Use inline pass phrase arguments

It doesn't seem more or less secure to embed the password as an argument than an environment variable written at the begining of the line.
2020-05-05 10:46:15 +02:00 · 2020-05-05 10:46:15 +02:00 · 706608ca4a
parent bb20053ba0
commit 706608ca4a
2 changed files with 35 additions and 30 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Extract cert_end_date() function
 * Extract is_user() and is_group() functions
 * Extract variables for files
+* Use inline pass phrase arguments

 ### Deprecated

--- a/64
+++ b/64
@ -73,14 +73,14 @@ init() {
    fi

    if [ ! -f "${CA_CERT}" ]; then
-        CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" req \
+        "${OPENSSL_BIN}" req \
            -new \
            -batch \
            -sha512 \
            -x509 \
            -days 3650 \
            -extensions v3_ca \
-            -passin env:CA_PASSWORD \
+            -passin pass:${CA_PASSWORD} \
            -key "${CA_KEY}" \
            -out "${CA_CERT}" \
            -config /dev/stdin <<EOF
@ -127,11 +127,11 @@ EOF
    fi

    if [ ! -f "${OCSP_CERT}" ]; then
-        CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+        "${OPENSSL_BIN}" ca \
            -extensions v3_ocsp \
            -in "${ocsp_csr_file}" \
            -out "${OCSP_CERT}" \
-            -passin env:CA_PASSWORD \
+            -passin pass:${CA_PASSWORD} \
            -config "${CONF_FILE}"
    fi

@ -191,9 +191,9 @@ warning() {
 }

 verify_ca_password() {
-    CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" rsa \
+    "${OPENSSL_BIN}" rsa \
        -in "${CA_KEY}"    \
-        -passin env:CA_PASSWORD \
+        -passin pass:${CA_PASSWORD} \
        >/dev/null 2>&1
 }

@ -400,10 +400,10 @@ create() {
        fi

        # ca sign and generate cert
-        CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+        "${OPENSSL_BIN}" ca \
            -config "${CONF_FILE}" \
            -in "${csr_file}" \
-            -passin env:CA_PASSWORD \
+            -passin pass:${CA_PASSWORD} \
            -out "${crt_file}" \
            ${crt_expiration_arg}

@ -448,30 +448,25 @@ create() {
        fi

        # generate private key
-        OPENSSL_ENV=""
        PASS_ARGS=""
        if [ -n "${password_file}" ]; then
            PASS_ARGS="-aes256 -passout file:${password_file}"
        elif [ -n "${PASSWORD}" ]; then
-            OPENSSL_ENV="PASSWORD=${PASSWORD}"
-            PASS_ARGS="-aes256 -passout env:PASSWORD"
+            PASS_ARGS="-aes256 -passout pass:${PASSWORD}"
        fi
-        "${OPENSSL_ENV}" "${OPENSSL_BIN}" genrsa \
+        "${OPENSSL_BIN}" genrsa \
            -out "${key_file}" \
            ${PASS_ARGS} \
-            ${KEY_LENGTH} \
-            >/dev/null 2>&1
+            ${KEY_LENGTH}

        # generate csr req
-        OPENSSL_ENV=""
        PASS_ARGS=""
        if [ -n "${password_file}" ]; then
            PASS_ARGS="-passin file:${password_file}"
        elif [ -n "${PASSWORD}" ]; then
-            OPENSSL_ENV="PASSWORD=${PASSWORD}"
-            PASS_ARGS="-passin env:PASSWORD"
+            PASS_ARGS="-passin pass:${PASSWORD}"
        fi
-        "${OPENSSL_ENV}" "${OPENSSL_BIN}" req \
+        "${OPENSSL_BIN}" req \
            -batch \
            -new \
            -key "${key_file}" \
@ -483,9 +478,9 @@ commonName_default = ${cn}
 EOF

        # ca sign and generate cert
-        CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+        "${OPENSSL_BIN}" ca \
            -config "${CONF_FILE}" \
-            -passin env:CA_PASSWORD \
+            -passin pass:${CA_PASSWORD} \
            -in "${csr_file}" \
            -out "${crt_file}" \
            ${crt_expiration_arg}
@ -508,24 +503,33 @@ EOF
        echo "The CRT file is available in ${crt_file}"

        # generate pkcs12 format
-        OPENSSL_ENV=""
        PASS_ARGS=""
        if [ -n "${password_file}" ]; then
-            PASS_ARGS="-passin file:${password_file} -passout file:${password_file}"
+            # Hack for pkcs12 :
+            # If passin and passout files are the same path, it expects 2 lines
+            # so we make a temporary copy of the password file
+            password_file_out=$(mktemp)
+            cp "${password_file}" "${password_file_out}"
+            PASS_ARGS="-passin file:${password_file} -passout file:${password_file_out}"
        elif [ -n "${PASSWORD}" ]; then
-            OPENSSL_ENV="PASSWORD=${PASSWORD}"
-            PASS_ARGS="-passin env:PASSWORD -passout env:PASSWORD"
+            PASS_ARGS="-passin pass:${PASSWORD} -passout pass:${PASSWORD}"
        else
            PASS_ARGS="-passout pass:"
        fi
-        "${OPENSSL_ENV}" "${OPENSSL_BIN}" pkcs12 \
+        "${OPENSSL_BIN}" pkcs12 \
            -export \
            -nodes \
            -inkey "${key_file}" \
            -in "${crt_file}" \
-            -out "${pkcs12_file}"
+            -out "${pkcs12_file}" \
            ${PASS_ARGS}

+        if [ -n "${password_file_out}" ]; then
+            # Hack for pkcs12 :
+            # Destroy the temporary file
+            rm -f "${password_file_out}"
+        fi
+
        chmod 640 "${pkcs12_file}"
        echo "The PKCS12 config file is available in ${pkcs12_file}"

@ -579,17 +583,17 @@ revoke() {
    ask_ca_password 0

    echo "Revoke certificate ${crt_file} :"
-    CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+    "${OPENSSL_BIN}" ca \
        -config "${CONF_FILE}" \
-        -passin env:CA_PASSWORD \
+        -passin pass:${CA_PASSWORD} \
        -revoke "${crt_file}"
    if [ "$?" -eq 0 ]; then
        rm "${crt_file}"
    fi

-    CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+    "${OPENSSL_BIN}" ca \
        -config "${CONF_FILE}" \
-        -passin env:CA_PASSWORD \
+        -passin pass:${CA_PASSWORD} \
        -gencrl \
        -out "${CRL}"
 }