New diagnostic command 'display-cn'

Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Nov 2, 2023 · 4fec8a7 · 4fec8a7
1 parent 5571aac
commit 4fec8a7
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 Easy-RSA 3 ChangeLog
 
 3.2.0 (TBD)
+   * New diagnostic command 'display-cn' (#1040)
    * Expand renewable certificate types to include code-signing (#1039)
 
 3.1.7 (2023-10-13)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -475,6 +475,9 @@ cmd_help() {
   Check <SERIAL> number is unique:
     serial|check-serial <SERIAL>
 
+  Display CN of certificate: <form> = req|x509
+    display-cn <form> <file_name_base>
+
   Display DN of certificate:
     display-dn <file_name_base>
 
@@ -615,9 +618,9 @@ Easy-RSA error:
 
 $1
 "
-	# error_info is currently unused
+	# error_info is for hard-to-spot errors!
 	if [ "$error_info" ]; then
-		print "${error_info}${NL}"
+		print "  * $cmd: ${error_info}${NL}"
 	fi
 
 	# show host info
@@ -4077,6 +4080,79 @@ update_db() {
 			die "Failed to perform update-db."
 } # => update_db()
 
+# Display commonName
+display_cn() {
+	format="$1"
+	path="$2"
+	var_name="$3"
+	shift "$#"
+
+	case "$format" in
+	req)
+		def_dir=reqs
+		dot_3=req
+	;;
+	x509)
+		def_dir=issued
+		dot_3=crt
+	;;
+	'')
+		user_error "display_cn - Unspecified format"
+	;;
+	*)
+		user_error "display_cn - Unknown format: '$format'"
+	esac
+
+	# Check for absolute or relative file name
+	if [ -e "$path" ]; then
+		: # ok
+	else
+		in_file="${EASYRSA_PKI}/${def_dir}/${path}.${dot_3}"
+		in_file_1="${EASYRSA_PKI}/${def_dir}/${path}"
+		if [ -e "$in_file" ]; then
+			path="$in_file"
+		elif [ -e "$in_file_1" ]; then
+			path="$in_file_1"
+		else
+			user_error "\
+display_cn - Type '$format', missing: '$path'"
+		fi
+	fi
+
+	# Extract commonName
+	error_info="Certs require form 'x509'; Reqs require form 'req'"
+	if ssl_cn="$(
+		export OPENSSL_CONF=/dev/null
+		"$EASYRSA_OPENSSL" "$format" -in "$path" -noout -subject \
+			-nameopt utf8,sep_multiline,space_eq,lname,align | \
+				grep '^[[:blank:]]*commonName'
+		)"
+	then
+		unset -v error_info
+	else
+		 die "display_cn - ssl_cn: Not found 'commonName'"
+	fi
+
+	# Return commonName
+	if [ "$internal_batch" ] || [ "$EASYRSA_BATCH" ]; then
+		# Remove the label
+		ssl_cn="${ssl_cn#*= }"
+		# if set then return CN via variable
+		if [ "$var_name" ]; then
+			verbose "display_cn - force_set_var '$var_name' '$ssl_cn'"
+			force_set_var "$var_name" "$ssl_cn" || \
+				die "display_cn - force_set_var '$var_name' '$ssl_cn'"
+		else
+			print "$ssl_cn"
+		fi
+	else
+		print "$ssl_cn"
+	fi
+
+	unset -v ssl_cn var_name in_file in_file_1 \
+		def_dir dot_3 path format internal_batch
+} # => display_cn()
+
 # Display subjectAltName
 display_san() {
 	[ "$#" = 2 ] || die "\
@@ -7376,6 +7452,10 @@ case "$cmd" in
 		check_serial_unique "$@" || \
 			easyrsa_exit_with_error=1
 		;;
+	display-cn)
+		verify_working_env
+		display_cn "$@"
+		;;
 	display-dn)
 		verify_working_env
 		display_dn "$@"