easy-rsa

Couple of minor issues on show commands

Open tecoboot opened this issue 3 years ago • 1 comments

When testing the PKI database for correctness, a couple of script errors occurred. They have to do with a missing mandatory file_name_base and a missing CRL. A solution would be:

  • Check the mandatory <file_name_base> parameter. Or make it optional and show all, or better: list all.
    • The commands show-req/cert/ca/crl do show the details.
    • The show-expire/revoke/renew are in fact list commands. Hmm.
  • Accept a PKI without a CRL file. This is not an error; the command should just respond that there isn't a CRL.

I checked all show commands with a test script:

root@host:~/easy-rsa/easyrsa3# cat test-show.sh 
#!/bin/bash

for CMD in $(./easyrsa | grep "show-" | awk '{print $1}')
do
  echo
  echo "... Test $CMD"
  rm -f /tmp/test-show.syserr
  ./easyrsa $CMD 1>/dev/null 2>/tmp/test-show.syserr
  if [ -s /tmp/test-show.syserr ]; then
    echo "#### ERROR on command ./easyrsa $CMD ####"
    echo "#### syserr ####"
    cat /tmp/test-show.syserr
    echo "#### end of syserr ####"
  fi
done
root@host:~/easy-rsa/easyrsa3# 

Result:

root@host:~/easy-rsa/easyrsa3# ./test-show.sh 

... Test show-req
#### ERROR on command ./easyrsa show-req ####
#### syserr ####
./easyrsa: 2976: shift: can't shift that many
#### end of syserr ####

... Test show-cert
#### ERROR on command ./easyrsa show-cert ####
#### syserr ####
./easyrsa: 2976: shift: can't shift that many
#### end of syserr ####

... Test show-ca

... Test show-crl
#### ERROR on command ./easyrsa show-crl ####
#### syserr ####

Easy-RSA error:

No such crl file with a basename of 'crl' is present.
Expected to find this file at:
/root/easy-rsa/easyrsa3/pki/crl.pem
#### end of syserr ####

... Test show-expire

... Test show-revoke

... Test show-renew
root@host:~/easy-rsa/easyrsa3#

tecoboot, Aug 09 '22 06:08

show-req, show-cert and show-crl need some usage guards.

show-ca could be folded into the show() function (Needs investigation)

show-expire, show-revoke and show-renew look ok to me. Could be renamed to list-* .. undecided.

TinCanTech, Aug 15 '22 14:08

> show-req, show-cert and show-crl need some usage guards.

Done #639

> show-ca could be folded into the show() function (Needs investigation)

The current way is simple. Not changing.

> show-expire, show-revoke and show-renew look ok to me. Could be renamed to list-* .. undecided.

Decided:

  • The intention is to show the status of the target certificate
  • They only list, if you don't specify a target certificate.
  • They could equally be called status-* or something else..
  • They could die if you don't specify a target certificate, or worse.. Not changing.

@tecoboot Thank you for your time and feedback.

Closing now, reopen if there is a disturbance in The Force ;-)

TinCanTech, Aug 16 '22 23:08
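
The two fixes discussed in this thread (a usage guard before `shift`, and treating a PKI without a CRL as a valid state), sketched as an added example. This is not Easy-RSA's code and not the change made in #639; `show_item`, `usage` and `PKI_DIR` are hypothetical names, and the `reqs/` and `issued/` sub-directories are an assumed PKI layout.

```shell
#!/bin/sh
# Added example, not Easy-RSA code. show_item, usage and PKI_DIR are
# hypothetical names; reqs/ and issued/ are an assumed PKI layout.

usage() { printf 'usage: show_item <req|cert|crl> [file_name_base]\n' >&2; }

# show_item TYPE [NAME]
# Returns 0 on success (or when no CRL exists), 1 if a named file is
# missing, 2 on a usage error.
show_item() {
    pki="${PKI_DIR:-./pki}"
    # Guard every shift: in dash, shifting an empty argument list aborts
    # the script with "shift: can't shift that many".
    [ "$#" -ge 1 ] || { usage; return 2; }
    type="$1"; shift
    case "$type" in
        req)  sub=req;  dir="$pki/reqs";   ext=req ;;
        cert) sub=x509; dir="$pki/issued"; ext=crt ;;
        crl)  sub=crl;  dir="$pki";        ext=pem ;;
        *)    usage; return 2 ;;
    esac
    if [ "$type" = crl ]; then
        name="${1:-crl}"              # basename is optional for the CRL
    else
        [ "$#" -ge 1 ] || { usage; return 2; }
        name="$1"; shift
    fi
    file="$dir/$name.$ext"
    if [ ! -f "$file" ]; then
        if [ "$type" = crl ]; then
            # A PKI that has never generated a CRL is a valid state.
            printf 'No CRL present at %s\n' "$file"
            return 0
        fi
        printf 'No such %s file: %s\n' "$type" "$file" >&2
        return 1
    fi
    # Render the object the same way for all three types.
    openssl "$sub" -in "$file" -noout -text
}
```

Keeping the usage error (2) distinct from a missing file (1) lets a test loop like the one in the report tell a bad invocation from a genuinely absent request or certificate.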