Skip to content

Commit

Permalink
Merge branch 'show-expire-allow-zero-days' of ssh://github.com/TinCan…
Browse files Browse the repository at this point in the history
…Tech/easy-rsa into TinCanTech-show-expire-allow-zero-days

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
  • Loading branch information
TinCanTech committed Nov 11, 2024
2 parents 8afdc1b + acbe21c commit c8bf018
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 15 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* easyrsa-tools.lib: show-expire, allow --days to be zero (a1033a5) (#1254)
* Command 'help': Ignore EASYRSA_SILENT (8804d6b) (#1249)
* bugfix: easyrsa-tools.lib: renew SAN, remove excess word 'Address' (af17492) (#1251)
* New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245)
Expand Down
48 changes: 33 additions & 15 deletions dev/easyrsa-tools.lib
Original file line number Diff line number Diff line change
Expand Up @@ -369,13 +369,31 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date"

# Certificate expiry
will_cert_be_valid() {
[ -f "$1" ] || die "will_cert_be_valid - Missing file"
case "$2" in (*[!1234567890]*|0*)
die "will_cert_be_valid - Non-decimal" ;;
# Verify file exists and is a valid cert
[ -f "$1" ] || \
die "will_cert_be_valid - Missing file: $1"
verify_file x509 "$1" || \
die "will_cert_be_valid - Invalid file: $1"

# Verify --days
case "$2" in
0) : ;; # ok
''|*[!1234567890]*|0*)
die "will_cert_be_valid - Non-decimal value: $2"
esac

# is the cert still valid at this future date
"$EASYRSA_OPENSSL" x509 -in "$1" -noout -checkend "$2"
ssl_out="$(
"$EASYRSA_OPENSSL" x509 -in "$1" -noout \
-checkend "$2"
)"

# analyse SSL output
case "$ssl_out" in
'Certificate will not expire') return 0 ;;
'Certificate will expire') return 1 ;;
*) die "will_cert_be_valid - Failure"
esac
} # => will_cert_be_valid()

# SC2295: Expansion inside ${..} need to be quoted separately,
Expand Down Expand Up @@ -507,12 +525,12 @@ read_db() {

# Check CA for expiry
if will_cert_be_valid "$EASYRSA_PKI"/ca.crt \
"$pre_expire_window_s" 1>/dev/null
"$pre_expire_window_s"
then
: # cert will still be valid by expiry window
else
# Print CA expiry date
printf '%s%s\n' \
printf '\n%s\n\n' \
"CA certificate will expire on $ca_enddate"
fi
esac
Expand All @@ -535,16 +553,16 @@ expire_status_v2() {
if [ -f "$1" ]; then
verbose "expire_status: cert exists"

if will_cert_be_valid "$1" "$pre_expire_window_s" \
1>/dev/null
# Check if cert will be valid else print details
if will_cert_be_valid "$1" "$pre_expire_window_s"
then
: # cert will still be valid by expiry window
verbose "cert will still be valid by expiry window"
else
# cert will expire
# ISO8601 date - OpenSSL v3 only
if ! iso_8601_cert_enddate "$1" cert_not_after_date \
2>/dev/null
then
# cert expiry date
if [ "$openssl_v3" ]; then
# ISO8601 date - OpenSSL v3 only
iso_8601_cert_enddate "$1" cert_not_after_date
else
# Standard date - OpenSSL v1
ssl_cert_not_after_date "$1" cert_not_after_date
fi
Expand All @@ -555,7 +573,7 @@ expire_status_v2() {
"$cert_not_after_date | CN: $db_cn"
fi
else
: # issued cert does not exist, ignore other certs
verbose "issued cert does not exist, ignore other certs"
fi
} # => expire_status_v2()

Expand Down
9 changes: 9 additions & 0 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -4338,6 +4338,14 @@ Option --passout cannot be used with --nopass|nopass."
prohibit_no_pass=1
fi

# Restrict --days=0 to 'show-expire'
if [ "$alias_days" = 0 ]; then
case "$cmd" in
show-expire) : ;; # ok
*) user_error "Cannot use --days=0 for command $cmd"
esac
fi

# --silent-ssl requires --batch
if [ "$EASYRSA_SILENT_SSL" ]; then
[ "$EASYRSA_BATCH" ] || warn "\
Expand Down Expand Up @@ -5582,6 +5590,7 @@ while :; do
case "$opt" in
--days)
number_only=1
zero_allowed=1
# Set the appropriate date variable
# when called by command later
alias_days="$val"
Expand Down

0 comments on commit c8bf018

Please sign in to comment.