Skip to content

Commit

Permalink
revoke: Make check for conflicting files less intrusive
Browse files Browse the repository at this point in the history
Ref: commit 38bf2d8

In order to avoid accidentally revoking an issued certificate,
when an expired or renewed certificate is intended, guard command
'revoke' by checking for certificates of the same file-name in
the 'expired' or 'renewed/issued' directories, first.

Move the check to the revoke() function.

Also, pass the target directory as the first argument to the
revoke() function, instead of setting a variable in the command
selection phase.

Signed-off-by: Richard T Bonhomme <[email protected]>
  • Loading branch information
TinCanTech committed Dec 9, 2024
1 parent c7a0d16 commit 16043e2
Showing 1 changed file with 35 additions and 18 deletions.
53 changes: 35 additions & 18 deletions easyrsa3/easyrsa
Original file line number Diff line number Diff line change
Expand Up @@ -3227,6 +3227,10 @@ Inline file created:

# revoke backend
revoke() {
# Set cert directory (IE. type) to revoke
cert_dir="$1"
shift

# pull filename base:
[ "$1" ] || user_error "\
Error: didn't find a file base name as the first argument.
Expand Down Expand Up @@ -3279,6 +3283,33 @@ Unable to revoke as no certificate was found.
Certificate was expected at:
* $crt_in"

# Set conflicting cert files: issued/ VS expired/ renewed/
crt_iss="$EASYRSA_PKI/issued/${file_name_base}.crt"
crt_exp="$EASYRSA_PKI/expired/${file_name_base}.crt"
crt_ren="$EASYRSA_PKI/renewed/issued/${file_name_base}.crt"

# If the command is 'revoke' then
# if an issued cert exists then check that the others do not
# To ensure that 'revoke' is not called accidentally
if [ "$cmd" = revoke ] && [ -f "$crt_iss" ]; then
if [ -f "$crt_exp" ] || [ -f "$crt_ren" ]; then
msg=
[ -f "$crt_exp" ] && msg="${NL}[Expired] $crt_exp"
[ -f "$crt_ren" ] && msg="${NL}[Renewed] $crt_ren"

# Force user to select revoke type
[ "$EASYRSA_BATCH" ] || user_error "\
Conflicting file(s) found:${msg}

Please select which type of 'revoke' command is required:
* 'revoke-issued' will revoke a current certificate.
* 'revoke-expired' will revoke an old cert, which has been expired.
* 'revoke-renewed' will revoke an old cert, which has been renewed."
fi
fi
# Clear variables no longer in use
unset -v crt_iss crt_exp crt_ren

# Verify certificate
verify_file x509 "$crt_in" || user_error "\
Unable to revoke as the input-file is not a valid certificate.
Expand Down Expand Up @@ -5923,31 +5954,17 @@ case "$cmd" in
export EASYRSA_CRL_DAYS="$alias_days"
gen_crl
;;
revoke)
# Force user to select revoke type
[ "$EASYRSA_BATCH" ] || user_error "\
Please select which type of 'revoke' command is required:
* 'revoke-issued' will revoke a current certificate.
* 'revoke-expired' will revoke an old cert, which has been expired.
* 'revoke-renewed' will revoke an old cert, which has been renewed."
verify_working_env
cert_dir=issued
revoke "$@"
;;
revoke-issued)
revoke|revoke-issued)
verify_working_env
cert_dir=issued
revoke "$@"
revoke 'issued' "$@"
;;
revoke-expired)
verify_working_env
cert_dir=expired
revoke "$@"
revoke 'expired' "$@"
;;
revoke-renewed)
verify_working_env
cert_dir=renewed/issued
revoke "$@"
revoke 'renewed/issued' "$@"
;;
import-req)
verify_working_env
Expand Down

0 comments on commit 16043e2

Please sign in to comment.