Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Forbid a self-signed certificate from being expired/renewed/revoked #1274

Merged
merged 2 commits into from
Dec 10, 2024
Merged

Forbid a self-signed certificate from being expired/renewed/revoked #1274

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ab45ae7
Forbid self-signed certificate from being expired/renewed/revoked
TinCanTech Dec 9, 2024
eb1b644
ChangeLog: Forbid self-signed cert. being 'expired/renewed/revoked'
TinCanTech Dec 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ChangeLog
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.2 (TBD)

* Forbid self-signed certificate from being expired/renewed/revoked (ab45ae7) (#1274)
* Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270)
* bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270)
* bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)
Expand Down
27 changes: 27 additions & 0 deletions easyrsa3/easyrsa
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3316,6 +3316,11 @@ Unable to revoke as the input-file is not a valid certificate.
Certificate was expected at:
* $crt_in"

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down Expand Up @@ -3508,6 +3513,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# get the serial number of the certificate
cert_serial=
ssl_cert_serial "$crt_in" cert_serial || \
Expand Down Expand Up @@ -3553,6 +3563,23 @@ It can be revoked with command 'revoke-expired'.
It is now possible to sign a new certificate for '$file_name_base'"
} # => expire_cert()

# Forbid a self-signed cert from being expired/renewed/revoked
# by a CA that has nothing to do with the cert
forbid_selfsign() {
# cert temp-file
forbid_selfsign_tmp=
easyrsa_mktemp forbid_selfsign_tmp || \
die "easyrsa_mktemp forbid_selfsign_tmp"

# SSL text
"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
> "$forbid_selfsign_tmp" || \
die "forbid_selfsign - ssl text"

# test for CA:TRUE
grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
} # => forbid_selfsign()

# gen-crl backend
gen_crl() {
out_file="$EASYRSA_PKI/crl.pem"
Expand Down
5 changes: 5 additions & 0 deletions easyrsa3/easyrsa-tools.lib
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -731,6 +731,11 @@ Missing certificate file:
* $crt_in"
fi

# Forbid self-signed cert from being expired/renewed/revoked
if forbid_selfsign "$crt_in"; then
user_error "Cannot $cmd a self-signed certificate."
fi

# Verify request
if [ -f "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Expand Down
Loading