'build-ca' fails if '--passin=file:' and '--passout=file:' use the same filename

[jbrubake]

If you want to pass the passphrase on the command line when running build-ca you have to use both --passin and --passout because creating the private key uses the value of --passout and generating the CSR uses the value of --passin. Both arguments need to have the same value because the involve encrypting and decrypting the private key

However, when easyrsa generates the CSR, its call to openssl req passes both -passout and -passin and openssl req fails (and therefore easyrsa fails) if both of those use the same file:xxx value. openssl req requires the filenames to be different (although the contents can be the same).

As far as I can tell, the way that easyrsa is calling openssl req only requires the -passin argument in order to decrypt the private key. The -passout argument is needed if you are also generating the private key at the same time, which is not what easyrsa is doing.

The portion of the code with the problem involved is here. Deleting line 1443 (containing $EASYRSA_PASSOUT) would fix the problem, but maybe there is some combination of arguments where it is actually required?

build_ca() {     
    ...
Line 1432:
    # Generate the CA keypair:                                         
    # shellcheck disable=SC2086 # Double quote to prevent ..    
    easyrsa_openssl req -utf8 -new \                        
        -key "$out_key_tmp" -keyout "$out_key_tmp" \           
        -out "$out_file_tmp" \                                        
        ${ssl_batch+ -batch} \                                
        ${x509+ -x509} \                            
        ${date_stamp+ -days "$EASYRSA_CA_EXPIRE"} \
        ${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \              
        ${no_password+ "$no_password"} \           
        ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
        ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \     
        ${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \      
            || die "Failed to build the CA"    

[TinCanTech]

openssl req requires the filenames to be different

file:pathname

    The first line of pathname is the password. If the same pathname argument is 
    supplied to -passin and -passout arguments then the first line will be used 
    for the input password and the next line for the output password. pathname 
    need not refer to a regular file: it could for example refer to a device or 
    named pipe.

https://www.openssl.org/docs/man3.0/man1/openssl-passphrase-options.html

EasyRSA passes options --passin and --passout directly to openssl. This is required, in order to support the full options which openssl have.

[jbrubake]

openssl req requires the filenames to be different

file:pathname

    The first line of pathname is the password. If the same pathname argument is 
    supplied to -passin and -passout arguments then the first line will be used 
    for the input password and the next line for the output password. pathname 
    need not refer to a regular file: it could for example refer to a device or 
    named pipe.

That may be what the docs say, but if I pass the same filename to both args, openssl req fails

EasyRSA passes options --passin and --passout directly to openssl. This is required, in order to support the full options which openssl have.

Also true, but in the call to openssl req in build-ca the -passout flag does not actually accomplish anything as far as I can tell. Meaning that in that call alone it could be removed

[TinCanTech]

Please be precise about the commands you are using and the error messages returned.

[jbrubake]

--passin and --passout use the same path name:

* Using SSL: openssl OpenSSL 1.1.1q  FIPS 5 Jul 2022

* Using Easy-RSA configuration: /home/jbrubake/src/EasyRSA-3.1.1/pki/vars

........................+++++
......................................................................+++++
Error reading password from BIO
Error getting passwords

Easy-RSA error:

Failed to build the CA

--passin and --passout use different pathnames (but same file contents):

$ ./easyrsa --passin=file:<path> --passout=file:<same file, different path> build-ca

no errors. CA is properly built

As I stated earlier, the issue is that openssl req accepts -passin and -passout and fails if both arguments are given the same path. From what I can tell, openssl req needs to accept both those arguments for the case where you generate a private key and a CSR in the same command. That is not what easyrsa is doing, so I think that easyrsa's call to openssl req does not need to pass -passout and will still work properly. Again, I might be missing something.

Regardless, it took me quite a while to track the error down when I was building a CA, so even if no change is made to the code, easyrsa should probably alert the user to the problem instead of just passing the (unhelpful) openssl req error message

[TinCanTech]

@jbrubake You failed to post the requested details.

My own test:

Welcome to the EasyRSA 3 Shell for Windows.
Easy-RSA 3 is available under a GNU GPLv2 license.
 
Invoke './easyrsa' to call the program. Without commands, help is displayed.
 
EasyRSA Shell
# ./easyrsa init-pki
 
WARNING!!!
 
