
SSL config ENV-VARS for KDC-Realm are not expanded for safe SSL config #673

Closed
TinCanTech opened this issue Aug 30, 2022 · 11 comments

@TinCanTech
Collaborator

TinCanTech commented Aug 30, 2022

${ENV::EASYRSA_KDC_REALM} is used in x509-types/kdc but is not expanded by easyrsa_openssl(). This is true of all versions, as far as I can ascertain.

Original PR #322 does not appear to cover this either.

@TinCanTech
Collaborator Author

Linking: OpenVPN/easyrsa-unit-tests#35

@TinCanTech
Collaborator Author

TinCanTech commented Aug 30, 2022

https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/x509-types/kdc

The only x509-type which requires expansion.

It may be better to deprecate kdc as a supported x509-type.
This is a niche feature, which technically does not work correctly in Easy-RSA.

@TinCanTech
Collaborator Author

TinCanTech commented Aug 30, 2022

Let us see how social github is:

@TinCanTech
Collaborator Author

Linking #596

@TinCanTech
Collaborator Author

FTR:

  • kdc format: ${ENV::EASYRSA_KDC_REALM}
  • easyrsa format: $ENV::EASYRSA_REQ_CITY

@TinCanTech
Collaborator Author

TinCanTech commented Sep 8, 2022

I believe that EasyRSA should remove x509-types/kdc.

Unofficially deprecate x509-types/kdc.

@TinCanTech TinCanTech removed this from the v3.2.x - Future possibilities milestone Sep 8, 2022
@TinCanTech TinCanTech self-assigned this Sep 8, 2022
@TinCanTech TinCanTech added this to the v3.1.1 - Release milestone Sep 8, 2022
@TinCanTech
Collaborator Author

TinCanTech commented Sep 8, 2022

If there is no community support for this then it will be removed before the official Release of version 3.1.1

Last chance ..

TinCanTech added a commit to TinCanTech/easy-rsa that referenced this issue Sep 22, 2022
Closes: OpenVPN#630

Note: 'kdc' is not a supported X509 type OpenVPN#673

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Collaborator Author

Using LibreSSL to build a kdc X509 type:

tct@home:~/git/easy-rsa/test/installed/test D$ EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.5.3/apps/openssl/openssl easyrsa init-pki

WARNING!!!

You are about to remove the EASYRSA_PKI at:
* /home/tct/git/easy-rsa/test/installed/test D/pki

and initialize a fresh PKI here.

Type the word 'yes' to continue, or any other input to abort.
  Confirm removal: yes


Notice
------
'init-pki' complete; you may now create a CA or requests.

Your newly created PKI dir is:
* /home/tct/git/easy-rsa/test/installed/test D/pki

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/pki/vars

* IMPORTANT: Easy-RSA 'vars' template file has been created in your new PKI.
             Edit this 'vars' file to customise the settings for your PKI.

* Using x509-types directory: /usr/local/share/easy-rsa/x509-types

tct@home:~/git/easy-rsa/test/installed/test D$ EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.5.3/apps/openssl/openssl easyrsa build-ca nopass
* Using SSL: /home/tct/libressl/libressl-3.5.3/apps/openssl/openssl LibreSSL 3.5.3

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/pki/vars

.............................................+++++
................+++++
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [Easy-RSA CA]:

Notice
------
CA creation complete and you may now import and sign cert requests.
Your new CA certificate file for publishing is at:
/home/tct/git/easy-rsa/test/installed/test D/pki/ca.crt

tct@home:~/git/easy-rsa/test/installed/test D$ EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.5.3/apps/openssl/openssl easyrsa gen-req kdc nopass
* Using SSL: /home/tct/libressl/libressl-3.5.3/apps/openssl/openssl LibreSSL 3.5.3

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/pki/vars

Generating a 2048 bit RSA private key
........................................+++++
...............+++++
writing new private key to '/home/tct/git/easy-rsa/test/installed/test D/pki/0f32750c/temp.7cb88861'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg: your user, host, or server name) [kdc]:

Notice
------
Keypair and certificate request completed. Your files are:
req: /home/tct/git/easy-rsa/test/installed/test D/pki/reqs/kdc.req
key: /home/tct/git/easy-rsa/test/installed/test D/pki/private/kdc.key

tct@home:~/git/easy-rsa/test/installed/test D$ EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.5.3/apps/openssl/openssl easyrsa sign-req kdc kdc 
* Using SSL: /home/tct/libressl/libressl-3.5.3/apps/openssl/openssl LibreSSL 3.5.3

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/pki/vars


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a kdc certificate for 825 days:

subject=
    commonName                = kdc


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

Using configuration from /home/tct/git/easy-rsa/test/installed/test D/pki/217f3d33/temp.9944a5e7
ERROR: on line 24 of config file '/home/tct/git/easy-rsa/test/installed/test D/pki/217f3d33/temp.02b72db9'
139633620413312:error:0EFFF06C:configuration file routines:CRYPTO_internal:no value:conf/conf_lib.c:322:group= name=unique_subject
139633620413312:error:0EFFF068:configuration file routines:CRYPTO_internal:variable has no value:conf/conf_def.c:566:line 24

Easy-RSA error:

signing failed (openssl output above may have more detail)


EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     LibreSSL 3.5.3
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: dev | nix | Linux | /bin/bash | LibreSSL 3.5.3

@TinCanTech TinCanTech added the Applicable to v3.0.x PRs welcome label Nov 1, 2022
@TinCanTech TinCanTech removed this from the v3.1.3 - May be milestone Nov 1, 2022
@TinCanTech
Collaborator Author

TinCanTech commented Nov 16, 2022

The root cause of this problem:
No x509-types/* files are expanded for use by LibreSSL.
The x509-types template in use is not fed to SSL via -config, it is fed via -extfile, none of which are expanded.
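The missing step described in the comment above (expansion of the `$ENV::NAME` / `${ENV::NAME}` references before the template reaches openssl via -extfile), as an added example that is not part of this issue thread and not Easy-RSA's own code. It is plain POSIX sh plus awk, so it runs without openssl; the function names `expand_env_refs`, `has_unexpanded_refs` and `render_extfile` are hypothetical, and the sample template at the bottom is constructed for the demo rather than the real x509-types/kdc file.

```shell
#!/bin/sh
# Added example, not Easy-RSA's own code: pre-expand OpenSSL-style
# environment references in an x509-types template before the file is
# handed to openssl with -extfile (where, per this issue, no expansion
# happens). Function and variable names here are hypothetical.

# expand_env_refs: stdin = template text, stdout = expanded text.
# Handles both spellings that appear in this issue:
#   ${ENV::EASYRSA_KDC_REALM}   (x509-types/kdc)
#   $ENV::EASYRSA_REQ_CITY      (easyrsa vars style)
# Exits with status 2 if a referenced variable is not set in the
# environment, so a missing realm fails closed instead of producing a
# certificate that carries an empty or literal '${ENV::...}' value.
expand_env_refs() {
    awk '
    {
        line = $0; out = ""
        while (match(line, /[$][{]ENV::[A-Za-z_][A-Za-z0-9_]*[}]|[$]ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr(line, RSTART, RLENGTH)
            sub(/^[$][{]?ENV::/, "", name)  # drop "${ENV::" or "$ENV::"
            sub(/[}]$/, "", name)           # drop the closing brace, if braced
            if (!(name in ENVIRON)) {
                printf "expand_env_refs: %s is referenced but not set\n", name > "/dev/stderr"
                exit 2
            }
            out = out substr(line, 1, RSTART - 1) ENVIRON[name]
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# has_unexpanded_refs FILE: true (0) if any "ENV::" text survives in FILE.
# Run it on the file you are about to pass as -extfile: anything left would
# either abort signing or be copied verbatim into the certificate.
has_unexpanded_refs() {
    grep -q 'ENV::' "$1"
}

# render_extfile TEMPLATE OUTFILE: expand TEMPLATE into OUTFILE and refuse
# to hand over a file that still contains references the expander did not
# recognise (e.g. a malformed "${ENV::}").
render_extfile() {
    expand_env_refs < "$1" > "$2" || return 2
    if has_unexpanded_refs "$2"; then
        echo "render_extfile: $2 still contains ENV:: references" >&2
        return 3
    fi
    return 0
}

# Stand-alone demo on a constructed template (not the real x509-types/kdc).
demo_template=$(mktemp) && demo_out=$(mktemp) || exit 1
printf '%s\n' \
    '# constructed sample template' \
    'realm = ${ENV::EASYRSA_KDC_REALM}' \
    'L = $ENV::EASYRSA_REQ_CITY' > "$demo_template"
( export EASYRSA_KDC_REALM=EXAMPLE.TEST EASYRSA_REQ_CITY=wiscii
  render_extfile "$demo_template" "$demo_out" ) && cat "$demo_out"
rm -f "$demo_template" "$demo_out"
```

The point of the second check is defensive: the expander only rewrites well-formed references, so grepping the rendered file for any remaining `ENV::` catches typos in the template (and a template that was never meant to be expanded) before openssl turns them into either a hard error or a literal string inside the signed certificate.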

@TinCanTech
Collaborator Author

This is no longer valid because it is not the unexpanded variables in "safe SSL config" at fault.

Follow-ups: #767

@TinCanTech
Collaborator Author

Last comment.

A kdc certificate, spot the implementation mistakes:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            78:a2:e4:bf:38:11:56:b7:af:2a:20:74:fd:6a:89:e3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=00, ST=home, L=wiscii, O=tct, OU=tct @ $&$, CN=Easy-RSA CA/[email protected]
        Validity
            Not Before: Nov 16 20:38:07 2022 GMT
            Not After : Feb 18 20:38:07 2025 GMT
        Subject: C=00, ST=home, L=wiscii, O=tct, OU=tct @ $&$, CN=kdc/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b9:32:3d:5d:cd:68:a2:71:1d:ef:0a:23:92:01:
                    f4:a8:c9:e6:bf:43:ec:e8:f2:f6:c4:1a:9e:af:ee:
                    7c:af:66:e9:2e:fc:dd:0f:74:81:ec:6e:3f:13:4e:
                    7e:db:de:0c:71:f1:3c:07:a3:b5:b0:44:e1:a9:60:
                    1f:6d:0d:64:fe:d8:ae:71:a3:e9:2d:65:a1:40:b8:
                    df:e6:9a:a8:fd:60:70:a1:e2:5e:31:cd:88:8d:f2:
                    ee:82:2a:5f:6b:c4:06:b0:e7:0d:89:7e:79:47:94:
                    ae:55:27:d0:e5:53:a8:57:a8:64:a9:f9:f2:a5:ff:
                    7d:c0:6e:ff:32:c9:7f:15:50:70:fc:cb:9e:9c:d0:
                    93:56:4c:28:fb:e1:cf:f5:b1:8a:6e:43:2c:4d:42:
                    35:c9:50:3a:a1:ef:64:2e:95:3b:e6:02:e8:e6:5d:
                    c6:94:bc:c8:ae:85:b5:78:e0:57:0f:f6:75:cd:64:
                    4a:18:bb:29:14:bb:d5:2f:d3:4e:37:3f:01:35:dd:
                    ec:44:0a:15:19:62:60:36:1c:0d:01:bb:09:76:54:
                    b4:75:80:b5:88:55:62:8e:94:33:70:47:34:bf:25:
                    05:11:4d:a3:3b:d5:04:29:83:2c:30:d0:27:f8:82:
                    72:3d:2e:10:0f:f4:3f:83:44:6f:6f:ac:7b:47:d3:
                    67:2b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                A8:DB:0B:09:AE:FA:88:C9:D1:C8:A4:BB:E1:0F:B4:67:57:E5:3B:88
            X509v3 Authority Key Identifier: 
                keyid:41:66:69:9D:97:9F:D3:1D:43:B7:4C:F1:3C:B3:96:3D:6C:A9:51:E3
                DirName:/C=00/ST=home/L=wiscii/O=tct/OU=tct @ $&$/CN=Easy-RSA CA/[email protected]
                serial:31:82:B3:0C:0A:29:2D:9B:07:43:F6:6C:0F:87:67:5B:B3:0B:D2:87

            X509v3 Extended Key Usage: 
                Signing KDC Response
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
            X509v3 Issuer Alternative Name: 
                <EMPTY>

            X509v3 Subject Alternative Name: 
                othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
         35:ab:4b:a7:95:47:5b:b6:da:1d:74:89:da:ee:40:42:41:2a:
         54:a4:04:41:fb:97:6b:ff:f0:8f:aa:16:60:f7:22:5b:b6:c1:
         f2:7b:ab:50:17:21:6d:ad:96:71:d9:52:16:71:c8:71:15:71:
         e5:6d:41:a6:91:83:c4:4c:10:f8:66:d3:50:2a:53:00:65:b2:
         8c:ec:38:f4:57:bd:f3:ca:fb:72:27:21:db:a3:3d:a4:d4:20:
         5f:f2:99:8a:b1:2f:2f:1e:f2:22:e1:60:14:d0:fb:b3:37:0b:
         45:78:c5:0a:bf:35:e4:44:8b:a6:3f:67:ce:2b:6e:13:c9:67:
         67:2e:1f:d1:b5:99:0b:75:80:a1:d8:e4:95:05:6c:a0:84:2c:
         95:70:1c:e8:76:23:e2:3c:46:d0:4d:fa:b9:9b:e9:75:16:8b:
         21:16:a4:1f:ab:33:1a:91:21:66:f3:85:d0:5f:5b:9b:6f:2b:
         ef:be:dd:3a:00:46:1f:1d:25:d6:c5:d5:48:87:71:64:9c:f1:
         4a:ad:41:87:43:69:0b:eb:1b:7d:52:d3:72:65:cf:38:0e:1a:
         f7:21:52:41:a2:4e:6a:44:6d:8a:40:0b:91:d6:23:e1:aa:f0:
         00:6c:5f:ec:df:0e:6d:33:df:36:12:0c:66:7a:f4:57:84:7f:
         bb:28:06:f4
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
