Merge branch 'forbid_selfsign-Compare-signing_serial' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-forbid_selfsign-Compare-signing_serial

Signed-off-by: Richard T Bonhomme <[email protected]>

Author: TinCanTech

ChangeLog

@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.3 (TBD)
 
+   * forbid_selfsign(): Compare cert serial to signing cert serial (29b2779) (#1342)
    * Unit-test: Minimize Windows test (dc60c8b) (#1339)
    * ssl_cert_x509v3_eku(): Localize variables and minor improvements (8c19a95) (#1337)
    * inline_file(): Always use ssl_cert_x509v3_eku() to set $inline_crt_type (e1a2880) (#1337)

easyrsa3/easyrsa

@@ -3584,17 +3584,30 @@ It is now possible to sign a new certificate for '$file_name_base'"
 # Forbid a self-signed cert from being expired/renewed/revoked
 # by a CA that has nothing to do with the cert
 forbid_selfsign() {
+	fn_name="$fn_name; forbid_selfsign"
 	# cert temp-file
-	forbid_selfsign_tmp=
-	easyrsa_mktemp forbid_selfsign_tmp
+	forbid_ss_tmp=
+	easyrsa_mktemp forbid_ss_tmp
+
+	forbid_serial=
+	ssl_cert_serial "$1" forbid_serial || \
+		die "$fn_name - ssl_cert_serial"
 
 	# SSL text
 	"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
-		> "$forbid_selfsign_tmp" || \
-			die "forbid_selfsign - ssl text"
-
-	# test for CA:TRUE
-	grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
+		> "$forbid_ss_tmp" || die "$fn_name - ssl text"
+
+	# Extract signing cert serial
+	signing_serial="$(
+			grep "^[[:blank:]]*serial:.*$" "$forbid_ss_tmp" | \
+				sed -e 's/^[[:blank:]]*serial//' -e 's/://g'
+		)" || die "$fn_name - signing_serial subshell"
+	[ "$signing_serial" ] || die "$fn_name - signing_serial"
+
+	verbose "$fn_name: $forbid_serial = $signing_serial"
+	fn_name="${fn_name%; forbid_selfsign}"
+	# Compare $ssl_cert_serial to $signing_serial
+	[ "$forbid_serial" = "$signing_serial" ]
 } # => forbid_selfsign()
 
 # gen-crl backend