nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Introduce global options --startdate and --enddate

Browse Source 
EasyrSA options to pass values directly to SSL options:
* EasyRSA --startdate=YYYYMMDDhhmmssZ -> SSL -startdate YYYYMMDDhhmmssZ
* EasyRSA --enddate=YYYYMMDDhhmmssZ -> SSL -enddate YYYYMMDDhhmmssZ

Note: Use of --enddate over-rides EASYRSA_CERT_EXPIRE (--days).

Establish requirements for use of --startdate and --enddate

Option --startdate MANDATES the use of --enddate. Otherwise, the valid
period counts from NOW.  If --startdate is 6 months into the future and
--days is set to '1' then the certificate will expire in one 1 day but
not be valid for 6 months. Exit on improper use of --startdate.

Option --enddate is ONLY supported by commands which use 'sign-req'.
Warn when command does not support --enddate.

Use of --enddate MANDATES over-ruling --days.
Warn when --enddate will over-rule --days.

Correct user confirmation dialogue to reflect either number of --days
or date specified by --enddate.

Officially terminate support for --fix-offset.

Move "mutual exclusions" to a function.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-03-21 01:29:19 +00:00
parent 31669cbb9d
commit 4a8ec3af15
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 79 additions and 179 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

258
easyrsa3/easyrsa
View File

@ -490,10 +490,8 @@ Certificate & Request options: (these impact cert/req field values)
--no-text : Create certificates without human readable text --no-text : Create certificates without human readable text
--days=# : Sets the signing validity to the specified number of days --days=# : Sets the signing validity to the specified number of days
Also applies to renewal period. For details, see: 'help days' Also applies to renewal period. For details, see: 'help days'
--fix-offset=# : Generate certificate with fixed start and end dates --startdate=DATE: Sets the SSL option '-startdate' (Format 'YYYYMMDDhhmmssZ')
Start-date is 01 January 00:00:01 of the current year --enddate=DATE : Sets the SSL option '-enddate' (Format 'YYYYMMDDhhmmssZ')
plus the --fix-offset=# number of days (Range 1 to 365)
end-date is configured via --days=# (Default: 825 days)
--digest=ALG : Digest to use in the requests & certificates --digest=ALG : Digest to use in the requests & certificates
--keysize=# : Size in bits of keypair to generate (RSA Only) --keysize=# : Size in bits of keypair to generate (RSA Only)
@ -1951,12 +1949,13 @@ basicConstraints is not defined, cannot use 'pathlen'"
Failed to create temp extension file (bad permissions?) at: Failed to create temp extension file (bad permissions?) at:
* $ext_tmp" * $ext_tmp"
# Get fixed dates by --fix-offset # Set valid_period message
valid_days="$EASYRSA_CERT_EXPIRE" if [ "$EASYRSA_END_DATE" ]; then
if [ "$EASYRSA_FIX_OFFSET" ]; then valid_period="
fixed_cert_dates "$EASYRSA_FIX_OFFSET" \ until date '$EASYRSA_END_DATE'"
start_fixdate end_fixdate else
unset -v EASYRSA_CERT_EXPIRE valid_period="
for '$EASYRSA_CERT_EXPIRE' days"
fi fi
# Display the request subject in an easy-to-read format # Display the request subject in an easy-to-read format
@ -1972,7 +1971,7 @@ source or that you have verified the request checksum \
with the sender. with the sender.
Request subject, to be signed as a $crt_type certificate \ Request subject, to be signed as a $crt_type certificate \
for $valid_days days: ${valid_period}:
$(display_dn req "$req_in") $(display_dn req "$req_in")
" # => confirm end " # => confirm end
@ -1989,8 +1988,8 @@ $(display_dn req "$req_in")
${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
${EASYRSA_NO_TEXT:+ -notext} \ ${EASYRSA_NO_TEXT:+ -notext} \
${EASYRSA_CERT_EXPIRE:+ -days "$EASYRSA_CERT_EXPIRE"} \ ${EASYRSA_CERT_EXPIRE:+ -days "$EASYRSA_CERT_EXPIRE"} \
${EASYRSA_FIX_OFFSET:+ -startdate "$start_fixdate"} \ ${EASYRSA_START_DATE:+ -startdate "$EASYRSA_START_DATE"} \
