Merge branch 'index-expire' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-index-expire

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2022-12-10 00:21:20 +00:00 · 2022-12-10 00:21:20 +00:00 · fcac1fe499
commit fcac1fe499
parent 3ce9272e3a 01ded61201
1 changed files with 100 additions and 54 deletions
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@ -3447,7 +3447,7 @@ fixed_cert_dates() {
 	# Check offset range
 	if [ 1 -gt "$start_fix_day_n" ] || [ 365 -lt "$start_fix_day_n" ]
 	then
-		die "Fixed off-set out of range [1-365 days]: $start_fix_day_n"
+		die "Fixed off-set range [1-365 days]: $start_fix_day_n"
 	fi

 	# Set the end fixed day-number of the Year
@ -3478,8 +3478,12 @@ The fixed date will be rolled backward by one year."
 			busybox date -u -d "${this_year_n}01010000.01" '+%s'
 			)"

-		start_fix_day_s="$(( New_Year_day_s + start_fix_day_n * 86400 ))"
-		end_fix_day_s="$(( start_fix_day_s + EASYRSA_CERT_EXPIRE * 86400 ))"
+		start_fix_day_s="$((
+			New_Year_day_s + start_fix_day_n * 86400
+			))"
+		end_fix_day_s="$((
+			start_fix_day_s + EASYRSA_CERT_EXPIRE * 86400
+			))"

 		# Convert to date-stamps for SSL input
 		start_fix_day_d="$(
@ -3525,8 +3529,7 @@ The fixed date will be rolled backward by one year."
 				"$New_Year_day_d" +%s
 			)"

-	# Linux and Windows
-	# Windows date.exe does not support format +%s as input
+	# Linux and Windows: date.exe does not allow +%s as input
 	# MacPorts GNU date
 	elif this_year_n="$(date -u +%y)"; then

@ -3546,15 +3549,18 @@ The fixed date will be rolled backward by one year."

 		# New Years day date
 		New_Year_day_d="$(
-			date -u -d "${this_year_n}-01-01 00:00:01Z" '+%Y-%m-%d %H:%M:%SZ'
+			date -u -d "${this_year_n}-01-01 00:00:01Z" \
+				'+%Y-%m-%d %H:%M:%SZ'
 			)"

 		# Convert to date-stamps for SSL input
 		start_fix_day_d="$(
-			date -u -d "$New_Year_day_d +${start_fix_day_n}days" +%Y%m%d%H%M%SZ
+			date -u -d "$New_Year_day_d +${start_fix_day_n}days" \
+				+%Y%m%d%H%M%SZ
 			)"
 		end_fix_day_d="$(
-			date -u -d "$New_Year_day_d +${end_fix_day_n}days" +%Y%m%d%H%M%SZ
+			date -u -d "$New_Year_day_d +${end_fix_day_n}days" \
+				+%Y%m%d%H%M%SZ
 			)"
 		end_fix_day_s="$(
 			date -u -d "$New_Year_day_d +${end_fix_day_n}days" +%s
@ -3590,7 +3596,7 @@ cert_date_to_timestamp_s() {
 	then return

 	# OS dependencies
-	# Linux and Windows (FTR: date.exe does not support format +%s as input)
+	# Linux and Windows: date.exe does not allow +%s as input
 	# MacPorts GNU date
 	elif timestamp_s="$(
 		date -d "$in_date" +%s \
@ -3606,7 +3612,7 @@ cert_date_to_timestamp_s:
 	fi
 } # => cert_date_to_timestamp_s()

-# Convert system date/time to X509 certificate style date/time (+)offset
+# Convert system date to X509 certificate style date (+)offset
 # TODO minus (-)offset
 offset_days_to_cert_date() {

@ -3616,9 +3622,9 @@ offset_days_to_cert_date() {
 	if busybox date --help > /dev/null 2>&1
 	then
 		cert_type_date="$(
-			busybox date -u -d "@$(( $(busybox date +%s) + offset * 86400 ))" \
-				"+%b %d %H:%M:%S %Y %Z" \
-				2>/dev/null
+			busybox date -u -d \
+				"@$(( $(busybox date +%s) + offset * 86400 ))" \
+				"+%b %d %H:%M:%S %Y %Z" 2>/dev/null
 			)"
 		return

