From a1033a56bf6bc789f5875039b573cfcad6b093d1 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 10 Nov 2024 19:34:31 +0000 Subject: [PATCH 1/5] show-expire: Allow --days to be zero easyrsa: Allow --days to be zero for command 'show-expire' only. easyrsa-tools.lib: expire_status_v2(), will_cert_be_valid(); rewrite these functions to avoid the need to redirect output and allow zero days as input. Signed-off-by: Richard T Bonhomme --- dev/easyrsa-tools.lib | 29 +++++++++++++++++++++++------ easyrsa3/easyrsa | 9 +++++++++ 2 files changed, 32 insertions(+), 6 deletions(-) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 53d59155..8eefe470 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib @@ -369,13 +369,31 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date" # Certificate expiry will_cert_be_valid() { - [ -f "$1" ] || die "will_cert_be_valid - Missing file" - case "$2" in (*[!1234567890]*|0*) - die "will_cert_be_valid - Non-decimal" ;; + # Verify file exists and is a valid cert + [ -f "$1" ] || \ + die "will_cert_be_valid - Missing file: $1" + verify_file x509 "$1" || \ + die "will_cert_be_valid - Invalid file: $1" + + # Verify --days + case "$2" in + 0) : ;; # ok + ''|*[!1234567890]*|0*) + die "will_cert_be_valid - Non-decimal value: $2" esac # is the cert still valid at this future date - "$EASYRSA_OPENSSL" x509 -in "$1" -noout -checkend "$2" + ssl_out="$( + "$EASYRSA_OPENSSL" x509 -in "$1" -noout \ + -checkend "$2" + )" + + # analyse SSL output + case "$ssl_out" in + 'Certificate will not expire') return 0 ;; + 'Certificate will expire') return 1 ;; + *) die "will_cert_be_valid - Failure" + esac } # => will_cert_be_valid() # SC2295: Expansion inside ${..} need to be quoted separately, 
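Review bot: The comment `# Verify --days` above the second `case` in will_cert_be_valid mislabels the argument: `$2` goes straight to `-checkend`, which takes seconds, and the caller in the following hunk passes `$pre_expire_window_s`, so a reader of this function alone will assume a day count and supply the wrong unit. I would change it to `# Verify $2: seconds handed to -checkend (zero allowed)`. The `*)` branch of the output check reports only `Failure`, so a backend whose -checkend wording differs from the two literals matched here becomes indistinguishable from an unreadable cert; `*) die "will_cert_be_valid - Unexpected output: $ssl_out"` keeps that case diagnosable. The exact strings matched appear to be OpenSSL's own; whether `verify_file x509` already guarantees that the binary is OpenSSL is not visible here.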
@@ -535,8 +553,7 @@ expire_status_v2() { if [ -f "$1" ]; then verbose "expire_status: cert exists" - if will_cert_be_valid "$1" "$pre_expire_window_s" \ - 1>/dev/null + if will_cert_be_valid "$1" "$pre_expire_window_s" then : # cert will still be valid by expiry window else diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 1a3f2134..340f5ebe 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -4338,6 +4338,14 @@ Option --passout cannot be used with --nopass|nopass." prohibit_no_pass=1 fi + # Restrict --days=0 to 'show-expire' + if [ "$alias_days" = 0 ]; then + case "$cmd" in + show-expire) : ;; # ok + *) user_error "Cannot use --days=0 for command $cmd" + esac + fi + # --silent-ssl requires --batch if [ "$EASYRSA_SILENT_SSL" ]; then [ "$EASYRSA_BATCH" ] || warn "\ @@ -5582,6 +5590,7 @@ while :; do case "$opt" in --days) number_only=1 + zero_allowed=1 # Set the appropriate date variable # when called by command later alias_days="$val" From 45707a54f0422e112ec25df72643f5f7c1b40572 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 10 Nov 2024 19:43:51 +0000 Subject: [PATCH 2/5] easyrsa-tools.lib: show-expire, correct 'printf' format Signed-off-by: Richard T Bonhomme --- dev/easyrsa-tools.lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 8eefe470..5e9e5e28 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib @@ -530,7 +530,7 @@ read_db() { : # cert will still be valid by expiry window else # Print CA expiry date - printf '%s%s\n' \ + printf '\n%s\n\n' \ "CA certificate will expire on $ca_enddate" fi esac From 9d85b77214cc57362692e6b9082c1da8d1267fb3 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 10 Nov 2024 20:02:25 +0000 Subject: [PATCH 3/5] ChangeLog: easyrsa-tools.lib: show-expire, allow --days to be zero Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) 
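Review bot: The `--days=0` restriction at `if [ "$alias_days" = 0 ]; then` is a string comparison, so a spelling such as `00` would not match it; whether such values can reach this point depends on the `number_only` validation in the option parser, which is not visible in this hunk. Once that validation has guaranteed a plain decimal string, `[ "$alias_days" -eq 0 ]` catches every spelling of zero and is the safer form. The rewritten will_cert_be_valid rejects `0*` values itself for show-expire, but any other command would receive the value unchanged, so the check here is the only gate for them.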
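Review bot: `zero_allowed=1` is set unconditionally in the `--days)` branch, so the parser accepts zero for every command and relies on the separate show-expire check added earlier in this commit to reject it elsewhere; that coupling deserves a line at the point where the flag is set. I would extend the existing comment to `# Zero is accepted by the parser; the restriction to show-expire is applied later`. How `zero_allowed` is consumed by the number_only validation is not visible in this hunk.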
diff --git a/ChangeLog b/ChangeLog index 390ba5ca..738ddf92 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * easyrsa-tools.lib: show-expire, allow --days to be zero (a1033a5) (#1254) * Command 'help': Ignore EASYRSA_SILENT (8804d6b) (#1249) * bugfix: easyrsa-tools.lib: renew SAN, remove excess word 'Address' (af17492) (#1251) * New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245) From 808b014eb9108314dd4b4cf81d4e38c18d914d51 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 11 Nov 2024 01:47:27 +0000 Subject: [PATCH 4/5] easyrsa-tools.lib, show-expire: CA status, remove output redirection Signed-off-by: Richard T Bonhomme --- dev/easyrsa-tools.lib | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 5e9e5e28..583c57bf 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib @@ -525,7 +525,7 @@ read_db() { # Check CA for expiry if will_cert_be_valid "$EASYRSA_PKI"/ca.crt \ - "$pre_expire_window_s" 1>/dev/null + "$pre_expire_window_s" then : # cert will still be valid by expiry window else From acbe21c5f9c346b3658a9f28227a88ed82c8fa2a Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 11 Nov 2024 22:18:14 +0000 Subject: [PATCH 5/5] easyrsa-tools.lib, show-expire: Use $openssl_v3 flag to choose SSL lib Signed-off-by: Richard T Bonhomme --- dev/easyrsa-tools.lib | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib index 583c57bf..f9f8505c 100644 --- a/dev/easyrsa-tools.lib +++ b/dev/easyrsa-tools.lib 
@@ -553,15 +553,16 @@ expire_status_v2() { if [ -f "$1" ]; then verbose "expire_status: cert exists" + # Check if cert will be valid else print details if will_cert_be_valid "$1" "$pre_expire_window_s" then - : # cert will still be valid by expiry window + verbose "cert will still be valid by expiry window" else - # cert will expire - # ISO8601 date - OpenSSL v3 only - if ! iso_8601_cert_enddate "$1" cert_not_after_date \ - 2>/dev/null - then + # cert expiry date + if [ "$openssl_v3" ]; then + # ISO8601 date - OpenSSL v3 only + iso_8601_cert_enddate "$1" cert_not_after_date + else # Standard date - OpenSSL v1 ssl_cert_not_after_date "$1" cert_not_after_date fi @@ -572,7 +573,7 @@ expire_status_v2() { "$cert_not_after_date | CN: $db_cn" fi else - : # issued cert does not exist, ignore other certs + verbose "issued cert does not exist, ignore other certs" fi } # => expire_status_v2()
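Review bot: Switching on `$openssl_v3` removes the only error handling around the end-date lookup: the old `if ! iso_8601_cert_enddate ...` fallback is gone and neither `iso_8601_cert_enddate` nor `ssl_cert_not_after_date` has its status checked, so a failure leaves `cert_not_after_date` empty (or holding the previous cert's value) and the `"$cert_not_after_date | CN: $db_cn"` line in the next hunk prints a misleading expiry for that CN. Append an explicit failure to each call, e.g. `iso_8601_cert_enddate "$1" cert_not_after_date || die "expire_status_v2 - cert end date: $1"`, and the same for the v1 path. This assumes `$openssl_v3` is set during initialisation before show-expire runs; that is not visible here. expire_status_v2 starts before this hunk and its closing brace is in the following hunk.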