From 3856fa132d43c61080b3945c296ff676113c2572 Mon Sep 17 00:00:00 2001
From: Richard Bonhomme
Date: Thu, 21 Jan 2021 17:39:40 +0000
Subject: [PATCH] Verify certificate purpose is appropriate for TLS Crypt V2 keys
Signed-off-by: Richard Bonhomme
---
 easytls | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/easytls b/easytls
index ae6834f..b462467 100755
--- a/easytls
+++ b/easytls
@@ -1118,6 +1118,12 @@ status_easyrsa_renewed ()
 } # => status_easyrsa_renewed ()
+# Verify certificate purpose
+cert_purpose ()
+{
+ "$EASYRSA_OPENSSL" x509 -in "$1" -noout -purpose | grep -q "$2"
+} # => cert_purpose ()
+
 # Cut to only certificate enddate
 crt_expire_date_only ()
 {
@@ -2232,6 +2238,9 @@ build_tls_crypt_v2_server ()
 die "Easy-TLS requires that the x509 certificate has been built.
 Missing file: $srv_cert"
+ cert_purpose "$srv_cert" 'SSL server : Yes' || \
+ die "Certificate must be a Server: $srv_cert"
+
 [ -f "$key_file" ] && die "Server file already exists: $key_file"
 "$EASYTLS_OPENVPN" $build_string "$key_file" || \
@@ -2288,6 +2297,9 @@ Missing srv file: $srv_cert"
 die "Easy-TLS requires that the x509 certificate has been built.
 Missing cli file: $cli_cert"
+ cert_purpose "$cli_cert" 'SSL client : Yes' || \
+ die "Certificate must be a Client: $cli_cert"
+
 in_file="$EASYTLS_PKI/$srv_name-tls-crypt-v2.key"
 key_file="$EASYTLS_PKI/$cli_name-tls-crypt-v2.key"
 metadata_debug="$EASYTLS_MD_DIR/$cli_name-tls-crypt-v2.metadata"
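Review bot: cert_purpose() in the first hunk reports an openssl failure and a purpose mismatch with the same non-zero status, because only grep's exit status survives the pipeline; an unreadable or malformed certificate therefore makes both callers (the server hunk and the client hunk) die with "Certificate must be a Server/Client" rather than the real cause. It fails closed, which is the right direction, but the diagnosis is misleading. Capturing the openssl output first preserves the distinction: `purpose_out="$("$EASYRSA_OPENSSL" x509 -in "$1" -noout -purpose)" || return 1` followed by `printf '%s\n' "$purpose_out" | grep -qF -- "$2"`, where `-F` also records that "$2" is a literal line of the -purpose listing rather than a regex. The one-line header should name the arguments, e.g. `# Verify certificate purpose: $1 = certificate file, $2 = exact -purpose line that must be present`.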
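Review bot: The new check in build_tls_crypt_v2_server (second hunk) and its client counterpart (third hunk) matches against the human-readable text of `openssl x509 -purpose` ('SSL server : Yes' / 'SSL client : Yes'), a display format rather than a stable interface, and nothing at the call site says so; a comment such as `# purpose string must match a line of "$EASYRSA_OPENSSL x509 -purpose" output exactly` would tell the next maintainer why the string is spelled this way and what to re-verify when the OpenSSL version changes. Because cert_purpose does a substring match, a Yes line carrying a trailing qualifier from OpenSSL (if the installed version emits one) would still pass; if that is intended it is worth stating in the same comment, and if not an anchored match is the fix. Both enclosing functions start outside their hunks, so whether an earlier check already rejects an unreadable certificate cannot be confirmed here.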