@ -3630,7 +3636,7 @@ offset_days_to_cert_date() {
 	then return

 	# OS dependencies
-	# Linux and Windows (FTR: date.exe does not support format +%s as input)
+	# Linux and Windows: date.exe does not allow +%s as input
 	# MacPorts GNU date
 	elif cert_type_date="$(
 		date -u -d "+${offset}days" "+%b %d %H:%M:%S %Y %Z" \
@ -3735,9 +3741,9 @@ ssl_cert_not_before_date() {
 	fn_ssl_out="$(
 		unset -v EASYRSA_DEBUG
 		easyrsa_openssl x509 -in "$1" -noout -startdate
-		)" || die "ssl_cert_not_before_date - failed to get startdate"
+		)" || die "ssl_cert_not_before_date - failed: -startdate"
 	# 'cert_not_before_date' is *not* used, at this time..
-	# disable #shellcheck disable=SC2034 # Prefer to keep the warning
+	# disable #shellcheck disable=SC2034 # Prefer to keep warning
 	cert_not_before_date="${fn_ssl_out#*=}"
 	unset -v fn_ssl_out
 } # => ssl_cert_not_before_date()
@ -3748,15 +3754,15 @@ ssl_cert_not_after_date() {
 	fn_ssl_out="$(
 		unset -v EASYRSA_DEBUG
 		easyrsa_openssl x509 -in "$1" -noout -enddate
-		)" || die "ssl_cert_not_after_date - failed to get enddate"
+		)" || die "ssl_cert_not_after_date - failed: -enddate"
 	cert_not_after_date="${fn_ssl_out#*=}"
 	unset -v fn_ssl_out
 } # => ssl_cert_not_after_date()

-# SC2295: (info): Expansions inside ${..} need to be quoted separately,
-# otherwise they match as patterns. (what-ever that means .. ;-)
-# Unfortunately, Windows sh.exe has an absolutely ridiculous bug.
-# Try this in sh.exe: t='   '; s="a${t}b${t}c"; echo "${s%%"${t}"*}"
+# SC2295: Expansion inside ${..} need to be quoted separately,
+# otherwise they match as patterns. (what-ever that means ;-)
+# Unfortunately, Windows sh.exe has an weird bug.
+# Try in sh.exe: t='   '; s="a${t}b${t}c"; echo "${s%%"${t}"*}"

 # Read db
 # shellcheck disable=SC2295
@ -3770,7 +3776,8 @@ read_db() {
 		# Interpret the db/certificate record
 		unset -v db_serial db_cn db_revoke_date db_reason
 		case "$db_status" in
-		V)	# Valid
+		V|E)
+			# Valid
 			db_serial="${db_record%%${TCT}*}"
 			db_record="${db_record#*${TCT}}"
 			db_cn="${db_record#*/CN=}"; db_cn="${db_cn%%/*}"
@ -3778,7 +3785,8 @@ read_db() {
 			cert_r_issued="$pki_r_issued/$db_cn.crt"
 			cert_r_by_sno="$pki_r_by_sno/$db_serial.crt"
 		;;
-		R)	# Revoked
+		R)
+			# Revoked
 			db_revoke_date="${db_record%%${TCT}*}"
 			db_reason="${db_revoke_date#*,}"
 			if [ "$db_reason" = "$db_revoke_date" ]; then
@ -3797,15 +3805,21 @@ read_db() {

 		# Output selected status report for this record
 		case "$report" in
-		expire) # Certs which expire before EASYRSA_CERT_RENEW days
-			if [ "$db_status" = V ]; then
+		expire)
+		# Certs which expire before EASYRSA_CERT_RENEW days
+			case "$db_status" in
+			V|E)
 				case "$target" in
 				'') expire_status ;;
 				*) [ "$target" = "$db_cn" ] && expire_status
 				esac
-			fi
+			;;
+			*)
+				: # Ignore ok
+			esac
 		;;
-		revoke) # Certs which have been revoked
+		revoke)
+		# Certs which have been revoked
 			if [ "$db_status" = R ]; then
 				case "$target" in
 				'') revoke_status ;;
@ -3813,7 +3827,8 @@ read_db() {
 				esac
 			fi
 		;;
-		renew) # Certs which have been renewed but not revoked
+		renew)
+		# Certs which have been renewed but not revoked
 			if [ "$db_status" = V ]; then
 				case "$target" in
 				'') renew_status ;;
@ -3824,7 +3839,6 @@ read_db() {
 		*) die "Unrecognised report: $report"
 		esac
 	done < "$db_in"
-	[ "$EASYRSA_SILENT" ] || print # Separate Notice below
 } # => read_db()

