Merge branch 'TinCanTech-verify-cert'

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2022-05-05 20:42:37 +01:00 · 2022-05-05 20:42:37 +01:00 · 7a7302c4b0
commit 7a7302c4b0
parent 12eecc5d6a b862799f19
1 changed files with 48 additions and 0 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -44,6 +44,7 @@ Here is the list of commands available with a short syntax reminder. Use the
  show-cert <filename_base> [ cmd-opts ]
  show-ca [ cmd-opts ]
  show-crl
+  verify <filename_base>
  import-req <request_file_path> <short_basename>
  export-p1 <filename_base> [ cmd-opts ]
  export-p7 <filename_base> [ cmd-opts ]
@ -169,6 +170,9 @@ cmd_help() {
      Shows details of the current certificate revocation list (CRL)

      Human-readable output is shown." ;;
+		verify) text="
+  verify <filename_base>
+      Verify certificate against CA" ;;
 		import-req) text="
  import-req <request_file_path> <short_basename>
      Import a certificate request from a file
@ -2373,6 +2377,47 @@ default_server_san() {
 	fi
 } # => default_server_san()

+# Verify certificate against CA
+verify_cert() {
+	# pull filename base:
+	[ "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+
+	verify_ca_init
+
+	# Assign file_name_base and dust off!
+	file_name_base="$1"
+	shift
+
+	in_dir="$EASYRSA_PKI"
+	ca_crt="$in_dir/ca.crt"
+	crt_in="$in_dir/issued/$file_name_base.crt"
+
+	# Cert file must exist
+	[ -f "$crt_in" ] || die "\
+No certificate found for the input: '$crt_in'"
+
+	# Verify file is a valid cert
+	verify_file x509 "$crt_in" || die "\
+Input is not a valid certificate: $crt_in"
+
+	# Test and show SSL out
+	if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then
+		[ "$EASYRSA_SILENT" ] || print # Separate Notice below
+		notice "\
+  Certificate name:   $file_name_base
+  Verfication status: GOOD"
+		exit 0
+	fi
+
+	[ "$EASYRSA_SILENT" ] || print # Separate Notice below
+	warn "\
+  Certificate name:   $file_name_base
+  Verfication status: FAILED"
+	exit 1
+} # => verify_cert()
+
 # verify a file seems to be a valid req/X509
 verify_file() {
 	format="$1"
@ -3645,6 +3690,9 @@ case "$cmd" in
 	show-ca)
 		show_ca "$@"
 		;;
+	verify)
+		verify_cert "$@"
+		;;
 	upgrade)
 		up23_manage_upgrade_23 "$@"
 		;;