${EASYRSA_FIX_OFFSET:+ -enddate "$end_fixdate"} \ ${EASYRSA_END_DATE:+ -enddate "$EASYRSA_END_DATE"} \
|| die "\ || die "\
Signing failed (openssl output above may have more detail)" Signing failed (openssl output above may have more detail)"
@ -3703,157 +3702,6 @@ OpenSSL failure to process the input"
} # => show_ca() } # => show_ca()
# Set fixed offset dates
fixed_cert_dates() {
# check input
[ "$#" = 3 ] || die "\
fixed_cert_dates - input error"
# Set the start fixed day-number of the Year
start_fix_day_n="$1"
# Check offset range
if [ "$start_fix_day_n" -lt 1 ] || \
[ "$start_fix_day_n" -gt 365 ]
then
die "\
Fixed off-set range [1-365 days]: $start_fix_day_n"
fi
# Final offset is off-by-one, adjust now
start_fix_day_n="$(( start_fix_day_n - 1 ))"
# Set the end fixed day-number of the Year
end_fix_day_n="$((
start_fix_day_n + EASYRSA_CERT_EXPIRE
))"
# OS dependencies
# busybox
if busybox date --help > /dev/null 2>&1; then
this_year_n="$(busybox date -u +%y)"
#today_n="$(busybox date -u +%j)"
New_Year_day_s="$(
busybox date -u -d \
"${this_year_n}01010000.01" '+%s'
)" || die "\
fixed_cert_dates - New_Year_day_s - busybox"
start_fix_day_s="$((
New_Year_day_s + start_fix_day_n * 86400
))"
end_fix_day_s="$((
start_fix_day_s + EASYRSA_CERT_EXPIRE * 86400
))"
# Convert to date-stamps for SSL input
start_fix_day_d="$(
busybox date -u -d @"${start_fix_day_s}" \
+%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - start_fix_day_d - busybox"
end_fix_day_d="$(
busybox date -u -d @"${end_fix_day_s}" \
+%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - end_fix_day_d - busybox"
# Darwin, BSD
elif date -j > /dev/null 2>&1; then
this_year_n="$(date -j +%y)"
#today_n="$(date -u -j +%j)"
New_Year_day_d="$(
date -u -j -f %y%m%d%H%M%S \
"${this_year_n}0101000001" \
+%Y%m%d%H%M.%SZ
)" || die "\
fixed_cert_dates - New_Year_day_d - Darwin"
# Convert to date-stamps for SSL input
start_fix_day_d="$(
date -u -j -f %Y%m%d%H%M.%SZ -v \
"+${start_fix_day_n}d" \
"$New_Year_day_d" +%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - start_fix_day_d - Darwin"
end_fix_day_d="$(
date -u -j -f %Y%m%d%H%M.%SZ -v \
"+${end_fix_day_n}d" \
"$New_Year_day_d" +%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - end_fix_day_d - Darwin"
end_fix_day_s="$(
date -u -j -f %Y%m%d%H%M.%SZ -v \
"+${end_fix_day_n}d" \
"$New_Year_day_d" +%s
)" || die "\
fixed_cert_dates - end_fix_day_s - Darwin"
# Linux and Windows
# date.exe does not allow +%s as input
# MacPorts GNU date
elif this_year_n="$(date -u +%y)"; then
# Day of Year number today
#today_n="$(date -u +%j)"
# New Years day date
New_Year_day_d="$(
date -u -d \
"${this_year_n}-01-01 00:00:01Z" \
'+%Y-%m-%d %H:%M:%SZ'
)" || die "\
fixed_cert_dates - New_Year_day_d - Linux"
# Convert to date-stamps for SSL input
start_fix_day_d="$(
date -u -d "$New_Year_day_d \
+${start_fix_day_n}days" \
+%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - start_fix_day_d - Linux"
end_fix_day_d="$(
date -u -d "$New_Year_day_d \
+${end_fix_day_n}days" \
+%Y%m%d%H%M%SZ
)" || die "\
fixed_cert_dates - end_fix_day_d - Linux"
end_fix_day_s="$(
date -u -d "$New_Year_day_d \
+${end_fix_day_n}days" +%s
)" || die "\
fixed_cert_dates - end_fix_day_s - Linux"
else
die "\
Unsupported 'date' program, upgrade your Matrix."
fi
# Return FINAL dates for use in the certificate
force_set_var "$2" "$start_fix_day_d" || die "\
fixed_cert_dates - force_set_var - $2 - $start_fix_day_d"
force_set_var "$3" "$end_fix_day_d" || die "\
fixed_cert_dates - force_set_var - $3 - $end_fix_day_d"
# cleanup
unset -v start_fix_day_n start_fix_day_d \
end_fix_day_d end_fix_day_s \
this_year_n New_Year_day_d
} # => fixed_cert_dates()
# Convert certificate date to timestamp seconds since epoch # Convert certificate date to timestamp seconds since epoch
cert_date_to_timestamp_s() { cert_date_to_timestamp_s() {
# check input # check input
@ -4213,6 +4061,10 @@ read_db() {
# Expire status # Expire status
expire_status() { expire_status() {
#warn "status report '$cmd' is unavailable"
