From: Alexander Aring <alex.aring@gmail.com>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCHv2 3/4] easy-rsa: initial commit
Date: Wed, 28 Jan 2015 09:50:47 +0100 [thread overview]
Message-ID: <20150128085045.GA6903@omega> (raw)
In-Reply-To: <20150126150050.GB20195@pengutronix.de>
Hi,
On Mon, Jan 26, 2015 at 04:00:51PM +0100, Michael Olbrich wrote:
> On Sun, Jan 25, 2015 at 08:56:23PM +0100, Alexander Aring wrote:
> > This patch adds easy-rsa. Some scripting framework to generate a PKI
> > CA "correctly".
> >
> > Signed-off-by: Alexander Aring <alex.aring@gmail.com>
> > ---
> > patches/easy-rsa-2.2.2/autogen.sh | 1 +
> > rules/easy-rsa.in | 17 +++++++++++
> > rules/easy-rsa.make | 62 +++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 80 insertions(+)
> > create mode 120000 patches/easy-rsa-2.2.2/autogen.sh
> > create mode 100644 rules/easy-rsa.in
> > create mode 100644 rules/easy-rsa.make
> >
> > diff --git a/patches/easy-rsa-2.2.2/autogen.sh b/patches/easy-rsa-2.2.2/autogen.sh
> > new file mode 120000
> > index 0000000..9f8a4cb
> > --- /dev/null
> > +++ b/patches/easy-rsa-2.2.2/autogen.sh
> > @@ -0,0 +1 @@
> > +../autogen.sh
> > \ No newline at end of file
> > diff --git a/rules/easy-rsa.in b/rules/easy-rsa.in
> > new file mode 100644
> > index 0000000..25aebb4
> > --- /dev/null
> > +++ b/rules/easy-rsa.in
> > @@ -0,0 +1,17 @@
> > +## SECTION=security
> > +
> > +config EASY_RSA
> > + tristate
> > + prompt "easy-rsa"
> > + select GREP if !BUSYBOX_GREP && RUNTIME
> > + select GCCLIBS_GCC_S if !BUSYBOX_GREP && RUNTIME
> > + select OPENSSL
>
> select OPENSSL if RUNTIME
>
> right?
>
okay if we need RUNTIME when some binary will be called at runtime only.
Then this is right, because the easy-rsa are some helper scripts only
which call openssl and grep.
> > + select OPENSSL_BIN
> > + help
> > + easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's
> > + terms, this means to create a root certificate authority, and request
> > + and sign certificates, including sub-CAs and certificate revokation
> > + lists (CRL). This is for people which don't know how to generate
> > + all PKI files with openssl tool. Additional this is for people which
> > + have a enough less paranoia to generate keys on an embedded device.
> > + The easy-rsa scripts will be placed at /usr/share/easy-rsa aferwards.
> > diff --git a/rules/easy-rsa.make b/rules/easy-rsa.make
> > new file mode 100644
> > index 0000000..e6b18f8
> > --- /dev/null
> > +++ b/rules/easy-rsa.make
> > @@ -0,0 +1,62 @@
> > +# -*-makefile-*-
> > +#
> > +# Copyright (C) 2014 by Alexander Aring <aar@pengutronix.de>
> > +#
> > +# See CREDITS for details about who has contributed to this project.
> > +#
> > +# For further information about the PTXdist project and license conditions
> > +# see the README file.
> > +#
> > +
> > +#
> > +# We provide this package
> > +#
> > +PACKAGES-$(PTXCONF_EASY_RSA) += easy-rsa
> > +
> > +#
> > +# Paths and names
> > +#
> > +EASY_RSA_VERSION := 2.2.2
> > +EASY_RSA_MD5 := 040238338980617bc9c2df4274349593
> > +EASY_RSA := easy-rsa-$(EASY_RSA_VERSION)
> > +EASY_RSA_SUFFIX := tar.gz
> > +EASY_RSA_TARBALL := $(EASY_RSA_VERSION).$(EASY_RSA_SUFFIX)
> > +EASY_RSA_URL := https://github.com/OpenVPN/easy-rsa/archive/$(EASY_RSA_TARBALL)
> > +EASY_RSA_SOURCE := $(SRCDIR)/$(EASY_RSA).$(EASY_RSA_SUFFIX)
> > +EASY_RSA_DIR := $(BUILDDIR)/$(EASY_RSA)
> > +EASY_RSA_LICENSE := GPLv2
> > +
> > +EASY_RSA_INSTALL_SCRIPTS := \
> > + build-ca build-dh build-inter build-key build-key-pass build-key-pkcs12 \
> > + build-key-server build-req build-req-pass clean-all inherit-inter \
> > + list-crl pkitool revoke-full sign-req whichopensslcnf
> > +
> > +EASY_RSA_INSTALL_FILES := \
> > + openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf vars
>
> I don't think we need openssl-0.9.6.cnf and openssl-0.9.8.cnf. We just have
> 1.0.x in ptxdist.
>
I would remove the whole list and copy "vars" only. I tried to use
openssl-1.0.0.cnf at first when I found that some openssl.cnf was
missing. Result: it didn't work, then I used the shipped openssl one and
it worked. I didn't looked deeper inside the possibilities to making
openssl.cnf changes.
- Alex
--
ptxdist mailing list
ptxdist@pengutronix.de
next prev parent reply other threads:[~2015-01-28 8:50 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-25 19:56 [ptxdist] [PATCHv2 0/4] openvpn: cleanups, extras and version bumps Alexander Aring
2015-01-25 19:56 ` [ptxdist] [PATCHv2 1/4] liblzo: rework and version bump Alexander Aring
2015-01-27 8:21 ` Michael Olbrich
2015-01-25 19:56 ` [ptxdist] [PATCHv2 2/4] openssl: allow to install openssl.cnf Alexander Aring
2015-01-26 15:03 ` Michael Olbrich
2015-01-28 8:51 ` Alexander Aring
2015-01-25 19:56 ` [ptxdist] [PATCHv2 3/4] easy-rsa: initial commit Alexander Aring
2015-01-26 15:00 ` Michael Olbrich
2015-01-28 8:50 ` Alexander Aring [this message]
2015-01-25 19:56 ` [ptxdist] [PATCHv2 4/4] openvpn: rework and version bump Alexander Aring
2015-01-26 15:24 ` Michael Olbrich
2015-01-28 8:52 ` Alexander Aring
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150128085045.GA6903@omega \
--to=alex.aring@gmail.com \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox