Skip to content

forbid_selfsign(): Compare cert serial to signing cert serial #1342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 5, 2025
Merged

forbid_selfsign(): Compare cert serial to signing cert serial #1342

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
29b2779
forbid_selfsign(): Compare cert serial to signing cert serial
TinCanTech Jun 5, 2025
6c51b9d
ChangeLog: forbid_selfsign(): Compare cert serial to signing cert serial
TinCanTech Jun 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ChangeLog
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog

3.2.3 (TBD)

* forbid_selfsign(): Compare cert serial to signing cert serial (29b2779) (#1342)
* Unit-test: Minimize Windows test (dc60c8b) (#1339)
* ssl_cert_x509v3_eku(): Localize variables and minor improvements (8c19a95) (#1337)
* inline_file(): Always use ssl_cert_x509v3_eku() to set $inline_crt_type (e1a2880) (#1337)
Expand Down
27 changes: 20 additions & 7 deletions easyrsa3/easyrsa
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3584,17 +3584,30 @@ It is now possible to sign a new certificate for '$file_name_base'"
# Forbid a self-signed cert from being expired/renewed/revoked
# by a CA that has nothing to do with the cert
forbid_selfsign() {
fn_name="$fn_name; forbid_selfsign"
# cert temp-file
forbid_selfsign_tmp=
easyrsa_mktemp forbid_selfsign_tmp
forbid_ss_tmp=
easyrsa_mktemp forbid_ss_tmp

forbid_serial=
ssl_cert_serial "$1" forbid_serial || \
die "$fn_name - ssl_cert_serial"

# SSL text
"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
> "$forbid_selfsign_tmp" || \
die "forbid_selfsign - ssl text"

# test for CA:TRUE
grep -q "^[[:blank:]]*CA:TRUE$" "$forbid_selfsign_tmp"
> "$forbid_ss_tmp" || die "$fn_name - ssl text"

# Extract signing cert serial
signing_serial="$(
grep "^[[:blank:]]*serial:.*$" "$forbid_ss_tmp" | \
sed -e 's/^[[:blank:]]*serial//' -e 's/://g'
)" || die "$fn_name - signing_serial subshell"
[ "$signing_serial" ] || die "$fn_name - signing_serial"

verbose "$fn_name: $forbid_serial = $signing_serial"
fn_name="${fn_name%; forbid_selfsign}"
# Compare $ssl_cert_serial to $signing_serial
[ "$forbid_serial" = "$signing_serial" ]
} # => forbid_selfsign()

# gen-crl backend
Expand Down