From 38bf2d8c52f706fdc87caf888c60c2db0e28ca2d Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Dec 2024 01:44:35 +0000 Subject: [PATCH] Introduce new command 'revoke-issued' There exists in easyrsa command 'revoke', the unfortunate possibility to revoke an incorrect certificate, far too easily. For interactive use, require user to specify 'revoke-issued'. revoke: Replace conflicting file checks with specific command selection Remove the checks for accidental use of 'revoke', when 'revoke-expired' or 'revoke-renewed' is intended. Replace these checks by forcing the user to decide which type of revoke command is required. When batch mode is enabled, assume that 'revoke' is intended. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 78 ++++++++---------------------------------------- 1 file changed, 12 insertions(+), 66 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5586ced6..1a721a03 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3252,72 +3252,6 @@ Unable to revoke as the input-file is not a valid certificate. Certificate was expected at: * $crt_in" - # Check for misuse of revoke when revoke-* is intended - case "$cert_dir" in - issued) - # expired cert - exp_exist="${in_dir}/expired/${file_name_base}.crt" - if [ -f "$exp_exist" ]; then - exp_endd="$( - "$EASYRSA_OPENSSL" x509 -in "$exp_exist" -noout \ - -enddate -serial)" || die "revoke - expire -enddate" - # shellcheck disable=SC2295 # Expansions inside ${..} - exp_confirm=" -Expired certificate: -* $exp_exist - Expiry: ${exp_endd%%${NL}serial=*} - Serial: ${exp_endd##*serial=} - Use command 'revoke-expired' to revoke this certificate." - else - unset -v exp_exist exp_endd exp_confirm - fi - - # renewed cert - ren_exist="${in_dir}/renewed/${file_name_base}.crt" - if [ -f "$ren_exist" ]; then - ren_endd="$( - "$EASYRSA_OPENSSL" x509 -in "$ren_exist" -noout \ - -enddate -serial)" || die "revoke - renew -enddate" - # shellcheck disable=SC2295 # Expansions inside ${..} - ren_confirm=" -Renewed certificate: -* $ren_exist - Expiry: ${ren_endd%%${NL}serial=*} - Serial: ${ren_endd##*serial=} - Use command 'revoke-renewed' to revoke this certificate." - else - unset -v ren_exist ren_endd ren_confirm - fi - - # issued cert - crt_endd="$( - "$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout \ - -enddate -serial)" || die "revoke - expire -enddate" - - # Confirm intended use of 'revoke' - if [ "$exp_exist" ] || [ "$ren_exist" ]; then - warn "The following certificate(s) exist: -${exp_exist:+${exp_confirm}${NL}}${ren_exist:+${ren_confirm}${NL}}" - # shellcheck disable=SC2295 # Expansions inside ${..} - confirm " Confirm intended use of 'revoke' ? " yes "\ -Please confirm your intended use of 'revoke' for the following -issued certificate:${NL} -* $crt_in - Expiry: ${crt_endd%%${NL}serial=*} - Serial: ${crt_endd##*serial=}" - fi - - # Revoking an issued cert forces req/key to be moved - move_req_and_key=1 - ;; - expired|renewed/issued) - # Revoke-expired/renewed cert means req/key can remain - move_req_and_key= - ;; - *) - die "Invalid cert_dir: '$cert_dir'" - esac - # Verify request if [ -f "$req_in" ]; then verify_file req "$req_in" || user_error "\ @@ -3380,6 +3314,7 @@ The inline credentials files: * $inline_pub * $inline_pri" + # now confirm confirm " Continue with revocation: " "yes" " Please confirm that you wish to revoke the certificate with the following subject: @@ -5945,6 +5880,17 @@ case "$cmd" in gen_crl ;; revoke) + # Force user to select revoke type + [ "$EASYRSA_BATCH" ] || user_error "\ +Please select which type of 'revoke' command is required: +* 'revoke-issued' will revoke a current certificate. +* 'revoke-expired' will revoke an old cert, which has been expired. +* 'revoke-renewed' will revoke an old cert, which has been renewed." + verify_working_env + cert_dir=issued + revoke "$@" + ;; + revoke-issued) verify_working_env cert_dir=issued revoke "$@"