From 3da7f663a3336f60be68dadbe6a19757b4d491e5 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 26 Jun 2024 01:18:18 +0100 Subject: [PATCH 1/4] Command revoke: Do not remove duplicate certificate by serial Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 16 +--------------- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b9ab7afdb..39893ec58 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3050,10 +3050,6 @@ Request was expected at: ssl_cert_serial "$crt_in" cert_serial || \ die "$cmd: Failed to get cert serial number!" - # Duplicate cert by serial file - dup_dir="$EASYRSA_PKI/certs_by_serial" - dup_crt_by_serial="$dup_dir/${cert_serial}.pem" - # Set out_dir out_dir="$EASYRSA_PKI/revoked" crt_out="$out_dir/certs_by_serial/${cert_serial}.crt" @@ -3096,10 +3092,7 @@ All PKCS files for commonName : $file_name_base The inline credentials files: * $creds_in -* $inline_in - -The duplicate certificate: -* $dup_crt_by_serial" +* $inline_in" confirm " Continue with revocation: " "yes" " Please confirm that you wish to revoke the certificate @@ -3168,13 +3161,6 @@ revoke_move() { fi done - # remove the duplicate certificate - if [ -e "$dup_crt_by_serial" ]; then - rm "$dup_crt_by_serial" || warn "\ -Failed to remove the duplicate certificate: -* $dup_crt_by_serial" - fi - # remove credentials file if [ -e "$creds_in" ]; then rm "$creds_in" || warn "\ From 4537ae7636a72f9abab3c200a75c760a673c6cf7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 27 Jun 2024 00:16:42 +0100 Subject: [PATCH 2/4] Command revoke: Conditionally move request and key files For 'revoke', always move the req/key files. It is assumed that revoking an issued cert implies that renewal is not desired. For 'revoke-expired' and 'revoke-renewed', never move the req/key files. It is assumed that revoking an expired or renewed cert implies that renewal is desired. 
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 39893ec58..d80c61ec5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3029,9 +3029,13 @@ issued certificate:${NL} Expiry: ${crt_endd%%${NL}serial=*} Serial: ${crt_endd##*serial=}" fi + + # Revoking an issued cert forces req/key to be moved + move_req_and_key=1 ;; expired|renewed) - : # ok + # Revoke-expired/renewed cert means req/key can remain + move_req_and_key= ;; *) die "Invalid cert_dir: '$cert_dir'" @@ -3070,10 +3074,15 @@ Cannot revoke this certificate, a conflicting file exists. # Check for key and request files unset -v if_exist_key_in if_exist_req_in - [ -e "$key_in" ] && if_exist_key_in=" + if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then + if_exist_key_in=" * $key_in" - [ -e "$req_in" ] && if_exist_req_in=" + fi + + if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + if_exist_req_in=" * $req_in" + fi # Set confirm DN and serial confirm_dn="$(display_dn x509 "$crt_in")" || \ @@ -3130,19 +3139,24 @@ certificate from being accepted." revoke_move() { parent_dir="$EASYRSA_PKI"/revoked easyrsa_mkdir "$parent_dir" - for i in certs_by_serial private_by_serial + for i in reqs_by_serial certs_by_serial private_by_serial do easyrsa_mkdir "${parent_dir}/$i" done parent_dir= - # do NOT move the req - can be signed again + # only move the req when revoking an issued cert + # and if we have the req + if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + mv "$req_in" "$req_out" || warn "Failed to move: $req_in" + fi # move crt to revoked folder mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in" - # only move the key if we have it - if [ -e "$key_in" ]; then + # only move the key when revoking an issued cert + # and if we have the key + if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then mv "$key_in" "$key_out" || warn "Failed to move: $key_in" fi 
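Review bot: The `expired|renewed)` branch clears `move_req_and_key` unconditionally, so the private key and request stay in place for re-signing whatever the reason for revocation. The commit's assumption that renewal is wanted does not hold when the certificate is revoked because its key is no longer trusted (for example reason keyCompromise). If the revocation reason is available at this point, which the hunk does not show, the flag should also be set for that reason. Otherwise the branch comment should state the limit, e.g. `# key/req are kept for re-signing; do not re-use them if the key itself is suspect`. The `case` statement starts outside the hunk.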
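Review bot: In `revoke_move()` the new `mv "$req_in" "$req_out" || warn ...` runs before `mv "$crt_in" "$crt_out" || die ...`, so a failed certificate move aborts with the request already relocated and the certificate still in place. Putting the fatal certificate move first and the request move after it avoids that half-moved state. The key move still only calls `warn` on failure, so the key of a revoked certificate can stay where it was while the command carries on; now that moving it is an explicit goal of `revoke`, the warning should tell the operator to move or destroy the key by hand. The function relies on `move_req_and_key` and `req_out` being set by the caller, which is not visible in these hunks, and its body continues outside the hunk.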
From 7eab98eed187c2b8c11411e921b042a5e7d8b9b6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 27 Jun 2024 01:08:01 +0100 Subject: [PATCH 3/4] Command gen-req: Always check for an existing request file Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d80c61ec5..cca9473d3 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2178,15 +2178,25 @@ Run easyrsa without commands for usage and commands." shift done + # don't wipe out an existing request without confirmation + [ -f "$req_out" ] && confirm "Confirm request overwrite: " "yes" "\ + +WARNING!!! + +An existing request file was found at +* $req_out + +Continuing with key generation will replace this request." + # don't wipe out an existing private key without confirmation - if [ -f "$key_out" ]; then - confirm "Confirm key overwrite: " "yes" "\ + [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\ WARNING!!! -An existing private key was found at $key_out +An existing private key was found at +* $key_out + Continuing with key generation will replace this key." - fi # When EASYRSA_EXTRA_EXTS is defined, # append it to openssl's [req] section: From d6c5e52c5d8f763322c2eeb470131d5e500e35ac Mon Sep 17 00:00:00 2001 
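Review bot: Both overwrite guards are now written as `[ -f "$path" ] && confirm ...` with a multi-line message hanging off the `&&`. The `if ... fi` form that the key check used before makes it easier to see that `confirm` is the only guard before an existing private key is replaced, and it does not leave a non-zero status behind when the file is absent. The test is `-f`, so something that exists at the path but is not a regular file skips the prompt, whereas the revoke code checks its paths with `-e`. A more cautious shape for both guards would be `if [ -e "$key_out" ]; then confirm ...; fi`. The enclosing function starts and ends outside the hunk.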
From: Richard T Bonhomme Date: Thu, 27 Jun 2024 11:46:21 +0100 Subject: [PATCH 4/4] ChangeLog: Command revoke/revoke-expired/-renewed: Old file removal revoke: Always remove old req/key files. It is assumed that revoking an issued certificate does not require subsequesnt renewal. revoke-expired/revoke-renewed: Never remove old req/key files. It is assumed that revoking an expired or renewed certificate does require subsequent renewal. Never remove the duplicate certificate by serial, this file must always be unique, so it does not need to be removed. This also allows status reports to have simple access to all signed certificates, regardless of status. Signed-off-by: Richard T Bonhomme --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index a7e625297..5656a029d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog 3.2.1 (TBD) + * gen-req: Always check for existing request file (7eab98e) (#1177) + * revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177) + * revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177) * revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173) * build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170) * gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)