easyrsa-tools.lib: expire_status_v2() (show-expire version 2)

Major simplification for command 'show-expire'. 1. Ignore certificates which are not present in 'pki/issued' sub-dir. This includes certs moved to expired, renewed or revoked sub-dirs. These can all be ignored because their validitiy is irrelevant. (Ignore serial number mismatches as irrelevant) 2. Drop all use of 'date' binary. Only use OpenSSL format modifiers to control date format. 3. Try to use ISO8601 date format, as of OpenSSL v3. Otherwise, fallback to default certificate date format. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Aug 14, 2024 · c296697 · c296697
1 parent 5d84784
commit c296697
Showing 1 changed file with 52 additions and 2 deletions.
diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
@@ -473,6 +473,17 @@ cert_date_to_iso_8601: force_set_var - $2 - $out_date"
 	unset -v in_date out_date yyyy mmm  mm dd HH MM SS TZ
 } # => cert_date_to_iso_8601()
 
+# Certificate expiry
+will_cert_expire() {
+	[ -f "$1" ] || die "will_cert_expire - Missing file"
+	case "$2" in (*[!1234567890]*|0*)
+		die "will_cert_expire - Non-decimal" ;;
+	esac
+
+	"$EASYRSA_OPENSSL" x509 -in "$1" -noout -checkend "$2"
+} # => will_cert_expire()
+
+
 # SC2295: Expansion inside ${..} need to be quoted separately,
 # otherwise they match as patterns. (what-ever that means ;-)
 # Unfortunately, Windows sh.exe has an weird bug.
@@ -537,10 +548,10 @@ read_db() {
 			case "$db_status" in
 			V|E)
 				case "$target" in
-				'') expire_status ;;
+				'') expire_status_v2 "$cert_issued" ;;
 				*)
 					if [ "$target" = "$db_cn" ]; then
-						expire_status
+						expire_status_v2 "$cert_issued"
 					fi
 				esac
 			;;
@@ -597,8 +608,47 @@ read_db() {
 	fi
 } # => read_db()
 
+# Expire status
+expire_status_v2() {
+	# expiry seconds
+	pre_expire_window_s="$((
+		EASYRSA_PRE_EXPIRY_WINDOW * 60*60*24
+		))"
+
+	# The certificate for CN should exist but may not
+	unset -v expire_status_cert_exists
+	if [ -f "$1" ]; then
+		verbose "expire_status: cert exists"
+
+		if will_cert_expire "$1" "$pre_expire_window_s" \
+			 1>/dev/null
+		then
+			: # cert will NOT expire
+		else
+			# cert will expire
+			# ISO8601 date - OpenSSL v3 only
+			if ! iso_8601_cert_enddate "$1" cert_not_after_date \
+					2>/dev/null
+			then
+				# Standard date - OpenSSL v1
+				ssl_cert_not_after_date "$1" cert_not_after_date
+			fi
+
+			# show expiring cert details
+			printf '%s%s\n' \
+				"$db_status | Serial: $db_serial | " \
+				"$cert_not_after_date | CN: $db_cn"
+		fi
+	else
+		: # issued cert does not exist, ignore other certs
+	fi
+} # => expire_status_v2()
+
 # Expire status
 expire_status() {
+
+	die "expire_status - PROHIBITED"
+
 	unset -v expire_status_cert_exists
 	pre_expire_window_s="$((
 		EASYRSA_PRE_EXPIRY_WINDOW * 60*60*24