1581 Commits

Author SHA1 Message Date
Richard T Bonhomme
9b95eaa8dc
easyrsa_openssl(): Add verbose output when functions are skipped
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-08 23:58:45 +01:00
Richard T Bonhomme
a9b7c6a8a4
status report: Only provide comparison date when certificate exists
If the certificate does not exist then the database date is used.
The database date is a shortened ISO-8601 date; the certificate date
is presented in a completely different format.

Omit the calculated "seconds since epoch" double check via 'date',
when the certificate does not exist.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-08 23:41:01 +01:00
Richard T Bonhomme
867333d67e
easyrsa_openssl(): Create a safe SSL config once per instance ONLY
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-08 23:01:33 +01:00
Richard T Bonhomme
1f18f19555
easyrsa_mktemp(): Increase the number of test-temp-files (Squashed)
commit df0a19e7ebaba5cb6fd2787ce4747d6338447a0a
Merge: e3e9f9e a7e58dd
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 8 14:30:46 2023 +0100

    Merge branch 'easyrsa_mktemp-increase-depth' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-easyrsa_mktemp-increase-depth

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit a7e58dd70cb2aeb06ebee39c6b2c438e9ac76cdc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 8 02:43:20 2023 +0100

    verify_algo_params(): Edwards Curve, call OpenSSL directly

    This allows the output to be discarded via /dev/null, because
    there is no use of temp-files and verbose messages.

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit d64dfcc16676b1e1b3fda7090667aea76bd718fc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 8 02:13:29 2023 +0100

    easyrsa_mktemp(): Windows, 'set -o noclobber' to control 'mv.exe'

    Currently, mv.exe will always prompt before over-writing a file.
    When creating temp-files, mv.exe must NEVER prompt but silently
    fail and try again with a new, sequentially numbered, file-name.

    Using 'set -o noclobber' causes mv.exe to behave correctly here.

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 948e1a1fbb338a32cf9b42d6fe9801b0fe7bfde9
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 8 01:22:47 2023 +0100

    easyrsa_mktemp(): Allow nine (9) test files

    Use of easyrsa_openssl() creates temp-files by default
    and is used in subshells.  This requires a maximum of (7)
    seven test files to move the shot-file to. (Currently)

    Raise the number of test-files to a maximum of nine (9).

    Status reports, read_db(): Recreate temporary session
    directory for each record. 'easyrsa' is designed to run
    one command and then exit, removing the temp session.
    Status reports run 'easyrsa' for the number of records
    in the database, before exiting. Therefore, the temp
    session MUST be reset for each record read.

    Add verbose output to help debug easyrsa_mktemp problems.

    Improve comments.

    Complete renaming of
    - EASYRSA_CERT_RENEW -to- EASYRSA_PRE_EXPIRY_WINDOW

    Split vars_setup(), add verify_working_env()
    - vars_setup() now only processes vars file.
    - verify_working_env() does the rest.
    The split does not change any of the enclosed code.

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-08 14:32:41 +01:00
Richard T Bonhomme
e3e9f9e08c
Merge branch 'TinCanTech-iso-8601-date-leap-years'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-07 23:53:47 +01:00
Richard T Bonhomme
26c6d4cfc3
Merge branch 'iso-8601-date-leap-years' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-iso-8601-date-leap-years
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-07 23:53:16 +01:00
Richard T Bonhomme
08bc2bd454
Status reports: iso_8601_timestamp_to_seconds(), fix Leap Years
Insert the day "February 29th" only after "Feb-28" during leap years.

Prepend century (e.g. 20 or 19) to a two-digit Year value. ISO-8601

Require four digit 'yyyy'

Improve verbose output.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-06 00:10:03 +01:00
Richard T Bonhomme
a39de53f94
Merge branch 'TinCanTech-externally-set-vars'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-04 20:51:58 +01:00
Richard T Bonhomme
a7cecaff13
Merge branch 'externally-set-vars' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-externally-set-vars
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-04 20:51:08 +01:00
Richard T Bonhomme
1e0de4c805
vars file: Allow 'EASYRSA_VARS_FILE' to be set externally
The preferred way to set a user defined 'vars' file is to use global
option '--vars=<vars-file>'. Therefore, the current code erroneously
does not check for externally set 'EASYRSA_VARS_FILE'.

