openvpn-easy-rsa: update to 3.0.1

easy-rsa v3 is now a single script. It expects a 'vars'
configuration file which path can be set using easy-rsa
options, environment variables or just looking in the
current directory.

The default usage would be:

 # cd /etc/easy-rsa
 # easy-rsa COMMAND [command-options]

Following upstream changes, /etc/easy-rsa/pki replaces
/etc/easy-rsa/keys directory.

The default /etc/easy-rsa/pki dir is marked to be kept during
upgrade (WARN: priv keys are saved in the system backup)
/etc/easy-rsa/openssl.1.0.cnf is now marked as config file while
index and serial got removed.

Signed-off-by: Luiz Angelo Daros de Luca <[email protected]>

package/network/services/openvpn-easy-rsa/Makefile

@@ -9,19 +9,18 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn-easy-rsa
 
-PKG_RELEASE=2
-
-PKG_SOURCE_PROTO:=git
-PKG_SOURCE_URL:=https://github.com/OpenVPN/easy-rsa.git
-PKG_SOURCE_DATE:=2013-01-30
-PKG_SOURCE_VERSION:=ff5bfd1dd8e548cb24d302742af3894f893ef92f
-PKG_MIRROR_HASH:=c87704b3906a0c14f51c6677151a9389f698523c7ec07f7c75489ca31786f128
+PKG_VERSION:=3.0.1
+PKG_RELEASE:=1
+PKG_SOURCE_URL:=https://github.com/OpenVPN/easy-rsa/releases/download/$(PKG_VERSION)/
+PKG_SOURCE:=EasyRSA-$(PKG_VERSION).tgz
+PKG_HASH:=dbdaf5b9444b99e0c5221fd4bcf15384c62380c1b63cea23d42239414d7b2d4e
 PKG_LICENSE:=GPL-2.0
+PKG_BUILD_DIR:=$(BUILD_DIR)/EasyRSA-$(PKG_VERSION)
 
 include $(INCLUDE_DIR)/package.mk
 
 define Package/openvpn-easy-rsa
-  TITLE:=Simple shell scripts to manage a Certificate Authority
+  TITLE:=CLI utility to build and manage a PKI CA.
   SECTION:=net
   CATEGORY:=Network
   URL:=http://openvpn.net
@@ -30,9 +29,8 @@ define Package/openvpn-easy-rsa
 endef
 
 define Package/openvpn-easy-rsa/conffiles
-/etc/easy-rsa/keys/serial
-/etc/easy-rsa/keys/index.txt
 /etc/easy-rsa/vars
+/etc/easy-rsa/openssl-1.0.cnf
 endef
 
 define Build/Configure
@@ -45,13 +43,24 @@ endef
 
 define Package/openvpn-easy-rsa/install
 	$(INSTALL_DIR) $(1)/usr/sbin
-	$(CP) $(PKG_BUILD_DIR)/easy-rsa/2.0/{build-*,clean-all,inherit-inter,list-crl,pkitool,revoke-full,sign-req,whichopensslcnf} $(1)/usr/sbin/
+
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/easyrsa $(1)/usr/sbin/
 	$(INSTALL_DIR) $(1)/etc/easy-rsa
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/openssl-1.0.0.cnf $(1)/etc/easy-rsa/openssl-1.0.0.cnf
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/easy-rsa/2.0/vars $(1)/etc/easy-rsa/vars
-	$(INSTALL_DIR) $(1)/etc/easy-rsa/keys
-	$(INSTALL_DATA) files/easy-rsa.index $(1)/etc/easy-rsa/keys/index.txt
-	$(INSTALL_DATA) files/easy-rsa.serial $(1)/etc/easy-rsa/keys/serial
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/openssl-1.0.cnf $(1)/etc/easy-rsa/openssl-1.0.cnf
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/vars.example $(1)/etc/easy-rsa/vars
+
+	$(INSTALL_DIR) $(1)/etc/easy-rsa/pki
+	chmod 700 $(1)/etc/easy-rsa/pki
+	$(INSTALL_DIR) $(1)/etc/easy-rsa/pki/private
+	chmod 700 $(1)/etc/easy-rsa/pki/private
+	$(INSTALL_DIR) $(1)/etc/easy-rsa/pki/reqs
+	chmod 700 $(1)/etc/easy-rsa/pki/reqs
+
+	$(INSTALL_DIR) $(1)/etc/easy-rsa/x509-types
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/x509-types/* $(1)/etc/easy-rsa/x509-types/
+
+	$(INSTALL_DIR) $(1)/lib/upgrade/keep.d
+	$(INSTALL_DATA) files/openvpn-easy-rsa.upgrade $(1)/lib/upgrade/keep.d/$(PKG_NAME)
 endef
 
