nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'expose-sign-req-serial-check' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-expose-sign-req-serial-check

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-07-13 17:07:37 +01:00
commit a0ea8ac5c1
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
2 changed files with 83 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@ -1,6 +1,8 @@
Easy-RSA 3 ChangeLog Easy-RSA 3 ChangeLog
3.1.6 (2023-10-13) 3.1.6 (2023-10-13)
* Expose serial-check, display-dn, display-san and default-san to
command line. (#980) (Debugging functions, which remain undocumented)
* Expand default status to include vars-file and CA status (#973) * Expand default status to include vars-file and CA status (#973)
* sign-req: Allow the CSR DN-field order to be preserved (#970) * sign-req: Allow the CSR DN-field order to be preserved (#970)

105
easyrsa3/easyrsa
View File

@ -868,6 +868,7 @@ Temporary session not preserved."
# Exit: Known errors # Exit: Known errors
# -> confirm(): aborted # -> confirm(): aborted
# -> verify_cert(): verify failed --batch mode # -> verify_cert(): verify failed --batch mode
# -> check_serial_unique(): not unique --batch mode
if [ "$easyrsa_exit_with_error" ]; then if [ "$easyrsa_exit_with_error" ]; then
verbose "Exit: Known errors = true" verbose "Exit: Known errors = true"
exit 1 exit 1
@ -2395,32 +2396,21 @@ The certificate request file is not in a valid X509 format:
if [ "$EASYRSA_RAND_SN" != "no" ]; then if [ "$EASYRSA_RAND_SN" != "no" ]; then
serial="" serial=""
check_serial="" check_serial=""
unset -v unique_serial unset -v serial_is_unique
for i in 1 2 3 4 5; do for i in 1 2 3 4 5; do
serial="$( serial="$(
easyrsa_random 16 easyrsa_random 16
)" || die "sign_req - easyrsa_random" )" || die "sign_req - easyrsa_random"
# Check for duplicate serial in CA db # Check for duplicate serial in CA db
# Always errors out - Do not capture error if check_serial_unique "$serial" batch; then
# unset EASYRSA_SILENT_SSL to capure all output serial_is_unique=1
check_serial="$( break
unset -v EASYRSA_SILENT_SSL fi
easyrsa_openssl ca -status "$serial" 2>&1
)" || :
case "$check_serial" in
*"not present in db"*)
unique_serial=1
break
;;
*)
verbose "check_serial: $check_serial"
esac
done done
# Check for unique_serial # Check for unique_serial
[ "$unique_serial" ] || die "\ [ "$serial_is_unique" ] || die "\
sign_req - Randomize Serial number failed: sign_req - Randomize Serial number failed:
$check_serial" $check_serial"
@ -2659,6 +2649,56 @@ Certificate created at:
return 0 return 0
} # => sign_req() } # => sign_req()
# Check serial in db
check_serial_unique() {
serial="$1"
[ "$serial" ] || user_error "Serial number required!"
[ "$2" = batch ] && internal_batch=1
unset -v unique_serial
# Check for openssl -status of serial number
# Always errors out - Do not capture error
# unset EASYRSA_SILENT_SSL to capure all output
check_serial="$(
unset -v EASYRSA_SILENT_SSL
easyrsa_openssl ca -status "$serial" 2>&1
)" || :
# Check for duplicate serial in CA db
case "$check_serial" in
(*"not present in db"*)
unique_serial=1
verbose "check_serial_unique: unique_serial=true"
;;
*)
: # Some other response
verbose "check_serial_unique: unique_serial=false"
esac
# In batch mode return result only
if [ "$internal_batch" ] || [ "$EASYRSA_BATCH" ]
then
if [ "$unique_serial" ]; then
return 0
else
return 1
fi
fi
# Otherwise, show result to user
# and do not return any error code
print "
check_serial_status RESULT:
========================================
$check_serial
========================================
COMPLETE"
} # => check_serial_unique()
# common build backend # common build backend
# used to generate+sign in 1 step # used to generate+sign in 1 step
build_full() { build_full() {
@ -6545,7 +6585,7 @@ unset -v \
working_safe_ssl_conf \ working_safe_ssl_conf \
user_san_true \ user_san_true \
alias_days \ alias_days \
do_build_full \ do_build_full internal_batch \
found_vars no_new_vars user_vars_true found_vars no_new_vars user_vars_true
# Used by build-ca->cleanup to restore prompt # Used by build-ca->cleanup to restore prompt
@ -6896,12 +6936,6 @@ case "$cmd" in
show-ca) show-ca)
show_ca "$@" show_ca "$@"
;; ;;
verify|verify-cert)
# Called with --batch, this will return error
# when the certificate fails verification.
# Therefore, on error, go directly to cleanup.
verify_cert "$@" || cleanup
;;
show-expire) show-expire)
[ -z "$alias_days" ] || \ [ -z "$alias_days" ] || \
export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days" export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days"
@ -6919,6 +6953,29 @@ case "$cmd" in
make-safe-ssl) make-safe-ssl)
make_safe_ssl "$@" make_safe_ssl "$@"
;; ;;
verify|verify-cert)
# Called with --batch, this will return error
# when the certificate fails verification.
# Therefore, on error, exit with error.
verify_cert "$@" || \
easyrsa_exit_with_error=1
;;
serial|check-serial)
# Called with --batch, this will return error
# when the serial number is not unique.
# Therefore, on error, exit with error.
check_serial_unique "$@" || \
easyrsa_exit_with_error=1
;;
display-dn)
display_dn "$@"
;;
display-san)
display_san "$@"
;;
default-san)
default_server_san "$@"
;;
upgrade) upgrade)
up23_manage_upgrade_23 "$@" up23_manage_upgrade_23 "$@"
;; ;;