From 5dfeff898409cf3d5497c39452fa7e6ce00f4aa3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 15 Aug 2022 13:13:55 +0100
Subject: [PATCH] sign--req: Prohibit COMMON as a certificate type

The command 'sign-req COMMON client1 nopass' would generate an invalid certificate. Do not allow COMMON as a $cert_type. Also, improve comment and user output for existing certificate check.

Closese: #634

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 16d5165..3cd4805 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1563,14 +1563,18 @@ expected 2, got $# (see command help for usage)"
 [ -e "$EASYRSA_EXT_DIR/$crt_type" ] || die "\
 Unknown cert type '$crt_type'"
 
+ # Cert type must NOT be COMMON
+ [ "$crt_type" != COMMON ] || die "\
+Invalid certificate type: '$crt_type'"
+
 # Request file must exist
 [ -e "$req_in" ] || die "\
 No request found for the input: '$2'
 Expected to find the request at: $req_in"
 
- # Existing certificate file must NOT exist
+ # Certificate file must NOT exist
 [ ! -e "$crt_out" ] || die "\
-Cannot sign this request for '$2' because a certificate for it already exists
+Cannot sign this request for '$2', a certificate already exists
 at: $crt_out"
 
 # Confirm input is a cert req
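Review bot: The added `[ "$crt_type" != COMMON ]` test rejects only that exact spelling, while the existence test just above it, `[ -e "$EASYRSA_EXT_DIR/$crt_type" ]`, accepts any value that resolves to a file. A type containing a `/`, or one that differs only in case on a case-insensitive filesystem, would presumably pass both checks and still select the COMMON file, or a file outside `$EASYRSA_EXT_DIR`. Validating the name before the path test would close this, e.g. `case "$crt_type" in */*|[Cc][Oo][Mm][Mm][Oo][Nn]) die "Invalid certificate type: '$crt_type'" ;; esac`. The enclosing function starts and ends outside the hunk, so how `$crt_type` is used afterwards should be confirmed there.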