`sign-req ca` does not honour user set critical flag in "ca" type if --subca-len provided

[dekeonus]

in this code

easy-rsa/easyrsa3/easyrsa

Lines 1701 to 1703 in d99bef6

	# Support a dynamic CA path length when present:
	[ "$crt_type" = "ca" ] && [ "$EASYRSA_SUBCA_LEN" ] && \
	print "basicConstraints = CA:TRUE, pathlen:$EASYRSA_SUBCA_LEN"

A basicConstraints line is appended to the generation of the temporary extensions file, overriding whatever line is currently in the ca x509-type file.

[TinCanTech]

A word to the wise;
this, particular, rabbit hole
is a lot deeper
than you realise.

[TinCanTech]

Ref:

• e80c229
• bce4dad

The problem appears to be:

easy-rsa/easyrsa3/easyrsa

Lines 1342 to 1348 in d99bef6

	# Insert x509-types COMMON and 'ca' and EASYRSA_EXTRA_EXTS, if defined.
	# shellcheck disable=SC2016 # vars don't expand in single quote
	awkscript='
	{if ( match($0, "^#%CA_X509_TYPES_EXTRA_EXTS%") )
	{ while ( getline<"/dev/stdin" ) {print} next }
	{print}
	}'

The string #%CA_X509_TYPES_EXTRA_EXTS% is not present in openssl-easyrsa.cnf

[dekeonus]

I'm talking about signing a SUB CA:

cd rootCA
easyrsa import-req path/to/subCA/pki/reqs/ca.req subCA

easyrsa --subca-len="1" sign-req ca subCA

[dekeonus]

Your changes for build_ca() work admirably - they do exactly what I want.

I wanted the sign-req ca to also keep the critical flag if present.
With my PR the temp extension file will look like:
tmp_dir_foo/temp.21ca37bb

# X509 extensions added to every signed cert

# This file is included for every cert signed, and by default does nothing.
# It could be used to add values every cert should have, such as a CDP as
# demonstrated in the following example:

crlDistributionPoints = URI:http://example.net/pki/git_rootCA.crl

# The authority information access extension gives details about how to access
# certain information relating to the CA.

authorityInfoAccess = caIssuers;URI:http://example.net/pki/git_rootCA.crt
# X509 extensions for a ca

# Note that basicConstraints will be overridden by Easy-RSA when defining a
# CA_PATH_LEN for CA path length limits. You could also do this here
# manually as in the following example in place of the existing line:
#
# basicConstraints = CA:TRUE, pathlen:1

basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage = cRLSign, keyCertSign
basicConstraints = critical, CA:TRUE, pathlen:1

[TinCanTech]

I had an old openssl-easyrsa.cnf installed.

[dekeonus]

I keep doing the same, and then remembering after looking at the rootCA cert.

[dekeonus]

My issue here is easyrsa is pulling the distro installed data files (3.0.8 in /usr/share). My testing with git-master isn't installed per-se, just staged.

However this is an issue that might need further thought: existing Easy RSA CAs will have an old openssl-easyrsa.cnf in pki/ I wonder if an easyrsa version should be placed into that file and tested?

[TinCanTech]

Agreed, I am drafting a PR and will create an issue soon.