From 706608ca4a1defbc0e9af5fbfc0576483a376d36 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 5 May 2020 10:46:15 +0200
Subject: [PATCH] Use inline pass phrase arguments

It doesn't seem more or less secure to embed the password as an argument than an environment variable written at the begining of the line.
---
 CHANGELOG.md | 1 +
 shellpki | 64 ++++++++++++++++++++++++++++------------------
 2 files changed, 35 insertions(+), 30 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 10a9483..2be3197 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 * Extract cert_end_date() function
 * Extract is_user() and is_group() functions
 * Extract variables for files
+* Use inline pass phrase arguments
 ### Deprecated
diff --git a/shellpki b/shellpki
index e05f488..6657358 100755
--- a/shellpki
+++ b/shellpki
@@ -73,14 +73,14 @@ init() {
 fi
 if [ ! -f "${CA_CERT}" ]; then
- CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" req \
+ "${OPENSSL_BIN}" req \
 -new \
 -batch \
 -sha512 \
 -x509 \
 -days 3650 \
 -extensions v3_ca \
-passin env:CA_PASSWORD \
+ -passin pass:${CA_PASSWORD} \
 -key "${CA_KEY}" \
 -out "${CA_CERT}" \
 -config /dev/stdin </dev/null 2>&1
 }
@@ -400,10 +400,10 @@ create() {
 fi
 # ca sign and generate cert
- CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+ "${OPENSSL_BIN}" ca \
 -config "${CONF_FILE}" \
 -in "${csr_file}" \
-passin env:CA_PASSWORD \
+ -passin pass:${CA_PASSWORD} \
 -out "${crt_file}" \
 ${crt_expiration_arg}
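Review bot: The `-passin pass:${CA_PASSWORD}` lines added in this hunk and at @@ -400 put the CA pass phrase into openssl's argument vector, where any local user can read it from the process table for as long as the command runs; the `CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" …` prefix they replace was a shell assignment rather than an argument and never appeared there, so the commit message's claim that the two forms are equally secure does not hold, and the openssl pass-phrase documentation warns against the `pass:` form for exactly this reason. The same regression is in the `ca` call at @@ -483 and in both `ca` calls in revoke() at @@ -579. Keeping `-passin env:CA_PASSWORD` with the unquoted assignment prefix (or a `file:`/`fd:` source) avoids the exposure; if `pass:` stays, the expansion at least needs quoting, `-passin "pass:${CA_PASSWORD}"`, because the unquoted form word-splits and globs a pass phrase containing spaces or `*`. init() starts before this hunk.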
@@ -448,30 +448,25 @@ create() {
 fi
 # generate private key
- OPENSSL_ENV=""
 PASS_ARGS=""
 if [ -n "${password_file}" ]; then
 PASS_ARGS="-aes256 -passout file:${password_file}"
 elif [ -n "${PASSWORD}" ]; then
- OPENSSL_ENV="PASSWORD=${PASSWORD}"
- PASS_ARGS="-aes256 -passout env:PASSWORD"
+ PASS_ARGS="-aes256 -passout pass:${PASSWORD}"
 fi
- "${OPENSSL_ENV}" "${OPENSSL_BIN}" genrsa \
+ "${OPENSSL_BIN}" genrsa \
 -out "${key_file}" \
 ${PASS_ARGS} \
- ${KEY_LENGTH} \
- >/dev/null 2>&1
+ ${KEY_LENGTH}
 # generate csr req
- OPENSSL_ENV=""
 PASS_ARGS=""
 if [ -n "${password_file}" ]; then
 PASS_ARGS="-passin file:${password_file}"
 elif [ -n "${PASSWORD}" ]; then
- OPENSSL_ENV="PASSWORD=${PASSWORD}"
- PASS_ARGS="-passin env:PASSWORD"
+ PASS_ARGS="-passin pass:${PASSWORD}"
 fi
- "${OPENSSL_ENV}" "${OPENSSL_BIN}" req \
+ "${OPENSSL_BIN}" req \
 -batch \
 -new \
 -key "${key_file}" \
@@ -483,9 +478,9 @@ commonName_default = ${cn}
 EOF
 # ca sign and generate cert
- CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+ "${OPENSSL_BIN}" ca \
 -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \
+ -passin pass:${CA_PASSWORD} \
 -in "${csr_file}" \
 -out "${crt_file}" \
 ${crt_expiration_arg}
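Review bot: `PASS_ARGS="-aes256 -passout pass:${PASSWORD}"` is later expanded unquoted as `${PASS_ARGS}`, so a user password containing whitespace is split into extra arguments (openssl would then encrypt the key with only the first fragment, or fail) and one containing `*` or `?` is globbed against the working directory; the `-passin pass:${PASSWORD}` branch for `req` further down has the same problem. The quoted `"${OPENSSL_ENV}"` word this hunk removes looks like the actual breakage in the old code — a quoted `PASSWORD=…` word is executed as a command name rather than applied as an assignment — while the unquoted prefix used elsewhere in the file works, so the env form can be kept without that bug: `PASSWORD="${PASSWORD}" "${OPENSSL_BIN}" genrsa \` together with `PASS_ARGS="-aes256 -passout env:PASSWORD"` (the prefix is harmless when the `file:` branch is taken). Dropping `>/dev/null 2>&1` from genrsa is welcome, since it was hiding that failure. create() starts before this hunk and continues past it.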
@@ -508,24 +503,33 @@ EOF
 echo "The CRT file is available in ${crt_file}"
 # generate pkcs12 format
- OPENSSL_ENV=""
 PASS_ARGS=""
 if [ -n "${password_file}" ]; then
- PASS_ARGS="-passin file:${password_file} -passout file:${password_file}"
+ # Hack for pkcs12 :
+ # If passin and passout files are the same path, it expects 2 lines
+ # so we make a temporary copy of the password file
+ password_file_out=$(mktemp)
+ cp "${password_file}" "${password_file_out}"
+ PASS_ARGS="-passin file:${password_file} -passout file:${password_file_out}"
 elif [ -n "${PASSWORD}" ]; then
- OPENSSL_ENV="PASSWORD=${PASSWORD}"
- PASS_ARGS="-passin env:PASSWORD -passout env:PASSWORD"
+ PASS_ARGS="-passin pass:${PASSWORD} -passout pass:${PASSWORD}"
 else
 PASS_ARGS="-passout pass:"
 fi
- "${OPENSSL_ENV}" "${OPENSSL_BIN}" pkcs12 \
+ "${OPENSSL_BIN}" pkcs12 \
 -export \
 -nodes \
 -inkey "${key_file}" \
 -in "${crt_file}" \
- -out "${pkcs12_file}"
+ -out "${pkcs12_file}" \
 ${PASS_ARGS}
+ if [ -n "${password_file_out}" ]; then
+ # Hack for pkcs12 :
+ # Destroy the temporary file
+ rm -f "${password_file_out}"
+ fi
+
 chmod 640 "${pkcs12_file}"
 echo "The PKCS12 config file is available in ${pkcs12_file}"
@@ -579,17 +583,17 @@ revoke() {
 ask_ca_password 0
 echo "Revoke certificate ${crt_file} :"
- CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+ "${OPENSSL_BIN}" ca \
 -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \
+ -passin pass:${CA_PASSWORD} \
 -revoke "${crt_file}"
 if [ "$?" -eq 0 ]; then
 rm "${crt_file}"
 fi
- CA_PASSWORD="${CA_PASSWORD}" "${OPENSSL_BIN}" ca \
+ "${OPENSSL_BIN}" ca \
 -config "${CONF_FILE}" \
-passin env:CA_PASSWORD \
+ -passin pass:${CA_PASSWORD} \
 -gencrl \
 -out "${CRL}"
 }
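Review bot: The `mktemp` copy of the password file made in the `password_file` branch is only removed on the straight-line path after `openssl pkcs12`; if that command fails while the script runs with errexit, or the script is interrupted, a plaintext copy of the pass phrase (mode 0600 from mktemp) stays behind in the temp directory. Registering the cleanup right after the `cp`, `trap 'rm -f "${password_file_out}"' EXIT` (merged with any EXIT trap the script already sets, which is outside this hunk), covers those paths and makes the trailing `if [ -n "${password_file_out}" ]` block unnecessary. `password_file_out` is also never initialised before the `if`, so that `-n` test reads an unset variable on the other two branches and would abort under `set -u`; `password_file_out=""` next to `PASS_ARGS=""` avoids it. The copy keeps mktemp's 0600 mode through `cp`, which is the right permission for it. create() starts before this hunk.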