
Commit a1033a5

committedNov 10, 2024
show-expire: Allow --days to be zero
easyrsa: Allow --days to be zero for command 'show-expire' only. easyrsa-tools.lib: expire_status_v2(), will_cert_be_valid(); rewrite these functions to avoid the need to redirect output and allow zero days as input. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
1 parent 8afdc1b commit a1033a5


2 files changed

+32
-6
lines changed

 

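--- a/dev/easyrsa-tools.lib
+++ b/dev/easyrsa-tools.lib
@@ -369,13 +369,31 @@ db_date_to_iso_8601_date: force_set_var - $2 - $out_date"
 
 # Certificate expiry
 will_cert_be_valid() {
-[ -f "$1" ] || die "will_cert_be_valid - Missing file"
-case "$2" in (*[!1234567890]*|0*)
-die "will_cert_be_valid - Non-decimal" ;;
+# Verify file exists and is a valid cert
+[ -f "$1" ] || \
+die "will_cert_be_valid - Missing file: $1"
+verify_file x509 "$1" || \
+die "will_cert_be_valid - Invalid file: $1"
+
+# Verify --days
+case "$2" in
+0) : ;; # ok
+''|*[!1234567890]*|0*)
+die "will_cert_be_valid - Non-decimal value: $2"
 esac
 
 # is the cert still valid at this future date
-"$EASYRSA_OPENSSL" x509 -in "$1" -noout -checkend "$2"
+ssl_out="$(
+"$EASYRSA_OPENSSL" x509 -in "$1" -noout \
+-checkend "$2"
+)"
+
+# analyse SSL output
+case "$ssl_out" in
+'Certificate will not expire') return 0 ;;
+'Certificate will expire') return 1 ;;
+*) die "will_cert_be_valid - Failure"
+esac
 } # => will_cert_be_valid()
 
 # SC2295: Expansion inside ${..} need to be quoted separately,
@@ -535,8 +553,7 @@ expire_status_v2() {
 if [ -f "$1" ]; then
 verbose "expire_status: cert exists"
 
-if will_cert_be_valid "$1" "$pre_expire_window_s" \
-1>/dev/null
+if will_cert_be_valid "$1" "$pre_expire_window_s"
 then
 : # cert will still be valid by expiry window
 else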
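Review bot: In will_cert_be_valid() the verdict now rests on two exact OpenSSL message strings and the exit status of `-checkend` is no longer consulted, so any other output (different wording from another SSL build, or an error in place of a verdict) lands in `*) die "will_cert_be_valid - Failure"` with nothing to diagnose it. Because expire_status_v2() calls the function inside an `if`, that path presumably ends the whole run rather than taking the `else` branch as a non-zero return did before; if that is intended, it deserves a comment. I would name the file in the message, `*) die "will_cert_be_valid - Failure: $1"`, and add `# Depends on the exact -checkend messages; exit status is not used` above the `case "$ssl_out"`. `ssl_out` also stays set after the function returns, and the body of expire_status_v2() continues outside the second hunk.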

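--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -4338,6 +4338,14 @@ Option --passout cannot be used with --nopass|nopass."
 prohibit_no_pass=1
 fi
 
+# Restrict --days=0 to 'show-expire'
+if [ "$alias_days" = 0 ]; then
+case "$cmd" in
+show-expire) : ;; # ok
+*) user_error "Cannot use --days=0 for command $cmd"
+esac
+fi
+
 # --silent-ssl requires --batch
 if [ "$EASYRSA_SILENT_SSL" ]; then
 [ "$EASYRSA_BATCH" ] || warn "\
@@ -5582,6 +5590,7 @@ while :; do
 case "$opt" in
 --days)
 number_only=1
+zero_allowed=1
 # Set the appropriate date variable
 # when called by command later
 alias_days="$val"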
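Review bot: The `--days=0` guard in the first hunk tests only `alias_days`, while the comment in the `--days)` arm says that value is copied into a per-command date variable later. If those variables can also be set directly (environment or vars file, not visible here), a zero lifetime for a command that issues certificates or CRLs would not pass through this check, so that is worth confirming. A why-comment on the guard would help, for example `# Zero is only meaningful as an expiry window for show-expire; reject it for all other commands`. In the second hunk `zero_allowed=1` is set beside `number_only=1`, and the code that reads and clears both lies outside the hunk, so confirm the flag cannot carry over to the next option handled by the `while` loop.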
