Merge branch 'replace-cert_dates' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-replace-cert_dates

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2022-06-08 15:16:38 +01:00 · 2022-06-08 15:16:38 +01:00 · 3342df6650
commit 3342df6650
parent 72b84c489d 9fda11d04f
1 changed files with 208 additions and 183 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -2415,137 +2415,6 @@ Serial number: $file_name_base
 To revoke use: 'revoke-renewed $crt_cn'"
 } # => rewind_renew()
 # Set certificate expire date, renew date and variables needed for fixdate
 cert_dates() {
 	die "DISABLED: cert_dates()"
 	if [ -e "$1" ]; then
 		# Required for renewal
 		# Call openssl directly, otherwise this is not debug compatible
 		crt_not_before="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -startdate 2>&1)" \
 			|| die "cert_dates - crt_not_before: $crt_not_before"
 		crt_not_before="${crt_not_before#*=}"
 		crt_not_after="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -enddate 2>&1)" \
 			|| die "cert_dates - crt_not_after: $crt_not_after"
 		crt_not_after="${crt_not_after#*=}"
 		shift
 	elif [ "$1" ]; then
 		# Required for status
 		crt_not_after="$1"
 	else
 		# Required for --fix-offset
 		# This is a fake date to satisfy the 'if expire_date_s' command test
 		crt_not_after="Jun 12 02:02:02 1999 GMT"
 	fi
 	# Set fixed dates for new certificate
 	case "$EASYRSA_FIX_OFFSET" in
 	'') : ;; # empty ok
 	*[!1234567890]*|0*) die "\
 Non-decimal value for EASYRSA_FIX_OFFSET: '$EASYRSA_FIX_OFFSET'"
 	;;
 	*)
 		# Check offset range
 		if [ 1 -gt "$EASYRSA_FIX_OFFSET" ] || [ 365 -lt "$EASYRSA_FIX_OFFSET" ]
 		then
 			die "Fixed off-set out of range [1-365 days]: $EASYRSA_FIX_OFFSET"
 		fi
 		# initialise fixed dates
 		unset -v start_fixdate end_fixdate
 		# Number of years from default (2 years) plus fixed offset
 		fix_days="$(( (EASYRSA_CERT_EXPIRE / 365) * 365 + EASYRSA_FIX_OFFSET ))"
 		# Current Year and seconds
 		this_year="$(date +%Y)" || die "cert_dates - this_year"
 		now_sec="$(date +%s)" || die "cert_dates - now_sec"
 	esac
 	# OS dependencies
 	case "$easyrsa_uname" in
 	"Darwin"|*"BSD")
 		now_sec="$(date -j +%s)"
 		expire_date="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after")"
 		expire_date_s="$(date -j -f '%b %d %T %Y %Z' "$crt_not_after" +%s)"
 		allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))"
 		if [ "$EASYRSA_FIX_OFFSET" ]; then
 			start_fix_sec="$(
 				date -j -f '%Y%m%d%H%M%S' "${this_year}0101000000" +%s
 				)"
 			end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))"
 			# Convert to date-stamps for SSL input
 			start_fixdate="$(date -j -r "$start_fix_sec" +%Y%m%d%H%M%SZ)"
 			end_fixdate="$(date -j -r "$end_fix_sec" +%Y%m%d%H%M%SZ)"
 		fi
 	;;
 	*)
 		# Linux and Windows (FTR: date.exe does not support format +%s as input)
