Skip to content

Commit

Permalink
Merge branch 'bugfix-renew-ca-and-renew' of ssh://github.com/TinCanTe…
Browse files Browse the repository at this point in the history
…ch/easy-rsa into TinCanTech-bugfix-renew-ca-and-renew

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Dec 3, 2024
2 parents b9f86a9 + 8d6051a commit bed54d2
Show file tree
Hide file tree
Showing 3 changed files with 44 additions and 19 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
* Introduce new command 'revoke-issued' (38bf2d8) (#1266)
Commands 'revoke' and 'revoke-issued' are identical.
Command 'revoke' can ONLY be used in batch mode.
Expand Down
17 changes: 15 additions & 2 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ A list of commands is shown below:
build-serverClient-full <file_name_base> [ cmd-opts ]
inline <file_name_base>
expire <file_name_base>
renew-ca
renew <file_name_base>
revoke <file_name_base> [ cmd-opts ] #(DEPRECATED)
revoke-issued <file_name_base> [ cmd-opts ] #(REPLACEMENT)
Expand Down Expand Up @@ -259,6 +260,16 @@ REQUIRED COMMANDS:
to the 'pki/expired' directory.

Allows an existing request to be signed again."
;;
renew-ca)
text="
* renew-ca

Renew CA certificate.

This will build a new CA certificate and archive the old one.
Before changes are made to the current PKI, user confirmation
is required."
;;
renew)
text="
Expand Down Expand Up @@ -3434,8 +3445,10 @@ Run easyrsa without commands for usage and command help."
# Do not over write existing cert
if [ -f "$crt_out" ]; then
user_error "\
Existing file must be revoked:
* $crt_out"
Cannot expire this certificate, a conflicting file exists:
* certificate: $crt_out

Use command 'revoke-exired' to revoke this certificate."
fi

# deprecate ALL options
Expand Down
45 changes: 28 additions & 17 deletions easyrsa3/easyrsa-tools.lib
Original file line number Diff line number Diff line change
Expand Up @@ -772,26 +772,34 @@ Missing request file:
crt_out="$out_dir/issued/${file_name_base}.crt"

# NEVER over-write a renewed cert, revoke it first
deny_msg="\
if [ -f "$crt_out" ]; then
user_error "\
Cannot renew this certificate, a conflicting file exists:
*"
[ -f "$crt_out" ] && \
user_error "$deny_msg certificate: $crt_out"
unset -v deny_msg
* certificate: $crt_out
# Make inline directory
[ -d "$EASYRSA_PKI/inline" ] || \
mkdir -p "$EASYRSA_PKI/inline" || \
die "Failed to create inline directoy."
Use command 'revoke-renewed' to revoke this certificate."
fi

# Extract certificate usage from old cert
ssl_cert_x509v3_eku "$crt_in" cert_type

# create temp-file for full cert text
full_crt_tmp=
easyrsa_mktemp full_crt_tmp || \
die "easyrsa_mktemp full_crt_tmp"

# write full cert text tempfile data
"$EASYRSA_OPENSSL" x509 -in "$crt_in" \
-noout -text > "$full_crt_tmp" || \
die "write full cert text"

# Use SAN from old cert ONLY
if grep 'X509v3 Subject Alternative Name' "$crt_in"; then
if grep -q 'X509v3 Subject Alternative Name' \
"$full_crt_tmp"
then
EASYRSA_SAN="$(
"$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -text | \
grep -A 1 'X509v3 Subject Alternative Name' | \
grep -A 1 'X509v3 Subject Alternative Name' \
"$full_crt_tmp" | \
sed -e s/'^\ *'// \
-e /'X509v3 Subject Alternative Name'/d \
-e s/'IP Address:'/'IP:'/g
Expand All @@ -801,7 +809,7 @@ Cannot renew this certificate, a conflicting file exists:
# --san-crit
unset -v EASYRSA_SAN_CRIT
if grep -q 'X509v3 Subject Alternative Name: critical' \
"$crt_in"
"$full_crt_tmp"
then
export EASYRSA_SAN_CRIT='critical,'
verbose "renew: --san-crit ENABLED"
Expand All @@ -814,28 +822,31 @@ subjectAltName = ${EASYRSA_SAN_CRIT}${EASYRSA_SAN}"
fi

# --bc-crit
if grep -q 'X509v3 Basic Constraints: critical' "$crt_in"
if grep -q 'X509v3 Basic Constraints: critical' \
"$full_crt_tmp"
then
export EASYRSA_BC_CRIT=1
verbose "renew: --bc-crit ENABLED"
fi

# --ku-crit
if grep -q 'X509v3 Key Usage: critical' "$crt_in"
if grep -q 'X509v3 Key Usage: critical' \
"$full_crt_tmp"
then
export EASYRSA_KU_CRIT=1
verbose "renew: --ku-crit ENABLED"
fi

# --eku-crit
if grep -q 'X509v3 Extended Key Usage: critical' "$crt_in"
if grep -q 'X509v3 Extended Key Usage: critical' \
"$full_crt_tmp"
then
export EASYRSA_EKU_CRIT=1
verbose "renew: --eku-crit ENABLED"
fi

# Disable options not supported by renew
unset -v EASYRSA_CP_EXTS EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT
unset -v EASYRSA_AUTO_SAN EASYRSA_NEW_SUBJECT

# confirm operation by displaying Warning
confirm "Continue with 'renew' ? " yes "\
Expand Down

0 comments on commit bed54d2

Please sign in to comment.