Skip to content

Commit

Permalink
Merge branch 'revoke-does-not-remove-dup-crt' of ssh://github.com/Tin…
Browse files Browse the repository at this point in the history
…CanTech/easy-rsa into TinCanTech-revoke-does-not-remove-dup-crt

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Jun 27, 2024
2 parents e84ec69 + d6c5e52 commit 4510178
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 26 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* gen-req: Always check for existing request file (7eab98e) (#1177)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
* revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
* build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
* gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
Expand Down
62 changes: 36 additions & 26 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -2178,15 +2178,25 @@ Run easyrsa without commands for usage and commands."
shift
done

# don't wipe out an existing request without confirmation
[ -f "$req_out" ] && confirm "Confirm request overwrite: " "yes" "\

WARNING!!!

An existing request file was found at
* $req_out

Continuing with key generation will replace this request."

# don't wipe out an existing private key without confirmation
if [ -f "$key_out" ]; then
confirm "Confirm key overwrite: " "yes" "\
[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\

WARNING!!!

An existing private key was found at $key_out
An existing private key was found at
* $key_out

Continuing with key generation will replace this key."
fi

# When EASYRSA_EXTRA_EXTS is defined,
# append it to openssl's [req] section:
Expand Down Expand Up @@ -3029,9 +3039,13 @@ issued certificate:${NL}
Expiry: ${crt_endd%%${NL}serial=*}
Serial: ${crt_endd##*serial=}"
fi

# Revoking an issued cert forces req/key to be moved
move_req_and_key=1
;;
expired|renewed)
: # ok
# Revoke-expired/renewed cert means req/key can remain
move_req_and_key=
;;
*)
die "Invalid cert_dir: '$cert_dir'"
Expand All @@ -3050,10 +3064,6 @@ Request was expected at:
ssl_cert_serial "$crt_in" cert_serial || \
die "$cmd: Failed to get cert serial number!"

# Duplicate cert by serial file
dup_dir="$EASYRSA_PKI/certs_by_serial"
dup_crt_by_serial="$dup_dir/${cert_serial}.pem"

# Set out_dir
out_dir="$EASYRSA_PKI/revoked"
crt_out="$out_dir/certs_by_serial/${cert_serial}.crt"
Expand All @@ -3074,10 +3084,15 @@ Cannot revoke this certificate, a conflicting file exists.

# Check for key and request files
unset -v if_exist_key_in if_exist_req_in
[ -e "$key_in" ] && if_exist_key_in="
if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then
if_exist_key_in="
* $key_in"
[ -e "$req_in" ] && if_exist_req_in="
fi

if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then
if_exist_req_in="
* $req_in"
fi

# Set confirm DN and serial
confirm_dn="$(display_dn x509 "$crt_in")" || \
Expand All @@ -3096,10 +3111,7 @@ All PKCS files for commonName : $file_name_base

The inline credentials files:
* $creds_in
* $inline_in

The duplicate certificate:
* $dup_crt_by_serial"
* $inline_in"

confirm " Continue with revocation: " "yes" "
Please confirm that you wish to revoke the certificate
Expand Down Expand Up @@ -3137,19 +3149,24 @@ certificate from being accepted."
revoke_move() {
parent_dir="$EASYRSA_PKI"/revoked
easyrsa_mkdir "$parent_dir"
for i in certs_by_serial private_by_serial
for i in reqs_by_serial certs_by_serial private_by_serial
do
easyrsa_mkdir "${parent_dir}/$i"
done
parent_dir=

# do NOT move the req - can be signed again
# only move the req when revoking an issued cert
# and if we have the req
if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then
mv "$req_in" "$req_out" || warn "Failed to move: $req_in"
fi

# move crt to revoked folder
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

# only move the key if we have it
if [ -e "$key_in" ]; then
# only move the key when revoking an issued cert
# and if we have the key
if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then
mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
fi

Expand All @@ -3168,13 +3185,6 @@ revoke_move() {
fi
done

# remove the duplicate certificate
if [ -e "$dup_crt_by_serial" ]; then
rm "$dup_crt_by_serial" || warn "\
Failed to remove the duplicate certificate:
* $dup_crt_by_serial"
fi

# remove credentials file
if [ -e "$creds_in" ]; then
rm "$creds_in" || warn "\
Expand Down

0 comments on commit 4510178

Please sign in to comment.