Require unique random serial number for certificate or fail

Squashed commit of the following:

commit 7bdc3cdfbf4ac11dc5ff6377b1b32306fc50bc66
Merge: 320a324 7fa4ec9
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Nov 10 19:41:31 2022 +0000

    Merge branch 'fix-random-cert-serial' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-fix-random-cert-serial

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 7fa4ec9e3155f8b54648226397ef73f9086779d1
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Nov 10 19:27:37 2022 +0000

    Require unique random serial number for certificate or fail

    This only affects random certificate serial numbers: EASYRSA_RAND_SN
    (EASYRSA_RAND_SN is the Easy-RSA default mode)

    Previously, whether or not a _unique_ random serial number was generated,
    sign_req() would always use the last random number generated as the serial
    number for the new certificate.

    This behaviour also allowed _complete failure_ of the SSL serial number
    check to pass without error.

    This change allows signing a request to succeed ONLY when a unique serial
    number has been generated and validated.

    A failure of the SSL CA unique serial number check will NOT be ignored.

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Richard T Bonhomme 2022-11-10 20:41:55 +00:00
parent 320a324965
commit 00e93d0abd
GPG Key ID: 2D767DB92FB6C246

@ -1637,6 +1637,7 @@ sign_req() {
i=""
serial=""
check_serial=""
unset -v unique_serial
for i in 1 2 3 4 5; do
serial="$(
easyrsa_random 16
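Review bot: style point on the new `unset -v unique_serial` line: the three variables initialised just above it (`i=""`, `serial=""`, `check_serial=""`) are reset by empty assignment, so `unique_serial=""` would read more consistently and still makes the later `[ "$unique_serial" ]` test false on the first pass. Either form is correct; the point is only that a reader scanning the block sees two different reset idioms side by side.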
@ -1645,17 +1646,23 @@ sign_req() {
# Print random $serial to pki/serial file for use by SSL config
print "$serial" > "$EASYRSA_PKI/serial" || die "sign_req - serial"
# Calls LibreSSL directly with a broken config and still works
# Check for duplicate serial in CA db
check_serial="$(
"$EASYRSA_OPENSSL" ca -config "$EASYRSA_SSL_CONF" \
-status "$serial" 2>&1
)"
easyrsa_openssl ca -status "$serial" 2>&1
)" # Always errors out - Do not capture error
case "$check_serial" in
*"not present in db"*) break ;;
*) continue
*"not present in db"*)
unique_serial=1
break
esac
done
# Check for unique_serial
[ "$unique_serial" ] || die "\
sign_req - Randomize Serial number failed:
$check_serial"
fi
verify_ca_init
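Review bot: the comment `# Always errors out - Do not capture error` on the closing `)"` line contradicts the `2>&1` on the `easyrsa_openssl ca -status "$serial"` call, which does capture stderr into `check_serial`; that captured text is exactly what the `case` then matches against and what the new `die` prints. Suggest rewording it to say what is meant, e.g. `# openssl ca -status exits non-zero either way, so match its output text rather than its exit status`. On the logic: since the loop now only sets `unique_serial=1` on a `not present in db` match, the `die` fires both when five candidates collided and when `openssl ca -status` failed for an unrelated reason (bad config, missing index), and the message `sign_req - Randomize Serial number failed:` does not distinguish the two; including `$serial` alongside `$check_serial` in the message would make that failure easier to diagnose.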