From 8ae6bca3dc3f2ca6eead3fbae82cccf901ca0daf Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 11 Dec 2022 18:17:26 +0000 Subject: [PATCH 1/4] Windows, build-ca: Add input password to re-open private key Using OpenSSL 3.0.7, packaged by OpenVPN Windows installer, causes EasyRSA command 'build-ca' to fail, because it does not have an input password to re-open the private key, which is required to generate the CA certificate. Provide the user specified CA passphrase as input password for build-ca. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e0a584e57..53e691cf8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1372,6 +1372,8 @@ Please update openssl-easyrsa.cnf to the latest official release." # Assign passphrase vars and temp file p="" q="" + in_key_pass_tmp="$(easyrsa_mktemp)" || \ + die "Failed to create temporary file" out_key_pass_tmp="$(easyrsa_mktemp)" || \ die "Failed to create temporary file" @@ -1385,6 +1387,7 @@ Please update openssl-easyrsa.cnf to the latest official release." # Validate passphrase if [ "$p" = "$q" ]; then + printf "%s" "$p" > "$in_key_pass_tmp" printf "%s" "$p" > "$out_key_pass_tmp" unset -v p q else @@ -1459,6 +1462,7 @@ Please update openssl-easyrsa.cnf to the latest official release." ${EASYRSA_NO_PASS+ "$no_password"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \ + ${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \ ${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \ || die "Failed to build the CA" ;; From 0063de0d888463c369b77d5d77fdf9911b33db7f Mon Sep 17 00:00:00 2001 
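Review bot: The new `in_key_pass_tmp` file receives exactly the same content as `out_key_pass_tmp` (both are written from `$p` in the second hunk), so a second plaintext copy of the CA passphrase lands on disk where one file referenced by both `-passin file:` and `-passout file:` would do. Each copy is only as safe as the mode `easyrsa_mktemp` creates it with and the cleanup that removes it, neither of which is visible here; worth confirming the files are created owner-readable only and are removed on every exit path, including the `die` calls that follow. A comment above the assignments would make that dependency explicit, e.g. `# Passphrase is stored in these files in plaintext; relies on easyrsa_mktemp creating them 0600 and removing them on exit`. The enclosing `else` branch starts before the hunk.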
From: Richard T Bonhomme Date: Sun, 11 Dec 2022 22:37:40 +0000 Subject: [PATCH 2/4] Allow default CA generation method to be unit-tested If 'easyrsa' is being run by the unit-test then allow the default method for 'build-ca' to be exercised. The default 'easyrsa' method is to use temp-files, generated by EasyRSA, to pass the CA passphrase, provided by the user, to the SSL command. The normal 'unit-test' method to use a passphrase is to configure EasyRSA ommand line options '--passin' and '--passout'. The change made here is to simulate user-interaction and to supply a default passphrase, as a user, to the SSL command. To NOT use EasyRSA command line options to set any passphrase. ONLY when being run by the unit-test. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 53e691cf8..55f257686 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1370,23 +1370,34 @@ Please update openssl-easyrsa.cnf to the latest official release." : # passphrase defined else # Assign passphrase vars and temp file - p="" - q="" in_key_pass_tmp="$(easyrsa_mktemp)" || \ die "Failed to create temporary file" out_key_pass_tmp="$(easyrsa_mktemp)" || \ die "Failed to create temporary file" - # Get passphrase - prompt="Enter New CA Key Passphrase: " - get_passphrase p + # Dirty way to unit-test default behavior + if [ "$ERSA_UTEST_VERSION" ]; then + # Prove this works by changing passwords + # use: ERSA_UTEST_VERSION=9 easyrsa build-ca + p="EasyRSA" + q="EasyRSA" + unset -v EASYRSA_PASSIN EASYRSA_PASSOUT + warn "SPECIAL unit-test CA password!" - # Confirm passphrase - prompt="Confirm New CA Key Passphrase: " - get_passphrase q + else + p="" + q="" + # Get passphrase p + prompt="Enter New CA Key Passphrase: " + get_passphrase p + + # Confirm passphrase q + prompt="Confirm New CA Key Passphrase: " + get_passphrase q + fi # Validate passphrase - if [ "$p" = "$q" ]; then + if [ "$p" ] && [ "$p" = "$q" ]; then printf "%s" "$p" > "$in_key_pass_tmp" printf "%s" "$p" > "$out_key_pass_tmp" unset -v p q From 9a495f7bd34e99671433ac7956a95b3e95c1a179 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 12 Dec 2022 21:22:44 +0000 Subject: [PATCH 3/4] build-ca: Use OpenSSL '-passout' with EasyRSA '--passout' correctly Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 55f257686..6b2f0c313 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
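Review bot: With the new validation `if [ "$p" ] && [ "$p" = "$q" ]; then`, two empty entries now fall into the `else` branch that (per the context shown in the later patch-4 hunk) reports "Passphrases do not match!", which is misleading for what is really an empty passphrase; check emptiness separately before the comparison, e.g. `[ "$p" ] || die "CA key passphrase must not be empty"`. The `ERSA_UTEST_VERSION` branch switches the CA to a fixed, publicly known passphrase and discards the caller's `EASYRSA_PASSIN`/`EASYRSA_PASSOUT` on the strength of a single environment variable; if that variable can be inherited outside the test harness, a production CA would be built with a known passphrase after only a `warn`. The comment `# Dirty way to unit-test default behavior` should spell out that consequence, e.g. `# Unit-test only: the CA key gets a fixed, known passphrase and any user --passin/--passout is discarded`. The enclosing `else` branch and the `if`/`else` after the validation extend beyond the hunk.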
@@ -1474,7 +1474,7 @@ Please update openssl-easyrsa.cnf to the latest official release." ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \ ${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \ - ${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \ + ${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \ || die "Failed to build the CA" ;; *) die "build-ca ssl lib: $osslv_major" From 0ce126a289d1b939c4cf4db2900747dfb6427786 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 13 Dec 2022 00:02:28 +0000 Subject: [PATCH 4/4] build-ca: Error-exit on failure to write temp-CA-passphrase files Also, prototype easyrsa_mktemp() errors. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 6b2f0c313..742f36b49 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1371,9 +1371,9 @@ Please update openssl-easyrsa.cnf to the latest official release." else # Assign passphrase vars and temp file in_key_pass_tmp="$(easyrsa_mktemp)" || \ - die "Failed to create temporary file" + die "in_key_pass_tmp: create" out_key_pass_tmp="$(easyrsa_mktemp)" || \ - die "Failed to create temporary file" + die "out_key_pass_tmp: create" # Dirty way to unit-test default behavior if [ "$ERSA_UTEST_VERSION" ]; then @@ -1398,8 +1398,10 @@ Please update openssl-easyrsa.cnf to the latest official release." # Validate passphrase if [ "$p" ] && [ "$p" = "$q" ]; then - printf "%s" "$p" > "$in_key_pass_tmp" - printf "%s" "$p" > "$out_key_pass_tmp" + printf "%s" "$p" > "$in_key_pass_tmp" || \ + die "in_key_pass_tmp: write" + printf "%s" "$p" > "$out_key_pass_tmp" || \ + die "out_key_pass_tmp: write" unset -v p q else die "Passphrases do not match!" 
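Review bot: After this fix the command can still carry `-passin` and `-passout` twice, once from the user's `EASYRSA_PASSIN`/`EASYRSA_PASSOUT` and once from the temp files, because the temp-file options are appended unconditionally after the user's; whether the two can be set in the same run depends on the `if` that selects this branch, which lies outside the hunk. If OpenSSL keeps the last value given, the temp-file options silently override the caller's explicit choice. A comment on the temp-file lines would make the intended precedence visible, e.g. `# NOTE: temp-file passphrase options come last and would override --passin/--passout above; confirm the two are never set together`.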
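Review bot: The new messages `die "in_key_pass_tmp: create"` and `die "out_key_pass_tmp: create"`, like `die "in_key_pass_tmp: write"` / `die "out_key_pass_tmp: write"` in the next hunk and `die "conf_tmp: create"` in the following patch hunk, name internal shell variables instead of telling the user what failed, a step back from the previous "Failed to create temporary file"; the commit calls this a prototype, so keep the identifier but restore the description, e.g. `die "Failed to create temporary file for CA passphrase (in_key_pass_tmp)"`. On the write path, a `die` after the first `printf` has succeeded leaves a file holding the plaintext passphrase behind unless `die` runs the temp-file cleanup, which is not visible here and worth confirming. The enclosing `else` branch starts before the hunk.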
@@ -1414,7 +1416,7 @@ Please update openssl-easyrsa.cnf to the latest official release." {print} }' - conf_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" + conf_tmp="$(easyrsa_mktemp)" || die "conf_tmp: create" { cat "$EASYRSA_EXT_DIR/ca" "$EASYRSA_EXT_DIR/COMMON" [ "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" @@ -1475,7 +1477,7 @@ Please update openssl-easyrsa.cnf to the latest official release." ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \ ${in_key_pass_tmp:+ -passin file:"$in_key_pass_tmp"} \ ${out_key_pass_tmp:+ -passout file:"$out_key_pass_tmp"} \ - || die "Failed to build the CA" + || die "Failed to build the CA certificate" ;; *) die "build-ca ssl lib: $osslv_major" esac