
build-ca: Replace password temp-file method with file-descriptors #955

Merged
merged 3 commits into from
May 8, 2023

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented May 6, 2023

Until now, EasyRSA has used temp-files to store the CA password and passed those temp-files to SSL to build a CA keypair, when building a CA manually, with a password.

From now, EasyRSA will use an internal variable to contain the CA password and pass the value of that variable via file-descriptors to SSL, when building a CA keypair.

This file-descriptor method is only used when building a CA with a password manually, when the user enters the password via keyboard. All other build-ca methods remain unchanged.

Also, move keypair temp-files to output files or error out.

Also, minor improvements to comments and verbose messages.

Original-concept: #950

Until now, EasyRSA has used temp-files to store the CA password and
passed those temp-files to SSL to build a CA keypair, when building
a CA manually, with a password.

From now, EasyRSA will use an internal variable to contain the CA
password and pass the value of that variable via file-descriptors
to SSL, when building a CA keypair.

This file-descriptor method is only used when building a CA with a
password manually, when the user enters the password via keyboard.
All other build-ca methods remain unchanged.

Also, move keypair temp-files to output files or error out.

Also, minor improvements to comments and verbose messages.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech self-assigned this May 6, 2023
@TinCanTech TinCanTech added labels: enhancement, Major Changes (Changes between Major 3.X version numbers - X is Major), ChangeLog Item, version 3.1.3 (May 6, 2023)
@TinCanTech TinCanTech added this to the v3.1.3 - 13/10/2023 milestone May 6, 2023
@TinCanTech
Collaborator Author

TinCanTech commented May 6, 2023

The unit-test does not test this code, so I have manually tested it on Linux and Windows.. and LibreSSL..

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

TinCanTech commented May 6, 2023

I cannot help thinking that this method needs to allow fallback to temp-files, even though it has passed all tests.

Perhaps, this would be better as an option, such as:

easyrsa --pw-via-fd build-ca

Otherwise, it is an extreme change.

This allows a fallback to use temp-files for CA password, in the event
that file-descriptor method fails.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech merged commit 0719f54 into OpenVPN:master May 8, 2023
@Wolf1098

Wolf1098 commented May 20, 2023

Good thoughts on the extreme change -- using the default PowerShell of Windows Terminal to run the bat

EasyRSA Shell

./easyrsa build-ca

  • Using Easy-RSA configuration:
    C:/Users/User/Downloads/EasyRSA-3.1.3/pki/vars

  • Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

Enter New CA Key Passphrase:
Passphrase must be at least 4 characters!

Enter New CA Key Passphrase:
Passphrase must be at least 4 characters!

Enter New CA Key Passphrase:

Confirm New CA Key Passphrase:
Using configuration from C:/Users/User/Downloads/EasyRSA-3.1.3/pki/188860fa/temp.5.1
Invalid password argument, starting with "fd:"
Error getting password

Easy-RSA error:

easyrsa_openssl - Command has failed:

  • openssl genpkey -config C:/Users/User/Downloads/EasyRSA-3.1.3/pki/188860fa/temp.5.1 -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out C:/Users/User/Downloads/EasyRSA-3.1.3/pki/188860fa/temp.1.1 -aes256 -pass fd:3

EasyRSA Version Information
Version: 3.1.3
Generated: Fri May 19 07:56:29 CDT 2023
SSL Lib: OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
Git Commit: 3fa9cd8
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.1.3 | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |


EasyRSA Shell

./easyrsa --ca-via-tf build-ca

  • Using Easy-RSA configuration:
    C:/Users/User/Downloads/EasyRSA-3.1.3/pki/vars

  • Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

Enter New CA Key Passphrase:
Passphrase must be at least 4 characters!

Enter New CA Key Passphrase:

Confirm New CA Key Passphrase:
Using configuration from C:/Users/User/Downloads/EasyRSA-3.1.3/pki/402bbdff/temp.7.1

Notice

CA creation complete. Your new CA certificate is at:

  • C:/Users/User/Downloads/EasyRSA-3.1.3/pki/ca.crt

@Wolf1098

May want to make some documentation somewhere of the --ca-via-tf workaround, other than searching past issues and finding this discussion.

@TinCanTech
Collaborator Author

@Wolf1098 Thanks for testing and reporting this.

The openssl error `Invalid password argument, starting with "fd:"` .. I can confirm it also happens in my test.

:embarrassed and annoyed emoji:
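The file-descriptor hand-off the PR describes, together with the temp-file fallback that the `--ca-via-tf` path provides, as an added POSIX sh example (not EasyRSA's own code). It assumes an openssl-style consumer that accepts `-pass fd:3` or `-pass file:PATH`; `run_with_pass`, `pass_via_fd_or_file` and the `@PASS@` placeholder are this example's own names, and the fallback is keyed to the exact error text from Wolf1098's Windows log above.

```shell
#!/bin/sh
# Added example, not EasyRSA's own code: hand a passphrase held in a shell
# variable to a child process on fd 3 (OpenSSL "-pass fd:3") through a pipe,
# so it touches neither disk nor argv, and fall back to a mode-0600 temp file
# ("-pass file:...") for builds that reject "fd:", as OpenSSL on Windows does.

# run_with_pass MODE PASSPHRASE CMD [ARGS...]   (MODE is "fd" or "file")
# Every ARG equal to the placeholder @PASS@ becomes the matching OpenSSL
# password source: "fd:3" or "file:<tmpfile>".
run_with_pass() {
    _mode=$1 _pw=$2; shift 2
    _src=fd:3
    if [ "$_mode" = file ]; then
        # umask 077: the temp file is never readable by other users
        _tf=$(umask 077 && mktemp) || return 1
        printf '%s\n' "$_pw" > "$_tf"
        _src=file:$_tf
    fi
    _n=$#     # rotate "$@" once, substituting the placeholder (no arrays in sh)
    while [ "$_n" -gt 0 ]; do
        _a=$1; shift
        if [ "$_a" = "@PASS@" ]; then _a=$_src; fi
        set -- "$@" "$_a"
        _n=$((_n - 1))
    done
    _rc=0
    if [ "$_mode" = fd ]; then
        # A pipe, not a here-document: some shells back here-docs with temp
        # files. "3<&0" must precede "</dev/null" so fd 3 receives the pipe.
        printf '%s\n' "$_pw" | "$@" 3<&0 </dev/null || _rc=$?
    else
        "$@" </dev/null || _rc=$?
        rm -f "$_tf"
    fi
    return $_rc
}

# pass_via_fd_or_file PASSPHRASE CMD [ARGS...]: try fd:3 first; retry with a
# temp file only on the specific "fd:" rejection seen in the Windows log above.
pass_via_fd_or_file() {
    _err=$(run_with_pass fd "$@" 2>&1 >/dev/null) && return 0
    case $_err in
        *'Invalid password argument'*) run_with_pass file "$@" ;;
        *) printf '%s\n' "$_err" >&2; return 1 ;;
    esac
}

# Usage (assumes openssl on PATH; ca.key is a hypothetical output path):
# pass_via_fd_or_file "$CA_PASS" openssl genpkey -algorithm rsa \
#     -pkeyopt rsa_keygen_bits:2048 -aes256 -pass @PASS@ -out ca.key
```

During the fd attempt the tool's stdout is discarded so that its stderr can be inspected, which is harmless for `genpkey -out`. The passphrase still lives in the shell's memory, so this removes the on-disk copy and the argv exposure, not the variable itself.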

Labels: ChangeLog Item, enhancement, Full-Approval (Merge is imminent), Major Changes (Changes between Major 3.X version numbers - X is Major), version 3.1.3