From be2f4e8b807a5c5e6342c1b6da96be51c65a05e2 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Tue, 9 Jan 2024 19:15:54 +0000
Subject: [PATCH] write: Always use verify_working_env()

Move the creation of secure_session and openssl-easyrsa.cnf (Temp) to verify_working_env().

Create a session and temp-file in the temp-dir EASRSA_TEMP_DIR, provided that the directory exists.

By default, EASYRSA_TEMP_DIR is set to the current PKI but that can be decoupled and command 'write' can be run without a PKI, so long as a valid temp-dir exists.

Correction to error message about 'write ' being unknown.

ChangeLog: Add warning about DELETING default openssl-easrsa.cnf

Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 easyrsa3/easyrsa | 35 ++++++++++++++++++-----------------
 2 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index feb13fce6..6e47f26ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,7 @@ Easy-RSA 3 ChangeLog
 PENDING: Branch-merge: v3.2.0-beta2 (#1055)
 * Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
   Only use here-doc if the current version is recognised by sha256 hash.
+  This will DELETE any default version of openssl-easyrsa.cnf
 * export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
   Fallback to encryption algorithm RC2_CBC or 3DES_CBC
 * export-p12: Always set 'friendlyName' to file-name-base (da9e594)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 1f89d722b..7a970d742 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -5346,6 +5346,7 @@ ${unexpected_error}"
 
 # Verify working environment
 verify_working_env() {
+	verbose "verify_working_env: BEGIN"
 	# For commands which 'require a PKI' and PKI exists
 	if [ "$require_pki" ]; then
 		# Verify PKI is initialised
@@ -5354,6 +5355,7 @@ verify_working_env() {
 		# Temp dir session and default SSL conf file
 		if [ -z "$secured_session" ]; then
 			secure_session
+			# Verify or create temp EASYRSA_SSL_CONF
 			write_easyrsa_ssl_cnf_tmp
 		fi
 
@@ -5365,6 +5367,20 @@ verify_working_env() {
 		if [ "$require_ca" ]; then
 			verify_ca_init
 		fi
+	else
+		# For commands that do not require a PKI
+		# but do require a temp-dir, eg. 'write'
+		# If there is a valid temp-dir:
+		# Create temp-session and openssl-easyrsa.cnf (Temp) now
+		if [ -d "$EASYRSA_TEMP_DIR" ]; then
+			# Temp dir session and default SSL conf file
+			if [ -z "$secured_session" ]; then
+				secure_session
+
+				# Verify or create: EASYRSA_SSL_CONF
+				write_easyrsa_ssl_cnf_tmp
+			fi
+		fi
 	fi
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
 } # => verify_working_env()
@@ -5559,7 +5575,7 @@ write() {
 		fi
 		;;
 	*)
-		user_error "write - unknown type '$type'"
+		user_error "write - unknown type '$write_type'"
 	esac
 
 	# Check for output directory and file-name
@@ -6313,21 +6329,6 @@ locate_support_files
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
 
-# If there is a valid temp-dir:
-if [ "$require_pki" ]; then
-	# taken care of later by verify_working_env()
-	:
-else
-	# Create temp-session and openssl-easyrsa.cnf (Temp) now
-	if [ -d "$EASYRSA_TEMP_DIR" ]; then
-		# Temp dir session and default SSL conf file
-		secure_session
-		# Verify or create: EASYRSA_SSL_CONF
-		write_easyrsa_ssl_cnf_tmp
-	fi
-fi
-
 # Check $working_safe_ssl_conf, to build
 # a fully configured safe ssl conf, on the
 # next invocation of easyrsa_openssl()
@@ -6476,7 +6477,7 @@ case "$cmd" in
 		easyrsa_exit_with_error=1
 	;;
 	write)
-		# verify_working_env - Not required
+		verify_working_env
 		# Write legacy files to write_dir
 		# or EASYRSA_PKI or EASYRSA
 		case "$1" in
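Review bot: In the new `else` branch of verify_working_env(), when `$EASYRSA_TEMP_DIR` is not a directory the function falls through to COMPLETED without creating a secure session or the temporary openssl-easyrsa.cnf and without reporting the skip, so the `write)` case in the last hunk, which now depends on this call, presumably continues with whatever `$EASYRSA_SSL_CONF` held beforehand. An `else` on the `-d` test, `else verbose "verify_working_env: temp-dir not found, session not secured: $EASYRSA_TEMP_DIR"`, would make that path traceable in the same way as the BEGIN/COMPLETED lines. The `-d` test only establishes that a directory exists; whether `secure_session` itself checks ownership and permissions of that directory is not visible in this hunk and is worth confirming, since the removed top-level block relied on the same test. The `if [ -z "$secured_session" ]` block is now repeated verbatim in both branches of `if [ "$require_pki" ]`; hoisting it below the `fi` behind a single guard would remove the duplication.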