Skip to content

Commit

Permalink
Merge branch 'forbid-ss-exp-rev-ren' of ssh://github.com/TinCanTech/e…
Browse files Browse the repository at this point in the history
…asy-rsa into TinCanTech-forbid-ss-exp-rev-ren

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Dec 10, 2024
2 parents 1e8a5fa + eb1b644 commit 7eadcc5
Show file tree
Hide file tree
Showing 3 changed files with 33 additions and 0 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* Forbid self-signed certificate from being expired/renewed/revoked (ab45ae7) (#1274)
* Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270)
* bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270)
* bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)
Expand Down
27 changes: 27 additions & 0 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -3316,6 +3316,11 @@ Unable to revoke as the input-file is not a valid certificate.
Certificate was expected at:
* $crt_in"

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down Expand Up @@ -3508,6 +3513,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# get the serial number of the certificate
cert_serial=
ssl_cert_serial "$crt_in" cert_serial || \
Expand Down Expand Up @@ -3553,6 +3563,23 @@ It can be revoked with command 'revoke-expired'.
It is now possible to sign a new certificate for '$file_name_base'"
} # => expire_cert()

# Forbid a self-signed cert from being expired/renewed/revoked
# by a CA that has nothing to do with the cert
forbid_selfsign() {
# cert temp-file
forbid_selfsign_tmp=
easyrsa_mktemp forbid_selfsign_tmp || \
die "easyrsa_mktemp forbid_selfsign_tmp"

# SSL text
"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
> "$forbid_selfsign_tmp" || \
die "forbid_selfsign - ssl text"

# test for CA:TRUE
grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
} # => forbid_selfsign()

# gen-crl backend
gen_crl() {
out_file="$EASYRSA_PKI/crl.pem"
Expand Down
5 changes: 5 additions & 0 deletions easyrsa3/easyrsa-tools.lib
Original file line number Diff line number Diff line change
Expand Up @@ -731,6 +731,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down

0 comments on commit 7eadcc5

Please sign in to comment.