
Command revoke: Do not remove duplicate certificate by serial #1177

Merged
merged 4 commits into from
Jun 27, 2024
Merged
3 changes: 3 additions & 0 deletions ChangeLog
Expand Up @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog

3.2.1 (TBD)

* gen-req: Always check for existing request file (7eab98e) (#1177)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177)
* revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173)
* build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170)
* gen-req: Re-enable use of --req-cn (5cf8c46) (#1170)
62 changes: 36 additions & 26 deletions easyrsa3/easyrsa
Expand Up @@ -2178,15 +2178,25 @@ Run easyrsa without commands for usage and commands."
shift
done

# don't wipe out an existing request without confirmation
[ -f "$req_out" ] && confirm "Confirm request overwrite: " "yes" "\

WARNING!!!

An existing request file was found at
* $req_out

Continuing with key generation will replace this request."

# don't wipe out an existing private key without confirmation
if [ -f "$key_out" ]; then
confirm "Confirm key overwrite: " "yes" "\
[ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\

WARNING!!!

An existing private key was found at $key_out
An existing private key was found at
* $key_out

Continuing with key generation will replace this key."
fi

# When EASYRSA_EXTRA_EXTS is defined,
# append it to openssl's [req] section:
Expand Down Expand Up @@ -3029,9 +3039,13 @@ issued certificate:${NL}
Expiry: ${crt_endd%%${NL}serial=*}
Serial: ${crt_endd##*serial=}"
fi

# Revoking an issued cert forces req/key to be moved
move_req_and_key=1
;;
expired|renewed)
: # ok
# Revoke-expired/renewed cert means req/key can remain
move_req_and_key=
;;
*)
die "Invalid cert_dir: '$cert_dir'"
Expand All @@ -3050,10 +3064,6 @@ Request was expected at:
ssl_cert_serial "$crt_in" cert_serial || \
die "$cmd: Failed to get cert serial number!"

# Duplicate cert by serial file
dup_dir="$EASYRSA_PKI/certs_by_serial"
dup_crt_by_serial="$dup_dir/${cert_serial}.pem"

# Set out_dir
out_dir="$EASYRSA_PKI/revoked"
crt_out="$out_dir/certs_by_serial/${cert_serial}.crt"
Expand All @@ -3074,10 +3084,15 @@ Cannot revoke this certificate, a conflicting file exists.

# Check for key and request files
unset -v if_exist_key_in if_exist_req_in
[ -e "$key_in" ] && if_exist_key_in="
if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then
if_exist_key_in="
* $key_in"
[ -e "$req_in" ] && if_exist_req_in="
fi

if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then
if_exist_req_in="
* $req_in"
fi

# Set confirm DN and serial
confirm_dn="$(display_dn x509 "$crt_in")" || \
Expand All @@ -3096,10 +3111,7 @@ All PKCS files for commonName : $file_name_base

The inline credentials files:
* $creds_in
* $inline_in

The duplicate certificate:
* $dup_crt_by_serial"
* $inline_in"

confirm " Continue with revocation: " "yes" "
Please confirm that you wish to revoke the certificate
Expand Down Expand Up @@ -3137,19 +3149,24 @@ certificate from being accepted."
revoke_move() {
parent_dir="$EASYRSA_PKI"/revoked
easyrsa_mkdir "$parent_dir"
for i in certs_by_serial private_by_serial
for i in reqs_by_serial certs_by_serial private_by_serial
do
easyrsa_mkdir "${parent_dir}/$i"
done
parent_dir=

# do NOT move the req - can be signed again
# only move the req when revoking an issued cert
# and if we have the req
if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then
mv "$req_in" "$req_out" || warn "Failed to move: $req_in"
fi

# move crt to revoked folder
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

# only move the key if we have it
if [ -e "$key_in" ]; then
# only move the key when revoking an issued cert
# and if we have the key
if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then
mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
fi

Expand All @@ -3168,13 +3185,6 @@ revoke_move() {
fi
done

# remove the duplicate certificate
if [ -e "$dup_crt_by_serial" ]; then
rm "$dup_crt_by_serial" || warn "\
Failed to remove the duplicate certificate:
* $dup_crt_by_serial"
fi

# remove credentials file
if [ -e "$creds_in" ]; then
rm "$creds_in" || warn "\
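Review bot: In the revoke_move hunk (@@ -3137,19 +3149,24 @@) the request is now moved into revoked/reqs_by_serial before the certificate, yet only the certificate move is fatal (`mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"`); if that mv fails, the command dies with the request already relocated and the certificate still under issued/, a half-applied revocation that has to be untangled by hand. Keeping the certificate move first — ahead of the req and key moves that only `warn` — preserves the property that nothing is relocated unless the cert move succeeded, e.g. place `mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"` above the `if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then` block. I cannot see whether the conflicting-file check in the earlier hunk (@@ -3074,10 +3084,15 @@) also covers `$req_out`; if it does not, `mv "$req_in" "$req_out"` would silently overwrite a previously revoked request stored under the same serial, so that is worth confirming. revoke_move's body continues past the end of the hunk.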