 # Expire status
@ -3834,13 +3848,15 @@ expire_status() {
 		# get the serial number of the certificate
 		ssl_cert_serial "$cert_issued" cert_serial

-		# db serial must match certificate serial, otherwise this
-		# is a renewed cert which has been replaced by an issued cert
+		# db serial must match certificate serial, otherwise
+		# this is a renewed cert which has been replaced by
+		# an issued cert
 		if [ "$db_serial" != "$cert_serial" ]; then
 			information "\
 serial mismatch:
  db_serial:    $db_serial
  cert_serial:  $cert_serial
+  commonName:   $db_cn
  cert_issued:  $cert_issued"
 			return 0
 		fi
@ -3866,10 +3882,22 @@ serial mismatch:
 	cert_date_to_timestamp_s "$cert_type_date" # Assigns timestamp_s
 	cutoff_date_s="$timestamp_s"

+	# Set NOW date for expiry comparison
+	offset_days_to_cert_date 0 # Assigns cert_type_date
+	cert_date_to_timestamp_s "$cert_type_date" # Assigns timestamp_s
+	now_date_s="$timestamp_s"
+
 	if [ "$cert_expire_date_s" -lt "$cutoff_date_s" ]; then
 		# Cert expires in less than grace period
-		printf '%s%s\n' "$db_status | Serial: $db_serial | " \
-			"Expires: $cert_not_after_date | CN: $db_cn"
+		if [ "$cert_expire_date_s" -gt "$now_date_s" ]; then
+			printf '%s%s\n' \
+				"$db_status | Serial: $db_serial | " \
+				"Expires: $cert_not_after_date | CN: $db_cn"
+		else
+			printf '%s%s\n' \
+				"$db_status | Serial: $db_serial | " \
+				"Expired: $cert_not_after_date | CN: $db_cn"
+		fi
 	fi
 } # => expire_status()

@ -3882,17 +3910,21 @@ revoke_status() {
 	# Use db translated date
 	cert_revoke_date="$cert_type_date"

-	printf '%s%s\n' "$db_status | Serial: $db_serial | " \
-		"Revoked: $cert_revoke_date | Reason: $db_reason | CN: $db_cn"
+	printf '%s%s%s\n' \
+		"$db_status | Serial: $db_serial | " \
+		"Revoked: $cert_revoke_date | " \
+		"Reason: $db_reason | CN: $db_cn"
+
 } # => revoke_status()

 # Renewed status
-# renewed certs only remain in the renewed folder until they are revoked
-# Only ONE renewed cert with unique CN can exist in the renewed folder
+# renewed certs only remain in the renewed folder until revoked
+# Only ONE renewed cert with unique CN can exist in renewed folder
 renew_status() {
 	# Does a Renewed cert exist ?
-	# files in issued are CommonName, files by serial are SerialNumber
+	# files in issued are file name, or in serial are SerialNumber
 	unset -v cert_file_in cert_is_issued cert_is_serial renew_is_old
+
 	# Find renewed/issued/CN
 	if [ -e "$cert_r_issued" ]; then
 		cert_file_in="$cert_r_issued"
@ -3907,15 +3939,17 @@ renew_status() {
 	fi

 	# Both should not exist
-	[ "$cert_is_issued" ] && [ "$cert_is_serial" ] && die "Too many certs"
+	if [ "$cert_is_issued" ] && [ "$cert_is_serial" ]; then
+		die "Too many certs"
+	fi

 	# If a renewed cert exists
 	if [ "$cert_file_in" ]; then
 		# get the serial number of the certificate
 		ssl_cert_serial "$cert_file_in" cert_serial

-		# db serial must match certificate serial, otherwise this
-		# is an issued cert that replaces a renewed cert
+		# db serial must match certificate serial, otherwise
+		# this is an issued cert that replaces a renewed cert
 		if [ "$db_serial" != "$cert_serial" ]; then
 			information "\
 serial mismatch:
@ -3926,14 +3960,17 @@ serial mismatch:
 		fi

