nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'ValdikSS-startdate-year-v3'

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-05-03 20:16:50 +01:00
commit 8c5ee3df1b
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 53 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
easyrsa3/easyrsa
View File

@ -109,8 +109,11 @@ cmd_help() {
This mode uses the <filename_base> as the X509 CN." This mode uses the <filename_base> as the X509 CN."
opts=" opts="
nopass - do not encrypt the private key (default is encrypted) nopass - do not encrypt the private key (default is encrypted)
inline - create an inline credentials file for this node" ;; nodatetime - generate certificate with start date of
01 January 00:00:00 and end date of CA generation
day 00:00:00, changing year only
inline - create an inline credentials file for this node" ;;
revoke) text=" revoke) text="
revoke <filename_base> [reason] revoke <filename_base> [reason]
Revoke a certificate specified by the filename_base, with an optional Revoke a certificate specified by the filename_base, with an optional
@ -1182,6 +1185,7 @@ sign_req() {
crt_type="$1" crt_type="$1"
req_in="$EASYRSA_PKI/reqs/$2.req" req_in="$EASYRSA_PKI/reqs/$2.req"
crt_out="$EASYRSA_PKI/issued/$2.crt" crt_out="$EASYRSA_PKI/issued/$2.crt"
cert_dates "$EASYRSA_PKI/ca.crt"
# Randomize Serial number # Randomize Serial number
if [ "$EASYRSA_RAND_SN" != "no" ]; if [ "$EASYRSA_RAND_SN" != "no" ];
@ -1317,6 +1321,7 @@ $ext_tmp"
# sign request # sign request
crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file" crt_out_tmp="$(easyrsa_mktemp)" || die "Failed to create temporary file"
easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \ easyrsa_openssl ca -utf8 -in "$req_in" -out "$crt_out_tmp" \
$([ "$4" = "nodatetime" ] && echo "-startdate" "$start_date_nodatetime" "-enddate" "$end_date_nodatetime") \
-extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \ -extfile "$ext_tmp" -days "$EASYRSA_CERT_EXPIRE" -batch \
${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \ ${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
|| die "signing failed (openssl output above may have more detail)" || die "signing failed (openssl output above may have more detail)"
@ -1351,6 +1356,7 @@ Run easyrsa without commands for usage and commands."
while [ -n "$1" ]; do while [ -n "$1" ]; do
case "$1" in case "$1" in
nopass) nopass=1 ;; nopass) nopass=1 ;;
nodatetime) nodatetime=1 ;;
inline) EASYRSA_INLINE=1 ;; inline) EASYRSA_INLINE=1 ;;
*) warn "Ignoring unknown command option: '$1'" *) warn "Ignoring unknown command option: '$1'"
esac esac
@ -1371,7 +1377,7 @@ Matching file found at: "
gen_req "$name" batch ${nopass+ nopass} gen_req "$name" batch ${nopass+ nopass}
# Sign it # Sign it
( sign_req "$crt_type" "$name" batch ) || { ( sign_req "$crt_type" "$name" batch ${nodatetime+ nodatetime} ) || {
rm -f "$req_out" "$key_out" rm -f "$req_out" "$key_out"
die "Failed to sign '$name'" die "Failed to sign '$name'"
} }
@ -1580,6 +1586,49 @@ revoke_move() {
return 0 return 0
} #= move_revoked() } #= move_revoked()
# Set certificate expire date, renew date and variables needed for nodatetime
cert_dates() {
cert_notbefore_date="$(
easyrsa_openssl x509 -in "$1" -noout -startdate | \
sed 's/^notBefore=//'
)"
cert_notafter_date="$(
easyrsa_openssl x509 -in "$1" -noout -enddate | \
sed 's/^notAfter=//'
)"
case "$easyrsa_uname" in
"Darwin"|*"BSD")
expire_date="$(date -j -f '%b %d %T %Y %Z' "$cert_notafter_date" +%s)"
allow_renew_date="$(( $(date -j +%s) + 86400 * EASYRSA_CERT_RENEW ))"
start_date_nodatetime_md="$(date -j -f '%b %d %T %Y %Z' "$cert_notbefore_date" +%m%d)"
start_date_nodatetime="$(date +%Y)0101000000Z"
end_date_nodatetime="$(date -j -f %s $(( $(date +%s) + 86400 * EASYRSA_CERT_EXPIRE )) +%Y)${start_date_nodatetime_md}000000Z"
;;
*)
# Linux and Windows
if expire_date="$(date -d "$cert_notafter_date" +%s)"
then
allow_renew_date="$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)"
start_date_nodatetime_md="$(date -d "$cert_notbefore_date" +%m%d)"
start_date_nodatetime="$(date +%Y)0101000000Z"
end_date_nodatetime="$(date -d "+${EASYRSA_CERT_EXPIRE}day" +%Y)${start_date_nodatetime_md}000000Z"
# Alpine Linux and busybox
elif expire_date="$(date -D "%b %e %H:%M:%S %Y" -d "$cert_notafter_date" +%s)"
then
allow_renew_date="$(( $(date +%s) + 86400 * EASYRSA_CERT_RENEW ))"
start_date_nodatetime_md="$(date -D "%b %e %H:%M:%S %Y" -d "$cert_notbefore_date" +%m%d)"
start_date_nodatetime="$(date +%Y)0101000000Z"
end_date_nodatetime="$(date -D %s -d $(( $(date +%s) + 86400 * EASYRSA_CERT_EXPIRE )) +%Y)${start_date_nodatetime_md}000000Z"
# Something else
else
die "Date failed"
fi
esac
} #= cert_dates()
# renew backend # renew backend
renew() { renew() {
# pull filename base: # pull filename base:
@ -1654,32 +1703,7 @@ Cannot renew this certificate because a conflicting file exists.
unset -v deny_msg unset -v deny_msg
# Check if old cert is expired or expires within 30 # Check if old cert is expired or expires within 30
cert_expire_date="$( cert_dates "$crt_in"
easyrsa_openssl x509 -in "$crt_in" -noout -enddate | \
sed 's/^notAfter=//'
)"
case "$easyrsa_uname" in
"Darwin"|*"BSD")
expire_date="$(date -j -f '%b %d %T %Y %Z' "$cert_expire_date" +%s)"
allow_renew_date="$(( $(date -j +%s) + 86400 * EASYRSA_CERT_RENEW ))"
;;
*)
# Linux and Windows
if expire_date="$(date -d "$cert_expire_date" +%s)"
then
allow_renew_date="$(date -d "+${EASYRSA_CERT_RENEW}day" +%s)"
# Alpine Linux and busybox
elif expire_date="$(date -D "%b %e %H:%M:%S %Y" -d "$cert_expire_date" +%s)"
then
allow_renew_date="$(( $(date +%s) + 86400 * EASYRSA_CERT_RENEW ))"
# Something else
else
die "Date failed"
fi
esac
[ "$expire_date" -lt "$allow_renew_date" ] || die "\ [ "$expire_date" -lt "$allow_renew_date" ] || die "\
Certificate expires in more than $EASYRSA_CERT_RENEW days. Certificate expires in more than $EASYRSA_CERT_RENEW days.