You are about to remove the EASYRSA_PKI at:
* C:/Users/den/easy-rsa/win-311/pki
 
and initialize a fresh PKI here.
 
Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes
 
 
Notice
------
'init-pki' complete; you may now create a CA or requests.
 
Your newly created PKI dir is:
* C:/Users/den/easy-rsa/win-311/pki
 
* Using Easy-RSA configuration: C:/Users/den/easy-rsa/win-311/pki/vars
 
* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.
 
* Using x509-types directory: C:/Users/den/easy-rsa/win-311/x509-types
 
 
EasyRSA Shell
# ./easyrsa --passin=file:pass.txt --passout:file:pass.txt build-ca
* Using SSL: openssl OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
 
* Using Easy-RSA configuration: C:/Users/den/easy-rsa/win-311/pki/vars
 
 
Easy-RSA error:
 
Unknown command '--passout:file:pass.txt'. Run without commands for usage help.
 
 
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: dev | win | @(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $ |  | OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
 
EasyRSA Shell
# ./easyrsa --passin=file:pass.txt --passout=file:pass.txt build-ca
* Using SSL: openssl OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
 
* Using Easy-RSA configuration: C:/Users/den/easy-rsa/win-311/pki/vars
 
Using configuration from C:/Users/den/easy-rsa/win-311/pki/safessl-easyrsa.cnf.init-tmp
..+....+..............+.+.....+................+.....+.+..+.+.....................+.....+.+...+..............+.+..+.........+......+.......+...+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+...............+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+.......+...+......+...+..+......+.......+..+.+..............+.+..+...+.........+.............+........+.......+...........+.+.....+.+...+..+.......+...........+.+...+...+...+.........+..+...+...+.........+......+....+......+..+.+..+..........+..+.+............+..............+.+.....+.......+...........+....+........+.......+..+...+.+.........+...........+..........+.....+......+.+..+.+..+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+............+...+...+.......+...+.....+.+.....+.........+.........+.+.....+...............+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+...+...+....+...+...+.....+.........+......+...+....+......+...........+...................+.....+.+...+......+.....+.........+......+....+.................+.+...+...........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:
 
Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
C:/Users/den/easy-rsa/win-311/pki/ca.crt
 
 
EasyRSA Shell
# ./easyrsa show-ca
* Using SSL: openssl OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
 
* Using Easy-RSA configuration: C:/Users/den/easy-rsa/win-311/pki/vars
 
 
Notice
------
 
Showing  details for 'ca'.
 
This file is stored at:
* C:/Users/den/easy-rsa/win-311/pki/ca.crt
 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4e:2d:c4:34:57:f0:4a:dd:74:76:c0:0b:d4:60:b2:da:45:b0:b4:65
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName                = Easy-RSA CA
        Validity
            Not Before: Oct 24 20:25:18 2022 GMT
            Not After : Oct 21 20:25:18 2032 GMT
        Subject:
            commonName                = Easy-RSA CA
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Key Identifier:
                75:08:CA:5A:B1:29:98:27:3C:8E:4B:06:56:3D:30:D2:B3:32:54:C3
            X509v3 Authority Key Identifier:
                keyid:75:08:CA:5A:B1:29:98:27:3C:8E:4B:06:56:3D:30:D2:B3:32:54:C3
                DirName:/CN=Easy-RSA CA
                serial:4E:2D:C4:34:57:F0:4A:DD:74:76:C0:0B:D4:60:B2:DA:45:B0:B4:65
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
 
 
EasyRSA Shell
#

[ecrist]

It is NEVER really a good idea to use the same in/out file. You're depending on too many variables. When do updates flush to disk, is the file being written at the same time it's being read? Did it read in fully before it truncated for write, etc?

Don't do this.

[TinCanTech]

OpenSSL document what will happen if both options point to the same file, even to the extent that it need not be a regular file.

Also, EasyRSA is passing these options directly to OpenSSL.

My testing shows that it works.

All there is now is to figure out what @jbrubake is doing wrong ..

[jbrubake]

It is NEVER really a good idea to use the same in/out file. You're depending on too many variables. When do updates flush to disk, is the file being written at the same time it's being read? Did it read in fully before it truncated for write, etc?

Don't do this.

