From 52022d9cdcd35bebb1f6ae2396216f040c26070b Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 6 Aug 2024 01:31:34 +0100 Subject: [PATCH] Inline self-sign certificate: Use new inline_file() function Requires ssl_cert_x509v3_eku(): Check for self signed certificate. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 32 ++++++++++++-------------------- 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 3711c839..0b576ce8 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1904,9 +1904,11 @@ self_sign() { case "$1" in server) selfsign_eku=serverAuth + crt_type=self-signed-server ;; client) selfsign_eku=clientAuth + crt_type=self-signed-client ;; *) die "self_sign: Unknown EKU '$1'" @@ -2083,15 +2085,6 @@ self-sign: Use ALGO:'$EASYRSA_ALGO' / CURVE:'$EASYRSA_CURVE'" die "Failed to move new key/cert files." fi - # Generate fingerprint for inline file - crt_fingerprint="$( - "$EASYRSA_OPENSSL" x509 -in "$crt_out" -noout \ - -sha256 -fingerprint - )" || die "self_sign - Failed -fingerprint" - - # strip fingerprint prefix - crt_fingerprint="${crt_fingerprint#*=}" - # User info notice "\ Self-signed '$EASYRSA_ALGO/$EASYRSA_CURVE' \ @@ -2103,15 +2096,7 @@ SHA256 fingerprint (See inline file below): * $crt_fingerprint" # inline key/cert/fingerprint - if inline_creds "$file_name_base" > "$inline_out"; then - notice "\ -Inline file created: -* $inline_out" - else - warn "\ -INCOMPLETE Inline file created: -* $inline_out" - fi + inline_file "$file_name_base" } # => self_sign() # gen-dh backend: @@ -4078,11 +4063,11 @@ ssl_cert_x509v3_eku() { [ "$1" ] || die "ssl_cert_x509v3_eku - Missing input" # check input file name - if [ -e "$1" ]; then + if [ -f "$1" ]; then __crt="$1" else __crt="${EASYRSA_PKI}/issued/${1}.crt" - [ -e "$__crt" ] || \ + [ -f "$__crt" ] || \ die "ssl_cert_x509v3_eku - Missing cert '$__crt'" fi 
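Review bot: `crt_type` is assigned in both case arms of self_sign() but nothing in this patch reads it, so it is either dead or an implicit global consumed by inline_file() later in the function. If it is the latter, make the coupling visible by passing it as an argument, `inline_file "$file_name_base" "$crt_type"`, or at least add `# crt_type: read by inline_file()` above the case statement. self_sign's body starts and ends outside this hunk, so this is inferred from the hunks alone.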
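Review bot: The user notice still expands `$crt_fingerprint` (context line `* $crt_fingerprint"` at the top of this hunk), but the block that computed it was removed in the preceding hunk, so the "SHA256 fingerprint" line now prints empty unless something outside these hunks sets it. Either drop the two fingerprint lines from the notice or keep the `x509 -sha256 -fingerprint` computation; an empty fingerprint in a message that tells the user to verify it is worse than no line at all. Separately, the new `inline_file "$file_name_base"` call discards the exit status the old `inline_creds` branch checked; if inline_file() does not die on failure, the INCOMPLETE warning is lost — `inline_file "$file_name_base" || warn "INCOMPLETE Inline file: $inline_out"` would preserve it. The enclosing notice starts before this hunk.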
@@ -4137,6 +4122,13 @@ ssl_cert_x509v3_eku() { __type="'$__eku'" esac + # Check for self-sign + if "$EASYRSA_OPENSSL" x509 -in "$__crt" -noout -text | \ + grep -q 'CA:TRUE' + then + __type="self-signed-$__type" + fi + # Set variable to return if [ "$__var" ]; then verbose "ssl_cert_x509v3_eku - EKU: $__type"
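Review bot: `grep -q 'CA:TRUE'` on the `-text` dump does not detect a self-signed certificate: a sub-CA issued by another CA also carries basicConstraints CA:TRUE and would be labelled `self-signed-…`, while the pattern can also match an attacker-chosen DN component printed in the Subject/Issuer lines. The property actually being tested is that the certificate is its own issuer, so compare the subject and issuer DNs instead; this also restores the `|| die` error handling the rest of this function uses, whereas the pipeline silently treats an openssl failure as "not self-signed". If a signature check is wanted rather than a label, `"$EASYRSA_OPENSSL" verify -CAfile "$__crt" "$__crt"` proves the cert verifies under its own key, at the cost of also enforcing validity dates. Either way the result is a classification for display, not a trust decision, and the comment should say so. ssl_cert_x509v3_eku() starts and ends outside this hunk.
```shell
	# Check for self-sign: a self-signed cert is its own issuer.
	# basicConstraints CA:TRUE is also set on sub-CA certs and cannot
	# distinguish the two. This is a label for output, not a trust check.
	__subj="$(
		"$EASYRSA_OPENSSL" x509 -in "$__crt" -noout -subject
	)" || die "ssl_cert_x509v3_eku - Failed -subject"
	__issuer="$(
		"$EASYRSA_OPENSSL" x509 -in "$__crt" -noout -issuer
	)" || die "ssl_cert_x509v3_eku - Failed -issuer"
	# strip the 'subject=' / 'issuer=' prefixes before comparing
	if [ "${__subj#*=}" = "${__issuer#*=}" ]; then
		__type="self-signed-$__type"
	fi
	# … unchanged: set return variable …
```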