nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Expand status reports to include checking a single certificate

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-05-19 21:14:01 +01:00
parent 968ff0599b
commit 57998c2825
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 70 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
easyrsa3/easyrsa
View File

@ -45,9 +45,9 @@ Here is the list of commands available with a short syntax reminder. Use the
show-cert <filename_base> [ cmd-opts ] show-cert <filename_base> [ cmd-opts ]
show-ca [ cmd-opts ] show-ca [ cmd-opts ]
show-crl show-crl
show-expire show-expire <filename_base> (Optional)
show-revoke show-revoke <filename_base> (Optional)
show-renew show-renew <filename_base> (Optional)
verify <filename_base> verify <filename_base>
import-req <request_file_path> <short_basename> import-req <request_file_path> <short_basename>
export-p1 <filename_base> [ cmd-opts ] export-p1 <filename_base> [ cmd-opts ]
@ -178,20 +178,21 @@ cmd_help() {
Human-readable output is shown." ;; Human-readable output is shown." ;;
show-expire) text=" show-expire) text="
show-expire [ cmd-opts ] show-expire <filename_base> (Optional)
Shows details of expiring certificates
Human-readable output is shown." ;; Shows details of *all* expiring certificates
Use --renew-days=NN to extend the grace period (Default 30 days)
Optionally, check *only* <filename_base> certificate" ;;
show-revoke) text=" show-revoke) text="
show-revoke [ cmd-opts ] show-revoke <filename_base> (Optional)
Shows details of revoked certificates
Human-readable output is shown." ;; Shows details of *all* revoked certificates.
Optionally, check *only* <filename_base> certificate" ;;
show-renew) text=" show-renew) text="
show-renew [ cmd-opts ] show-renew <filename_base> (Optional)
Shows details of renewed certificates, which have not been revoked
Human-readable output is shown." ;; Shows details of renewed certificates, which have not been revoked
Optionally, check *only* <filename_base> certificate" ;;
verify) text=" verify) text="
verify <filename_base> [ cmd-opts ] verify <filename_base> [ cmd-opts ]
Verify certificate against CA" Verify certificate against CA"
@ -264,7 +265,7 @@ cmd_help() {
esac esac
# display the help text # display the help text
[ "$text" ] && print "$text" [ "$text" ] && print "${text}${NL}"
[ -n "$opts" ] && print " [ -n "$opts" ] && print "
cmd-opts is an optional set of command options from this list: cmd-opts is an optional set of command options from this list:
$opts $opts
@ -2537,12 +2538,15 @@ Run easyrsa without commands for usage and command help."
shift shift
# function opts support # function opts support
unset -v exit_with_error unset -v exit_with_error easyrsa_error_exit
while [ "$1" ]; do while [ "$1" ]; do
case "$1" in case "$1" in
# batch flag, return status [0/1] to calling program # batch flag, return status [0/1] to calling program
# Otherwise, exit 0 on successful completion # Otherwise, exit 0 on successful completion
batch) exit_with_error=1 ;; batch)
exit_with_error=1
EASYRSA_SILENT=1
;;
*) warn "Ignoring unknown command option: '$1'" *) warn "Ignoring unknown command option: '$1'"
esac esac
shift shift
@ -2560,8 +2564,8 @@ No certificate found for the input: '$crt_in'"
verify_file x509 "$crt_in" || die "\ verify_file x509 "$crt_in" || die "\
Input is not a valid certificate: $crt_in" Input is not a valid certificate: $crt_in"
# Test and show SSL out # Test SSL out
if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in" 1>/dev/null; then
[ "$EASYRSA_SILENT" ] || print # Separate Notice below [ "$EASYRSA_SILENT" ] || print # Separate Notice below
notice "\ notice "\
Certificate name: $file_name_base Certificate name: $file_name_base
@ -2574,6 +2578,7 @@ Input is not a valid certificate: $crt_in"
Verfication status: FAILED" Verfication status: FAILED"
# Exit with error (cmd-opt: batch), otherwise terminal msg only # Exit with error (cmd-opt: batch), otherwise terminal msg only
[ "$exit_with_error" ] && easyrsa_error_exit=1 [ "$exit_with_error" ] && easyrsa_error_exit=1
return 1
fi fi