This change now looks for a user defined 'vars' file by checking if
'EASYRSA_VARS_FILE' is defined, instead of 'user_vars_true'.

Also, move other automated 'vars' file locating to after the check
for user defined 'vars'.

Wrap long lines in set_var().

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-04 16:59:52 +01:00
Richard T Bonhomme
e8ad9fb4f4
Status reports: (Squashed) Use iso_8601 date format
Squashed commit of the following:

commit 423a478dcaf941476f1d8ea339657e2efeb86dec
Merge: 2cadb05 52ebec8
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sun Apr 2 19:29:40 2023 +0100

    Merge branch 'iso_8601-date-code' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-iso_8601-date-code

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 52ebec824febbcd8eb7f338a997dcbc513e9efa6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 1 14:32:56 2023 +0100

    Status reports: Rename EASYRSA_CERT_EXPIRE: EASYRSA_PRE_EXPIRY_WINDOW

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit ec8267afad8bf2c074b7c47e40f300a64d0be4a0
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 1 12:19:54 2023 +0100

    Status reports: Re-order functions (NFC)

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 72e682d6e9934726ceaf2d4553a456113a57f382
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Sat Apr 1 12:16:59 2023 +0100

    Status reports: Improve comments

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit dccb8c6773aa778404040865640feeccb6d843f7
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Mar 30 20:41:20 2023 +0100

    Status reports: Move force_set_var() to a suitable place (NFC)

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 9c48513f4adcb30f0f73db72b4fcf156aeeddffd
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Mar 30 20:39:55 2023 +0100

    Status reports: Remove ff_date_to_cert_date() (Unused)

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 93f51fd0aa2321dd1c511351eec69b4301dd7a80
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Mar 30 20:34:50 2023 +0100

    Status reports: Introduce cert_date_to_iso_8601_date()

    Terminate use of ff_date_to_cert_date() (To be removed).

    Other minor formatting.

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit aa79739235e5ae93ff71fd8860f809fef3ae2451
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Mar 30 15:16:56 2023 +0100

    Status reports: Remove unused function offset_days_to_cert_date()

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

commit 6017ae1cefecb6519c15f3a8d5ffd2ba168f744c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date:   Thu Mar 30 14:43:40 2023 +0100

    Status reports: Use iso_8601 date format

    These changes ONLY affect status reports.

    With OpenSSL v3 there is option '-dateopt iso_8601' which outputs
    dates as specified: 'yyyy-mm-dd HH:MM:SSTZ'

    Using this format, date related calculations become more manageable
    because the need to use various 'date' programs is reduced to a
    single use.  The single use is 'date +%s', to print the current
    date/time as a timestamp "seconds since epoch".  All supported
    versions of date use the same exact command.

    Introduce new functions:
    - days_to_timestamp_s()
      Return current date/time +/- number-of-days (Can be zero)
      as a timestamp seconds since epoch.
      Use date program in an OS agnostic manner. 'date +%s'

    - db_date_to_iso_8601_date()
      Renamed db_date_to_ff_date() - No functional changes.

    - iso_8601_cert_startdate()
    - iso_8601_cert_enddate()
      Return certificate -startdate or -enddate in iso_8601 format.
      If the SSL lib does not support iso_8601 format then return error
      to the calling function, which will fallback to old method.

    - iso_8601_timestamp_to_seconds()
      Calculate the "seconds since epoch" from iso_8601 date.
      If input date is not iso_8601 format then return error
      to the calling function, which will fallback to old method.

    Notice:
      EasyRSA will calculate "seconds since epoch" itself. It will also
      use the old method (use various date programs) to get a timestamp
      and verify if the two timestamps are an EXACT match.
      If they do not match then a configurable margin-of-error can be
      used to allow the mismatch to pass. (Not enabled by default)
      Testing so far, all timestamps are exact matches.

