head 1.6; access; symbols pkgsrc-2026Q1:1.6.0.16 pkgsrc-2026Q1-base:1.6 pkgsrc-2025Q4:1.6.0.14 pkgsrc-2025Q4-base:1.6 pkgsrc-2025Q3:1.6.0.12 pkgsrc-2025Q3-base:1.6 pkgsrc-2025Q2:1.6.0.10 pkgsrc-2025Q2-base:1.6 pkgsrc-2025Q1:1.6.0.8 pkgsrc-2025Q1-base:1.6 pkgsrc-2024Q4:1.6.0.6 pkgsrc-2024Q4-base:1.6 pkgsrc-2024Q3:1.6.0.4 pkgsrc-2024Q3-base:1.6 pkgsrc-2024Q2:1.6.0.2 pkgsrc-2024Q2-base:1.6 pkgsrc-2024Q1:1.5.0.4 pkgsrc-2024Q1-base:1.5 pkgsrc-2023Q4:1.5.0.2 pkgsrc-2023Q4-base:1.5 pkgsrc-2023Q3:1.4.0.4 pkgsrc-2023Q3-base:1.4 pkgsrc-2023Q2:1.4.0.2 pkgsrc-2023Q2-base:1.4 pkgsrc-2023Q1:1.2.0.36 pkgsrc-2023Q1-base:1.2 pkgsrc-2022Q4:1.2.0.34 pkgsrc-2022Q4-base:1.2 pkgsrc-2022Q3:1.2.0.32 pkgsrc-2022Q3-base:1.2 pkgsrc-2022Q2:1.2.0.30 pkgsrc-2022Q2-base:1.2 pkgsrc-2022Q1:1.2.0.28 pkgsrc-2022Q1-base:1.2 pkgsrc-2021Q4:1.2.0.26 pkgsrc-2021Q4-base:1.2 pkgsrc-2021Q3:1.2.0.24 pkgsrc-2021Q3-base:1.2 pkgsrc-2021Q2:1.2.0.22 pkgsrc-2021Q2-base:1.2 pkgsrc-2021Q1:1.2.0.20 pkgsrc-2021Q1-base:1.2 pkgsrc-2020Q4:1.2.0.18 pkgsrc-2020Q4-base:1.2 pkgsrc-2020Q3:1.2.0.16 pkgsrc-2020Q3-base:1.2 pkgsrc-2020Q2:1.2.0.14 pkgsrc-2020Q2-base:1.2 pkgsrc-2020Q1:1.2.0.10 pkgsrc-2020Q1-base:1.2 pkgsrc-2019Q4:1.2.0.12 pkgsrc-2019Q4-base:1.2 pkgsrc-2019Q3:1.2.0.8 pkgsrc-2019Q3-base:1.2 pkgsrc-2019Q2:1.2.0.6 pkgsrc-2019Q2-base:1.2 pkgsrc-2019Q1:1.2.0.4 pkgsrc-2019Q1-base:1.2 pkgsrc-2018Q4:1.2.0.2 pkgsrc-2018Q4-base:1.2 pkgsrc-2018Q3:1.1.0.4 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.2 pkgsrc-2018Q2-base:1.1; locks; strict; comment @# @; 1.6 date 2024.06.08.07.14.37; author adam; state Exp; branches; next 1.5; commitid gaoy6QMncatWj9dF; 1.5 date 2023.12.05.18.29.16; author adam; state Exp; branches; next 1.4; commitid qRKiC3JFBRJh2jPE; 1.4 date 2023.06.07.11.10.38; author leot; state Exp; branches; next 1.3; commitid 9gG4N0gaykayq0sE; 1.3 date 2023.06.06.16.15.25; author leot; state Exp; branches; next 1.2; commitid Tc7H9dosil8p8UrE; 1.2 date 2018.10.11.09.13.30; author adam; state Exp; branches; next 1.1; 
commitid 8XLylmqQc6kaqwVA; 1.1 date 2018.06.24.07.31.09; author adam; state Exp; branches; next ; commitid 5RieoiRB24HimvHA; desc @@ 1.6 log @easy-rsa: updated to 3.2.0 EasyRSA v3.2.0 - Most significant changes New commands: self-sign-server and self-sign-client Create self-signed certificates for use with OpenVPN Peer Fingerprint mode. These certificates comply with other EasyRSA signing policies. expire Selectively move certificates from the issued/ to expired/ directory. This allows a new certificate to be signed from the original signing request file. This allows all custom signing options to be applied as required. This replaces the old command renew, which has been removed. Further details: doc/EasyRSA-Renew-and-Revoke.md write Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example. This allows EasyRSA to be used without having copies of the support files installed. Removed commands: renew Replaced by command expire, followed by command sign-req. This allows all custom options to be used when signing, which renew did not. rebuild and rewind-renew No longer required. upgrade No longer supported. New Global Option: --new-subject -- Command sign-req option: newsubj Edit Request Subject during command sign-req New files: easyrsa-tools.lib Moved code for commands show-expire, show-revoke and show-renew to the new file. easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd @ text @$NetBSD: patch-easyrsa,v 1.5 2023/12/05 18:29:16 adam Exp $ Set a sane default for config file. Needs to be SUBSTed. 
--- easyrsa.orig 2024-05-18 12:20:59.000000000 +0000 +++ easyrsa @@@@ -1475,7 +1475,7 @@@@ locate_support_files() { "${0%/*}" \ '/usr/local/share/easy-rsa' \ '/usr/share/easy-rsa' \ - '/etc/easy-rsa' \ + '@@SYSCONFDIR@@' \ # EOL do # Find x509-types @ 1.5 log @easy-rsa: updated to 3.1.7 3.1.7 (2023-10-13) Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md Under the hood, this is a considerable change but there are no user noticeable differences. With the exception of: Caveat: The default '$PWD/pki/vars' file is forbidden to change either EASYRSA or EASYRSA_PKI, which are both implied by default. EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy Commit: ecd6506 EASYRSA/vars is moved to a higher priority than a default PKI. vars-auto-detect no longer searches 'easyrsa' program directory. gen-crl: preserve existing crl.pem ownership+mode New command: make-vars - Print vars.example (here-doc) to stdout show-expire: Calculate cert. expire seconds from DB date Update OpenSSL to 3.1.2 @ text @d1 1 a1 1 $NetBSD: patch-easyrsa,v 1.4 2023/06/07 11:10:38 leot Exp $ d5 1 a5 1 --- easyrsa.orig 2023-10-13 22:27:51.000000000 +0000 d7 1 a7 10 @@@@ -1443,7 +1443,7 @@@@ install_data_to_pki() { # '/usr/local/share/easy-rsa' - Default user installed # '/usr/share/easy-rsa' - Default system installed # Room for more.. - # '/etc/easy-rsa' - Last resort + # '@@SYSCONFDIR@@' - Last resort # Find and optionally copy data-files, in specific order for area in \ @@@@ -1453,7 +1453,7 @@@@ install_data_to_pki() { d15 1 a15 1 if [ "$context" = x509-types-only ]; then @ 1.4 log @easyrsa: Update to 3.1.4 3.1.4 ----- * build-ca: New option --ca-via-stdin, use SSL -pass* argument 'stdin' * build-ca: Revert manual CA password method to temp-files Release v3.1.3 was fatally flawed, it would fail to build a CA under Windows. Release v3.1.4 is specifically a bugfix ONLY, to resolve the Windows problem.
See the following commits for further details: 5d7ad1306d5ebf1588aef77eb3445e70cf5b4ebc build-ca: Revert manual CA password method to temp-files c11135d19b2e7e7385d28abb1132978c849dfa74 build-ca: Use OpenSSL password I/O argument 'stdin' 27870d695a324e278854146afdac5d6bdade9bba build-ca: Replace password temp-file method with file-descriptors Superseded by 5d7ad13 above. 3.1.3 ----- * build-ca: Replace password temp-files with file-descriptors * Replace --fix-offset with --startdate, --enddate * Introduce option -S|--silent-ssl: Silence SSL output * Only create a random serial number file when expected * Always verify SSL lib, for all commands * Option --fix-offset: Adjust off-by-one day * Update OpenSSL to v3.0.8 3.1.2 ----- * build-full: Always enable inline file creation * Make default Edwards curve ED25519 * Allow --fix-offset to create post-dated certificates * Introduce command 'set-pass' * Introduce global option '--nopass|--no-pass' * Introduce global option '--notext|--no-text' * Command 'help': For unknown command, exit with error * Find data-files in the correct order * Update OpenSSL to 3.0.7 for Windows distribution 3.1.1 ----- * Remove command 'renewable' (#715) * Expand 'show-renew', include 'renewed/certs_by_serial' * Resolve long-standing issue with --subca-len=N * ++ NOTICE: Add EasyRSA-Renew-and-Revoke.md * Require 'openssl-easyrsa.cnf' is up to date * Introduce 'renew' (version 3). 
Only renew cert * Always ensure X509-types files exist * Expand alias '--days' to all suitable options with a period * Introduce --keep-tmp, keep temp files for debugging * Add serialNumber (OID 2.5.4.5) to DN 'org' mode * Support ampersand and dollar-sign in vars file * Introduce 'rewind-renew' * Expand status reports to include checking a single cert * Introduce 'revoke-renewed' * update OpenSSL for Windows to 3.0.5 3.1.0 ----- * Introduce basic support for OpenSSL version 3 * Update regex in grep to be POSIX compliant * Introduce status reporting tools * Display certificates using UTF8 * Allow certificates to be created with fixed date offset * Add 'verify' to verify certificate against CA * Add PKCS#12 alias 'friendlyName' * Support multiple IP-Addresses in SAN * Add option '--renew-days=NN', custom renew grace period * Add 'nopass' option to the 'export-pkcs' functions * Add support for 'busybox' * Add option '--tmp-dir=DIR' to declare Temp-dir 3.0.9 ----- * Upgrade OpenSSL from 1.1.0j to 1.1.1o - We are building this ourselves now. * Fix --version so it uses EASYRSA_OPENSSL * Use openssl rand instead of non-POSIX mktemp * Fix paths with spaces * Correct OpenSSL version from Homebrew on macOS * Fix revoking a renewed certificate Follow-up commit: ef22701878bb10df567d60f2ac50dce52a82c9ee * Introduce 'show-crl' * Support Windows-Git 'version of bash' * Disallow use of single quote (') in vars file, Warning * Creating a CA uses x509-types/ca and COMMON * Prefer 'PKI/vars' over all other locations * Introduce 'init-pki soft' option * Warnings are no longer silenced by --batch * Improve packaging options * Update regex for POSIX compliance * Correct date format for Darwin/BSD @ text @d1 1 a1 1 $NetBSD: patch-easyrsa,v 1.3 2023/06/06 16:15:25 leot Exp $ d3 1 a3 1 - Set a sane default for config file. Needs to be SUBSTed.
d5 1 a5 1 --- easyrsa.orig 2023-05-24 12:02:30.000000000 +0000 d7 1 a7 1 @@@@ -1308,7 +1308,7 @@@@ install_data_to_pki() { d16 1 a16 1 @@@@ -1318,7 +1318,7 @@@@ install_data_to_pki() { a24 9 @@@@ -5143,6 +5143,8 @@@@ The 'vars' file was not found: # Some other place vars, out of scope. if [ "$EASYRSA" ]; then easy_vars="${EASYRSA}/vars" + elif [ -f "@@SYSCONFDIR@@/vars" ]; then + easy_vars="@@SYSCONFDIR@@/vars" else unset -v easy_vars fi @ 1.3 log @easy-rsa: Add some portability fixes Gracefully handle date(1) calls on NetBSD and stick with POSIX "basic" regular expression when using sed(1). (Not shared upstream because probably both of these problems are solved by a quick code skim.) PKGREVISION++ @ text @d1 1 a1 1 $NetBSD: patch-easyrsa,v 1.2 2018/10/11 09:13:30 adam Exp $ a2 5 - Only FreeBSD and OpenBSD date(1) knows about the `-f' and `-v' options. Exclude possible other *BSD and fall back to date(1) `-d' there, which is supported by NetBSD. - Stick to POSIX basic regular expression (spell spaces via `[[:blank:]]' instead of `\s' that could be unsupported and undefined). d5 1 a5 1 --- easyrsa.orig 2020-09-09 20:59:45.000000000 +0000 d7 6 a12 11 @@@@ -1179,7 +1179,7 @@@@ at: $crt_in" sed 's/^notAfter=//' ) case $(uname 2>/dev/null) in - "Darwin"|*"BSD") + "Darwin"|"FreeBSD"|"OpenBSD") expire_date=$(date -j -f '%b %d %T %Y %Z' "$expire_date" +%s) allow_renew_date=$(date -j -v"+${EASYRSA_CERT_RENEW}d" +%s) ;; @@@@ -1515,7 +1515,7 @@@@ display_san() { echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName d14 20 a33 16 if [ $?
-eq 0 ]; then - print "$(echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | sed 's/^\s*subjectAltName\s*=\s*//')" + print "$(echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | sed 's/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*//')" else san=$( "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -text | @@@@ -1685,6 +1685,9 @@@@ vars_setup() { # EASYRSA, if defined: elif [ -n "$EASYRSA" ] && [ -f "$EASYRSA/vars" ]; then vars="$EASYRSA/vars" + # sysconf location: + elif [ -f "@@SYSCONFDIR@@/vars" ]; then + vars="@@SYSCONFDIR@@/vars" # program location: elif [ -f "$prog_vars" ]; then vars="$prog_vars" @ 1.2 log @easy-rsa: updated to 3.0.5 3.0.5: Fix: use AES256 for CA key Also, don't use read -s, use stty -echo Fix broken "nopass" option Add -r to read to stop errors reported by shellcheck (and to behave) remove overzealous quotes around $pkcs_opts (more SC errors) Support for LibreSSL (now works on latest version of MacOS) EasyRSA version will be reported in certificate comments Client certificates now expire in 3 year (1080 days) by default @ text @d1 1 a1 1 $NetBSD: patch-easyrsa,v 1.1 2018/06/24 07:31:09 adam Exp $ d3 6 a8 1 Set a sane default for config file. Needs to be SUBSTed. d10 1 a10 1 --- easyrsa.orig 2018-09-15 04:21:19.000000000 +0000 d12 19 a30 1 @@@@ -1137,6 +1137,9 @@@@ vars_setup() { @ 1.1 log @easy-rsa: downgraded to 3.0.4 (3.0.5 has not been released) @ text @d1 1 a1 1 $NetBSD$ d5 1 a5 1 --- easyrsa.orig 2017-08-22 12:51:05.000000000 +0000 d7 1 a7 1 @@@@ -1046,6 +1046,9 @@@@ vars_setup() { @
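Review bot: The patch description "Set a sane default for config file." no longer matches the single hunk left in revision 1.6, which only replaces '/etc/easy-rsa' with the '@@SYSCONFDIR@@' token in the locate_support_files() search list used to find x509-types. The hunks that added a SYSCONFDIR/vars lookup (vars_setup() in 1.1 to 1.3, the "'vars' file was not found" block in 1.4) are absent from 1.5 onward, so the description should say that the patch relocates the last-resort support-file directory. "Needs to be SUBSTed." is the only reminder of the build-time step; confirm the substitution is actually applied, because an unsubstituted token is a literal relative path and the search would then look for a directory of that name under the current working directory.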
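Review bot: In the revision 1.3 display_san() hunk the new sed expression uses [[:space:]], but the patch's own header comment says spaces are spelled via `[[:blank:]]'; make the comment and the code agree. [[:space:]] is the closer replacement for the \s being removed (it also matches newline, carriage return, form feed and vertical tab, where [[:blank:]] is only space and tab), so correcting the comment is the smaller change.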
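Review bot: In the revision 1.3 hunk at "case $(uname 2>/dev/null)", replacing *"BSD" with "FreeBSD"|"OpenBSD" sends every other BSD, not only NetBSD, to whatever branch follows, and that branch is not visible in the hunk. The header comment justifies the change only for NetBSD ("Exclude possible other *BSD ..."), so either name "NetBSD" explicitly in its own case arm or state in the comment that all remaining *BSD systems are assumed to have a date(1) that accepts `-d'.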
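Review bot: The vars_setup() hunk (revisions 1.1 to 1.3) places the new "@@SYSCONFDIR@@/vars" branch ahead of "# program location:", so a vars file in the sysconf directory takes precedence over one beside the program whenever EASYRSA is unset or has no vars file; the added comment "# sysconf location:" does not say this ordering is intended. State the resulting search order in the patch header so the change in which vars file is picked up is documented for anyone who keeps a vars file in the program directory.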