Commit 2a3504b

Merge branch 'TinCanTech-renew-respect-sig-alg'
Signed-off-by: Richard T Bonhomme <[email protected]>
2 parents 4e9b296 + 9aa9148 commit 2a3504b

2 files changed

+53
-0
lines changed

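--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.5 (TBD)
 
+* New function ssl_cert_sig_digest() (f9d2b49) (#1414)
 * Add '-b' alias for --batch (575a964) (#1411)
 * Introduce peer-fingerprint inline lists (94c3690) (#1410)
 * Create new inline file type 'pfp', peer-fingerprint (353adc5) (#1407)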

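--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -4719,6 +4719,11 @@ Use command 'revoke-renewed' to revoke this certificate."
 cert_type=
 ssl_cert_x509v3_eku "$crt_in" cert_type
 
+# Extract Signature digest from old cert
+sig_digest=
+ssl_cert_digest "$crt_in" sig_digest
+export EASYRSA_DIGEST="$sig_digest"
+
 # create temp-file for full cert text
 full_crt_tmp=
 easyrsa_mktemp full_crt_tmp
@@ -4991,6 +4996,11 @@ $cmd does not support setting an external commonName."
 )" || die "renew_ca_cert - Failed to get EASYRSA_REQ_CN"
 export EASYRSA_REQ_CN
 
+# Extract Signature digest from old cert
+sig_digest=
+ssl_cert_digest "$ca_cert_file" sig_digest
+export EASYRSA_DIGEST="$sig_digest"
+
 # Set ssl batch mode, as required
 [ "$EASYRSA_BATCH" ] && ssl_batch=1
 
@@ -5371,6 +5381,48 @@ ssl_cert_x509v3_eku() {
 return 1
 } # => ssl_cert_x509v3_eku()
 
+# get the digest of the certificate
+ssl_cert_digest() {
+[ "$#" = 2 ] || die "ssl_cert_digest - input error"
+[ -f "$1" ] || die "ssl_cert_digest - missing cert"
+
+fn_ssl_out="$(
+"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
+-certopt no_header,no_version,no_serial,no_sigdump \
+-certopt no_pubkey,no_validity,no_subject,no_issuer \
+-certopt no_extensions
+)" || die "ssl_cert_digest - failed: digest"
+
+# remove the 'Signature Algorithm: ' part
+fn_ssl_out="${fn_ssl_out##*: }"
+
+case "$fn_ssl_out" in
+# remove the 'WithRSAEncryption' part
+*WithRSAEncryption)
+fn_ssl_out="${fn_ssl_out%%With*}"
+"$EASYRSA_OPENSSL" dgst "-$fn_ssl_out" "$1" || \
+die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+;;
+# remove the 'ecdsa-with-' part
+ecdsa-with-*)
+fn_ssl_out="${fn_ssl_out##*with-}"
+"$EASYRSA_OPENSSL" dgst "-$fn_ssl_out" "$1" || \
+die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+;;
+# remove everything for Edwards Curve
+ED25519|ED448)
+fn_ssl_out=""
+# digest verification is not required
+;;
+*) die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+esac
+
+force_set_var "$2" "$fn_ssl_out" || \
+die "ssl_cert_digest - failed to set var '$*'"
+
+unset -v fn_ssl_out
+} # => ssl_cert_digest()
+
 # get the serial number of the certificate -> serial=XXXX
 ssl_cert_serial() {
 [ "$#" = 2 ] || die "ssl_cert_serial - input error"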
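Review bot: The two `openssl dgst` probes in ssl_cert_digest (new lines 5403 and 5409) exist only to confirm openssl accepts the digest name, but their stdout is not redirected, so every `renew` and `renew-ca-cert` run (first two hunks, which call the function as a plain statement) prints a stray `SHA256(file)= …` line unless output is captured further up; change both to `"$EASYRSA_OPENSSL" dgst "-$fn_ssl_out" "$1" >/dev/null || \`. The `ED25519|ED448` branch leaves `fn_ssl_out` empty, so both callers export `EASYRSA_DIGEST=""`; confirm the signing path treats an empty value as "no digest" rather than handing a bare `-` to openssl. Because the function copies whatever digest the old certificate carries, a certificate signed with `sha1WithRSAEncryption` or `md5WithRSAEncryption` is renewed with the same weak digest, and a warning when the trimmed name is `sha1` or `md5` would make that inheritance visible to the operator. The ChangeLog entry names the new function `ssl_cert_sig_digest()` while the code defines `ssl_cert_digest()`; one of them should be corrected. The header comment should also state the contract, e.g. `# get the digest name of the certificate's signature algorithm -> digest=sha256 (empty for ED25519/ED448); any other algorithm dies`.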
