Bug#1032270: regression in --req-cn option

Wed, 15 Mar 2023 08:45:22 -0700 

On Thu, 2 Mar 2023 16:23:01 +0100 
Dennis Camera <dennis.camera+deb...@riiengineering.ch> wrote:
> The correct behaviour of the --req-cn option was restored in upstream
> version 3.1.1.

I attached a patch based on upstream commit
fe3cced16c62de5dd33f3a230ee03e904306a55b which fixes the behaviour of
--req-cn.

--- a/easyrsa3/easyrsa	2023-03-02 16:44:48.526049371 +0100
+++ b/easyrsa3/easyrsa	2023-03-02 16:49:00.478040360 +0100
@@ -1130,18 +1130,29 @@
 	[ -n "$1" ] || die "\
 Error: gen-req must have a file base as the first argument.
 Run easyrsa without commands for usage and commands."
+
+	# Initialisation
+	unset -v text nopass ssl_batch
+
+	# Set ssl batch mode and Default commonName, as required
+	if [ "$EASYRSA_BATCH" ]; then
+		ssl_batch=1
+		[ "$EASYRSA_REQ_CN" = ChangeMe ] && export EASYRSA_REQ_CN="$1"
+	else
+		# --req-cn must be used with --batch, otherwise use default
+		export EASYRSA_REQ_CN="$1"
+	fi
+
+	# Output files
 	key_out="$EASYRSA_PKI/private/$1.key"
 	req_out="$EASYRSA_PKI/reqs/$1.req"
 
-	# Set the request commonName
-	EASYRSA_REQ_CN="$1"
-	shift
+	shift # scrape off file-name
 
 	# Require SSL Lib version for 'nopass' -> $no_password
 	verify_pki_init
 
 	# function opts support
-	unset -v text nopass ssl_batch
 	while [ -n "$1" ]; do
 		case "$1" in
 			text) text=1 ;;
@@ -1365,7 +1376,7 @@
 	rm -f "$ext_tmp"
 
 	[ "$EASYRSA_SILENT" ] || print # Separate Notice below
-	unset -v EASYRSA_BATCH # This is why batch mode should not silence output
+	#unset -v EASYRSA_BATCH # This is why batch mode should not silence output
 	notice "\
 Certificate created at: $crt_out"
 
@@ -1406,12 +1417,16 @@
 	[ -f "$key_out" ] && die "Key $err_exists $key_out"
 	[ -f "$crt_out" ] && die "Certificate $err_exists $crt_out"
 
-	# create request
+	# Set commonName
+	[ "$EASYRSA_REQ_CN" = ChangeMe ] || die "\
+Option conflict: '$cmd' does not support setting an external commonName"
 	EASYRSA_REQ_CN="$name"
+
+	# create request
 	gen_req "$name" batch ${nopass+ nopass}
 
 	# Sign it
-	( sign_req "$crt_type" "$name" batch ) || {
+	( sign_req "$crt_type" "$name" ) || {
 		rm -f "$req_out" "$key_out"
 		die "Failed to sign '$name' - See error messages above for details."
 	}

Reply via email to