-passin and -passout not -in and -out. If I were doing the later, yes, you'd be right

[jbrubake]

OpenSSL document what will happen if both options point to the same file, even to the extent that it need not be a regular file.

Also, EasyRSA is passing these options directly to OpenSSL.

My testing shows that it works.

All there is now is to figure out what @jbrubake is doing wrong ..

I run ./easyrsa --passin=file:PATH --passout=file:SAMEPATH build-ca and I get:

* Using SSL: openssl OpenSSL 1.1.1q  FIPS 5 Jul 2022

* Using Easy-RSA configuration: /home/jbrubake/src/EasyRSA-3.1.1/pki/vars

........................+++++
......................................................................+++++
Error reading password from BIO
Error getting passwords

Easy-RSA error:

Failed to build the CA

I understand that OpenSSL says -passin and -passout cannot refer to the same file. What I am saying, is that, given the way easyrsa build-ca is calling openssl req I don't believe the value of easyrsa --passout is actually being used. And even if it's decided that nothing in the call to openssl req is changed, I am recommending that easyrsa print out an error message if --passin and --passout use the same file path (because the OpenSSL docs say you shouldn't do this), because the error returned by openssl req was not helpful at all

[TinCanTech]

Closed: Cannot reproduce.

@jbrubake Please state the exact commands that you are using.

[sideeffect42]

I believe what @jbrubake is referring to is this (running on an up-to-date Debian bookworm VM with a fresh download of EasyRSA 3.1.2):

root@vpn:~# easyrsa --pki-dir=/tmp/easy-rsa/pki init-pki

Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /tmp/easy-rsa/pki

* Using Easy-RSA configuration:

* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.
             To use a global vars file, use global option --vars=<YOUR_VARS>

* Using x509-types directory: /usr/share/easy-rsa/x509-types

root@vpn:~# echo password >mypass
root@vpn:~# easyrsa --pki-dir=/tmp/easy-rsa/pki --passin=file:mypass --passout=file:mypass build-ca

* Using SSL: openssl OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

* Using Easy-RSA configuration: /tmp/easy-rsa/pki/vars

Using configuration from /tmp/easy-rsa/pki/1e765e65/temp.59c73b04
.....................+....+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+.+...+.....+...+.......+..+.........+.......+...+.....+.+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+..+.......+...+.....+...................+......+........+.+........+...+...+..........+..+............+.+.........+..................+........+.......+..+.+.....+............+...+.+...........+....+...+........+...+....+..+..........+..............+.+........+..........+.....+......+...................+..+...............+....+........................+..+...+...+.............+..+....+......+...+......+........+...+.......+...........+.+......+.....+...+....+...+.........+...........+....+......+.........+...+...+..+......+......+.+............+..+.........+...................+..+......+.............+..+...+.+.........+.....+...............................+.....+..........+...+......+...............+..+..................+.......+........+.......+...+...........+.+..+.+.....................+.....+.........+....+.....................+..+...+....+...+...+..+.........+....+.....+...................+...............+..+......+...+......+.+..+.+.........+.....................+.........+...+...+.....+.+......+.....+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+........+...+....+.....+......+...+.+...+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.....+....+..+.........+.+..+.+..+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.................+....+......+...+..+....+.....+.+...+.....+.+.....+...+.+..+...+.......+........+..........+...........+.+.....+....+...+.....+.+.....+..........+......+.....+.........+............+...............+.............+.....................+.....+....+...............+.....+.+.....+..........+.....+.+.................+......+.+..............+...................+...........+.+......+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Error reading password from BIO
Error getting passwords

Easy-RSA error:

Failed to build the CA certificate

If I may add my two cents: I find it very confusing that both --passin and --passout have to be set even if there is no "input" to build-ca (i.e. the CA is a root CA).

[TinCanTech]

FTR, easyrsa allows offering settings directly to openssl, without further interpretation, because the SSL library is responsible for its own options.

I cannot fix version 3.1.2 because of the Easy-RSA release process. However, an exclusion for the specific case of --passin and --passout using the same filename, may possibly be added to git/master (a.k.a. v313).

On reflection, this should only be a warning, because OpenSSL say that using the same file is fine, provided you follow what OpenSSL expects.

Linking #838

[sideeffect42]

I propose the patch #950 to fix this issue.