............+++++
writing new private key to '/dev/shm/easyrsa-ut/pki/58acae36/temp.1.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa-ut/pki/reqs/s1.req
* key: /dev/shm/easyrsa-ut/pki/private/s1.key 

You are about to sign the following certificate:
Request subject, to be signed as a server certificate 
for '825' days:

subject=
    commonName                = s1

X509v3 Subject Alternative Name:
    DNS:s1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /usr/share/easy-rsa/openssl-easyrsa.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'s1'
Certificate is to be certified until Apr 18 00:59:07 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated

Notice
------
Certificate created at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt

Notice
------
Inline file created:
* /dev/shm/easyrsa-ut/pki/inline/s1.inline

tct@home:/dev/shm/easyrsa-ut$ easyrsa show-ca

Notice
------
Showing details for CA certificate, at:
* /dev/shm/easyrsa-ut/pki/ca.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            36:35:23:5d:90:db:f8:96:dd:fc:6c:6f:60:0c:2c:a0:22:67:65:64
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan 14 00:58:53 2024 GMT
            Not After : Jan 11 00:58:53 2034 GMT
        Subject:
            commonName                = Easy-RSA CA
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
            X509v3 Authority Key Identifier: 
                keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
                DirName:/CN=Easy-RSA CA
                serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64

            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
tct@home:/dev/shm/easyrsa-ut$ easyrsa show-cert s1

Notice
------
Showing 'cert' details for: 's1'

This file is stored at:
* /dev/shm/easyrsa-ut/pki/issued/s1.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1255548484 (0x4ad62644)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Jan 14 00:59:07 2024 GMT
            Not After : Apr 18 00:59:07 2026 GMT
        Subject:
            commonName                = s1
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                D3:CF:2C:64:CC:30:2E:5D:61:74:52:FB:02:04:6B:5A:7B:02:6E:CF
            X509v3 Authority Key Identifier: 
                keyid:DA:40:C0:D9:C4:12:92:F2:EC:EB:67:9C:D1:20:51:CE:71:2B:44:3D
                DirName:/CN=Easy-RSA CA
                serial:36:35:23:5D:90:DB:F8:96:DD:FC:6C:6F:60:0C:2C:A0:22:67:65:64

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:s1
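A small checker for the failed CA case above, added here as an example and not part of easy-rsa: it parses the extension block that `easyrsa show-ca` / `show-cert` print (the `openssl x509 -text` layout) and reports the extensions RFC 5280 expects to carry the critical flag. The two samples are constructed from the output above, with key identifiers replaced by placeholders.

```python
import re

# Constructed samples in the `openssl x509 -text` layout shown above: the CA
# signed without the critical flag (failing case) and the server cert with it.
CA_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                <ca-key-id>
            X509v3 Basic Constraints: 
                CA:TRUE
            X509v3 Key Usage: 
                Certificate Sign, CRL Sign
"""
SERVER_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
"""

# An extension header sits at 12 spaces of indent; its value lines at 16.
_HEADER = re.compile(r"^ {12}(?P<name>\S[^:]*):\s*(?P<crit>critical)?\s*$")

def parse_extensions(text: str) -> dict:
    """Map extension name -> (is_critical, list of value lines)."""
    exts = {}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = m.group("name")
            exts[current] = (m.group("crit") is not None, [])
        elif current and line.startswith(" " * 16):
            exts[current][1].append(line.strip())
    return exts

def audit_critical(text: str) -> list:
    """Report extensions RFC 5280 expects to be critical but which are not."""
    findings = []
    exts = parse_extensions(text)
    bc = exts.get("X509v3 Basic Constraints")
    if bc and "CA:TRUE" in bc[1] and not bc[0]:
        findings.append("basicConstraints CA:TRUE not critical (RFC 5280 4.2.1.9: MUST)")
    ku = exts.get("X509v3 Key Usage")
    if ku and not ku[0]:
        findings.append("keyUsage not critical (RFC 5280 4.2.1.3: SHOULD)")
    return findings
```

Feeding it `openssl x509 -in pki/ca.crt -noout -text` output gives the same two findings for the CA above and none for `s1`.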
TinCanTech commented 2 months ago

Superseded-by: #1176