New global option --eku-crit: Mark X509 extendedKeyUsage as critical

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
OpenVPN · Jul 17, 2024 · ca09211 · ca09211
1 parent 49723bd
commit ca09211
Showing 1 changed file with 28 additions and 6 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -615,8 +615,9 @@ Certificate & Request options: (these impact cert/req field values)
                   If commonName is 'n.n.n.n' then set 'IP:commonName'
 
 --san-crit      : Mark X509v3 subjectAltName as critical
---ku-crit       : Add X509 'keyUsage = critical' attribute.
 --bc-crit       : Add X509 'basicContraints = critical' attribute.
+--ku-crit       : Add X509 'keyUsage = critical' attribute.
+--eku-crit      : Add X509 'extendedKeyUsage = critical' attribute.
 
 --new-subject='SUBJECT'
                 : Specify a new subject field to sign a request with.
@@ -2515,6 +2516,22 @@ Writing 'copy_exts' to SSL config temp-file failed"
 		verbose "sign_req: basicConstraints critical OK"
 	fi
 
+	# extendedKeyUsage critical
+	confirm_eku_crit=
+	if [ "$EASYRSA_EKU_CRIT" ]; then
+		crit_tmp=
+		easyrsa_mktemp crit_tmp || \
+			die "sign-req - easyrsa_mktemp EKU crit_tmp"
+
+		add_critical_attrib extendedKeyUsage "$x509_type_file" \
+			"$crit_tmp" || die "sign-req - EKU add_critical_attrib"
+
+		# Use the new tmp-file with critical attribute
+		x509_type_file="$crit_tmp"
+		confirm_eku_crit="  extendedKeyUsage: 'critical'${NL}"
+		verbose "sign_req: extendedKeyUsage critical OK"
+	fi
+
 	# Find or create x509 COMMON file
 	if [ -f "$EASYRSA_EXT_DIR/COMMON" ]; then
 		# Use the x509-types/COMMON file
@@ -2683,7 +2700,8 @@ Failed to create temp extension file (bad permissions?) at:
 
 	# Set confirm details
 	confirm_critical_attribs="
-${confirm_san_crit}${confirm_ku_crit}${confirm_bc_crit}"
+${confirm_bc_crit}${confirm_ku_crit}\
+${confirm_eku_crit}${confirm_san_crit}"
 
 	confirm_details="\
 ${confirm_CN}
@@ -2764,14 +2782,14 @@ Certificate created at:
 # Add 'critical' attribute to X509-type file
 add_critical_attrib() {
 	case "$1" in
-		basicConstraints|keyUsage) : ;; # ok
+		basicConstraints|keyUsage|extendedKeyUsage) : ;; # ok
 		*) die "add_critical_attrib - usage: '$1'"
 	esac
 
 	[ -f "$2" ] || die "add_critical_attrib - file-2: '$2'"
 	[ -f "$3" ] || die "add_critical_attrib - file-3: '$3'"
 
-	sed s/"$1 = "/"$1 = "critical,/g "$2" > "$3"
+	sed s/"$1 = "/"$1 = critical,"/g "$2" > "$3"
 } # => add_critical_attrib()
 
 # Check serial in db
@@ -5605,13 +5623,17 @@ while :; do
 			empty_ok=1
 			export EASYRSA_SAN_CRIT='critical,'
 			;;
+		--bc-crit*)
+			empty_ok=1
+			export EASYRSA_BC_CRIT=1
+			;;
 		--ku-crit*)
 			empty_ok=1
 			export EASYRSA_KU_CRIT=1
 			;;
-		--bc-crit*)
+		--eku-crit*)
 			empty_ok=1
-			export EASYRSA_BC_CRIT=1
+			export EASYRSA_EKU_CRIT=1
 			;;
 		--new-subj*)
 			export EASYRSA_NEW_SUBJECT="$val"