 		if expire_date_s="$(date -d "$crt_not_after" +%s)"
 		then
 			# Note: date.exe is Year 2038 end 32bit
 			expire_date="$(date -d "$crt_not_after")"
 			allow_renew_date_s="$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)"
 			if [ "$EASYRSA_FIX_OFFSET" ]; then
 				# New Years Day, this year
 				New_Year_day="$(
 					date -d "${this_year}-01-01 00:00:00Z" '+%Y-%m-%d %H:%M:%SZ'
 					)"
 				# Convert to date-stamps for SSL input
 				start_fixdate="$(
 					date -d "$New_Year_day" +%Y%m%d%H%M%SZ
 					)"
 				end_fixdate="$(
 					date -d "$New_Year_day +${fix_days}days" +%Y%m%d%H%M%SZ
 					)"
 				end_fix_sec="$(
 					date -d "$New_Year_day +${fix_days}days" +%s
 					)"
 			fi
 		# Alpine Linux and busybox
 		elif expire_date_s="$(date -D "%b %e %H:%M:%S %Y" -d "$crt_not_after" +%s)"
 		then
 			expire_date="$(date -D "%b %e %H:%M:%S %Y" -d "$crt_not_after")"
 			allow_renew_date_s="$(( now_sec + EASYRSA_CERT_RENEW * 86400 ))"
 			if [ "$EASYRSA_FIX_OFFSET" ]; then
 				start_fix_sec="$(date -d "${this_year}01010000.00" +%s)"
 				end_fix_sec="$(( start_fix_sec + fix_days * 86400 ))"
 				# Convert to date-stamps for SSL input
 				start_fixdate="$(date -d @"$start_fix_sec" +%Y%m%d%H%M%SZ)"
 				end_fixdate="$(date -d @"$end_fix_sec" +%Y%m%d%H%M%SZ)"
 			fi
 		# Something else
 		else
 			die "Date failed"
 		fi
 	esac
 	# Do not generate an expired, fixed date certificate
 	if [ "$EASYRSA_FIX_OFFSET" ]; then
 		for date_stamp in "${now_sec}" "${end_fix_sec}"; do
 			case "${date_stamp}" in
 			''|*[!1234567890]*|0*)
 				die "Undefined: '$now_sec', '$end_fix_sec'"
 			;;
 			*)
 				[ "${#date_stamp}" -eq 10 ] \
 					|| die "Undefined: $now_sec, $end_fix_sec"
 			esac
 		done
 		[ "$now_sec" -lt "$end_fix_sec" ] || die "\
 The lifetime of the certificate will expire before the date today."
 		[ "$start_fixdate" ] || die "Undefined: start_fixdate"
 		[ "$end_fixdate" ] || die "Undefined: end_fixdate"
 		unset -v crt_not_after
 	fi
 } # => cert_dates()
 # gen-crl backend
 gen_crl() {
 	verify_ca_init
@ -3034,9 +2903,120 @@ OpenSSL failure to process the input"
 	[ "$EASYRSA_SILENT" ] || print # Separate certificate above
 } # => show_ca()
 # Convert certificate date to timestamp seconds since epoch
 cert_date_to_timestamp_s() {
 	in_date="$1"
 	# OS dependencies
 	# Linux and Windows (FTR: date.exe does not support format +%s as input)
 	# MacPorts GNU date
 	if timestamp_s="$(
 		date -d "$in_date" +%s \
 			2>/dev/null
 		)"
 	then return
 	# Darwin, BSD
 	elif timestamp_s="$(
 		date -j -f '%b %d %T %Y %Z' "$in_date" +%s \
 			2>/dev/null
 		)"
 	then return
 	# busybox
 	elif timestamp_s="$(
 		date -D "%b %e %H:%M:%S %Y" -d "$in_date" +%s \
 			2>/dev/null
 		)"
 	then return
 	# Something else
 	else
 		die "\
 cert_date_to_timestamp_s:
