Expose 'sign-req' unique, random serial number check to command line

Problem: EasyRSA uses SSL CA command parameter '-serial $serial_number', to check if a serial-number exists within the database. The primary function of the SSL CA command parameter '-serial' is to check if a certificate is Valid or has been Revoked. EasyRSA abuses the SSL output to infer that a serial-number must be unique because that output contains the text 'not present in db'. SSL CA command parameter '-serial' ALWAYS returns an error, reagrdless of what-ever check it does. Likely, an SSL bug. As a step-in-the-right direction: To ease this needless-headache, expose the unique, random serial-number check to the command line. This helps to understand what is going on under-the-hood. The command 'sign-req' remains the same; except the unique, random serial-number check is moved to a separate, stand-alone function, which is also exposed to the command line for validation. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-07-12 23:15:35 +01:00 · 2023-07-12 23:15:35 +01:00 · cdad3a7844
commit cdad3a7844
parent 1ebf4a2f9c
1 changed files with 59 additions and 17 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -2395,32 +2395,21 @@ The certificate request file is not in a valid X509 format:
 	if [ "$EASYRSA_RAND_SN" != "no" ]; then
 		serial=""
 		check_serial=""
-		unset -v unique_serial
+		unset -v serial_is_unique
 		for i in 1 2 3 4 5; do
 			serial="$(
 				easyrsa_random 16
 				)" || die "sign_req - easyrsa_random"

 			# Check for duplicate serial in CA db
-			# Always errors out - Do not capture error
-			# unset EASYRSA_SILENT_SSL to capure all output
-			check_serial="$(
-				unset -v EASYRSA_SILENT_SSL
-				easyrsa_openssl ca -status "$serial" 2>&1
-				)" || :
-
-			case "$check_serial" in
-				*"not present in db"*)
-					unique_serial=1
-					break
-				;;
-				*)
-					verbose "check_serial: $check_serial"
-			esac
+			if check_serial_status "$serial" batch; then
+				serial_is_unique=1
+				break
+			fi
 		done

 		# Check for unique_serial
-		[ "$unique_serial" ] || die "\
+		[ "$serial_is_unique" ] || die "\
 sign_req - Randomize Serial number failed:

 $check_serial"
@ -2659,6 +2648,56 @@ Certificate created at:
 	return 0
 } # => sign_req()

+# Check serial in db
+check_serial_status() {
+	serial="$1"
+	[ "$serial" ] || user_error "Serial number required!"
+
+	[ "$2" = batch ] && internal_batch=1
+
+	unset -v unique_serial
+
+	# Check for openssl -status of serial number
+	# Always errors out - Do not capture error
+	# unset EASYRSA_SILENT_SSL to capure all output
+	check_serial="$(
+		unset -v EASYRSA_SILENT_SSL
+		easyrsa_openssl ca -status "$serial" 2>&1
+		)" || :
+
+	# Check for duplicate serial in CA db
+	case "$check_serial" in
+		(*"not present in db"*)
+			unique_serial=1
+			verbose "check_serial_status: unique_serial=true"
+		;;
+		*)
+			: # Some other response
+	esac
+
+	# In batch return result only
+	if [ "$internal_batch" ] || [ "$EASYRSA_BATCH" ]
+	then
+		[ "$unique_serial" ] && return
+		return 1
+	fi
+
+	# Otherwise, show result to user
+	print "
+check_serial_status() RESULT:
+========================================
+
+$check_serial
+
+========================================
+Complete"
+
+	# Force cleanup() to exit with error,
+	# if the serial number is not unique.
+	# OpenSSL always exits with error, regardless..
+	[ "$unique_serial" ] || easyrsa_exit_with_error=1
+} # => check_serial_status()
+
 # common build backend
 # used to generate+sign in 1 step
 build_full() {
@ -6813,6 +6852,9 @@ case "$cmd" in
 	gen-req)
 		gen_req "$@"
 		;;
+	serial|check-serial)
+		check_serial_status "$@"
+		;;
 	sign|sign-req)
 		[ -z "$alias_days" ] || \
 			export EASYRSA_CERT_EXPIRE="$alias_days"