From 0765921676cc2007c02816924be9006b37202f02 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 29 Apr 2022 20:23:06 +0100
Subject: [PATCH 1/2] Add 'verify' - SSL Verify certificate against CA
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index cd24375..fb7e746 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -43,6 +43,7 @@ Here is the list of commands available with a short syntax reminder. Use the
 show-cert [ cmd-opts ]
 show-ca [ cmd-opts ]
 show-crl
+ verify
 import-req
 export-p1 [ cmd-opts ]
 export-p7 [ cmd-opts ]
@@ -168,6 +169,9 @@ cmd_help() {
 Shows details of the current certificate revocation list (CRL)
 Human-readable output is shown." ;;
+ verify) text="
+ verify
+ Verify certificate against CA" ;;
 import-req) text="
 import-req
 Import a certificate request from a file
@@ -2255,6 +2259,39 @@ default_server_san() {
 fi
 } # => default_server_san()
+# Verify certificate against CA
+verify_cert() {
+ # pull filename base:
+ [ "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+
+ verify_ca_init
+
+ # Assign file_name_base and dust off!
+ file_name_base="$1"
+ shift
+
+ in_dir="$EASYRSA_PKI"
+ ca_crt="$in_dir/ca.crt"
+ crt_in="$in_dir/issued/$file_name_base.crt"
+
+ # Test and show SSL out
+ if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then
+ [ "$EASYRSA_SILENT" ] || print # Separate Notice below
+ notice "\
+ Certificate name: $file_name_base
+ Verfication status: GOOD"
+ exit 0
+ fi
+
+ [ "$EASYRSA_SILENT" ] || print # Separate Notice below
+ warn "\
+ Certificate name: $file_name_base
+ Verfication status: FAILED"
+ exit 1
+} # => verify_cert()
+
 # verify a file seems to be a valid req/X509
 verify_file() {
 format="$1"
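Review bot: The GOOD status in verify_cert covers chain validation only — `easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"` passes no `-crl_check`, so a certificate this PKI has already revoked still reports `Verfication status: GOOD`. Either add `-crl_check -CRLfile "$in_dir/<crl-file>"` (placeholder: the CRL file that `show-crl` displays) when that file exists, or make the notice state explicitly that revocation was not checked. Both the notice and the warn text misspell the status label; it should read `Verification status:`. It is not visible here whether `ca.crt` can be an intermediate in this PKI; if it can, `-CAfile` with a single non-root certificate would fail for every issued certificate, and the FAILED branch would be reached for a reason unrelated to the certificate under test.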
@@ -3513,6 +3550,9 @@ case "$cmd" in
 show-ca)
 show_ca "$@"
 ;;
+ verify)
+ verify_cert "$@"
+ ;;
 upgrade)
 up23_manage_upgrade_23 "$@"
 ;;
From 854002ae4da9f9e1853240d050d2903f6ac86c96 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 29 Apr 2022 21:29:47 +0100
Subject: [PATCH 2/2] Verify input file is a valid certificate
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index fb7e746..f3e0535 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2276,6 +2276,14 @@ Run easyrsa without commands for usage and command help."
 ca_crt="$in_dir/ca.crt"
 crt_in="$in_dir/issued/$file_name_base.crt"
+ # Cert file must exist
+ [ -f "$crt_in" ] || die "\
+No certificate found for the input: '$crt_in'"
+
+ # Verify file is a valid cert
+ verify_file x509 "$crt_in" || die "\
+Input is not a valid certificate: $crt_in"
+
+ # Test and show SSL out + if easyrsa_openssl verify -CAfile "$ca_crt" "$crt_in"; then + [ "$EASYRSA_SILENT" ] || print # Separate Notice below
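Review bot: The new existence check guards only `$crt_in`; `$ca_crt` is still handed to openssl unchecked, so a missing or unreadable `ca.crt` surfaces only as openssl's own error followed by the generic FAILED status and `exit 1`. Unless `verify_ca_init` (called earlier in verify_cert, above this hunk) already guarantees that file, a matching `[ -f "$ca_crt" ] || die "\` / `CA certificate not found: '$ca_crt'"` would give the same clear diagnosis this commit adds for the input certificate. The two new die messages also quote the path inconsistently — `'$crt_in'` in the first, bare `$crt_in` in the second — so pick one form. verify_cert begins and ends outside this hunk.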