Remove 'rebuild' command interface and help only
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech committed Dec 7, 2023
1 parent 360e9ff commit d6953cc
Showing 2 changed files with 2 additions and 316 deletions.
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,6 +1,7 @@
Easy-RSA 3 ChangeLog

3.2.0 (TBD)
* Remove command 'rebuild' (#1045)'
* Remove command 'upgrade' (#1045)'
* Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (#1043)
* New diagnostic command 'display-cn' (#1040)
317 changes: 1 addition & 316 deletions easyrsa3/easyrsa
Expand Up @@ -41,7 +41,6 @@ A list of commands is shown below:
renew <file_name_base>
revoke-renewed <file_name_base> [ cmd-opts ]
rewind-renew <certificate_serial_number>
rebuild <file_name_base> [ cmd-opts ]
gen-crl
update-db
show-req <file_name_base> [ cmd-opts ]
Expand Down Expand Up @@ -218,16 +217,6 @@ cmd_help() {
cessationOfOperation
certificateHold"
;;
rebuild)
text="
* rebuild <file_name_base> [ cmd-opts ]

Rebuild a certificate and key specified by <file_name_base>"

opts="
* nopass - Do not encrypt the private key (Default: encrypted)
(Equivalent to global option '--nopass|--no-pass')"
;;
renew)
text="
* renew <file_name_base>
Expand Down Expand Up @@ -856,8 +845,6 @@ cleanup() {
rm -f "$crt_out" "$req_out" "$key_out"
# Restore files when renew is interrupted
[ "$error_undo_renew_move" ] && renew_restore_move
# Restore files when rebuild is interrupted
[ "$error_undo_rebuild_move" ] && rebuild_restore_move

if [ "${secured_session%/*}" ] && \
[ -d "$secured_session" ]
Expand Down Expand Up @@ -3293,302 +3280,6 @@ Serial number: $cert_serial
To revoke use: 'revoke-renewed $crt_cn'"
} # => rewind_renew()

# rebuild backend
rebuild() {
# pull filename base:
[ "$1" ] || user_error "\
Error: didn't find a file base name as the first argument.
Run easyrsa without commands for usage and command help."

# Assign file_name_base and dust off!
file_name_base="$1"
shift

in_dir="$EASYRSA_PKI"
crt_in="$in_dir/issued/${file_name_base}.crt"
key_in="$in_dir/private/${file_name_base}.key"
req_in="$in_dir/reqs/${file_name_base}.req"
creds_in="$in_dir/${file_name_base}.creds"
inline_in="$in_dir/inline/${file_name_base}.inline"

# Upgrade CA index.txt.attr - unique_subject = no
up23_upgrade_ca || \
die "Failed to upgrade CA to support renewal."

# Set 'nopass'
while [ "$1" ]; do
case "$1" in
nopass)
[ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1
;;
*) user_error "Unknown option: $1"
esac
shift
done

# referenced cert must exist:
[ -f "$crt_in" ] || user_error "\
Unable to rebuild as no certificate was found.
Certificate was expected at:
* $crt_in"

# Verify certificate
verify_file x509 "$crt_in" || user_error "\
Unable to rebuild as the input file is not a valid certificate.
Certificate was expected at:
* $crt_in"

# Verify request
if [ -e "$req_in" ]; then
verify_file req "$req_in" || user_error "\
Unable to verify request. The file is not a valid request.
Request was expected at:
* $req_in"
fi

# get the serial number of the certificate
ssl_cert_serial "$crt_in" cert_serial || \
die "$cmd: Failed to get cert serial number!"

# Duplicate cert by serial file
dup_dir="$EASYRSA_PKI/certs_by_serial"
dup_crt_by_serial="$dup_dir/${cert_serial}.pem"

# Set out_dir
out_dir="$EASYRSA_PKI/renewed"
crt_out="$out_dir/issued/${file_name_base}.crt"
key_out="$out_dir/private/${file_name_base}.key"
req_out="$out_dir/reqs/${file_name_base}.req"

# NEVER over-write a renewed cert, revoke it first
deny_msg="\
Cannot rebuild this certificate, a conflicting file exists.
*"
[ -e "$crt_out" ] && \
user_error "$deny_msg certificate: $crt_out"
[ -e "$key_out" ] && \
user_error "$deny_msg private key: $key_out"
[ -e "$req_out" ] && \
user_error "$deny_msg request : $req_out"
unset -v deny_msg

# Extract certificate usage from old cert
cert_ext_key_usage="$(
easyrsa_openssl x509 -in "$crt_in" -noout -text |
sed -n "/X509v3 Extended Key Usage:/{n;s/^ *//g;p;}"
)"

case "$cert_ext_key_usage" in
"TLS Web Client Authentication")
cert_type=client
;;
"TLS Web Server Authentication")
cert_type=server
;;
"TLS Web Server Auth"*", TLS Web Client Auth"*)
cert_type=serverClient
;;
*) die "Unknown key usage: $cert_ext_key_usage"
esac

# Use SAN from --subject-alt-name, if set
# else use SAN from old cert
if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName
then
: # ok - Use current subjectAltName
else
san="$(
easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \
"/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;p;}"
)"

[ "$san" ] && export EASYRSA_EXTRA_EXTS="\
$EASYRSA_EXTRA_EXTS
subjectAltName = $san"
fi

# confirm operation by displaying DN:
unset -v if_exist_key_in if_exist_req_in
[ -e "$key_in" ] && if_exist_key_in="
* $key_in"
[ -e "$req_in" ] && if_exist_req_in="
* $req_in"
warn "\
This process is destructive!