 'date' failed for 'in_date': $in_date"
 	fi
 } # => cert_date_to_timestamp_s()
 # Convert system date/time to X509 certificate style date/time (+)offset
 # TODO minus (-)offset
 offset_days_to_cert_date() {
 	offset="$1"
 	# OS dependencies
 	# Linux and Windows (FTR: date.exe does not support format +%s as input)
 	# MacPorts GNU date
 	if cert_type_date="$(
 		date -u -d "+${offset}days" "+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# Darwin, BSD
 	elif cert_type_date="$(
 		date -u -j -v "+${offset}days" "+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# busybox (Alpine)
 	elif cert_type_date="$(
 		date -u -d "@$(( $(date +%s) + offset * 86400 ))" \
 			"+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# Something else
 	else
 		: # ok
 		die "\
 ff_date_to_cert_date:
 'date' failed for 'offset': $offset"
 	fi
 } # => offset_days_to_cert_date()
 # Convert fixed format date to X509 certificate style date
 ff_date_to_cert_date() {
 	in_date="$1"
 	# OS dependencies
 	# Linux and Windows (FTR: date.exe does not support format +%s as input)
 	# MacPorts GNU date
 	if cert_type_date="$(
 		date -u -d "$in_date" "+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# Darwin, BSD
 	elif cert_type_date="$(
 		date -u -j -f '%y-%m-%d %TZ' "$in_date" "+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# busybox
 	elif cert_type_date="$(
 		date -u -D "%b %e %H:%M:%S %Y" -d "$in_date" "+%b %d %H:%M:%S %Y %Z" \
 			2>/dev/null
 		)"
 	then return
 	# Something else
 	else
 		die "\
 ff_date_to_cert_date:
 'date' failed for 'in_date': $in_date"
 	fi
 } # => ff_date_to_cert_date()
 # Fixed format date
 # Build a Windows date.exe compatible input field
-build_ff_date_string() {
+db_date_to_ff_date() {
 	unset -v ff_date
 	ff_date="$1"
 	[ "$ff_date" ] || die "ff_date: '$ff_date'"
@ -3056,6 +3036,28 @@ build_ff_date_string() {
 	ff_date="${yy}-${mm}-${dd} ${HH}:${MM}:${SS}${TZ}"
 } # => build_ff_date_string()
 # Get certificate start date
 ssl_cert_not_before_date() {
 	[ "$1" ] || die "ssl_cert_not_before_date - Invalid input"
 	unset -v ssl_out cert_not_before_date
 	ssl_out="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -startdate)" \
 		|| die "ssl_cert_not_before_date - ssl_out: $ssl_out"
 	# 'cert_not_before_date' is *not* used, at this time..
 	# disable #shellcheck disable=SC2034 # Prefer to keep the warning
 	cert_not_before_date="${ssl_out#*=}"
 	unset -v ssl_out
 } # => ssl_cert_not_before_date()
 # Get certificate end date
 ssl_cert_not_after_date() {
 	[ "$1" ] || die "ssl_cert_not_after_date - Invalid input"
 	unset -v ssl_out cert_not_after_date
 	ssl_out="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -enddate)" \
 		|| die "ssl_cert_not_after_date - ssl_out: $ssl_out"
 	cert_not_after_date="${ssl_out#*=}"
 	unset -v ssl_out
 } # => ssl_cert_not_after_date()
