From 360e9ff59d3712094c467fdb24338f760d4ba8e4 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 02:45:08 +0000 Subject: [PATCH 1/8] Remove 'upgrade' command interface and help only Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 20 ++------------------ 2 files changed, 3 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7421e102f..1eb4def33 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Remove command 'upgrade' (#1045)' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043) * New diagnostic command 'display-cn' (#1040) * Expand renewable certificate types to include code-signing (#1039) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index cd88572d4..4d8fe89cc 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -57,8 +57,7 @@ A list of commands is shown below: export-p7 [ cmd-opts ] export-p8 [ cmd-opts ] export-p12 [ cmd-opts ] - set-pass [ cmd-opts ] - upgrade " + set-pass [ cmd-opts ]" # collect/show dir status: text_only=1 @@ -404,17 +403,6 @@ cmd_help() { * nopass - Do not encrypt the private key (Default: encrypted) (Equivalent to global option '--nopass|--no-pass') * file - (Advanced) Treat the file as a raw path, not a short-name" - ;; - upgrade) - text=" -* upgrade - - Upgrade EasyRSA PKI and/or CA. - - Upgrade must be one of: - - * pki - Upgrade EasyRSA v2.x PKI to v3.x PKI (includes CA below) - * ca - Upgrade EasyRSA v3.0.5 CA or older to v3.0.6 CA or later." ;; altname|subjectaltname|san) text_only=1 @@ -7153,7 +7141,7 @@ cmd="$1" # Establish PKI and CA initialisation requirements # This avoids unnecessary warnings and notices case "$cmd" in - ''|help|-h|--help|--usage|version|upgrade|show-host) + ''|help|-h|--help|--usage|version|show-host) unset -v require_pki require_ca ignore_vars=1 ;; 
@@ -7388,10 +7376,6 @@ case "$cmd" in ssl_cert_x509v3_eku "$@" || \ easyrsa_exit_with_error=1 ;; - upgrade) - verify_working_env - up23_manage_upgrade_23 "$@" - ;; ""|help|-h|--help|--usage) verify_working_env cmd_help "$1" From d6953cc9d76e1f79fcf763dbf97f50731094c83f Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 02:47:22 +0000 Subject: [PATCH 2/8] Remove 'rebuild' command interface and help only Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 317 +---------------------------------------------- 2 files changed, 2 insertions(+), 316 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1eb4def33..8364b1600 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Remove command 'rebuild' (#1045)' * Remove command 'upgrade' (#1045)' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043) * New diagnostic command 'display-cn' (#1040) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4d8fe89cc..5ff17ded6 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -41,7 +41,6 @@ A list of commands is shown below: renew revoke-renewed [ cmd-opts ] rewind-renew - rebuild [ cmd-opts ] gen-crl update-db show-req [ cmd-opts ] @@ -218,16 +217,6 @@ cmd_help() { cessationOfOperation certificateHold" ;; - rebuild) - text=" -* rebuild [ cmd-opts ] - - Rebuild a certificate and key specified by " - - opts=" - * nopass - Do not encrypt the private key (Default: encrypted) - (Equivalent to global option '--nopass|--no-pass')" - ;; renew) text=" * renew @@ -856,8 +845,6 @@ cleanup() { rm -f "$crt_out" "$req_out" "$key_out" # Restore files when renew is interrupted [ "$error_undo_renew_move" ] && renew_restore_move - # Restore files when rebuild is interrupted - [ "$error_undo_rebuild_move" ] && rebuild_restore_move if [ "${secured_session%/*}" ] && \ [ -d "$secured_session" ] 
@@ -3293,302 +3280,6 @@ Serial number: $cert_serial To revoke use: 'revoke-renewed $crt_cn'" } # => rewind_renew() -# rebuild backend -rebuild() { - # pull filename base: - [ "$1" ] || user_error "\ -Error: didn't find a file base name as the first argument. -Run easyrsa without commands for usage and command help." - - # Assign file_name_base and dust off! - file_name_base="$1" - shift - - in_dir="$EASYRSA_PKI" - crt_in="$in_dir/issued/${file_name_base}.crt" - key_in="$in_dir/private/${file_name_base}.key" - req_in="$in_dir/reqs/${file_name_base}.req" - creds_in="$in_dir/${file_name_base}.creds" - inline_in="$in_dir/inline/${file_name_base}.inline" - - # Upgrade CA index.txt.attr - unique_subject = no - up23_upgrade_ca || \ - die "Failed to upgrade CA to support renewal." - - # Set 'nopass' - while [ "$1" ]; do - case "$1" in - nopass) - [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 - ;; - *) user_error "Unknown option: $1" - esac - shift - done - - # referenced cert must exist: - [ -f "$crt_in" ] || user_error "\ -Unable to rebuild as no certificate was found. -Certificate was expected at: -* $crt_in" - - # Verify certificate - verify_file x509 "$crt_in" || user_error "\ -Unable to rebuild as the input file is not a valid certificate. -Certificate was expected at: -* $crt_in" - - # Verify request - if [ -e "$req_in" ]; then - verify_file req "$req_in" || user_error "\ -Unable to verify request. The file is not a valid request. -Request was expected at: -* $req_in" - fi - - # get the serial number of the certificate - ssl_cert_serial "$crt_in" cert_serial || \ - die "$cmd: Failed to get cert serial number!" 
- - # Duplicate cert by serial file - dup_dir="$EASYRSA_PKI/certs_by_serial" - dup_crt_by_serial="$dup_dir/${cert_serial}.pem" - - # Set out_dir - out_dir="$EASYRSA_PKI/renewed" - crt_out="$out_dir/issued/${file_name_base}.crt" - key_out="$out_dir/private/${file_name_base}.key" - req_out="$out_dir/reqs/${file_name_base}.req" - - # NEVER over-write a renewed cert, revoke it first - deny_msg="\ -Cannot rebuild this certificate, a conflicting file exists. -*" - [ -e "$crt_out" ] && \ - user_error "$deny_msg certificate: $crt_out" - [ -e "$key_out" ] && \ - user_error "$deny_msg private key: $key_out" - [ -e "$req_out" ] && \ - user_error "$deny_msg request : $req_out" - unset -v deny_msg - - # Extract certificate usage from old cert - cert_ext_key_usage="$( - easyrsa_openssl x509 -in "$crt_in" -noout -text | - sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}" - )" - - case "$cert_ext_key_usage" in - "TLS Web Client Authentication") - cert_type=client - ;; - "TLS Web Server Authentication") - cert_type=server - ;; - "TLS Web Server Auth"*", TLS Web Client Auth"*) - cert_type=serverClient - ;; - *) die "Unknown key usage: $cert_ext_key_usage" - esac - - # Use SAN from --subject-alt-name, if set - # else use SAN from old cert - if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName - then - : # ok - Use current subjectAltName - else - san="$( - easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \ - "/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;p;}" - )" - - [ "$san" ] && export EASYRSA_EXTRA_EXTS="\ -$EASYRSA_EXTRA_EXTS -subjectAltName = $san" - fi - - # confirm operation by displaying DN: - unset -v if_exist_key_in if_exist_req_in - [ -e "$key_in" ] && if_exist_key_in=" -* $key_in" - [ -e "$req_in" ] && if_exist_req_in=" -* $req_in" - warn "\ -This process is destructive! 
- -These files will be MOVED to the 'renewed' sub-directory: -* $crt_in${if_exist_key_in}${if_exist_req_in} - -These files will be DELETED: -All PKCS files for commonName : $file_name_base - -The inline credentials files: -* $creds_in -* $inline_in - -The duplicate certificate: -* $dup_crt_by_serial - -IMPORTANT: The new key will${EASYRSA_NO_PASS:+ NOT} \ -be password protected." - - confirm " Continue with rebuild: " "yes" " -Please confirm you wish to renew the certificate -with the following subject: - - $(display_dn x509 "$crt_in") - - serial-number: $cert_serial" - - # move renewed files so we can reissue - # certificate with the same name - rebuild_move - error_undo_rebuild_move=1 - - # rebuild certificate - if EASYRSA_BATCH=1 build_full "$cert_type" "$file_name_base" - then - unset -v error_undo_rebuild_move - else - # If rebuild failed then restore cert, key and req. - # Otherwise, issue a warning. If *restore* fails - # then at least the file-names are not serial-numbers - rebuild_restore_move - die "\ -Rebuild has failed to build a new certificate/key pair." - fi - - # Success messages - notice "Rebuild was successful. - - * IMPORTANT * - -Rebuild has created a new certificate and key, to replace -both old files. 
- -To revoke the old certificate, once the new one has been -deployed, use command: -'revoke-renewed $file_name_base reason' ('reason' is optional)" - - return 0 -} # => rebuild() - -# Restore files on failure to rebuild -rebuild_restore_move() { - unset -v rrm_err error_undo_renew_move - # restore crt, key and req file to PKI folders - if mv "$restore_crt_out" "$restore_crt_in"; then - : # ok - else - warn "Failed to restore: $restore_crt_out" - rrm_err=1 - fi - - # only restore the key if we have it - if [ -e "$restore_key_out" ]; then - if mv "$restore_key_out" "$restore_key_in"; then - : # ok - else - warn "Failed to restore: $restore_key_out" - rrm_err=1 - fi - fi - - # only restore the req if we have it - if [ -e "$restore_req_out" ]; then - if mv "$restore_req_out" "$restore_req_in"; then - : # ok - else - warn "Failed to restore: $restore_req_out" - rrm_err=1 - fi - fi - - # messages - if [ "$rrm_err" ]; then - warn "Failed to restore renewed files." - else - notice "\ -Rebuild FAILED but files have been successfully restored." 
- fi - - return 0 -} # => rebuild_restore_move() - -# rebuild_move -# moves renewed certificates to the 'renewed' folder -# allows reissuing certificates with the same name -rebuild_move() { - # make sure renewed dirs exist - for target in "$out_dir" \ - "$out_dir/issued" \ - "$out_dir/private" \ - "$out_dir/reqs" - do - [ -d "$target" ] && continue - mkdir -p "$target" || - die "Failed to mkdir: $target" - done - - # move crt, key and req file to renewed folders - restore_crt_in="$crt_in" - restore_crt_out="$crt_out" - mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in" - - # only move the key if we have it - restore_key_in="$key_in" - restore_key_out="$key_out" - if [ -e "$key_in" ]; then - mv "$key_in" "$key_out" || warn "Failed to move: $key_in" - fi - - # only move the req if we have it - restore_req_in="$req_in" - restore_req_out="$req_out" - if [ -e "$req_in" ]; then - mv "$req_in" "$req_out" || warn "Failed to move: $req_in" - fi - - # remove any pkcs files - for pkcs in p12 p7b p8 p1; do - if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then - # issued - rm "$in_dir/issued/$file_name_base.$pkcs" || - warn "Failed to remove: $file_name_base.$pkcs" - - elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then - # private - rm "$in_dir/private/$file_name_base.$pkcs" || - warn "Failed to remove: $file_name_base.$pkcs" - else - : # ok - fi - done - - # remove the duplicate certificate - if [ -e "$dup_crt_by_serial" ]; then - rm "$dup_crt_by_serial" || warn "\ -Failed to remove the duplicate certificate: -* $dup_crt_by_serial" - fi - - # remove credentials file - if [ -e "$creds_in" ]; then - rm "$creds_in" || warn "\ -Failed to remove credentials file: -* $creds_in" - fi - - # remove inline file - if [ -e "$inline_in" ]; then - rm "$inline_in" || warn "\ -Failed to remove inline file: -* $inline_in" - fi - - return 0 -} # => rebuild_move() - # gen-crl backend gen_crl() { out_file="$EASYRSA_PKI/crl.pem" 
@@ -5510,7 +5201,7 @@ Use of --startdate requires use of --enddate." # --enddate may over-rule EASYRSA_CERT_EXPIRE if [ "$EASYRSA_END_DATE" ]; then case "$cmd" in - sign-req|build-*-full|renew|rebuild) + sign-req|build-*-full|renew) # User specified alias_days IS over-ruled if [ "$alias_days" ]; then warn "\ @@ -7254,12 +6945,6 @@ case "$cmd" in verify_working_env rewind_renew "$@" ;; - rebuild) - verify_working_env - [ -z "$alias_days" ] || \ - export EASYRSA_CERT_EXPIRE="$alias_days" - rebuild "$@" - ;; import-req) verify_working_env import_req "$@" From 1b3b75b46433d8d284f119be1d2a127bca6a97cc Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 16:38:50 +0000 Subject: [PATCH 3/8] Remove 'rewind-renew' command interface and help only Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5ff17ded6..714d01e48 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -40,7 +40,6 @@ A list of commands is shown below: revoke [ cmd-opts ] renew revoke-renewed [ cmd-opts ] - rewind-renew gen-crl update-db show-req [ cmd-opts ] @@ -222,17 +221,6 @@ cmd_help() { * renew Renew a certificate specified by " - ;; - rewind|rewind-renew) - text=" -* rewind-renew - - Rewind an EasyRSA version 3.0 'style' renewed certificate. - Once 'rewind' has completed the certificate can be revoked - by using: 'revoke-renewed [reason]' - - * NOTE: This does NOT 'unrenew' or 'unrevoke' a certificate. - Ref : https://github.com/OpenVPN/easy-rsa/issues/578" ;; gen-crl) text=" @@ -6941,10 +6929,6 @@ case "$cmd" in export EASYRSA_CERT_EXPIRE="$alias_days" renew "$@" ;; - rewind-renew) - verify_working_env - rewind_renew "$@" - ;; import-req) verify_working_env import_req "$@" From c11ab54c654de01daa801d2ec53019423cbc10b2 Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Thu, 7 Dec 2023 18:33:38 +0000 Subject: [PATCH 4/8] renew: Replace 'up23_upgrade_ca' with 'ca_unique_subject_no' These two do essentially the same: * Make sure index.txt.attr file contains 'unique_subject = no' Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 714d01e48..7a27be7f5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2758,7 +2758,7 @@ Run easyrsa without commands for usage and command help." inline_in="$in_dir/inline/${file_name_base}.inline" # Upgrade CA index.txt.attr - unique_subject = no - up23_upgrade_ca || \ + ca_unique_subject_no || \ die "Failed to upgrade CA to support renewal." # deprecate ALL options @@ -2987,6 +2987,29 @@ Failed to remove inline file: return 0 } # => renew_move() +# Set unique_subject = no in index.txt.attr +ca_unique_subject_no() { + [ -d "$EASYRSA_PKI" ] || return 0 + attr_file="$EASYRSA_PKI/index.txt.attr" + verbose "\ +Confirm: index.txt.attr exists and 'unique_subject = no'" + + if [ -f "$attr_file" ]; then + if grep -q '^[[:blank:]]*unique_subject = no' \ + "$attr_file" + then + return 0 + fi + else + return 0 + fi + + # Otherwise this is required for all easyrsa v3 + printf '%s\n' 'unique_subject = no' > "$attr_file" || \ + die "ca_unique_subject_no - Failed write" + verbose "Set unique_subject = no in index.txt.attr" +} #=> ca_unique_subject_no() + # revoke-renewed backend revoke_renewed() { # pull filename base: From e9c29da7700d8ece4724aea9096864272592a9fc Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 18:52:45 +0000 Subject: [PATCH 5/8] renew: Define 'cert_serial and 'cert_type'; Correct minor formatting Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7a27be7f5..017a9ea63 100755 
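Review bot: The new `ca_unique_subject_no()` in the second hunk finishes with a `verbose` call, so on the path that rewrites index.txt.attr its exit status is whatever `verbose` returns, and the caller changed in the first hunk (`ca_unique_subject_no || die "Failed to upgrade CA to support renewal."`) would turn any non-zero status from that helper into a fatal error; adding `return 0` after the final `verbose` makes this branch match the explicit early returns above it. The check `grep -q '^[[:blank:]]*unique_subject = no'` only accepts single spaces around `=`, so spellings such as `unique_subject=no` (which an OpenSSL-style config reader is presumably expected to treat the same) fall through to the `printf ... > "$attr_file"` that replaces the whole file rather than editing the one line; if that is intended, a comment such as `# file is rewritten, not edited: any other attributes are discarded` would document it, otherwise `'^[[:blank:]]*unique_subject[[:blank:]]*=[[:blank:]]*no'` is a closer match. `verbose` and `die` are defined outside this hunk, so the exit-status point is inferred from their names and call sites only.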
--- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1434,7 +1434,7 @@ install_data_to_pki: $context - create_openssl_easyrsa_cnf OK" [ -d "$EASYRSA_EXT_DIR" ] || verbose "\ install_data_to_pki: $context - Missing: '$x509_types_dir'" verbose "install_data_to_pki: $context - COMPLETED" -} # => install_data_to_pki () +} # => install_data_to_pki() # Disable terminal echo, if possible, otherwise warn hide_read_pass() { @@ -2457,7 +2457,7 @@ INCOMPLETE Inline file created: } # => build_full() # Print inline data for file_name_base -inline_creds () { +inline_creds() { [ "$1" ] || die "inline_creds - Missing file_name_base" # Source files @@ -2524,7 +2524,7 @@ $ca_data " # If inline file is incomplete then return error return "$incomplete" -} # => inline_creds () +} # => inline_creds() # revoke backend revoke() { @@ -2796,6 +2796,7 @@ Missing request file: fi # get the serial number of the certificate + cert_serial= ssl_cert_serial "$crt_in" cert_serial || \ die "$cmd: Failed to get cert serial number!" @@ -2821,6 +2822,7 @@ Cannot renew this certificate, a conflicting file exists: die "Failed to create inline directoy." # Extract certificate usage from old cert + cert_type= ssl_cert_x509v3_eku "$crt_in" cert_type || \ die "Unknown EKU: $cert_type" @@ -6587,7 +6589,7 @@ SSL Lib: ${ssl_version:-undefined} Git Commit: ~GITHEAD~ Source Repo: https://github.com/OpenVPN/easy-rsa VERSION_TEXT -} # => print_version () +} # => print_version() ######################################## From 6a88eddead0a5d62369925424679fb52cd3f5d2e Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 20:46:44 +0000 Subject: [PATCH 6/8] Remove upgrade functions Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 592 +---------------------------------------------- 1 file changed, 1 insertion(+), 591 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 017a9ea63..b678fde1c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
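Review bot: In the hunk that adds `cert_type=` the failure message on the next line, `die "Unknown EKU: $cert_type"`, now expands a variable that was just cleared, so unless `ssl_cert_x509v3_eku` populates `cert_type` before returning non-zero the error will read `Unknown EKU: ` with no diagnostic content; naming the input instead, `die "Unknown EKU in certificate: $crt_in"`, keeps the message useful regardless of what the helper does on failure. The same pattern in the `cert_serial=` hunk is fine because its `die` message does not reference the cleared variable. `ssl_cert_x509v3_eku` is not visible here, so whether it sets the out-variable before failing is inferred, and the enclosing `renew()` body starts and ends outside these hunks. The remaining hunks (`inline_creds () {` → `inline_creds() {` and the trailing `# => name()` comments) are formatting only.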
@@ -5985,597 +5985,7 @@ authorityKeyIdentifier=keyid:always,issuer:always SSL_CONFIG } # => create_openssl_easyrsa_cnf() - - -############################################################################ -# Upgrade v2 PKI to v3 PKI - -# You can report problems on the normal openvpn support channels: -# -------------------------------------------------------------------------- -# 1. The Openvpn Forum: https://forums.openvpn.net/viewforum.php?f=31 -# 2. The #easyrsa IRC channel at libera.chat -# 3. Info: https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade -# -------------------------------------------------------------------------- -# - -up23_fail_upgrade () { - # Replace die() - unset -v EASYRSA_BATCH - notice " -============================================================================ -The update has failed but NOTHING has been lost. - -ERROR: $1 ----------------------------------------------------------------------------- - -Further info: -* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade#ersa-up23-fails - -Easyrsa3 upgrade FAILED -============================================================================ -" - exit 9 -} #=> up23_fail_upgrade () - -up23_verbose () { - [ "$VERBOSE" ] || return 0 - printf "%s\n" "$1" -} #=> up23_verbose () - -up23_verify_new_pki () { - # Fail now, before any changes are made - - up23_verbose "> Verify DEFAULT NEW PKI does not exist .." - EASYRSA_NEW_PKI="$EASYRSA/pki" - [ -d "$EASYRSA_NEW_PKI" ] \ - && up23_fail_upgrade "DEFAULT NEW PKI exists: $EASYRSA_NEW_PKI" - - up23_verbose "> Verify VERY-SAFE-PKI does not exist .." - EASYRSA_SAFE_PKI="$EASYRSA/VERY-SAFE-PKI" - [ -d "$EASYRSA_SAFE_PKI" ] \ - && up23_fail_upgrade "VERY-SAFE-PKI exists: $EASYRSA_SAFE_PKI" - - up23_verbose "> Verify openssl-easyrsa.cnf does exist .." 
- EASYRSA_SSL_CNFFILE="$EASYRSA/openssl-easyrsa.cnf" - [ -f "$EASYRSA_SSL_CNFFILE" ] \ - || up23_fail_upgrade "cannot find $EASYRSA_SSL_CNFFILE" - - up23_verbose "> Verify vars.example does exist .." - EASYRSA_VARSV3_EXMP="$EASYRSA/vars.example" - [ -f "$EASYRSA_VARSV3_EXMP" ] \ - || up23_fail_upgrade "cannot find $EASYRSA_VARSV3_EXMP" - - up23_verbose "> OK" - up23_verbose " Initial dirs & files are in a workable state." -} #=> up23_verify_new_pki () - -# shellcheck disable=SC2154 -up23_verify_current_pki () { - up23_verbose "> Verify CURRENT PKI vars .." - - # This can probably be improved - EASYRSA_NO_REM="$(grep '^set ' "$EASYRSA_VER2_VARSFILE")" - - # This list may not be complete - # Not required: DH_KEY_SIZE PKCS11_MODULE_PATH PKCS11_PIN - for i in KEY_DIR KEY_SIZE KEY_COUNTRY KEY_PROVINCE \ - KEY_CITY KEY_ORG KEY_EMAIL KEY_CN KEY_NAME KEY_OU - do - # Effectively, source the v2 vars file - UNIQUE="set $i" - KEY_grep="$(printf "%s\n" "$EASYRSA_NO_REM" | grep "$UNIQUE")" - KEY_value="${KEY_grep##*=}" - set_var $i "$KEY_value" - done - - [ -d "$KEY_DIR" ] || up23_fail_upgrade "Cannot find CURRENT PKI KEY_DIR: $KEY_DIR" - - up23_verbose "> OK" - up23_verbose " Current CURRENT PKI vars uses PKI in: $KEY_DIR" -} #=> up23_verify_current_pki () - -# shellcheck disable=SC2154 -up23_verify_current_ca () { - up23_verbose "> Find CA .." 
- # $KEY_DIR is assigned in up23_verify_current_pki () - [ -f "$KEY_DIR/ca.crt" ] \ - || up23_fail_upgrade "Cannot find current ca.crt: $KEY_DIR/ca.crt" - up23_verbose "> OK" - - # If CA is already verified then return - in_file="$KEY_DIR/ca.crt" - [ "$CURRENT_CA_IS_VERIFIED" = "$in_file" ] && return 0 - format="x509" - - # Current CA is unverified - # Extract the current CA details - name_opts="utf8,sep_multiline,space_eq,lname,align" - CA_SUBJECT="$( - easyrsa_openssl $format -in "$in_file" -subject -noout \ - -nameopt "$name_opts" - )" - - # Extract individual elements - CA_countryName="$(printf "%s\n" "$CA_SUBJECT" \ - | grep countryName | sed "s\`^.*=\ \`\`g")" - CA_stateOrProvinceName="$(printf "%s\n" "$CA_SUBJECT" \ - | grep stateOrProvinceName | sed "s\`^.*=\ \`\`g")" - CA_localityName="$(printf "%s\n" "$CA_SUBJECT" \ - | grep localityName | sed "s\`^.*=\ \`\`g")" - CA_organizationName="$(printf "%s\n" "$CA_SUBJECT" \ - | grep organizationName | sed "s\`^.*=\ \`\`g")" - CA_organizationalUnitName="$(printf "%s\n" "$CA_SUBJECT" \ - | grep organizationalUnitName | sed "s\`^.*=\ \`\`g")" - CA_emailAddress="$(printf "%s\n" "$CA_SUBJECT" \ - | grep emailAddress | sed "s\`^.*=\ \`\`g")" - - # Match the current CA elements to the vars file settings - CA_vars_match=1 - [ "$CA_countryName" = "$KEY_COUNTRY" ] || CA_vars_match=0 - [ "$CA_stateOrProvinceName" = "$KEY_PROVINCE" ] || CA_vars_match=0 - [ "$CA_localityName" = "$KEY_CITY" ] || CA_vars_match=0 - [ "$CA_organizationName" = "$KEY_ORG" ] || CA_vars_match=0 - [ "$CA_organizationalUnitName" = "$KEY_OU" ] || CA_vars_match=0 - [ "$CA_emailAddress" = "$KEY_EMAIL" ] || CA_vars_match=0 - - if [ "$CA_vars_match" -eq 1 ] - then - CURRENT_CA_IS_VERIFIED="partially" - else - warn "CA certificate does not match vars file settings" - fi - - opts="-certopt no_pubkey,no_sigdump" - if [ ! 
"$EASYRSA_BATCH" ] - then - up23_show_current_ca - elif [ "$VERBOSE" ] - then - up23_show_current_ca - fi - confirm "* Confirm CA shown above is correct: " "yes" \ - "Found current CA at: $KEY_DIR/ca.crt" - CURRENT_CA_IS_VERIFIED="$in_file" -} #=> up23_verify_current_ca () - -up23_show_current_ca () { - name_opts="utf8,sep_multiline,space_eq,lname,align" - printf "%s\n" "-------------------------------------------------------------------------" - # $opts is always set here - # shellcheck disable=SC2086 # Ignore unquoted variables - easyrsa_openssl $format -in "$in_file" -noout -text \ - -nameopt "$name_opts" $opts || die "\ - OpenSSL failure to process the input CA certificate: $in_file" - printf "%s\n" "-------------------------------------------------------------------------" -} #=> up23_show_current_ca () - -up23_backup_current_pki () { - up23_verbose "> Backup current PKI .." - - mkdir -p "$EASYRSA_SAFE_PKI" \ - || up23_fail_upgrade "Failed to create safe PKI dir: $EASYRSA_SAFE_PKI" - - cp -r "$KEY_DIR" "$EASYRSA_SAFE_PKI" \ - || up23_fail_upgrade "Failed to copy $KEY_DIR to $EASYRSA_SAFE_PKI" - - # EASYRSA_VER2_VARSFILE is either version 2 *nix ./vars or Win vars.bat - cp "$EASYRSA_VER2_VARSFILE" "$EASYRSA_SAFE_PKI" \ - || up23_fail_upgrade "Failed to copy $EASYRSA_VER2_VARSFILE to EASYRSA_SAFE_PKI" - - up23_verbose "> OK" - up23_verbose " Current PKI backup created in: $EASYRSA_SAFE_PKI" -} #=> up23_backup_current_pki () - -up23_create_new_pki () { - # Dirs: renewed and revoked are created when used. - up23_verbose "> Create NEW PKI .." - up23_verbose ">> Create NEW PKI dirs .." - for i in private reqs issued certs_by_serial - do - mkdir -p "$EASYRSA_PKI/$i" \ - || up23_fail_upgrade "Failed to Create NEW PKI dir: $EASYRSA_PKI/$i" - done - up23_verbose ">> OK" - - up23_verbose ">> Copy database to NEW PKI .." 
- # Failure for these is not optional - # Files ignored: index.txt.old serial.old - for i in index.txt serial ca.crt index.txt.attr - do - cp "$KEY_DIR/$i" "$EASYRSA_PKI" \ - || up23_fail_upgrade "Failed to copy $KEY_DIR/$i to $EASYRSA_PKI" - done - up23_verbose ">> OK" - - up23_verbose ">> Copy current PKI to NEW PKI .." - for i in "csr.reqs" "pem.certs_by_serial" "crt.issued" "key.private" \ - "p12.private" "p8.private" "p7b.issued" - do - FILE_EXT="${i%%.*}" - DEST_DIR="${i##*.}" - if ls "$KEY_DIR/"*".$FILE_EXT" > /dev/null 2>&1; then - cp "$KEY_DIR/"*".$FILE_EXT" "$EASYRSA_PKI/$DEST_DIR" \ - || up23_fail_upgrade "Failed to copy .$FILE_EXT" - else - up23_verbose " Note: No .$FILE_EXT files found" - fi - done - up23_verbose ">> OK" - up23_verbose "> OK" - - # Todo: CRL - Or generate a new CRL on completion - up23_verbose " New PKI created in: $EASYRSA_PKI" -} #=> up23_create_new_pki () - -up23_upgrade_ca () { - [ -d "$EASYRSA_PKI" ] || return 0 - up23_verbose "> Confirm that index.txt.attr exists and 'unique_subject = no'" - if [ -f "$EASYRSA_PKI/index.txt.attr" ] - then - if grep -q 'unique_subject = no' "$EASYRSA_PKI/index.txt.attr" - then - # If index.txt.attr exists and "unique_suject = no" then do nothing - return 0 - fi - else - # If index.txt.attr does not exists then do nothing - return 0 - fi - - # Otherwise this is required for all easyrsa v3 - #confirm "Set 'unique_subject = no' in index.txt.attr for your current CA: " \ - #"yes" "This version of easyrsa requires that 'unique_subject = no' is set correctly" - - printf "%s\n" "unique_subject = no" > "$EASYRSA_PKI/index.txt.attr" - up23_verbose "> OK" - up23_verbose " Upgraded index.txt.attr to v306+" -} #=> up23_upgrade_index_txt_attr () - -up23_create_openssl_cnf () { - up23_verbose "> OpenSSL config .." 
- EASYRSA_PKI_SSL_CNFFILE="$EASYRSA_PKI/openssl-easyrsa.cnf" - EASYRSA_PKI_SAFE_CNFFILE="$EASYRSA_PKI/safessl-easyrsa.cnf" - cp "$EASYRSA_SSL_CNFFILE" "$EASYRSA_PKI_SSL_CNFFILE" \ - || up23_fail_upgrade "create $EASYRSA_PKI_SSL_CNFFILE" - up23_verbose "> OK" - up23_verbose " New OpenSSL config file created in: $EASYRSA_PKI_SSL_CNFFILE" - - # Create secure session - # Because the upgrade runs twice, once as a test and then for real - # secured_session must be cleared to avoid overload error - #[ "$secured_session" ] && unset -v secured_session - #up23_verbose "> Create secure session" - #secure_session || die "up23_create_openssl_cnf - secure_session failed." - #up23_verbose "> OK" - #up23_verbose " secure session: $secured_session" - - # Create $EASYRSA_PKI/safessl-easyrsa.cnf - easyrsa_openssl makesafeconf - if [ -f "$EASYRSA_PKI_SAFE_CNFFILE" ] - then - up23_verbose " New SafeSSL config file created in: $EASYRSA_PKI_SAFE_CNFFILE" - else - up23_verbose " FAILED to create New SafeSSL config file in: $EASYRSA_PKI_SAFE_CNFFILE" - fi -} #=> up23_create_openssl_cnf () - -up23_move_easyrsa2_programs () { - # These files may not exist here - up23_verbose "> Move easyrsa2 programs to SAFE PKI .." 
- for i in build-ca build-dh build-inter build-key build-key-pass \ - build-key-pkcs12 build-key-server build-req build-req-pass \ - clean-all inherit-inter list-crl pkitool revoke-full sign-req \ - whichopensslcnf build-ca-pass build-key-server-pass init-config \ - make-crl revoke-crt openssl-0.9.6.cnf openssl-0.9.8.cnf \ - openssl-1.0.0.cnf openssl.cnf README.txt index.txt.start \ - vars.bat.sample serial.start - do - # Although unlikely, both files could exist - # EG: ./build-ca and ./build-ca.bat - NIX_FILE="$EASYRSA/$i" - WIN_FILE="$EASYRSA/$i.bat" - if [ -f "$NIX_FILE" ] - then - cp "$NIX_FILE" "$EASYRSA_SAFE_PKI" \ - || up23_fail_upgrade "copy $NIX_FILE $EASYRSA_SAFE_PKI" - fi - - if [ -f "$WIN_FILE" ] - then - cp "$WIN_FILE" "$EASYRSA_SAFE_PKI" \ - || up23_fail_upgrade "copy $WIN_FILE $EASYRSA_SAFE_PKI" - fi - - if [ ! -f "$NIX_FILE" ] && [ ! -f "$WIN_FILE" ] - then - up23_verbose "File does not exist, ignoring: $i(.bat)" - fi - - # These files are not removed on TEST run - [ "$NOSAVE" -eq 1 ] && rm -f "$NIX_FILE" "$WIN_FILE" - done - - up23_verbose "> OK" - up23_verbose " Easyrsa2 programs successfully moved to: $EASYRSA_SAFE_PKI" -} #=> up23_move_easyrsa2_programs () - -# shellcheck disable=SC2154 -up23_build_v3_vars () { - up23_verbose "> Build v3 vars file .." 
- - EASYRSA_EXT="easyrsa-upgrade-23" - EASYRSA_VARSV2_TMP="$EASYRSA/vars-v2.tmp.$EASYRSA_EXT" - rm -f "$EASYRSA_VARSV2_TMP" - EASYRSA_VARSV3_TMP="$EASYRSA/vars-v3.tmp.$EASYRSA_EXT" - rm -f "$EASYRSA_VARSV3_TMP" - EASYRSA_VARSV3_NEW="$EASYRSA/vars-v3.new.$EASYRSA_EXT" - rm -f "$EASYRSA_VARSV3_NEW" - EASYRSA_VARSV3_WRN="$EASYRSA/vars-v3.wrn.$EASYRSA_EXT" - rm -f "$EASYRSA_VARSV3_WRN" - - printf "%s\n" "\ -########################++++++++++######################### -### ### -### WARNING: THIS FILE WAS AUTOMATICALLY GENERATED ### -### ALL SETTINGS ARE AT THE END OF THE FILE ### -### ### -########################++++++++++######################### - -" > "$EASYRSA_VARSV3_WRN" || up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_WRN" - - # Create vars v3 temp file from sourced vars v2 key variables - { - printf "%s\n" "set_var EASYRSA_KEY_SIZE $KEY_SIZE" - printf "%s\n" "set_var EASYRSA_REQ_COUNTRY \"$KEY_COUNTRY\"" - printf "%s\n" "set_var EASYRSA_REQ_PROVINCE \"$KEY_PROVINCE\"" - printf "%s\n" "set_var EASYRSA_REQ_CITY \"$KEY_CITY\"" - printf "%s\n" "set_var EASYRSA_REQ_ORG \"$KEY_ORG\"" - printf "%s\n" "set_var EASYRSA_REQ_EMAIL \"$KEY_EMAIL\"" - printf "%s\n" "set_var EASYRSA_REQ_OU \"$KEY_OU\"" - printf "%s\n" 'set_var EASYRSA_NS_SUPPORT "yes"' - printf "%s\n" 'set_var EASYRSA_DN "org"' - printf "%s\n" 'set_var EASYRSA_RAND_SN "no"' - printf "%s\n" "" - } > "$EASYRSA_VARSV3_TMP" \ - || up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_TMP" - - # cat temp files into new v3 vars - cat "$EASYRSA_VARSV3_WRN" "$EASYRSA_VARSV3_EXMP" "$EASYRSA_VARSV3_TMP" \ - > "$EASYRSA_VARSV3_NEW" \ - || up23_fail_upgrade "Failed to create $EASYRSA_VARSV3_NEW" - - # This file must be created and restored at the end of TEST - # for the REAL update to to succeed - EASYRSA_VARS_LIVEBKP="$EASYRSA_TARGET_VARSFILE.livebackup" - cp "$EASYRSA_VER2_VARSFILE" "$EASYRSA_VARS_LIVEBKP" \ - || up23_fail_upgrade "Failed to create $EASYRSA_VARS_LIVEBKP" - rm -f "$EASYRSA_VER2_VARSFILE" - - # 
"$EASYRSA_TARGET_VARSFILE" is always $EASYRSA/vars - cp "$EASYRSA_VARSV3_NEW" "$EASYRSA_TARGET_VARSFILE" \ - || up23_fail_upgrade "copy $EASYRSA_VARSV3_NEW to $EASYRSA_TARGET_VARSFILE" - - # Delete temp files - rm -f "$EASYRSA_VARSV2_TMP" "$EASYRSA_VARSV3_TMP" \ - "$EASYRSA_VARSV3_NEW" "$EASYRSA_VARSV3_WRN" - - up23_verbose "> OK" - up23_verbose " New v3 vars file created in: $EASYRSA_TARGET_VARSFILE" -} #=> up23_build_v3_vars () - -# shellcheck disable=SC2154 -up23_do_upgrade_23 () { - up23_verbose "============================================================================" - up23_verbose "Begin ** $1 ** upgrade process .." - up23_verbose "" - up23_verbose "Easyrsa upgrade version: $EASYRSA_UPGRADE_23" - up23_verbose "" - - up23_verify_new_pki - up23_create_new_pki - up23_create_openssl_cnf - up23_verify_current_pki - up23_verify_current_ca - up23_backup_current_pki - up23_upgrade_ca - up23_move_easyrsa2_programs - up23_build_v3_vars - - if [ "$NOSAVE" -eq 0 ] - then - # Must stay in this order - # New created dirs: EASYRSA_NEW_PKI and EASYRSA_SAFE_PKI - rm -rf "$EASYRSA_NEW_PKI" - rm -rf "$EASYRSA_SAFE_PKI" - # EASYRSA_TARGET_VARSFILE is always the new created v3 vars - # Need to know if this fails - rm "$EASYRSA_TARGET_VARSFILE" \ - || up23_fail_upgrade "remove new vars file: $EASYRSA_TARGET_VARSFILE" - # EASYRSA_VER2_VARSFILE is either v2 *nix ./vars or Win vars.bat - # Need this dance because v2 vars is same name as v3 vars above - cp "$EASYRSA_VARS_LIVEBKP" "$EASYRSA_VER2_VARSFILE" - fi - rm -f "$EASYRSA_VARS_LIVEBKP" -} #= up23_do_upgrade_23 () - -up23_manage_upgrade_23 () { - EASYRSA_UPGRADE_VERSION="v1.0a (2020/01/08)" - EASYRSA_UPGRADE_TYPE="$1" - EASYRSA_FOUND_VARS=0 - - # Verify all existing versions of vars/vars.bat - if [ -f "$EASYRSA_VARS_FILE" ] - then - if grep -q 'Complain if a user tries to do this:' \ - "$EASYRSA_VARS_FILE" - then - EASYRSA_FOUND_VARS=1 - EASYRSA_VARS_IS_VER3=1 - fi - - # Easyrsa v3 does not use NOR allow use of `export`. 
- if grep -q 'export' "$EASYRSA_VARS_FILE" - then - EASYRSA_FOUND_VARS=1 - EASYRSA_VARS_IS_VER2=1 - EASYRSA_VER2_VARSFILE="$EASYRSA_VARS_FILE" - EASYRSA_TARGET_VARSFILE="$EASYRSA_VARS_FILE" - fi - fi - - if [ -f "$EASYRSA/vars.bat" ] - then - EASYRSA_FOUND_VARS=1 - EASYRSA_VARS_IS_WIN2=1 - EASYRSA_VER2_VARSFILE="$EASYRSA/vars.bat" - EASYRSA_TARGET_VARSFILE="$EASYRSA/vars" - fi - - if [ $EASYRSA_FOUND_VARS -ne 1 ]; - then - die "vars file not found" - fi - - # Only allow specific vars/vars.bat to exist - if [ "$EASYRSA_VARS_IS_VER3" ] && [ "$EASYRSA_VARS_IS_VER2" ] - then - die "Verify your current vars file, v3 cannot use 'export'." - fi - - if [ "$EASYRSA_VARS_IS_VER3" ] && [ "$EASYRSA_VARS_IS_WIN2" ] - then - die "Verify your current vars/vars.bat file, cannot have both." - fi - - if [ "$EASYRSA_VARS_IS_VER2" ] && [ "$EASYRSA_VARS_IS_WIN2" ] - then - die "Verify your current vars/vars.bat file, cannot have both." - fi - - # Die on invalid upgrade type or environment - if [ "$EASYRSA_UPGRADE_TYPE" = "ca" ] - then - if [ "$EASYRSA_VARS_IS_VER3" ] - then - # v3 ensure index.txt.attr "unique_subject = no" - up23_upgrade_ca - unset -v EASYRSA_BATCH - notice "Your CA is fully up to date." - return 0 - else - die "Only v3 PKI CA can be upgraded." - fi - fi - - if [ "$EASYRSA_UPGRADE_TYPE" = "pki" ] - then - if [ "$EASYRSA_VARS_IS_VER3" ] - then - unset -v EASYRSA_BATCH - notice "Your PKI is fully up to date." - return 0 - fi - else - user_error "upgrade type must be 'pki' or 'ca'." - fi - - # PKI is potentially suitable for upgrade - - warn " -========================================================================= - - * WARNING * - -Found settings from EasyRSA-v2 which are not compatible with EasyRSA-v3. -Before you can continue, EasyRSA must upgrade your settings and PKI. 
-* Found EASYRSA and vars file: - $EASYRSA - $EASYRSA_VER2_VARSFILE : - -Further info: -* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade - -Easyrsa upgrade version: $EASYRSA_UPGRADE_VERSION -========================================================================= -" - -# Test upgrade - - NOSAVE=0 - - confirm "* EasyRSA **TEST** upgrade (Changes will NOT be written): " "yes" " -This upgrade will TEST that the upgrade works BEFORE making any changes." - - up23_do_upgrade_23 "TEST" - - notice " -========================================================================= - - * NOTICE * - -EasyRSA upgrade **TEST** has successfully completed. -" -# Upgrade for REAL - - NOSAVE=1 - - confirm "* EasyRSA **REAL** upgrade (Changes WILL be written): " "yes" " -========================================================================= - - * WARNING * - -Run REAL upgrade: Answer yes (Once completed you will have a version 3 PKI) -Terminate upgrade: Answer no (No changes have been made to your current PKI) -" - - confirm "* Confirm **REAL** upgrade (Changes will be written): " "yes" " -========================================================================= - - * SECOND WARNING * - -This upgrade will permanently write changes to your PKI ! -(With full backup backout) -" - up23_do_upgrade_23 "REAL" - - notice " -========================================================================= - - * NOTICE * - -Your settings and PKI have been successfully upgraded to EasyRSA version3 - -A backup of your current PKI is here: - $EASYRSA_SAFE_PKI - - * IMPORTANT NOTICE * - -1. YOU MUST VERIFY THAT YOUR NEW ./vars FILE IS SETUP CORRECTLY -2. 
IF YOU ARE USING WINDOWS YOU MUST ENSURE THAT openssl IS CORRECTLY DEFINED - IN ./vars (example follows) - - # - # This sample is in Windows syntax -- edit it for your path if not using PATH: - # set_var EASYRSA_OPENSSL \"C:/Program Files/OpenSSL-Win32/bin/openssl.exe\" - # - # Alternate location (Note: Forward slash '/' is correct for Windpws): - # set_var EASYRSA_OPENSSL \"C:/Program Files/Openvpn/bin/openssl.exe\" - # - -3. Finally, you can verify that easyrsa works by using these two commands: - ./easyrsa show-ca (Verify that your CA is intact and correct) - ./easyrsa gen-crl ((re)-generate a CRL file) - -Further info: -* https://community.openvpn.net/openvpn/wiki/easyrsa-upgrade" - up23_verbose " - * UPGRADE COMPLETED SUCCESSFULLY * -" - -return 0 - -} # => up23_manage_upgrade_23 () - +# Version information print_version() { ssl_version="$( OPENSSL_CONF=/dev/null \ From 72b4079be7aa6bc560bc64549db086ab4459f576 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 7 Dec 2023 20:53:28 +0000 Subject: [PATCH 7/8] Remove function 'rewind_renew' Signed-off-by: Richard T Bonhomme --- ChangeLog | 1 + easyrsa3/easyrsa | 122 ----------------------------------------------- 2 files changed, 1 insertion(+), 122 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8364b1600..07dbac4e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ Easy-RSA 3 ChangeLog 3.2.0 (TBD) + * Remove command 'rewind-renew' (#1045)' * Remove command 'rebuild' (#1045)' * Remove command 'upgrade' (#1045)' * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b678fde1c..618acc944 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -3171,128 +3171,6 @@ revoke_renewed_move() {
 return 0
 } # => revoke_renewed_move()

-# Move renewed certs_by_serial to the new renew layout
-rewind_renew() {
- # pull filename base: serial number
- [ "$1" ] || user_error "\
-Error: didn't find a serial number as the first argument.
-Run easyrsa without commands for usage and command help."
-
- # Assign file_name_base and dust off!
- file_name_base="$1"
- shift "$#" # No options supported
-
- cert_serial="$file_name_base"
- in_dir="$EASYRSA_PKI/renewed"
- crt_in="$in_dir/certs_by_serial/${file_name_base}.crt"
- key_in="$in_dir/private_by_serial/${file_name_base}.key"
- req_in="$in_dir/reqs_by_serial/${file_name_base}.req"
-
- # referenced cert must exist:
- [ -f "$crt_in" ] || user_error "\
-Unable to rewind as no certificate was found.
-Certificate was expected at:
-* $crt_in"
-
- # Verify certificate
- verify_file x509 "$crt_in" || user_error "\
-Unable to rewind as the input file is not a valid certificate.
-Certificate was expected at:
-* $crt_in"
-
- # Verify request
- if [ -e "$req_in" ]; then
- verify_file req "$req_in" || user_error "\
-Unable to verify request. The file is not a valid request.
-Request was expected at:
-* $req_in"
- fi
-
- # get the commonName of the certificate via DN
- crt_cn="$(
- easyrsa_openssl x509 -in "$crt_in" -noout \
- -subject -nameopt utf8,multiline | grep \
- '^[[:blank:]]*commonName[[:blank:]]*=[[:blank:]]'
- )" || die "Failed to find commonName in certificate"
- crt_cn="${crt_cn#*= }"
-
- # Set out_dir
- out_dir="$EASYRSA_PKI/renewed"
- crt_out="$out_dir/issued/${crt_cn}.crt"
- key_out="$out_dir/private/${crt_cn}.key"
- req_out="$out_dir/reqs/${crt_cn}.req"
-
- # Create out_dir
- for newdir in issued private reqs; do
- mkdir -p "$out_dir/$newdir" || \
- die "Failed to create: $out_dir/$newdir"
- done
-
- # NEVER over-write a renewed cert, revoke it first
- deny_msg="\
-Cannot rewind this certificate, a conflicting file exists.
-*"
- [ -e "$crt_out" ] && \
- user_error "$deny_msg certificate: $crt_out"
- [ -e "$key_out" ] && \
- user_error "$deny_msg private key: $key_out"
- [ -e "$req_out" ] && \
- user_error "$deny_msg request : $req_out"
- unset -v deny_msg
-
- warn "\
-This process is destructive!
-
-These files will be MOVED to the 'renewed' sub-directory:
-* $crt_in
-* $key_in
-* $req_in"
-
- confirm " Continue with rewind-renew: " "yes" "
-Please confirm you wish to rewind-renew the certificate
-with the following subject:
-
- $(display_dn x509 "$crt_in")
-
- serial-number: $cert_serial
-" # => confirm end
-
- # move crt, key and req file to renewed folders
- mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"
-
- # only move the key if we have it
- if [ -e "$key_in" ]; then
- if mv "$key_in" "$key_out"; then
- : # ok
- else
- # Attempt restore
- mv -f "$crt_out" "$crt_in"
- die "Failed to move: $key_in"
- fi
- fi
-
- # only move the req if we have it
- if [ -e "$req_in" ]; then
- if mv "$req_in" "$req_out"; then
- : # ok
- else
- # Attempt restore
- mv -f "$crt_out" "$crt_in"
- mv -f "$key_out" "$key_in"
- die "Failed to move: $req_in"
- fi
- fi
-
- # Success message
- notice "\
-Rewind is successful.
-
-Common Name : $crt_cn
-Serial number: $cert_serial
-
-To revoke use: 'revoke-renewed $crt_cn'"
-} # => rewind_renew()
-
 # gen-crl backend
 gen_crl() {
 out_file="$EASYRSA_PKI/crl.pem"

From 7470c2abacffcc63703093921e793802e9597336 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Thu, 7 Dec 2023 21:55:02 +0000
Subject: [PATCH 8/8] Remove function 'set_pass_legacy()'

- Replaced by command 'set-pass'

Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 7 ++--
 easyrsa3/easyrsa | 85 +-----------------------------------------------
 2 files changed, 5 insertions(+), 87 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 07dbac4e0..9f0bce7e6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,9 +1,10 @@
 Easy-RSA 3 ChangeLog

 3.2.0 (TBD)
- * Remove command 'rewind-renew' (#1045)'
- * Remove command 'rebuild' (#1045)'
- * Remove command 'upgrade' (#1045)'
+ * Remove function 'set_pass_legacy()' (#1045)
+ * Remove command 'rewind-renew' (#1045)
+ * Remove command 'rebuild' (#1045)
+ * Remove command 'upgrade' (#1045)
 * Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043)
 * New diagnostic command 'display-cn' (#1040)
 * Expand renewable certificate types to include code-signing (#1039)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 618acc944..3d4fc0a24 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3459,81 +3459,6 @@ Successful export of $pkcs_type file. Your exported file is at:
 return 0
 } # => export_pkcs()

-# set-pass backend legacy
-set_pass_legacy() {
- # key type, supplied internally
- # from frontend command call (rsa/ec)
- key_type="$1"
- shift
-
- [ "$1" ] || user_error "\
-Unable to set password: incorrect command syntax.
-Run easyrsa without commands for usage and command help."
-
- # values supplied by the user:
- raw_file="$1"
- shift
-
- file="$EASYRSA_PKI/private/${raw_file}.key"
-
- # parse command options
- cipher="-aes256"
- unset -v nopass
- while [ "$1" ]; do
- case "$1" in
- nopass)
- [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
- ;;
- file)
- file="$raw_file"
- ;;
- *) warn "Ignoring unknown command option: '$1'"
- esac
- shift
- done
-
- # If nopass then do not encrypt else encrypt with password.
- if [ "$EASYRSA_NO_PASS" ]; then
- unset -v cipher
- fi
-
- [ -e "$file" ] || user_error "\
-Missing private key: expected to find the private key file at:
-* $file"
-
- notice "\
-If the key is encrypted then you must supply the current password.
-${cipher:+You will then enter a new password for this key.$NL}"
-
- # Set password
- out_key_tmp=""
- easyrsa_mktemp out_key_tmp || \
- die "set_pass_legacy - easyrsa_mktemp out_key_tmp"
-
- easyrsa_openssl "$key_type" -in "$file" -out "$out_key_tmp" \
- ${cipher:+ "$cipher"} \
- ${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
- ${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
-Failed to change the private key passphrase.
-See above for possible openssl error messages."
-
- # Move old key-file out of the way
- mv "$file" "${file}.tmp" || \
- die "Failed to move the old-key file."
-
- # Move new key-file into place
- if mv "$out_key_tmp" "$file"; then
- rm -f "${file}.tmp"
- else
- mv -f "${file}.tmp" "$file"
- die "Failed to update the private key file."
- fi
-
- notice "Key passphrase successfully changed"
-
- return 0
-} # => set_pass_legacy()
-
 # set-pass backend
 set_pass() {
 # values supplied by the user:
@@ -6267,15 +6192,7 @@ case "$cmd" in
 verify_working_env
 export_pkcs p1 "$@"
 ;;
- set-rsa-pass)
- verify_working_env
- set_pass_legacy rsa "$@"
- ;;
- set-ec-pass)
- verify_working_env
- set_pass_legacy ec "$@"
- ;;
- set-pass|set-ed-pass)
+ set-pass|set-rsa-pass|set-ec-pass|set-ed-pass)
 verify_working_env
 set_pass "$@"
 ;;
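Review bot: The merged case arm `set-pass|set-rsa-pass|set-ec-pass|set-ed-pass)` now sends the old aliases to `set_pass "$@"` without the `rsa`/`ec` key-type argument that `set_pass_legacy` passed to `easyrsa_openssl "$key_type"`, so the whole key-type selection, the `-aes256` output cipher and the `prohibit_no_pass` guard on `nopass` that the removed function enforced now depend entirely on `set_pass`, whose body begins in the first hunk (`set_pass() {`) but lies outside this one, so I cannot confirm it covers those cases. Please check that `set_pass` still re-encrypts via a temp file from `easyrsa_mktemp` and only swaps it into place on success, as the legacy path did, so a failed or interrupted run never leaves the key file absent or written in plaintext. Since the aliases are kept silently, a comment on the arm would help the next reader, e.g. `# set-rsa-pass/set-ec-pass/set-ed-pass are legacy aliases; set_pass presumably detects the key type itself`, and if they are meant to go away a `warn "'$cmd' is deprecated, use 'set-pass'"` inside the arm before `set_pass "$@"` would give users notice without changing behavior.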