 		# Use cert date
-		ssl_cert_not_after_date "$cert_file_in" # Assigns cert_not_after_date
+		# Assigns cert_not_after_date
+		ssl_cert_not_after_date "$cert_file_in"

 		# Highlight renewed/cert_by_serial
 		if [ "$renew_is_old" ]; then
-			printf '%s%s\n' "*** $db_status | Serial: $db_serial | " \
+			printf '%s%s\n' \
+				"*** $db_status | Serial: $db_serial | " \
 				"Expires: $cert_not_after_date | CN: $db_cn"
 		else
-			printf '%s%s\n' "$db_status | Serial: $db_serial | " \
+			printf '%s%s\n' \
+				"$db_status | Serial: $db_serial | " \
 				"Expires: $cert_not_after_date | CN: $db_cn"
 		fi

@ -3952,7 +3989,7 @@ status() {

 	verify_ca_init

-	# This does not build certs, so do not need support for fixed dates
+	# This does not build certs, so do not need fixed dates
 	unset -v EASYRSA_FIX_OFFSET EASYRSA_BATCH EASYRSA_SILENT

 	# If no target file then add Notice
@ -3972,7 +4009,8 @@ $EASYRSA_CERT_RENEW days (--days):"
 			notice "\
 * Showing certificates which have been renewed but NOT revoked:

-*** Marks those which require 'rewind-renew' before they can be revoked."
+*** Marks those which require 'rewind-renew' \
+before they can be revoked."
 		;;
 		*) warn "Unrecognised report: $report"
 		esac
@ -4038,8 +4076,11 @@ detect_host() {
 	[ "${OS}" ] && easyrsa_host_test="${OS}"

 	# shellcheck disable=SC2016 # expansion inside '' blah
-	easyrsa_ksh='@(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $'
-	[ "${KSH_VERSION}" = "${easyrsa_ksh}" ] && easyrsa_host_test="${easyrsa_ksh}"
+	easyrsa_ksh=\
+'@(#)MIRBSD KSH R39-w32-beta14 $Date: 2013/06/28 21:28:57 $'
+
+	[ "${KSH_VERSION}" = "${easyrsa_ksh}" ] && \
+		easyrsa_host_test="${easyrsa_ksh}"
 	unset -v easyrsa_ksh

 	# If not Windows then nix
@ -4052,7 +4093,8 @@ detect_host() {
 			easyrsa_shell="$SHELL (Git)"
 			easyrsa_win_git_bash="${EXEPATH}"
 			# If found then set openssl NOW!
-			#[ -e /usr/bin/openssl ] && set_var EASYRSA_OPENSSL /usr/bin/openssl
+			#[ -e /usr/bin/openssl ] && \
+			#	set_var EASYRSA_OPENSSL /usr/bin/openssl
 		fi
 	else
 		easyrsa_host_os=nix
@ -4067,8 +4109,10 @@ detect_host() {
 		host_out="Host: dev"
 	fi

-	host_out="${host_out} | $easyrsa_host_os | $easyrsa_uname | $easyrsa_shell"
-	host_out="${host_out}${easyrsa_win_git_bash+ | "$easyrsa_win_git_bash"}"
+	host_out="\
+${host_out} | $easyrsa_host_os | $easyrsa_uname | $easyrsa_shell"
+	host_out="\
+${host_out}${easyrsa_win_git_bash+ | "$easyrsa_win_git_bash"}"
 	unset -v easyrsa_ver_test easyrsa_host_test
 } # => detect_host()

@ -4105,10 +4149,12 @@ $EASYRSA_ALGO_PARAMS"
 	;;
 	ed)
 		# Verify Edwards curve
-		easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" > /dev/null \
-			|| die "Edwards Curve $EASYRSA_CURVE not found."
+		easyrsa_openssl genpkey -algorithm "$EASYRSA_CURVE" \
+			> /dev/null || \
+				die "Edwards Curve $EASYRSA_CURVE not found."
 	;;
-	*) die "Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed'"
+	*) die "\
+Alg '$EASYRSA_ALGO' is invalid: must be 'rsa', 'ec' or 'ed'"
 	esac
 } # => verify_algo_params()