Merge branch 'TinCanTech-expose-sign-req-serial-check'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-07-13 17:08:17 +01:00 · 2023-07-13 17:08:17 +01:00 · 1d9370c00e
commit 1d9370c00e
parent 1ebf4a2f9c a0ea8ac5c1
2 changed files with 83 additions and 24 deletions
--- a/2
+++ b/2
@ -1,6 +1,8 @@
 Easy-RSA 3 ChangeLog

 3.1.6 (2023-10-13)
+   * Expose serial-check, display-dn, display-san and default-san to
+     command line. (#980) (Debugging functions, which remain undocumented)
   * Expand default status to include vars-file and CA status (#973)
   * sign-req: Allow the CSR DN-field order to be preserved (#970)

--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -868,6 +868,7 @@ Temporary session not preserved."
 	# Exit: Known errors
 	# -> confirm(): aborted
 	# -> verify_cert(): verify failed --batch mode
+	# -> check_serial_unique(): not unique --batch mode
 	if [ "$easyrsa_exit_with_error" ]; then
 		verbose "Exit: Known errors = true"
 		exit 1
@ -2395,32 +2396,21 @@ The certificate request file is not in a valid X509 format:
 	if [ "$EASYRSA_RAND_SN" != "no" ]; then
 		serial=""
 		check_serial=""
-		unset -v unique_serial
+		unset -v serial_is_unique
 		for i in 1 2 3 4 5; do
 			serial="$(
 				easyrsa_random 16
 				)" || die "sign_req - easyrsa_random"

 			# Check for duplicate serial in CA db
-			# Always errors out - Do not capture error
-			# unset EASYRSA_SILENT_SSL to capure all output
-			check_serial="$(
-				unset -v EASYRSA_SILENT_SSL
-				easyrsa_openssl ca -status "$serial" 2>&1
-				)" || :
-
-			case "$check_serial" in
-				*"not present in db"*)
-					unique_serial=1
-					break
-				;;
-				*)
-					verbose "check_serial: $check_serial"
-			esac
+			if check_serial_unique "$serial" batch; then
+				serial_is_unique=1
+				break
+			fi
 		done

 		# Check for unique_serial
-		[ "$unique_serial" ] || die "\
+		[ "$serial_is_unique" ] || die "\
 sign_req - Randomize Serial number failed:

 $check_serial"
@ -2659,6 +2649,56 @@ Certificate created at:
 	return 0
 } # => sign_req()

+# Check serial in db
+check_serial_unique() {
+	serial="$1"
+	[ "$serial" ] || user_error "Serial number required!"
+
+	[ "$2" = batch ] && internal_batch=1
+
+	unset -v unique_serial
+
+	# Check for openssl -status of serial number
+	# Always errors out - Do not capture error
+	# unset EASYRSA_SILENT_SSL to capure all output
+	check_serial="$(
+		unset -v EASYRSA_SILENT_SSL
+		easyrsa_openssl ca -status "$serial" 2>&1
+		)" || :
+
+	# Check for duplicate serial in CA db
+	case "$check_serial" in
+		(*"not present in db"*)
+			unique_serial=1
+			verbose "check_serial_unique: unique_serial=true"
+		;;
+		*)
+			: # Some other response
+			verbose "check_serial_unique: unique_serial=false"
+	esac
+
+	# In batch mode return result only
+	if [ "$internal_batch" ] || [ "$EASYRSA_BATCH" ]
+	then
+		if [ "$unique_serial" ]; then
+			return 0
+		else
+			return 1
+		fi
+	fi
+
+	# Otherwise, show result to user
+	# and do not return any error code
+	print "
+check_serial_status RESULT:
+========================================
+
+$check_serial
+
+========================================
+COMPLETE"
+} # => check_serial_unique()
+
 # common build backend
 # used to generate+sign in 1 step
 build_full() {
@ -6545,7 +6585,7 @@ unset -v \
 	working_safe_ssl_conf \
 	user_san_true \
 	alias_days \
-	do_build_full \
+	do_build_full internal_batch \
 	found_vars no_new_vars user_vars_true

 	# Used by build-ca->cleanup to restore prompt
@ -6896,12 +6936,6 @@ case "$cmd" in
 	show-ca)
 		show_ca "$@"
 		;;
-	verify|verify-cert)
-		# Called with --batch, this will return error
-		# when the certificate fails verification.
-		# Therefore, on error, go directly to cleanup.
-		verify_cert "$@" || cleanup
-		;;
 	show-expire)
 		[ -z "$alias_days" ] || \
 			export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days"
@ -6919,6 +6953,29 @@ case "$cmd" in
 	make-safe-ssl)
 		make_safe_ssl "$@"
 		;;
+	verify|verify-cert)
+		# Called with --batch, this will return error
+		# when the certificate fails verification.
+		# Therefore, on error, exit with error.
+		verify_cert "$@" || \
+			easyrsa_exit_with_error=1
+		;;
+	serial|check-serial)
+		# Called with --batch, this will return error
+		# when the serial number is not unique.
+		# Therefore, on error, exit with error.
+		check_serial_unique "$@" || \
+			easyrsa_exit_with_error=1
+		;;
+	display-dn)
+		display_dn "$@"
+		;;
+	display-san)
+		display_san "$@"
+		;;
+	default-san)
+		default_server_san "$@"
+		;;
 	upgrade)
 		up23_manage_upgrade_23 "$@"
 		;;