
Commit f9d2b49

committed
New function ssl_cert_sig_digest(); Extract certificate digest name
This allows certificate renewal to preserve the original digest. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
1 parent 4e9b296 commit f9d2b49

1 file changed

+47
-0
lines changed


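--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -4719,6 +4719,11 @@ Use command 'revoke-renewed' to revoke this certificate."
 cert_type=
 ssl_cert_x509v3_eku "$crt_in" cert_type
 
+# Extract Signature digest from old cert
+sig_digest=
+ssl_cert_digest "$crt_in" sig_digest
+export EASYRSA_DIGEST="$sig_digest"
+
 # create temp-file for full cert text
 full_crt_tmp=
 easyrsa_mktemp full_crt_tmp
@@ -4991,6 +4996,11 @@ $cmd does not support setting an external commonName."
 )" || die "renew_ca_cert - Failed to get EASYRSA_REQ_CN"
 export EASYRSA_REQ_CN
 
+# Extract Signature digest from old cert
+sig_digest=
+ssl_cert_digest "$ca_cert_file" sig_digest
+export EASYRSA_DIGEST="$sig_digest"
+
 # Set ssl batch mode, as required
 [ "$EASYRSA_BATCH" ] && ssl_batch=1
 
@@ -5371,6 +5381,43 @@ ssl_cert_x509v3_eku() {
 return 1
 } # => ssl_cert_x509v3_eku()
 
+# get the digest of the certificate
+ssl_cert_digest() {
+[ "$#" = 2 ] || die "ssl_cert_digest - input error"
+[ -f "$1" ] || die "ssl_cert_digest - missing cert"
+
+fn_ssl_out="$(
+"$EASYRSA_OPENSSL" x509 -in "$1" -noout -text \
+-certopt no_header,no_version,no_serial,no_sigdump \
+-certopt no_pubkey,no_validity,no_subject,no_issuer \
+-certopt no_extensions
+)" || die "ssl_cert_digest - failed: digest"
+
+# remove the 'Signature Algorithm: ' part
+fn_ssl_out="${fn_ssl_out##*: }"
+
+case "$fn_ssl_out" in
+# remove the 'WithRSAEncryption' part
+*WithRSAEncryption)
+fn_ssl_out="${fn_ssl_out%%With*}"
+;;
+# remove the 'ecdsa-with-' part
+ecdsa-with-*)
+fn_ssl_out="${fn_ssl_out##*with-}"
+;;
+# remove everything for Edwards Curve
+ED25519|ED448)
+fn_ssl_out=""
+;;
+*) die "ssl_cert_digest - Bad Sig-Alg: '$fn_ssl_out'"
+esac
+
+force_set_var "$2" "$fn_ssl_out" || \
+die "ssl_cert_digest - failed to set var '$*'"
+
+unset -v fn_ssl_out
+} # => ssl_cert_digest()
+
 # get the serial number of the certificate -> serial=XXXX
 ssl_cert_serial() {
 [ "$#" = 2 ] || die "ssl_cert_serial - input error"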
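Review bot: In ssl_cert_digest the `*)` arm of the case makes every signature algorithm it does not recognise a hard `die`, so renewal aborts on certificates whose algorithm is printed in another form — RSA-PSS certificates, which OpenSSL's text output labels `rsassaPss` rather than `...WithRSAEncryption`, are the likely case — and the ED25519/ED448 arm leaves sig_digest empty, which both call sites in the earlier hunks then export as `EASYRSA_DIGEST=""`; unless the consumer treats empty exactly like unset, guard it with `[ "$sig_digest" ] && export EASYRSA_DIGEST="$sig_digest"`. The ECDSA arm also yields an upper-case `SHA256` where the RSA arm yields `sha256`; OpenSSL digest lookup is case-insensitive as far as I know, but a comment saying so would save the next reader a check. Separately, because the exports in the renew and renew_ca_cert hunks are unconditional, a certificate originally signed with sha1 or md5 is renewed with that same weak digest and any digest the user configured is overridden (option parsing is outside this diff), so the export deserves a comment such as `# Preserve the old cert's digest; this takes precedence over any EASYRSA_DIGEST the user set` or a warning when the extracted digest is weaker than the configured one.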
