Remove function 'rewind_renew'
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Dec 7, 2023
1 parent 6a88edd commit 72b4079
Showing 2 changed files with 1 addition and 122 deletions.
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,6 +1,7 @@
Easy-RSA 3 ChangeLog

3.2.0 (TBD)
* Remove command 'rewind-renew' (#1045)'
* Remove command 'rebuild' (#1045)'
* Remove command 'upgrade' (#1045)'
* Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043)
122 changes: 0 additions & 122 deletions easyrsa3/easyrsa
Expand Up @@ -3171,128 +3171,6 @@ revoke_renewed_move() {
return 0
} # => revoke_renewed_move()

# Move renewed certs_by_serial to the new renew layout
rewind_renew() {
# pull filename base: serial number
[ "$1" ] || user_error "\
Error: didn't find a serial number as the first argument.
Run easyrsa without commands for usage and command help."

# Assign file_name_base and dust off!
file_name_base="$1"
shift "$#" # No options supported

cert_serial="$file_name_base"
in_dir="$EASYRSA_PKI/renewed"
crt_in="$in_dir/certs_by_serial/${file_name_base}.crt"
key_in="$in_dir/private_by_serial/${file_name_base}.key"
req_in="$in_dir/reqs_by_serial/${file_name_base}.req"

# referenced cert must exist:
[ -f "$crt_in" ] || user_error "\
Unable to rewind as no certificate was found.
Certificate was expected at:
* $crt_in"

# Verify certificate
verify_file x509 "$crt_in" || user_error "\
Unable to rewind as the input file is not a valid certificate.
Certificate was expected at:
* $crt_in"

# Verify request
if [ -e "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Unable to verify request. The file is not a valid request.
Request was expected at:
* $req_in"
fi

# get the commonName of the certificate via DN
crt_cn="$(
easyrsa_openssl x509 -in "$crt_in" -noout \
-subject -nameopt utf8,multiline | grep \
'^[[:blank:]]*commonName[[:blank:]]*=[[:blank:]]'
)" || die "Failed to find commonName in certificate"
crt_cn="${crt_cn#*= }"

# Set out_dir
out_dir="$EASYRSA_PKI/renewed"
crt_out="$out_dir/issued/${crt_cn}.crt"
key_out="$out_dir/private/${crt_cn}.key"
req_out="$out_dir/reqs/${crt_cn}.req"

# Create out_dir
for newdir in issued private reqs; do
mkdir -p "$out_dir/$newdir" || \
die "Failed to create: $out_dir/$newdir"
done

# NEVER over-write a renewed cert, revoke it first
deny_msg="\
Cannot rewind this certificate, a conflicting file exists.
*"
[ -e "$crt_out" ] && \
user_error "$deny_msg certificate: $crt_out"
[ -e "$key_out" ] && \
user_error "$deny_msg private key: $key_out"
[ -e "$req_out" ] && \
user_error "$deny_msg request : $req_out"
unset -v deny_msg

warn "\
This process is destructive!

These files will be MOVED to the 'renewed' sub-directory:
* $crt_in
* $key_in
* $req_in"

confirm " Continue with rewind-renew: " "yes" "
Please confirm you wish to rewind-renew the certificate
with the following subject:

$(display_dn x509 "$crt_in")

serial-number: $cert_serial
" # => confirm end

# move crt, key and req file to renewed folders
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

# only move the key if we have it
if [ -e "$key_in" ]; then
if mv "$key_in" "$key_out"; then
: # ok
else
# Attempt restore
mv -f "$crt_out" "$crt_in"
die "Failed to move: $key_in"
fi
fi

# only move the req if we have it
if [ -e "$req_in" ]; then
if mv "$req_in" "$req_out"; then
: # ok
else
# Attempt restore
mv -f "$crt_out" "$crt_in"
mv -f "$key_out" "$key_in"
die "Failed to move: $req_in"
fi
fi

# Success message
notice "\
Rewind is successful.

Common Name : $crt_cn
Serial number: $cert_serial

To revoke use: 'revoke-renewed $crt_cn'"
} # => rewind_renew()

# gen-crl backend
gen_crl() {
out_file="$EASYRSA_PKI/crl.pem"
