diff --git a/ChangeLog b/ChangeLog index 390ba5ca..738ddf92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * easyrsa-tools.lib: show-expire, allow --days to be zero (a1033a5) (#1254) * Command 'help': Ignore EASYRSA_SILENT (8804d6b) (#1249) * bugfix: easyrsa-tools.lib: renew SAN, remove excess word 'Address' (af17492) (#1251) * New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 53d59155..f9f8505c 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib @@ -369,13 +369,31 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date" # Certificate expiry will_cert_be_valid() { - [ -f "$1" ] || die "will_cert_be_valid - Missing file" - case "$2" in (*[!1234567890]*|0*) - die "will_cert_be_valid - Non-decimal" ;; + # Verify file exists and is a valid cert + [ -f "$1" ] || \ + die "will_cert_be_valid - Missing file: $1" + verify_file x509 "$1" || \ + die "will_cert_be_valid - Invalid file: $1" + + # Verify --days + case "$2" in + 0) : ;; # ok + ''|*[!1234567890]*|0*) + die "will_cert_be_valid - Non-decimal value: $2" esac # is the cert still valid at this future date - "$EASYRSA_OPENSSL" x509 -in "$1" -noout -checkend "$2" + ssl_out="$( + "$EASYRSA_OPENSSL" x509 -in "$1" -noout \ + -checkend "$2" + )" + + # analyse SSL output + case "$ssl_out" in + 'Certificate will not expire') return 0 ;; + 'Certificate will expire') return 1 ;; + *) die "will_cert_be_valid - Failure" + esac } # => will_cert_be_valid() # SC2295: Expansion inside ${..} need to be quoted separately, @@ -507,12 +525,12 @@ read_db() { # Check CA for expiry if will_cert_be_valid "$EASYRSA_PKI"/ca.crt \ - "$pre_expire_window_s" 1>/dev/null + "$pre_expire_window_s" then : # cert will still be valid by expiry window else # Print CA expiry date - printf '%s%s\n' \ + printf '\n%s\n\n' \ "CA certificate will expire on $ca_enddate" fi esac 
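Review bot: The `*) die "will_cert_be_valid - Failure"` branch discards both openssl's exit status and whatever it printed, so a genuine invocation failure (an out-of-range `-checkend` value — the new `case "$2"` bounds the format of the number but not its magnitude — a missing binary, or an OpenSSL build with different wording) is reported only as "Failure". Because `-checkend` also uses the exit status to signal expiry, a plain `|| die` after the substitution is not an option, but the status can still be recorded: add `ssl_status=$?` on the line after `)"`, and change the last pattern to `*) die "will_cert_be_valid - Failure (exit $ssl_status): ${ssl_out:-<no output>}"`. The two `ssl_out` matches are exact-string comparisons against openssl's own wording, which is appropriate but worth stating in a comment, e.g. `# exact openssl wording; anything else is treated as a failure`.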
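Review bot: The `then :` no-op branch is kept here while the parallel check in expire_status_v2 in the same diff replaces its no-op with a `verbose` call; for consistency either use `verbose "CA cert will still be valid by expiry window"` or invert the test so the only branch is the one that does work: `if ! will_cert_be_valid "$EASYRSA_PKI"/ca.crt "$pre_expire_window_s"; then`. The new `printf '\n%s\n\n'` pads the CA warning with blank lines on the same stdout where the per-cert lines go, so anything consuming show-expire output line by line now sees empty lines; if that is intended as a visual separator, a one-line comment such as `# blank lines set the CA warning apart from the per-cert list` would make it deliberate. read_db's body starts before this hunk and the trailing `esac` closes a case opened outside it.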
@@ -535,16 +553,16 @@ expire_status_v2() { if [ -f "$1" ]; then verbose "expire_status: cert exists" - if will_cert_be_valid "$1" "$pre_expire_window_s" \ - 1>/dev/null + # Check if cert will be valid else print details + if will_cert_be_valid "$1" "$pre_expire_window_s" then - : # cert will still be valid by expiry window + verbose "cert will still be valid by expiry window" else - # cert will expire - # ISO8601 date - OpenSSL v3 only - if ! iso_8601_cert_enddate "$1" cert_not_after_date \ - 2>/dev/null - then + # cert expiry date + if [ "$openssl_v3" ]; then + # ISO8601 date - OpenSSL v3 only + iso_8601_cert_enddate "$1" cert_not_after_date + else # Standard date - OpenSSL v1 ssl_cert_not_after_date "$1" cert_not_after_date fi @@ -555,7 +573,7 @@ expire_status_v2() { "$cert_not_after_date | CN: $db_cn" fi else - : # issued cert does not exist, ignore other certs + verbose "issued cert does not exist, ignore other certs" fi } # => expire_status_v2() diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 1a3f2134..340f5ebe 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -4338,6 +4338,14 @@ Option --passout cannot be used with --nopass|nopass." prohibit_no_pass=1 fi + # Restrict --days=0 to 'show-expire' + if [ "$alias_days" = 0 ]; then + case "$cmd" in + show-expire) : ;; # ok + *) user_error "Cannot use --days=0 for command $cmd" + esac + fi + # --silent-ssl requires --batch if [ "$EASYRSA_SILENT_SSL" ]; then [ "$EASYRSA_BATCH" ] || warn "\ @@ -5582,6 +5590,7 @@ while :; do case "$opt" in --days) number_only=1 + zero_allowed=1 # Set the appropriate date variable # when called by command later alias_days="$val"
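Review bot: Neither `iso_8601_cert_enddate` nor `ssl_cert_not_after_date` has its return value checked any more, whereas the removed code at least tested `iso_8601_cert_enddate` and fell back on failure. `cert_not_after_date` is a shell global that is not cleared before the call, so if a helper fails without dying, the `printf` in the following hunk prints the previous certificate's date next to this certificate's CN. Unless those helpers are guaranteed to die internally (not visible here), guard each call: `iso_8601_cert_enddate "$1" cert_not_after_date || die "expire_status_v2 - iso_8601_cert_enddate failed: $1"`, and likewise for the v1 path, or at minimum reset with `cert_not_after_date=` before the `if`. The branch selection now hinges on `$openssl_v3`, which is set somewhere outside this hunk; expire_status_v2 itself begins before the hunk.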
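Review bot: The new guard compares `$alias_days` as a string, so it only catches the literal `0`; `--days=00` (or `000`) is a different string but the same number and would pass this check and reach whatever later consumes the day count for a command other than show-expire, which is exactly what the restriction is meant to stop. Whether that is reachable depends on the `number_only` validation outside this hunk; if it does not reject leading zeros, use a numeric test instead: `if [ -n "$alias_days" ] && [ "$alias_days" -eq 0 ]; then` (the `-n` keeps `-eq` from erroring when --days was not given). A comment above the block explaining the intent, e.g. `# --days=0 only makes sense as "expiring now" for show-expire; never allow a zero-day lifetime elsewhere`, would tie the check to its reason.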
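Review bot: `zero_allowed=1` is set inside the `--days` branch next to `number_only=1`, but this hunk does not show where either flag is reset between options; if `number_only` is cleared at the top of the `while :; do` loop (outside the hunk), `zero_allowed` must be cleared in the same place, otherwise a later numeric option on the same command line inherits the relaxed check. A short comment at the assignment, `# zero_allowed: --days=0 is accepted here and restricted per-command later`, would link this flag to the check that enforces it.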