} # => verify_cert() } # => verify_cert()
@ -2726,8 +2731,6 @@ build_ff_date_string() {
# Read db # Read db
# shellcheck disable=SC2295 # shellcheck disable=SC2295
read_db() { read_db() {
report="$1"; shift
tab_char=' ' tab_char=' '
db_in="$EASYRSA_PKI/index.txt" db_in="$EASYRSA_PKI/index.txt"
while read -r db_status db_notAfter db_record; do while read -r db_status db_notAfter db_record; do
@ -2761,13 +2764,28 @@ read_db() {
# Output selected status report for this record # Output selected status report for this record
case "$report" in case "$report" in
expire) # Certs which expire before EASYRSA_CERT_RENEW days expire) # Certs which expire before EASYRSA_CERT_RENEW days
if [ "$db_status" = V ]; then expire_status; fi if [ "$db_status" = V ]; then
case "$target" in
'') expire_status ;;
*) [ "$target" = "$db_cn" ] && expire_status
esac
fi
;; ;;
revoke) # Certs which have been revoked revoke) # Certs which have been revoked
if [ "$db_status" = R ]; then revoke_status; fi if [ "$db_status" = R ]; then
case "$target" in
'') revoke_status ;;
*) [ "$target" = "$db_cn" ] && revoke_status
esac
fi
;; ;;
renew) # Certs which have been renewed but not revoked renew) # Certs which have been renewed but not revoked
if [ "$db_status" = V ]; then renew_status; fi if [ "$db_status" = V ]; then
case "$target" in
'') renew_status ;;
*) [ "$target" = "$db_cn" ] && renew_status
esac
fi
;; ;;
*) die "Unrecognised report: $report" *) die "Unrecognised report: $report"
esac esac
@ -2843,49 +2861,44 @@ renew_status() {
# cert status reports # cert status reports
status() { status() {
[ "$#" = 2 ] || die "status - Incorrect input parameters" [ "$#" -gt 0 ] || die "status - Incorrect input parameters"
report="$1" report="$1"
in_crt="$2" target="$2"
shift 2
verify_ca_init verify_ca_init
# This does not build certs, so do not need support for fixed dates # This does not build certs, so do not need support for fixed dates
unset -v EASYRSA_FIX_OFFSET unset -v EASYRSA_FIX_OFFSET
case "$report" in # If no target file then add Notice
expire) if [ -z "$target" ]; then
case "$in_crt" in # Select correct Notice
all) case "$report" in
[ "$EASYRSA_SILENT" ] || notice "\ expire)
Showing certificates which expire in less than $EASYRSA_CERT_RENEW days:" [ "$EASYRSA_SILENT" ] || notice "\
read_db expire * Showing certificates which expire in less than $EASYRSA_CERT_RENEW days (--renew-days):"
;; ;;
*) print "Coming soon.." revoke)
esac
;;
revoke)
case "$in_crt" in
all)
[ "$EASYRSA_SILENT" ] || notice "\ [ "$EASYRSA_SILENT" ] || notice "\
* Showing certificates which are revoked:" * Showing certificates which are revoked:"
read_db revoke
;; ;;
*) print "Coming soon.." renew)
esac
;;
renew)
case "$in_crt" in
all)
[ "$EASYRSA_SILENT" ] || notice "\ [ "$EASYRSA_SILENT" ] || notice "\
* Showing certificates which have been renewed but NOT revoked:" * Showing certificates which have been renewed but NOT revoked:"
read_db renew
;; ;;
*) print "Coming soon.." *) warn "Unrecognised report: $report"
esac esac
;; else
*) warn "Unrecognised report: $report" # get status for a single cert - Verify cert first
esac in_crt="$EASYRSA_PKI/issued/$target.crt"
[ -e "$in_crt" ] || die "File not found: $in_crt"
format="x509"
verify_file "$format" "$in_crt"
fi
# Create report
read_db
} # => status() } # => status()
# set_var is not known by shellcheck, therefore: # set_var is not known by shellcheck, therefore:
@ -4091,28 +4104,19 @@ case "$cmd" in
show_ca "$@" show_ca "$@"
;; ;;
verify) verify)
verify_cert "$@" # using internal 'batch' mode, this can return an error
# Ignore the error here, catch the error if used internally
# eg. show-expire/expire_status
verify_cert "$@" || :
;; ;;
show-expire) show-expire)
if [ -z "$*" ]; then status expire "$@"
status expire all
else
status expire "$@"
fi
;; ;;
show-revoke) show-revoke)
if [ -z "$*" ]; then status revoke "$@"
status revoke all
else
status revoke "$@"
fi
;; ;;
show-renew) show-renew)
if [ -z "$*" ]; then status renew "$@"
status renew all
else
status renew "$@"
fi
;; ;;
upgrade) upgrade)
up23_manage_upgrade_23 "$@" up23_manage_upgrade_23 "$@"