 # SC2295: (info): Expansions inside ${..} need to be quoted separately,
 # otherwise they match as patterns. (what-ever that means .. ;-)
 # Unfortunately, Windows sh.exe has an absolutely ridiculous bug.
@ -3075,7 +3077,8 @@ read_db() {
 			db_serial="${db_record%%${TCT}*}"
 			db_record="${db_record#*${TCT}}"
 			db_cn="${db_record#*/CN=}"; db_cn="${db_cn%%/*}"
-			crt_file="$EASYRSA_PKI/issued/$db_cn.crt"
+			cert_issued="$EASYRSA_PKI/issued/$db_cn.crt"
 			cert_renewed="$EASYRSA_PKI/renewed/issued/$db_cn.crt"
 		;;
 		R)	# Revoked
 			db_revoke_date="${db_record%%${TCT}*}"
@ -3128,76 +3131,86 @@ read_db() {
 # Expire status
 expire_status() {
-	crt_file="$EASYRSA_PKI/issued/$db_cn.crt"
+	if [ -e "$cert_issued" ]; then
-	if [ -e "$crt_file" ]; then
+
-		# Use cert date
+		# get the serial number of the certificate
-		cert_dates "$crt_file"
+		cert_serial="$(easyrsa_openssl x509 -in "$cert_issued" -noout -serial)"
 		cert_serial="${cert_serial##*=}"
 		# db serial must match certificate serial, otherwise this
 		# should be a renewed cert, which index.txt cannot differentiate
 		[ "$db_serial" = "$cert_serial" ] || return 0
 		#cert_source=issued
 		ssl_cert_not_after_date "$cert_issued" # Assigns cert_not_after_date
 	else
 		# Translate db date to usable date
-		build_ff_date_string "$db_notAfter"
+		#cert_source=database
-		db_notAfter="$ff_date"
+		db_date_to_ff_date "$db_notAfter" # Assigns ff_date
 		ff_date_to_cert_date "$ff_date" # Assigns cert_type_date
 		# Use db translated date
-		cert_dates "$db_notAfter"
+		cert_not_after_date="$cert_type_date"
 	fi
-	if [ "$expire_date_s" -lt "$allow_renew_date_s" ]; then
+	# Get timestamp seconds for certificate expiry date
 	cert_date_to_timestamp_s "$cert_not_after_date" # Assigns timestamp_s
 	cert_expire_date_s="$timestamp_s"
 	# Set the cutoff date for expiry comparison
 	offset_days_to_cert_date "$EASYRSA_CERT_RENEW" # Assigns cert_type_date
 	cert_date_to_timestamp_s "$cert_type_date" # Assigns timestamp_s
 	cutoff_date_s="$timestamp_s"
 	if [ "$cert_expire_date_s" -lt "$cutoff_date_s" ]; then
 		# Cert expires in less than grace period
 		printf '%s%s\n' "$db_status | Serial: $db_serial | " \
-			"Expires: $expire_date | CN: $db_cn"
+			"Expires: $cert_not_after_date | CN: $db_cn"
 	fi
 } # => expire_status()
 # Revoke status
 revoke_status() {
 	# Translate db date to usable date
-	build_ff_date_string "$db_revoke_date"
+	#source_date=database
-	db_revoke_date="$ff_date"
+	db_date_to_ff_date "$db_revoke_date" # Assigns ff_date
 	ff_date_to_cert_date "$ff_date" # Assigns cert_type_date
 	# Use db translated date
-	# ff db_revoke_date returns db_revoke_date as full expire_date
+	cert_revoke_date="$cert_type_date"
 	cert_dates "$db_revoke_date"
 	crt_revoke_date="$expire_date"
 	printf '%s%s\n' "$db_status | Serial: $db_serial | " \
-		"Revoked: $crt_revoke_date | Reason: $db_reason | CN: $db_cn"
+		"Revoked: $cert_revoke_date | Reason: $db_reason | CN: $db_cn"
 } # => revoke_status()
 # Renewed status
 # renewed certs only remain in the renewed folder until they are revoked
 # Only ONE renewed cert with unique CN can exist in the renewed folder
 renew_status() {
 	build_ff_date_string "$db_notAfter"