    Introduce new global options:
    --verbose: Be very verbose about easyrsa internal activity.
      Only currently used by status reports.

    --days-margin: Allow a margin of error for a timestamp mismatch.
      Only currently used by status reports. (Disabled by default)

    Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-04-02 19:31:38 +01:00
Richard T Bonhomme
2cadb05b67
Status reports: Respect silent/batch, remove fix-offset support
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-28 00:14:39 +01:00
Richard T Bonhomme
5af6e10b7a
busybox date: Remove unnecessary usage check
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-27 21:52:39 +01:00
Richard T Bonhomme
09c5684fc5
+ff_date_to_cert_date(): Prioritise standard date over busybox date
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-27 21:48:48 +01:00
Richard T Bonhomme
61914eaab4
Merge branch 'TinCanTech-remove-date-code'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-22 23:50:22 +00:00
Richard T Bonhomme
bb16726682
Merge branch 'remove-date-code' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-remove-date-code
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-22 23:48:32 +00:00
Richard T Bonhomme
d561a89eaf
Prioritise GNU and Windows date programs over Mac and busybox
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-21 18:47:02 +00:00
Richard T Bonhomme
67e34ace64
ChangeLog: Replace option --fix-offset with --startdate/--enddate
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-21 01:44:22 +00:00
Richard T Bonhomme
4a8ec3af15
Introduce global options --startdate and --enddate
EasyRSA options to pass values directly to SSL options:
* EasyRSA --startdate=YYYYMMDDhhmmssZ -> SSL -startdate YYYYMMDDhhmmssZ
* EasyRSA --enddate=YYYYMMDDhhmmssZ -> SSL -enddate YYYYMMDDhhmmssZ

Note: Use of --enddate over-rides EASYRSA_CERT_EXPIRE (--days).

Establish requirements for use of --startdate and --enddate

Option --startdate MANDATES the use of --enddate. Otherwise, the valid
period counts from NOW.  If --startdate is 6 months into the future and
--days is set to '1' then the certificate will expire in one (1) day but
not be valid for 6 months. Exit on improper use of --startdate.

Option --enddate is ONLY supported by commands which use 'sign-req'.
Warn when command does not support --enddate.

Use of --enddate MANDATES over-ruling --days.
Warn when --enddate will over-rule --days.

Correct user confirmation dialogue to reflect either number of --days
or date specified by --enddate.

Officially terminate support for --fix-offset.

Move "mutual exclusions" to a function.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-21 01:29:19 +00:00
Richard T Bonhomme
31669cbb9d
Merge branch 'TinCanTech-workflow-checkout-v3'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-17 06:12:09 +00:00
Richard T Bonhomme
e63752fe31
Merge branch 'workflow-checkout-v3' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-workflow-checkout-v3
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-17 06:11:03 +00:00
Richard T Bonhomme
85c3ceb5f4
CI: Update checkout to v3
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-16 20:29:46 +00:00
Richard T Bonhomme
1eaf57b727
Merge branch 'TinCanTech-silence-ssl-with-batch'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-14 20:25:51 +00:00
Richard T Bonhomme
b1af5eeaf0
Merge branch 'silence-ssl-with-batch' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-silence-ssl-with-batch
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-14 20:24:39 +00:00
Richard T Bonhomme
5ba5088df9
Run all tests with EASYRSA_SILENT_SSL=1 (Temporary)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-13 21:05:06 +00:00
Richard T Bonhomme
71bd6ae930
easyrsa_openssl(): Improve failure message
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-13 16:59:51 +00:00
Richard T Bonhomme
fc6d827196
ChangeLog: Introduce option -S|--silent-ssl: Silence SSL output
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-11 16:26:15 +00:00
Richard T Bonhomme
5d33440069
Introduce option -S|--silent-ssl: Silence SSL output
Redirect SSL command error-output to /dev/null (2>/dev/null)

