nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add cmd-opt 'batch' to verify_cert() - Allows returning deliberate error

Browse Source 
This allows verify_cert() to show the status and, optionally, return an
error (1) on "failure to verify" to a calling program.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-05-13 22:46:51 +01:00
parent 8c05298f62
commit 3e6478aae4
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 42 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
easyrsa3/easyrsa
View File

@ -34,11 +34,11 @@ Here is the list of commands available with a short syntax reminder. Use the
sign-req <type> <filename_base> sign-req <type> <filename_base>
build-client-full <filename_base> [ cmd-opts ] build-client-full <filename_base> [ cmd-opts ]
build-server-full <filename_base> [ cmd-opts ] build-server-full <filename_base> [ cmd-opts ]
build-serverClient-full <filename_base> [ cmd-opts ]
revoke <filename_base> [cmd-opts] revoke <filename_base> [cmd-opts]
revoke-renewed <filename_base> [cmd-opts] revoke-renewed <filename_base> [cmd-opts]
renew <filename_base> [cmd-opts] renew <filename_base> [cmd-opts]
renewable [ <filename_base> ] renewable [ <filename_base> ]
build-serverClient-full <filename_base> [ cmd-opts ]
gen-crl gen-crl
update-db update-db
show-req <filename_base> [ cmd-opts ] show-req <filename_base> [ cmd-opts ]
@ -193,8 +193,10 @@ cmd_help() {
Human-readable output is shown." ;; Human-readable output is shown." ;;
verify) text=" verify) text="
verify <filename_base> verify <filename_base> [ cmd-opts ]
Verify certificate against CA" ;; Verify certificate against CA"
opts="
batch - On failure to verify, return error (1) to calling program" ;;
import-req) text=" import-req) text="
import-req <request_file_path> <short_basename> import-req <request_file_path> <short_basename>
Import a certificate request from a file Import a certificate request from a file
@ -265,7 +267,8 @@ cmd_help() {
[ "$text" ] && print "$text" [ "$text" ] && print "$text"
[ -n "$opts" ] && print " [ -n "$opts" ] && print "
cmd-opts is an optional set of command options from this list: cmd-opts is an optional set of command options from this list:
$opts" $opts
"
} # => cmd_help() } # => cmd_help()
# Options usage # Options usage
@ -343,7 +346,8 @@ Easy-RSA error:
$1" 1>&2 $1" 1>&2
print "Host: $host_out${EASYRSA_DEBUG+ print "
Host: $host_out${EASYRSA_DEBUG+
*** Disable EASYRSA_DEBUG mode ***}" *** Disable EASYRSA_DEBUG mode ***}"
exit "${2:-1}" exit "${2:-1}"
@ -451,9 +455,15 @@ easyrsa_mktemp() {
# remove temp files and do terminal cleanups # remove temp files and do terminal cleanups
cleanup() { cleanup() {
[ -z "$EASYRSA_TEMP_DIR_session" ] || rm -rf "$EASYRSA_TEMP_DIR_session" if [ "${EASYRSA_TEMP_DIR_session%/*}" ] && [ -d "$EASYRSA_TEMP_DIR_session" ]
[ -n "${EASYRSA_EC_DIR%/*}" ] && [ -d "$EASYRSA_EC_DIR" ] && \ then
rm -rf "$EASYRSA_TEMP_DIR_session"
fi
if [ "${EASYRSA_EC_DIR%/*}" ] && [ -d "$EASYRSA_EC_DIR" ]
then
rm -rf "$EASYRSA_EC_DIR" rm -rf "$EASYRSA_EC_DIR"
fi
# shellcheck disable=SC3040 # In POSIX sh, set option [name] is undefined # shellcheck disable=SC3040 # In POSIX sh, set option [name] is undefined
case "$easyrsa_host_os" in case "$easyrsa_host_os" in
@ -469,7 +479,10 @@ cleanup() {
esac esac
# Exit with error 1, if an error ocured... # Exit with error 1, if an error ocured...
if [ "$1" ]; then if [ "$easyrsa_error_exit" ]; then
# Set by verify_cert() for full error-out
exit 1
elif [ "$1" = ok ]; then
# if there is no error then 'cleanup ok' is called # if there is no error then 'cleanup ok' is called
exit 0 exit 0
else else
@ -1071,6 +1084,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \ ${EASYRSA_DIGEST+ -"$EASYRSA_DIGEST"} \
${no_password+ "$no_password"} \ ${no_password+ "$no_password"} \
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} \
${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \ ${out_key_pass_tmp:+ -passin file:"$out_key_pass_tmp"} \
|| die "Failed to build the CA" || die "Failed to build the CA"
;; ;;
@ -2458,6 +2472,18 @@ Run easyrsa without commands for usage and command help."
file_name_base="$1" file_name_base="$1"
shift shift
# function opts support
unset -v exit_with_error
while [ "$1" ]; do
case "$1" in
# batch flag, return status [0/1] to calling program
# Otherwise, exit 0 on successful completion
batch) exit_with_error=1 ;;
*) warn "Ignoring unknown command option: '$1'"
esac
shift
done
in_dir="$EASYRSA_PKI" in_dir="$EASYRSA_PKI"
ca_crt="$in_dir/ca.crt" ca_crt="$in_dir/ca.crt"
crt_in="$in_dir/issued/$file_name_base.crt" crt_in="$in_dir/issued/$file_name_base.crt"
@ -2476,14 +2502,15 @@ Input is not a valid certificate: $crt_in"
notice "\ notice "\
Certificate name: $file_name_base Certificate name: $file_name_base
Verfication status: GOOD" Verfication status: GOOD"
exit 0 # easyrsa_error_exit=1 # Simple 'proof of concept' test
fi else
[ "$EASYRSA_SILENT" ] || print # Separate Notice below [ "$EASYRSA_SILENT" ] || print # Separate Notice below
warn "\ notice "\
Certificate name: $file_name_base Certificate name: $file_name_base
Verfication status: FAILED" Verfication status: FAILED"
exit 1 # Exit with error (cmd-opt: batch), otherwise terminal msg only
[ "$exit_with_error" ] && easyrsa_error_exit=1
fi
} # => verify_cert() } # => verify_cert()
# verify a file seems to be a valid req/X509 # verify a file seems to be a valid req/X509
@ -3731,7 +3758,7 @@ NL='
[ -z "$EASYRSA_NO_UMASK" ] && umask "${EASYRSA_UMASK:-077}" [ -z "$EASYRSA_NO_UMASK" ] && umask "${EASYRSA_UMASK:-077}"
# Initialisation requirements # Initialisation requirements
unset -v user_san_true unset -v easyrsa_error_exit user_san_true
# Parse options # Parse options
while :; do while :; do