 $(eval $(call BuildPackage,openvpn-easy-rsa))

package/network/services/openvpn-easy-rsa/files/easy-rsa.serial

@@ -1 +0,0 @@
-01

package/network/services/openvpn-easy-rsa/files/openvpn-easy-rsa.upgrade

@@ -0,0 +1 @@
+/etc/easy-rsa/pki/

package/network/services/openvpn-easy-rsa/patches/100-run-ootb.patch

@@ -1,152 +0,0 @@
---- a/easy-rsa/2.0/build-ca
-+++ b/easy-rsa/2.0/build-ca
-@@ -5,4 +5,4 @@
- #
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --initca $*
-+"/usr/sbin/pkitool" --interact --initca $*
---- a/easy-rsa/2.0/build-dh
-+++ b/easy-rsa/2.0/build-dh
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- # Build Diffie-Hellman parameters for the server side
- # of an SSL/TLS connection.
- 
---- a/easy-rsa/2.0/build-inter
-+++ b/easy-rsa/2.0/build-inter
-@@ -4,4 +4,4 @@
- # root certificate.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --inter $*
-+"/usr/sbin/pkitool" --interact --inter $*
---- a/easy-rsa/2.0/build-key
-+++ b/easy-rsa/2.0/build-key
-@@ -4,4 +4,4 @@
- # root certificate.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact $*
-+"/usr/sbin/pkitool" --interact $*
---- a/easy-rsa/2.0/build-key-pass
-+++ b/easy-rsa/2.0/build-key-pass
-@@ -4,4 +4,4 @@
- # with a password.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --pass $*
-+"/usr/sbin/pkitool" --interact --pass $*
---- a/easy-rsa/2.0/build-key-pkcs12
-+++ b/easy-rsa/2.0/build-key-pkcs12
-@@ -5,4 +5,4 @@
- # the CA certificate as well.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --pkcs12 $*
-+"/usr/sbin/pkitool" --interact --pkcs12 $*
---- a/easy-rsa/2.0/build-key-server
-+++ b/easy-rsa/2.0/build-key-server
-@@ -7,4 +7,4 @@
- # extension in the openssl.cnf file.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --server $*
-+"/usr/sbin/pkitool" --interact --server $*
---- a/easy-rsa/2.0/build-req
-+++ b/easy-rsa/2.0/build-req
-@@ -4,4 +4,4 @@
- # when your root certificate and key is not available locally.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --csr $*
-+"/usr/sbin/pkitool" --interact --csr $*
---- a/easy-rsa/2.0/build-req-pass
-+++ b/easy-rsa/2.0/build-req-pass
-@@ -4,4 +4,4 @@
- # with a password.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --csr --pass $*
-+"/usr/sbin/pkitool" --interact --csr --pass $*
---- a/easy-rsa/2.0/clean-all
-+++ b/easy-rsa/2.0/clean-all
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- # Initialize the $KEY_DIR directory.
- # Note that this script does a
- # rm -rf on $KEY_DIR so be careful!
---- a/easy-rsa/2.0/inherit-inter
-+++ b/easy-rsa/2.0/inherit-inter
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- # Build a new PKI which is rooted on an intermediate certificate generated
- # by ./build-inter or ./pkitool --inter from a parent PKI.  The new PKI should
- # have independent vars settings, and must use a different KEY_DIR directory
---- a/easy-rsa/2.0/list-crl
-+++ b/easy-rsa/2.0/list-crl
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- # list revoked certificates
- 
- CRL="${1:-crl.pem}"
---- a/easy-rsa/2.0/pkitool
-+++ b/easy-rsa/2.0/pkitool
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- #  OpenVPN -- An application to securely tunnel IP networks
- #             over a single TCP/UDP port, with support for SSL/TLS-based
- #             session authentication and key exchange,
---- a/easy-rsa/2.0/revoke-full
-+++ b/easy-rsa/2.0/revoke-full
-@@ -1,5 +1,7 @@
- #!/bin/sh
- 
-+. /etc/easy-rsa/vars
-+
- # revoke a certificate, regenerate CRL,
- # and verify revocation
- 
---- a/easy-rsa/2.0/sign-req
-+++ b/easy-rsa/2.0/sign-req
-@@ -4,4 +4,4 @@
- # with a local root certificate and key.
- 
- export EASY_RSA="${EASY_RSA:-.}"
--"$EASY_RSA/pkitool" --interact --sign $*
-+"/usr/sbin/pkitool" --interact --sign $*
---- a/easy-rsa/2.0/vars
-+++ b/easy-rsa/2.0/vars
-@@ -12,7 +12,7 @@
- # This variable should point to
- # the top level of the easy-rsa
- # tree.
--export EASY_RSA="`pwd`"
-+export EASY_RSA="/etc/easy-rsa"
- 
- #
- # This variable should point to
-@@ -26,7 +26,7 @@
- # This variable should point to
- # the openssl.cnf file included
- # with easy-rsa.
--export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
-+export KEY_CONFIG=`/usr/sbin/whichopensslcnf $EASY_RSA`
- 
- # Edit this variable to point to
- # your soon-to-be-created key