Requires batch mode, otherwise output intended for the user
is also redirected.  In batch mode there is no output intended
for the user.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-11 16:24:28 +00:00
Richard T Bonhomme
7f6f2562b2
escape_hazard(): Test sourcing vars:org fields via subshell first
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-11 02:53:05 +00:00
Richard T Bonhomme
9fec600274
easyrsa_openssl(): Only 'return' on success of called openssl command
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-10 20:34:34 +00:00
Richard T Bonhomme
a27e729a4a
Merge branch 'TinCanTech-prohibit-vars-export'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-10 20:27:25 +00:00
Richard T Bonhomme
59c4e6f62f
Merge branch 'prohibit-vars-export' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-prohibit-vars-export
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-10 20:26:42 +00:00
Richard T Bonhomme
e57fef63f1
Merge branch 'TinCanTech-status-CN-missing-from-index'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-10 20:24:25 +00:00
Richard T Bonhomme
c9acb53229
Merge branch 'status-CN-missing-from-index' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-status-CN-missing-from-index
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-10 20:23:46 +00:00
Richard T Bonhomme
598b8f8617
Exit with error on untrapped error detected
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-09 20:36:27 +00:00
Richard T Bonhomme
7bb3eb5d03
vars_setup(): Refactor '# Sanitize vars' section
Forbid use of 'export' in 'vars' file.

Use one instance of 'grep' to test for prohibited strings.

Move log-output of 'vars' file location to before sourcing it.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-09 19:53:05 +00:00
Richard T Bonhomme
e71a2088d3
Merge branch 'TinCanTech-general-improvements'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-08 22:46:58 +00:00
Richard T Bonhomme
2b0d8f775c
Merge branch 'general-improvements' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-general-improvements
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-08 22:46:21 +00:00
Richard T Bonhomme
d455e84b7e
Status reports: Refactor conditionals that can cause untrapped errors
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-08 22:20:57 +00:00
Richard T Bonhomme
93cefa2e05
Status reports: Warn if given commonName is not found in database
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-08 22:15:38 +00:00
Richard T Bonhomme
6a4798ea5e
Merge branch 'TinCanTech-up23-fix-secure_session'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-07 22:56:47 +00:00
Richard T Bonhomme
c509507541
Merge branch 'up23-fix-secure_session' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-up23-fix-secure_session
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-07 22:56:13 +00:00
Richard T Bonhomme
9149aa8f74
ChangeLog: Always verify SSL lib, for all commands (#877)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-07 22:37:36 +00:00
Richard T Bonhomme
69424ecedb
Standardise use of '$# = N' and associated error messages
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-07 22:03:23 +00:00
Richard T Bonhomme
2343503f94
Prefer parameter expansion '${x:-y}' to test for "null or unset"
EasyRSA allows variables to be set to "" [null], therefore, as a
standard, the script now always tests for null or unset.

I.e. Include the colon ':'.

The obvious exception to this is set_var(), which remains as test
for unset ONLY.

set_var() ONLY assigns a value if the variable is currently unset,
otherwise, it would over-write a deliberately empty value.

Also, where it helps readability, separate the expansion operator
from the expandable value, with a space.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-07 20:44:59 +00:00
Richard T Bonhomme
e7c371e44a
Upgrade-23: Remove unnecessary internal call to secure_session()
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-06 01:46:51 +00:00
Richard T Bonhomme
8c6948c4cc
Upgrade_23: Prioritise new PKI creation to allow temp file creation
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-03-06 01:13:52 +00:00
Richard T Bonhomme
940a94dee9
Merge branch 'TinCanTech-gen-crl-minor-improvement'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-02-25 17:58:40 +00:00
Richard T Bonhomme
ebd5f66db0
Merge branch 'gen-crl-minor-improvement' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-gen-crl-minor-improvement
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-02-25 17:58:04 +00:00
Richard T Bonhomme
95f4b67703
gen-crl: Minor improvements
Add EASYRSA_CRL_DAYS to command to generate a new CRL.
Although this is taken care of in the SSL config file,
it is easier to understand by having the code included
in the script.

Honor batch mode and overwrite an existing CRL, without
confirmation.  An outdated CRL is of little value
and the user has specified batch mode, so honor it.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
2023-02-25 14:56:09 +00:00