Verify certificate purpose is appropriate for TLS Crypt V2 keys

Signed-off-by: Richard Bonhomme <[email protected]>
TinCanTech · Jan 21, 2021 · 3856fa1 · 3856fa1 · TinCanTech · Jan 21, 2021
1 parent 8a06774
commit 3856fa1
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/easytls b/easytls
@@ -1118,6 +1118,12 @@ status_easyrsa_renewed ()
 
 } # => status_easyrsa_renewed ()
 
+# Verify certificate purpose
+cert_purpose ()
+{
+	"$EASYRSA_OPENSSL" x509 -in "$1" -noout -purpose | grep -q "$2"
+} # => cert_purpose ()
+
 # Cut to only certificate enddate
 crt_expire_date_only ()
 {
@@ -2232,6 +2238,9 @@ build_tls_crypt_v2_server ()
 		die "Easy-TLS requires that the x509 certificate has been built.
 Missing file: $srv_cert"
 
+	cert_purpose "$srv_cert" 'SSL server : Yes' || \
+		die "Certificate must be a Server: $srv_cert"
+
 	[ -f "$key_file" ] && die "Server file already exists: $key_file"
 
 	"$EASYTLS_OPENVPN" $build_string "$key_file" || \
@@ -2288,6 +2297,9 @@ Missing srv file: $srv_cert"
 		die "Easy-TLS requires that the x509 certificate has been built.
 Missing cli file: $cli_cert"
 
+	cert_purpose "$cli_cert" 'SSL client : Yes' || \
+		die "Certificate must be a Client: $cli_cert"
+
 	in_file="$EASYTLS_PKI/$srv_name-tls-crypt-v2.key"
 	key_file="$EASYTLS_PKI/$cli_name-tls-crypt-v2.key"
 	metadata_debug="$EASYTLS_MD_DIR/$cli_name-tls-crypt-v2.metadata"