From 3caf0ec9050a9726082e667fff554c7784023c85 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 3 Dec 2022 19:21:21 +0000
Subject: [PATCH 1/3] Replace SSL calls for serial number with function ssl_cert_serial()

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 71 +++++++++++++++++++++++++++++-------------------
 1 file changed, 43 insertions(+), 28 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index bcc6e44..ae26cf6 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -38,7 +38,7 @@ Here is the list of commands available with a short syntax reminder. Use the
 revoke [ cmd-opts ]
 renew
 revoke-renewed [ cmd-opts ]
- rewind-renew
+ rewind-renew
 rebuild [ cmd-opts ]
 gen-crl
 update-db
@@ -195,7 +195,7 @@ cmd_help() {
 ;;
 rewind|rewind-renew) text="
-* rewind-renew
+* rewind-renew
 Rewind an EasyRSA version 3.0 'style' renewed certificate.
 Once 'rewind' has completed the certificate can be revoked
@@ -2002,10 +2002,9 @@ Unable to verify request. The file is not a valid request.
 Unexpected input in file: $req_in"
 fi
 
- # get the serial number of the certificate -> serial=XXXX
- cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
- # remove the serial= part -> we only need the XXXX part
- cert_serial="${cert_serial##*=}"
+ # get the serial number of the certificate
+ ssl_cert_serial "$crt_in" cert_serial
+
 duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
 # Set out_dir
@@ -2175,10 +2174,9 @@ Unable to verify request. The file is not a valid request.
 Unexpected input in file: $req_in"
 fi
 
- # get the serial number of the certificate -> serial=XXXX
- cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
- # remove the serial= part -> we only need the XXXX part
- cert_serial="${cert_serial##*=}"
+ # get the serial number of the certificate
+ ssl_cert_serial "$crt_in" cert_serial
+
 duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
 # Set out_dir
@@ -2403,11 +2401,9 @@ Unable to verify request. The file is not a valid request.
 Unexpected input in file: $req_in"
 fi
 
- # get the serial number of the certificate -> serial=XXXX
- cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)" \
- || die "renew-revoked - Failed to retrieve certificate serial number"
- # remove the serial= part -> we only need the XXXX part
- cert_serial="${cert_serial##*=}"
+ # get the serial number of the certificate
+ ssl_cert_serial "$crt_in" cert_serial
+
 duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
 # output
@@ -2656,10 +2652,9 @@ Unable to verify request. The file is not a valid request.
 Unexpected input in file: $req_in"
 fi
 
- # get the serial number of the certificate -> serial=XXXX
- cert_serial="$(easyrsa_openssl x509 -in "$crt_in" -noout -serial)"
- # remove the serial= part -> we only need the XXXX part
- cert_serial="${cert_serial##*=}"
+ # get the serial number of the certificate
+ ssl_cert_serial "$crt_in" cert_serial
+
 duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
 # Set out_dir
@@ -3694,12 +3689,33 @@ db_date_to_ff_date() {
 ff_date="${yy}-${mm}-${dd} ${HH}:${MM}:${SS}${TZ}"
 } # => build_ff_date_string()
 
+# get the serial number of the certificate -> serial=XXXX
+ssl_cert_serial() {
+ [ "$#" = 2 ] || die "ssl_cert_serial - invalid input"
+ [ -f "$1" ] || die "ssl_cert_serial - missing cert"
+ verify_file x509 "$1" || die "ssl_cert_serial - invalid cert"
+
+ f_ssl_out="$(
+ easyrsa_openssl x509 -in "$1" -noout -serial
+ )" || die "ssl_cert_serial - failed to get serial"
+ shift
+
+ # remove the serial= part -> we only need the XXXX part
+ f_ssl_out="${f_ssl_out##*=}"
+
+ unset -v "$@"
+ set_var "$@" "$f_ssl_out" || \
+ die "ssl_cert_serial - failed to set variable '$@'"
+ unset -v f_ssl_out
+} # => ssl_cert_serial()
+
 # Get certificate start date
 ssl_cert_not_before_date() {
 [ "$1" ] || die "ssl_cert_not_before_date - Invalid input"
 unset -v ssl_out cert_not_before_date
- ssl_out="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -startdate)" \
- || die "ssl_cert_not_before_date - ssl_out: $ssl_out"
+ ssl_out="$(
+ easyrsa_openssl x509 -in "$1" -noout -startdate
+ )" || die "ssl_cert_not_before_date - ssl_out: $ssl_out"
 # 'cert_not_before_date' is *not* used, at this time..
 # disable #shellcheck disable=SC2034 # Prefer to keep the warning
 cert_not_before_date="${ssl_out#*=}"
@@ -3710,8 +3726,9 @@ ssl_cert_not_before_date() {
 ssl_cert_not_after_date() {
 [ "$1" ] || die "ssl_cert_not_after_date - Invalid input"
 unset -v ssl_out cert_not_after_date
- ssl_out="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -enddate)" \
- || die "ssl_cert_not_after_date - ssl_out: $ssl_out"
+ ssl_out="$(
+ easyrsa_openssl x509 -in "$1" -noout -enddate
+ )" || die "ssl_cert_not_after_date - ssl_out: $ssl_out"
 cert_not_after_date="${ssl_out#*=}"
 unset -v ssl_out
 } # => ssl_cert_not_after_date()
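Review bot: The value produced at `f_ssl_out="${f_ssl_out##*=}"` is handed to the caller without any check that it is actually a hex serial, yet the callers in this patch build a filesystem path from it (`duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"`) and compare it with the db serial, so any unexpected text on openssl's stdout (a warning line, or a multi-line result, since `##*=` keeps everything after the last `=`) flows straight into those uses. Right after the strip I would add `case "$f_ssl_out" in ''|*[!0-9A-Fa-f]*) die "ssl_cert_serial - unexpected serial '$f_ssl_out'" ;; esac`. The three `die` messages here also omit the certificate path, which the removed `renew-revoked - Failed to retrieve certificate serial number` message elsewhere in this patch at least tied to a command; `die "ssl_cert_serial - invalid cert: '$1'"` (and likewise for the other two) keeps that context for the operator. `set_var` and `verify_file` are defined outside this hunk, so whether `set_var` validates the target variable name cannot be seen here.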
@@ -3795,8 +3812,7 @@ expire_status() {
 if [ -e "$cert_issued" ]; then
 # get the serial number of the certificate
- cert_serial="$(easyrsa_openssl x509 -in "$cert_issued" -noout -serial)"
- cert_serial="${cert_serial##*=}"
+ ssl_cert_serial "$cert_issued" cert_serial
 # db serial must match certificate serial, otherwise this
 # is a renewed cert which has been replaced by an issued cert
@@ -3855,7 +3871,7 @@ revoke_status() {
 # Only ONE renewed cert with unique CN can exist in the renewed folder
 renew_status() {
 # Does a Renewed cert exist ?
- # files in issued are CommonName, files by-serial are SerialNumber
+ # files in issued are CommonName, files by serial are SerialNumber
 unset -v cert_file_in cert_is_issued cert_is_serial renew_is_old
 # Find renewed/issued/CN
 if [ -e "$cert_r_issued" ]; then
@@ -3876,8 +3892,7 @@ renew_status() {
 # If a renewed cert exists
 if [ "$cert_file_in" ]; then
 # get the serial number of the certificate
- cert_serial="$(easyrsa_openssl x509 -in "$cert_file_in" -noout -serial)"
- cert_serial="${cert_serial##*=}"
+ ssl_cert_serial "$cert_file_in" cert_serial
 # db serial must match certificate serial, otherwise this
 # is an issued cert that replaces a renewed cert

From c3943edd28aace53c83d8dbe91f086d3e9f0fc45 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 3 Dec 2022 21:34:31 +0000
Subject: [PATCH 2/3] Replace use of $EASYRSA_OPENSSL with easyrsa_openssl()

Use replaced in display_san() and display_dn().

verify_file(): Return status of SSL command.

Wrap long lines x4.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ae26cf6..2683963 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
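Review bot: `ssl_cert_serial "$cert_issued" cert_serial` now exits the whole run via `die` when the issued cert fails `verify_file` or openssl, whereas the replaced inline `easyrsa_openssl x509 ... -serial` left `cert_serial` empty (assuming `easyrsa_openssl()` itself does not exit) and the serial comparison below simply did not match. If `expire_status()` is invoked once per certificate by a status report, as the `# Return error for internal callers (status reports)` comment later in this series suggests, one unparseable file under `issued/` now aborts the entire listing instead of yielding one mismatched entry; the `renew_status()` hunk below makes the same change. If that is the intended behaviour, say so at the call site, `# NOTE: a corrupt issued cert aborts the report (ssl_cert_serial dies)`; otherwise catch the failure here and report it per entry. `expire_status()` starts before this hunk and continues after it.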
@@ -3182,15 +3182,21 @@ display_san() {
 shift 2
 if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName; then
- print "$(echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName |
- sed 's/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*//')"
- else
- san="$(
- x509v3san="X509v3 Subject Alternative Name:"
- "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -text |
- sed -n "/${x509v3san}/{n;s/ //g;s/IPAddress:/IP:/g;s/RegisteredID/RID/;p;}"
- )"
+ # Print user defined SAN
+ print "$(\
+ echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | \
+ sed 's/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*//'
+ )"
+ else
+ # Generate a SAN
+ san="$(
+ x509v3san="X509v3 Subject Alternative Name:"
+ easyrsa_openssl "$format" -in "$path" -noout -text | sed -n \
+ "/${x509v3san}/{n;s/ //g;s/IPAddress:/IP:/g;s/RegisteredID/RID/;p;}"
+ )"
+
+ # Print auto SAN
 [ "$san" ] && print "$san"
 fi
 } # => display_san()
@@ -3205,7 +3211,7 @@ display_dn() {
 # Display DN
 name_opts="utf8,sep_multiline,space_eq,lname,align"
 print "$(
- "$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \
+ easyrsa_openssl "$format" -in "$path" -noout -subject \
 -nameopt "$name_opts"
 )"
 
@@ -3226,13 +3232,15 @@ default_server_san() {
 
 # Extract CN from DN
 cn="$(
- easyrsa_openssl req -in "$path" -noout -subject -nameopt sep_multiline |
- awk -F'=' '/^ *CN=/{print $2}'
+ easyrsa_openssl req -in "$path" -noout -subject \
+ -nameopt sep_multiline |
+ awk -F'=' '/^ *CN=/{print $2}'
 )"
 
 # See: https://github.com/OpenVPN/easy-rsa/issues/576
 # Select default SAN
- if echo "$cn" | grep -E -q '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
+ if echo "$cn" | grep -q \
+ -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
 then
 print "subjectAltName = IP:$cn"
 else
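Review bot: The rewritten user-defined branch, `echo "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | \`, pushes a user-controlled value through `echo`, whose treatment of backslash escapes and of a leading `-n`/`-e` differs between shells (dash and busybox interpret escapes by default), so an extension value containing a backslash can be mangled before `sed` sees it. With Windows sh.exe named as the baseline later in this series, `printf '%s\n' "$EASYRSA_EXTRA_EXTS" | grep subjectAltName | \` is the portable form; the unchanged `if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName` guard above it has the same weakness and could be switched in the same commit. `display_san()` starts before this hunk.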
@@ -3281,7 +3289,8 @@ No certificate found for the input: '$crt_in'"
 Input is not a valid certificate: $crt_in"
 
 # Test SSL out
- if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in" 1>/dev/null; then
+ if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in" 1>/dev/null
+ then
 notice "\
 Certificate name: $file_name_base
 Verfication status: GOOD"
@@ -3290,7 +3299,7 @@ Input is not a valid certificate: $crt_in"
 notice "\
 Certificate name: $file_name_base
 Verfication status: FAILED"
- # Exit with error (cmd-opt: batch), otherwise terminal msg only
+ # Exit with error (batch mode), otherwise term msg only
 [ "$exit_with_error" ] && easyrsa_error_exit=1
 # Return error for internal callers (status reports)
 return 1
@@ -3301,8 +3310,7 @@ Input is not a valid certificate: $crt_in"
 verify_file() {
 format="$1"
 path="$2"
- easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null || return 1
- return 0
+ easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null
 } # => verify_file()
 
 # show-* command backend

From 886002b089a584a3740280110a2a72128c661846 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 4 Dec 2022 12:17:04 +0000
Subject: [PATCH 3/3] Rename function variable

fn_ is preferable to f_

This is to simulate 'local', which was not POSIX, until recently.
Baseline: Windows sh.exe

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 2683963..33d2e87 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
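Review bot: `verify_file()` now hands back whatever exit status `easyrsa_openssl "$format" -in "$path" -noout 2>/dev/null` returns rather than a normalised 0/1, and the `2>/dev/null` discards the only text that would say why a file did not parse, which matters because callers such as `ssl_cert_serial` only report `invalid cert`. A one-line contract comment would help the next reader: `# Check that $2 parses as an openssl "$1" object (e.g. x509); returns openssl's exit status, stderr suppressed`. Whether any caller tested the old return value against 1 specifically is not visible in this hunk.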
@@ -3703,18 +3703,18 @@ ssl_cert_serial() {
 [ -f "$1" ] || die "ssl_cert_serial - missing cert"
 verify_file x509 "$1" || die "ssl_cert_serial - invalid cert"
 
- f_ssl_out="$(
+ fn_ssl_out="$(
 easyrsa_openssl x509 -in "$1" -noout -serial
 )" || die "ssl_cert_serial - failed to get serial"
 shift
 
 # remove the serial= part -> we only need the XXXX part
- f_ssl_out="${f_ssl_out##*=}"
+ fn_ssl_out="${fn_ssl_out##*=}"
 
 unset -v "$@"
- set_var "$@" "$f_ssl_out" || \
+ set_var "$@" "$fn_ssl_out" || \
 die "ssl_cert_serial - failed to set variable '$@'"
- unset -v f_ssl_out
+ unset -v fn_ssl_out
 } # => ssl_cert_serial()
 
 # Get certificate start date