Merge branch 'inline-private-pkcs12' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-inline-private-pkcs12

TinCanTech · TinCanTech · commit ee6f0c40ead8 · 2025-06-24T16:31:32.000+01:00
Signed-off-by: Richard T Bonhomme &lt;tincantech@protonmail.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,11 @@
 Easy-RSA 3 ChangeLog
 
+3.2.4 (TBD)
+
+   * export-p12: Split $p12_cipher_opts into respective parts (48bb8ee) (#1356)
+   * export-p12: Move inline file to 'inline/private' folder (22cabcb) (#1356)
+   * export-p12: Rename inline file extension to '.inline-p12' (22cabcb) (#1356)
+
 3.2.3 (2025-06-12)
 
    * build-ca: Remove TLS Key processing (c1c2a06) (#1351)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -2904,10 +2904,9 @@ $(cat "$crt_source")
 </cert>"
 
 		# Calculate decimal value for serial number
-		# because openvpn uses decimal serial ?!?
+		# because openvpn uses decimal serial
 		# for '--crl-verify /path/to/dir dir'
-		# For reasons unknown..
-		if which bc >/dev/null; then
+		if which bc 1>/dev/null 2>&1; then
 			inline_crt_serial=
 			ssl_cert_serial "$crt_source" inline_crt_serial || \
 				die "inline_file - ssl_cert_serial"
@@ -2927,6 +2926,7 @@ $(cat "$crt_source")
 		crt_fingerprint="${crt_fingerprint#*=}"
 
 		# Certificate type
+		inline_crt_type=
 		ssl_cert_x509v3_eku "$crt_source" inline_crt_type || \
 			die "inline_file: Failed to set inline_crt_type"
 
@@ -3615,11 +3615,12 @@ Run easyrsa without commands for usage and command help."
 	# OpenSSL 3.0 without needing '-legacy'.
 	if [ "$openssl_v3" ]; then
 		# No cipher opts required
-		p12_cipher_opts=""
+		unset -v p12_keypbe p12_certpbe p12_macalg
 	else
 		# Upgrade PBE & MAC opts - Reset by option 'legacy'
-		p12_cipher_opts="-keypbe AES-256-CBC -certpbe AES-256-CBC"
-		p12_cipher_opts="${p12_cipher_opts} -macalg sha256"
+		p12_keypbe=AES-256-CBC
+		p12_certpbe=AES-256-CBC
+		p12_macalg=sha256
 	fi
 
 	while [ "$1" ]; do
@@ -3642,10 +3643,12 @@ Run easyrsa without commands for usage and command help."
 				;;
 			legacy)
 				if [ "$openssl_v3" ]; then
+					# OpenSSL v3 requires providers/legacy.so
+					# EasyRSA can use OPENSSL_MODULES=/path-to/providers
 					legacy=-legacy
 				else
 					# Downgrade PBE & MAC opts
-					p12_cipher_opts=""
+					unset -v p12_keypbe p12_certpbe p12_macalg
 				fi
 				;;
 			*)
@@ -3758,25 +3761,30 @@ Missing User Certificate, expected at:
 	fi
 
 	# Complete export
-	inline_out=
 	inline_msg=
 	case "$pkcs_type" in
 	p12)
-		pkcs_out="$EASYRSA_PKI/private/$file_name_base.p12"
-		inline_out="$EASYRSA_PKI/inline/$file_name_base-p12.inline"
+		pkcs_out="${EASYRSA_PKI}/private/${file_name_base}.p12"
+		# Only PKCS12 can be inlined for OpenVPN
+		inline_dir="$EASYRSA_PKI"/inline/private
+		inline_out="${inline_dir}/${file_name_base}".inline-p12
 
 		[ "$legacy" ] && \
 			error_info="SSL library may not support -legacy mode"
 
+		verbose "export-p12: cipher opts: \
+-keypbe=$p12_keypbe | -certpbe=$p12_certpbe | -macalg=$p12_macalg"
+
 		# export the p12:
-		# shellcheck disable=2086 # Double quote p12_cipher_opts
 		easyrsa_openssl pkcs12 -export \
 			-in "$crt_in" \
 			-out "$pkcs_out" \
 			-inkey "$key_in" \
 			${nokeys} \
 			${legacy} \
-			${p12_cipher_opts} \
+			${p12_keypbe:+ -keypbe "$p12_keypbe"} \
+			${p12_certpbe:+ -certpbe "$p12_certpbe"} \
+			${p12_macalg:+ -macalg "$p12_macalg"} \
 			${friendly_name:+ -name "$friendly_name"} \
 			${want_ca:+ -certfile "$crt_ca"} \
 			${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