#return 0
if [ -e "$cert_issued" ]; then if [ -e "$cert_issued" ]; then
# get the serial number of the certificate # get the serial number of the certificate
@ -4283,6 +4135,10 @@ serial mismatch:
# Revoke status # Revoke status
revoke_status() { revoke_status() {
#warn "status report '$cmd' is unavailable"
#return 0
# Translate db date to usable date # Translate db date to usable date
#source_date=database #source_date=database
ff_date= ff_date=
@ -4303,6 +4159,10 @@ revoke_status() {
# renewed certs only remain in the renewed folder until revoked # renewed certs only remain in the renewed folder until revoked
# Only ONE renewed cert with unique CN can exist in renewed folder # Only ONE renewed cert with unique CN can exist in renewed folder
renew_status() { renew_status() {
#warn "status report '$cmd' is unavailable"
#return 0
# Does a Renewed cert exist ? # Does a Renewed cert exist ?
# files in issued are file name, or in serial are SerialNumber # files in issued are file name, or in serial are SerialNumber
unset -v cert_file_in cert_is_issued cert_is_serial renew_is_old unset -v cert_file_in cert_is_issued cert_is_serial renew_is_old
@ -4545,6 +4405,49 @@ Alg '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'"
esac esac
} # => verify_algo_params() } # => verify_algo_params()
# Check for conflicting input options
mutual_exclusions() {
# --nopass cannot be used with --passout
if [ "$EASYRSA_PASSOUT" ]; then
# --passout MUST take priority over --nopass
[ "$EASYRSA_NO_PASS" ] && warn "\
Option --passout cannot be used with --nopass|nopass."
unset -v EASYRSA_NO_PASS
prohibit_no_pass=1
fi
# --silent-ssl requires --batch
if [ "$EASYRSA_SILENT_SSL" ]; then
[ "$EASYRSA_BATCH" ] || warn "\
Option --silent-ssl requires batch mode --batch."
fi
# --startdate requires --enddate
# otherwise, --days counts from now
if [ "$EASYRSA_START_DATE" ]; then
[ "$EASYRSA_END_DATE" ] || die "\
Use of --startdate requires use of --enddate."
fi
# --enddate may over-rule EASYRSA_CERT_EXPIRE
if [ "$EASYRSA_END_DATE" ]; then
case "$cmd" in
sign-req|build-*-full|renew|rebuild)
# User specified alias_days IS over-ruled
if [ "$alias_days" ]; then
warn "\
Option --days is over-ruled by option --enddate."
fi
unset -v EASYRSA_CERT_EXPIRE alias_days
;;
*)
warn "\
EasyRSA '$cmd' does not support --startdate or --enddate"
unset -v EASYRSA_START_DATE EASYRSA_END_DATE
esac
fi
} # => mutual_exclusions()
# vars setup # vars setup
# Here sourcing of 'vars' if present occurs. If not present, defaults are used # Here sourcing of 'vars' if present occurs. If not present, defaults are used
# to support running without a sourced config format # to support running without a sourced config format
@ -5496,9 +5399,11 @@ while :; do
# when called by command later # when called by command later
alias_days="$val" alias_days="$val"
;; ;;
--fix-offset) --startdate)
number_only=1 export EASYRSA_START_DATE="$val"
export EASYRSA_FIX_OFFSET="$val" ;;
--enddate)
export EASYRSA_END_DATE="$val"
;; ;;
--pki-dir) --pki-dir)
export EASYRSA_PKI="$val" export EASYRSA_PKI="$val"
@ -5627,6 +5532,11 @@ subjectAltName = $val"
set -- "$@" "version" set -- "$@" "version"
break break
;; ;;
# Unsupported options
--fix-offset)
die "Option $opt is not supported.
Use options --startdate and --enddate for fixed dates."
;;
*) *)
break break
esac esac
@ -5672,18 +5582,8 @@ esac
# Intelligent env-var detection and auto-loading: # Intelligent env-var detection and auto-loading:
vars_setup vars_setup
# Mutual exclusions: # Check for conflicting input options
# --nopass cannot be used with --passout mutual_exclusions
if [ "$EASYRSA_PASSOUT" ]; then
# --passout MUST take priority over --nopass
unset -v EASYRSA_NO_PASS
prohibit_no_pass=1
fi
# --silent-ssl requires --batch
if [ "$EASYRSA_SILENT_SSL" ]; then
[ "$EASYRSA_BATCH" ] || warn "\
Option --silent-ssl requires batch mode --batch."
fi
# Hand off to the function responsible # Hand off to the function responsible
case "$cmd" in case "$cmd" in