Skip to content

Commit

Permalink
Forbid self-signed certificate from being expired/renewed/revoked
Browse files Browse the repository at this point in the history
Example: If a self-signed certificate is revoked then 'index.txt'
becomes contaminated by a self-signed certificate serial number,
which has not been vetted for duplicates.

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Dec 9, 2024
1 parent 1e8a5fa commit ab45ae7
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 0 deletions.
27 changes: 27 additions & 0 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -3316,6 +3316,11 @@ Unable to revoke as the input-file is not a valid certificate.
Certificate was expected at:
* $crt_in"

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down Expand Up @@ -3508,6 +3513,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# get the serial number of the certificate
cert_serial=
ssl_cert_serial "$crt_in" cert_serial || \
Expand Down Expand Up @@ -3553,6 +3563,23 @@ It can be revoked with command 'revoke-expired'.
It is now possible to sign a new certificate for '$file_name_base'"
} # => expire_cert()

# Forbid a self-signed cert from being expired/renewed/revoked
# by a CA that has nothing to do with the cert
forbid_selfsign() {
# cert temp-file
forbid_selfsign_tmp=
easyrsa_mktemp forbid_selfsign_tmp || \
die "easyrsa_mktemp forbid_selfsign_tmp"

# SSL text
"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
> "$forbid_selfsign_tmp" || \
die "forbid_selfsign - ssl text"

# test for CA:TRUE
grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
} # => forbid_selfsign()

# gen-crl backend
gen_crl() {
out_file="$EASYRSA_PKI/crl.pem"
Expand Down
5 changes: 5 additions & 0 deletions easyrsa3/easyrsa-tools.lib
Original file line number Diff line number Diff line change
Expand Up @@ -731,6 +731,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down

0 comments on commit ab45ae7

Please sign in to comment.