From ab45ae75f2619923cf48021ad04b08c617102426 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 9 Dec 2024 22:33:38 +0000 Subject: [PATCH 1/2] Forbid self-signed certificate from being expired/renewed/revoked Example: If a self-signed certificate is revoked then 'index.txt' becomes contaminated by a self-signed certificate serial number, which has not been vetted for duplicates. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 27 +++++++++++++++++++++++++++ easyrsa3/easyrsa-tools.lib | 5 +++++ 2 files changed, 32 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 385e8963..a62df10b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3316,6 +3316,11 @@ Unable to revoke as the input-file is not a valid certificate. Certificate was expected at: * $crt_in" + # Forbid self-signed cert from being expired/renewed/revoked + if forbid_selfsign "$crt_in"; then + user_error "Cannot $cmd a self-signed certificate." + fi + # Verify request if [ -f "$req_in" ]; then verify_file req "$req_in" || user_error "\ @@ -3508,6 +3513,11 @@ Missing certificate file: * $crt_in" fi + # Forbid self-signed cert from being expired/renewed/revoked + if forbid_selfsign "$crt_in"; then + user_error "Cannot $cmd a self-signed certificate." + fi + # get the serial number of the certificate cert_serial= ssl_cert_serial "$crt_in" cert_serial || \ @@ -3553,6 +3563,23 @@ It can be revoked with command 'revoke-expired'. It is now possible to sign a new certificate for '$file_name_base'" } # => expire_cert() +# Forbid a self-signed cert from being expired/renewed/revoked +# by a CA that has nothing to do with the cert +forbid_selfsign() { + # cert temp-file + forbid_selfsign_tmp= + easyrsa_mktemp forbid_selfsign_tmp || \ + die "easyrsa_mktemp forbid_selfsign_tmp" + + # SSL text + "$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \ + > "$forbid_selfsign_tmp" || \ + die "forbid_selfsign - ssl text" + + # test for CA:TRUE + grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp" +} # => forbid_selfsign() + # gen-crl backend gen_crl() { out_file="$EASYRSA_PKI/crl.pem" diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib index e9e4aed2..275c5313 100644 --- a/easyrsa3/easyrsa-tools.lib +++ b/easyrsa3/easyrsa-tools.lib @@ -731,6 +731,11 @@ Missing certificate file: * $crt_in" fi + # Forbid self-signed cert from being expired/renewed/revoked + if forbid_selfsign "$crt_in"; then + user_error "Cannot $cmd a self-signed certificate." + fi + # Verify request if [ -f "$req_in" ]; then verify_file req "$req_in" || user_error "\ From eb1b644c3c0c20993e9d4dd2fd13f2d0fe0031bb Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Mon, 9 Dec 2024 22:38:32 +0000 Subject: [PATCH 2/2] ChangeLog: Forbid self-signed cert. being 'expired/renewed/revoked' Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 020c0927..6f768373 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog 3.2.2 (TBD) + * Forbid self-signed certificate from being expired/renewed/revoked (ab45ae7) (#1274) * Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270) * bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270) * bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)