 	# Does a Renewed cert exist ?
-	crt_file="$EASYRSA_PKI/renewed/issued/${db_cn}.crt"
+	if [ -e "$cert_renewed" ]; then
-	if [ -e "$crt_file" ]; then
+
 		# get the serial number of the certificate
 		cert_serial="$(easyrsa_openssl x509 -in "$cert_renewed" -noout -serial)"
 		cert_serial="${cert_serial##*=}"
 		# db serial must match certificate serial, otherwise this
 		# should be an issued cert, which index.txt cannot differentiate
 		[ "$db_serial" = "$cert_serial" ] || return 0
 		# Use cert date
-		cert_dates "$crt_file"
+		ssl_cert_not_after_date "$cert_renewed" # Assigns cert_not_after_date
 		# get the serial number of the certificate -> serial=XXXX
 		renewed_crt_serial="$(easyrsa_openssl x509 -in "$crt_file" -noout -serial)"
 		# remove the serial= part -> we only need the XXXX part
 		renewed_crt_serial="${renewed_crt_serial##*=}"
 		# db serial must match certificate serial
 		if [ "$db_serial" = "$renewed_crt_serial" ]; then
 		printf '%s%s\n' "$db_status | Serial: $db_serial | " \
-				"Expires: $crt_not_after | CN: $db_cn"
+			"Expires: $cert_not_after_date | CN: $db_cn"
 	else
-			# Cert is valid, this is the replacement cert from renewal
+		# Cert is valid but not renewed
 			: # ok - ignore
 		fi
 	else
 		# Cert is valid but no renewed cert exists or it has been revoked
 		: # ok - ignore
 	fi
 } # => renew_status()
 # cert status reports
 status() {
 	# Disabled until a universal date wrapper is complete
 	unset EASYRSA_BATCH EASYRSA_SILENT
 	message "Status reports are currently disabled."
 	return
 	[ "$#" -gt 0 ] || die "status - Incorrect input parameters"
 	report="$1"
@ -3206,32 +3219,26 @@ status() {
 	verify_ca_init
 	# This does not build certs, so do not need support for fixed dates
-	unset -v EASYRSA_FIX_OFFSET
+	unset -v EASYRSA_FIX_OFFSET EASYRSA_BATCH EASYRSA_SILENT
 	# If no target file then add Notice
 	if [ -z "$target" ]; then
 		# Select correct Notice
 		case "$report" in
 		expire)
-				[ "$EASYRSA_SILENT" ] || notice "\
+			notice "\
 * Showing certificates which expire in less than $EASYRSA_CERT_RENEW days (--renew-days):"
 		;;
 		revoke)
-			[ "$EASYRSA_SILENT" ] || notice "\
+			notice "\
 * Showing certificates which are revoked:"
 		;;
 		renew)
-			[ "$EASYRSA_SILENT" ] || notice "\
+			notice "\
 * Showing certificates which have been renewed but NOT revoked:"
 		;;
 		*) warn "Unrecognised report: $report"
 		esac
 	else
 		# get status for a single cert - Verify cert first
 		in_crt="$EASYRSA_PKI/issued/$target.crt"
 		[ -e "$in_crt" ] || die "File not found: $in_crt"
 		format="x509"
 		verify_file "$format" "$in_crt"
 	fi
 	# Create report
@ -4263,11 +4270,28 @@ while :; do
 		export EASYRSA_CERT_EXPIRE="$val"
 		export EASYRSA_CA_EXPIRE="$val"
 		export EASYRSA_CRL_DAYS="$val"
 		case "$EASYRSA_CERT_EXPIRE" in
 		(*[!1234567890]*|0*)
 			print "--days - Number expected: $EASYRSA_CERT_EXPIRE"
 			exit 1
 		esac
 		;;
 	--fix-offset)
-		export EASYRSA_FIX_OFFSET="$val" ;;
+		export EASYRSA_FIX_OFFSET="$val"
 		case "$EASYRSA_FIX_OFFSET" in
 		(*[!1234567890]*|0*)
 			print "--fix-offset - Number expected: $EASYRSA_FIX_OFFSET"
 			exit 1
 		esac
 		;;
 	--renew-days)
-		export EASYRSA_CERT_RENEW="$val" ;;
+		export EASYRSA_CERT_RENEW="$val"
 		case "$EASYRSA_CERT_RENEW" in
 		(*[!1234567890]*|0*)
 			print "--renew-days - Number expected: $EASYRSA_CERT_RENEW"
 			exit 1
 		esac
 		;;
 	--pki-dir)
 		export EASYRSA_PKI="$val" ;;
 	--tmp-dir)
@ -4335,7 +4359,8 @@ while :; do
 		user_san_true=1
 		export EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
-subjectAltName = $val" ;;
+subjectAltName = $val"
 		;;
 	--version)
 		shift "$#"
 		set -- "$@" "version"