Date: Wed, 28 Jan 2015 09:50:47 +0100
From: Alexander Aring
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCHv2 3/4] easy-rsa: initial commit
Message-ID: <20150128085045.GA6903@omega>
References: <1422215784-25936-1-git-send-email-alex.aring@gmail.com> <1422215784-25936-4-git-send-email-alex.aring@gmail.com> <20150126150050.GB20195@pengutronix.de>
In-Reply-To: <20150126150050.GB20195@pengutronix.de>

Hi,

On Mon, Jan 26, 2015 at 04:00:51PM +0100, Michael Olbrich wrote:
> On Sun, Jan 25, 2015 at 08:56:23PM +0100, Alexander Aring wrote:
> > This patch adds easy-rsa. Some scripting framework to generate a PKI
> > CA "correctly".
> > > > Signed-off-by: Alexander Aring > > --- > > patches/easy-rsa-2.2.2/autogen.sh | 1 + > > rules/easy-rsa.in | 17 +++++++++++ > > rules/easy-rsa.make | 62 +++++++++++++++++++++++++++++++++++++++ > > 3 files changed, 80 insertions(+) > > create mode 120000 patches/easy-rsa-2.2.2/autogen.sh > > create mode 100644 rules/easy-rsa.in > > create mode 100644 rules/easy-rsa.make > > > > diff --git a/patches/easy-rsa-2.2.2/autogen.sh b/patches/easy-rsa-2.2.2/autogen.sh > > new file mode 120000 > > index 0000000..9f8a4cb > > --- /dev/null > > +++ b/patches/easy-rsa-2.2.2/autogen.sh > > @@ -0,0 +1 @@ > > +../autogen.sh > > \ No newline at end of file > > diff --git a/rules/easy-rsa.in b/rules/easy-rsa.in > > new file mode 100644 > > index 0000000..25aebb4 > > --- /dev/null > > +++ b/rules/easy-rsa.in > > @@ -0,0 +1,17 @@ > > +## SECTION=security > > + > > +config EASY_RSA > > + tristate > > + prompt "easy-rsa" > > + select GREP if !BUSYBOX_GREP && RUNTIME > > + select GCCLIBS_GCC_S if !BUSYBOX_GREP && RUNTIME > > + select OPENSSL
>
> select OPENSSL if RUNTIME
>
> right?
>

Okay, if we need RUNTIME when some binary will be called at runtime only. Then this is right, because the easy-rsa scripts are only helper scripts which call openssl and grep.

> > + select OPENSSL_BIN > > + help > > + easy-rsa is a CLI utility to build and manage a PKI CA. In laymen's > > + terms, this means to create a root certificate authority, and request > > + and sign certificates, including sub-CAs and certificate revokation > > + lists (CRL). This is for people which don't know how to generate > > + all PKI files with openssl tool. Additional this is for people which > > + have a enough less paranoia to generate keys on an embedded device. > > + The easy-rsa scripts will be placed at /usr/share/easy-rsa aferwards. > > diff --git a/rules/easy-rsa.make b/rules/easy-rsa.make > > new file mode 100644 > > index 0000000..e6b18f8 > > --- /dev/null > > +++ b/rules/easy-rsa.make
> > @@ -0,0 +1,62 @@ > > +# -*-makefile-*- > > +# > > +# Copyright (C) 2014 by Alexander Aring > > +# > > +# See CREDITS for details about who has contributed to this project. > > +# > > +# For further information about the PTXdist project and license conditions > > +# see the README file. > > +# > > + > > +# > > +# We provide this package > > +# > > +PACKAGES-$(PTXCONF_EASY_RSA) += easy-rsa > > + > > +# > > +# Paths and names > > +# > > +EASY_RSA_VERSION := 2.2.2 > > +EASY_RSA_MD5 := 040238338980617bc9c2df4274349593 > > +EASY_RSA := easy-rsa-$(EASY_RSA_VERSION) > > +EASY_RSA_SUFFIX := tar.gz > > +EASY_RSA_TARBALL := $(EASY_RSA_VERSION).$(EASY_RSA_SUFFIX) > > +EASY_RSA_URL := https://github.com/OpenVPN/easy-rsa/archive/$(EASY_RSA_TARBALL) > > +EASY_RSA_SOURCE := $(SRCDIR)/$(EASY_RSA).$(EASY_RSA_SUFFIX) > > +EASY_RSA_DIR := $(BUILDDIR)/$(EASY_RSA) > > +EASY_RSA_LICENSE := GPLv2 > > + > > +EASY_RSA_INSTALL_SCRIPTS := \ > > + build-ca build-dh build-inter build-key build-key-pass build-key-pkcs12 \ > > + build-key-server build-req build-req-pass clean-all inherit-inter \ > > + list-crl pkitool revoke-full sign-req whichopensslcnf > > + > > +EASY_RSA_INSTALL_FILES := \ > > + openssl-0.9.6.cnf openssl-0.9.8.cnf openssl-1.0.0.cnf vars
>
> I don't think we need openssl-0.9.6.cnf and openssl-0.9.8.cnf. We just have
> 1.0.x in ptxdist.
> I would remove the whole list and copy "vars" only.

I tried to use openssl-1.0.0.cnf at first when I found that some openssl.cnf was missing. Result: it didn't work, then I used the shipped openssl one and it worked. I didn't look deeper into the possibilities for making openssl.cnf changes.

- Alex
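
Review bot: The help text in rules/easy-rsa.in misspells "revokation" (revocation) and "aferwards" (afterwards), and the sentence about having "a enough less paranoia to generate keys on an embedded device" leaves the actual concern implicit. Since the option is filed under SECTION=security, state directly that enabling it means CA and certificate keys are generated on the target itself, so the person selecting it makes that choice knowingly. In the same hunk, "select GCCLIBS_GCC_S if !BUSYBOX_GREP && RUNTIME" repeats the condition of the GREP line without saying why libgcc_s follows the grep choice; a short comment would help.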
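
Review bot: EASY_RSA_MD5 is the only integrity check visible in rules/easy-rsa.make for a tarball fetched from a GitHub archive URL, and MD5 is not collision resistant; for a package that ships PKI tooling, record a stronger digest such as SHA-256 next to it if the build system can verify one. Separately, EASY_RSA_TARBALL expands to "2.2.2.tar.gz" while EASY_RSA_SOURCE expects "easy-rsa-2.2.2.tar.gz"; a one-line comment that the upstream archive name differs from the local file name would keep the next reader from treating it as a mistake.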