renew: Pass SSL output directly to grep - Remove subshell capture

This change is required to allow unit-test "extreme" 'vars' file to pass. However, this is also the correct way to handle unexpected SSL output, which shell cannot control or manipulate. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech · Mar 27, 2024 · 2cf5526 · 2cf5526
1 parent 7227909
commit 2cf5526
Showing 1 changed file with 3 additions and 9 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -2952,19 +2952,13 @@ This certificate cannot be renewed due to inconsistent Subject."
 		die "renew: display_dn"
 	confirm_sn="    serial-number             = $cert_serial"
 
-	# Get SAN from cert
-	# capture complete cert
-	crt_text="$(
-		easyrsa_openssl x509 -in "$crt_in" -noout -text
-		)" || die "renew: openssl: crt_text"
-
 	# Check cert for SAN
-	if echo "$crt_text" | \
-		grep -s 'X509v3 Subject Alternative Name'
+	if easyrsa_openssl x509 -in "$crt_in" -noout -text | \
+		grep -q '^[[:blank:]]*X509v3 Subject Alternative Name:'
 	then
 		# extract cert SAN
 		crt_x509_san_full="$(
-			echo "$crt_text" | \
+			easyrsa_openssl x509 -in "$crt_in" -noout -text | \
 				grep -A 1 'X509v3 Subject Alternative Name'
 		)" || die "renew: crt_x509_san_full: grep -A 1"