From 0765921676cc2007c02816924be9006b37202f02 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 29 Apr 2022 20:23:06 +0100
Subject: [PATCH] Add 'verify' - SSL Verify certificate against CA

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index cd24375..fb7e746 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -43,6 +43,7 @@ Here is the list of commands available with a short syntax reminder. Use the
   show-cert [ cmd-opts ]
   show-ca [ cmd-opts ]
   show-crl
+  verify
   import-req
   export-p1 [ cmd-opts ]
   export-p7 [ cmd-opts ]
@@ -168,6 +169,9 @@ cmd_help() {
       Shows details of the current certificate revocation list (CRL)
       Human-readable output is shown." ;;
+	verify) text="
+  verify
+      Verify certificate against CA" ;;
 	import-req) text="
   import-req
       Import a certificate request from a file
@@ -2255,6 +2259,39 @@ default_server_san() {
 	fi
 } # => default_server_san()
 
+# Verify certificate against CA
+verify_cert() {
+	# pull filename base:
+	[ "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+
+	verify_ca_init
+
+	# Assign file_name_base and dust off!
+	file_name_base="$1"
+	shift
+
+	in_dir="$EASYRSA_PKI"
+	ca_crt="$in_dir/ca.crt"
+	crt_in="$in_dir/issued/$file_name_base.crt"
+
+	# Test and show SSL out
+	if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then
+		[ "$EASYRSA_SILENT" ] || print # Separate Notice below
+		notice "\
+  Certificate name: $file_name_base
+  Verfication status: GOOD"
+		exit 0
+	fi
+
+	[ "$EASYRSA_SILENT" ] || print # Separate Notice below
+	warn "\
+  Certificate name: $file_name_base
+  Verfication status: FAILED"
+	exit 1
+} # => verify_cert()
+
 # verify a file seems to be a valid req/X509
 verify_file() {
 	format="$1"
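Review bot: `easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"` in verify_cert reports a revoked certificate as GOOD, because no CRL is passed and `-crl_check` is not set; for a PKI tool a "verify" verdict that silently ignores revocation is misleading unless the help text says so. If the PKI has a CRL (gen-crl writes one under $EASYRSA_PKI, crl.pem if I recall the layout correctly), pass it with `-crl_check -CRLfile`, and otherwise state in the output that revocation was not checked. In the same function `crt_in` is used without an existence test, so a mistyped or never-issued name also lands in the FAILED branch with an OpenSSL file error rather than a clear "no such certificate" message; an `[ -f "$crt_in" ] || die` before the call, in the style of the `[ "$1" ] || die` already there, separates the two cases. The user-facing strings in both branches misspell "Verification" as `Verfication`. verify_cert begins and ends inside this hunk.
```shell
	in_dir="$EASYRSA_PKI"
	ca_crt="$in_dir/ca.crt"
	crl_in="$in_dir/crl.pem"
	crt_in="$in_dir/issued/$file_name_base.crt"

	[ -f "$ca_crt" ] || die "Error: CA certificate not found: $ca_crt"
	[ -f "$crt_in" ] || die "Error: certificate not found: $crt_in"

	# Check revocation too when a CRL has been generated; without it,
	# openssl verify accepts a revoked certificate as valid.
	# (positional parameters are free here: the only one was shifted off above)
	set -- -CAfile "$ca_crt"
	if [ -f "$crl_in" ]; then
		set -- "$@" -crl_check -CRLfile "$crl_in"
	else
		notice "No CRL found at $crl_in, revocation status not checked"
	fi

	# Test and show SSL out
	if easyrsa_openssl verify "$@" "$crt_in"; then
	# … unchanged: GOOD / FAILED notices (spell "Verification") …
```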
@@ -3513,6 +3550,9 @@ case "$cmd" in
 	show-ca)
 		show_ca "$@"
 		;;
+	verify)
+		verify_cert "$@"
+		;;
 	upgrade)
 		up23_manage_upgrade_23 "$@"
 		;;