These files will be MOVED to the 'renewed' sub-directory:
* $crt_in${if_exist_key_in}${if_exist_req_in}

These files will be DELETED:
All PKCS files for commonName : $file_name_base

The inline credentials files:
* $creds_in
* $inline_in

The duplicate certificate:
* $dup_crt_by_serial

IMPORTANT: The new key will${EASYRSA_NO_PASS:+ NOT} \
be password protected."

confirm " Continue with rebuild: " "yes" "
Please confirm you wish to renew the certificate
with the following subject:

$(display_dn x509 "$crt_in")

serial-number: $cert_serial"

# move renewed files so we can reissue
# certificate with the same name
rebuild_move
error_undo_rebuild_move=1

# rebuild certificate
if EASYRSA_BATCH=1 build_full "$cert_type" "$file_name_base"
then
unset -v error_undo_rebuild_move
else
# If rebuild failed then restore cert, key and req.
# Otherwise, issue a warning. If *restore* fails
# then at least the file-names are not serial-numbers
rebuild_restore_move
die "\
Rebuild has failed to build a new certificate/key pair."
fi

# Success messages
notice "Rebuild was successful.

* IMPORTANT *

Rebuild has created a new certificate and key, to replace
both old files.

To revoke the old certificate, once the new one has been
deployed, use command:
'revoke-renewed $file_name_base reason' ('reason' is optional)"

return 0
} # => rebuild()

# Restore files on failure to rebuild
rebuild_restore_move() {
unset -v rrm_err error_undo_renew_move
# restore crt, key and req file to PKI folders
if mv "$restore_crt_out" "$restore_crt_in"; then
: # ok
else
warn "Failed to restore: $restore_crt_out"
rrm_err=1
fi

# only restore the key if we have it
if [ -e "$restore_key_out" ]; then
if mv "$restore_key_out" "$restore_key_in"; then
: # ok
else
warn "Failed to restore: $restore_key_out"
rrm_err=1
fi
fi

# only restore the req if we have it
if [ -e "$restore_req_out" ]; then
if mv "$restore_req_out" "$restore_req_in"; then
: # ok
else
warn "Failed to restore: $restore_req_out"
rrm_err=1
fi
fi

# messages
if [ "$rrm_err" ]; then
warn "Failed to restore renewed files."
else
notice "\
Rebuild FAILED but files have been successfully restored."
fi

return 0
} # => rebuild_restore_move()

# rebuild_move
# moves renewed certificates to the 'renewed' folder
# allows reissuing certificates with the same name
rebuild_move() {
# make sure renewed dirs exist
for target in "$out_dir" \
"$out_dir/issued" \
"$out_dir/private" \
"$out_dir/reqs"
do
[ -d "$target" ] && continue
mkdir -p "$target" ||
die "Failed to mkdir: $target"
done

# move crt, key and req file to renewed folders
restore_crt_in="$crt_in"
restore_crt_out="$crt_out"
mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"

# only move the key if we have it
restore_key_in="$key_in"
restore_key_out="$key_out"
if [ -e "$key_in" ]; then
mv "$key_in" "$key_out" || warn "Failed to move: $key_in"
fi

# only move the req if we have it
restore_req_in="$req_in"
restore_req_out="$req_out"
if [ -e "$req_in" ]; then
mv "$req_in" "$req_out" || warn "Failed to move: $req_in"
fi

# remove any pkcs files
for pkcs in p12 p7b p8 p1; do
if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
# issued
rm "$in_dir/issued/$file_name_base.$pkcs" ||
warn "Failed to remove: $file_name_base.$pkcs"

elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then
# private
rm "$in_dir/private/$file_name_base.$pkcs" ||
warn "Failed to remove: $file_name_base.$pkcs"
else
: # ok
fi
done

# remove the duplicate certificate
if [ -e "$dup_crt_by_serial" ]; then
rm "$dup_crt_by_serial" || warn "\
Failed to remove the duplicate certificate:
* $dup_crt_by_serial"
fi

# remove credentials file
if [ -e "$creds_in" ]; then
rm "$creds_in" || warn "\
Failed to remove credentials file:
* $creds_in"
fi

# remove inline file
if [ -e "$inline_in" ]; then
rm "$inline_in" || warn "\
Failed to remove inline file:
* $inline_in"
fi

return 0
} # => rebuild_move()

# gen-crl backend
gen_crl() {
out_file="$EASYRSA_PKI/crl.pem"
Expand Down Expand Up @@ -5510,7 +5201,7 @@ Use of --startdate requires use of --enddate."
# --enddate may over-rule EASYRSA_CERT_EXPIRE
if [ "$EASYRSA_END_DATE" ]; then
case "$cmd" in
sign-req|build-*-full|renew|rebuild)
sign-req|build-*-full|renew)
# User specified alias_days IS over-ruled
if [ "$alias_days" ]; then
warn "\
Expand Down Expand Up @@ -7254,12 +6945,6 @@ case "$cmd" in
verify_working_env
rewind_renew "$@"
;;
rebuild)
verify_working_env
[ -z "$alias_days" ] || \
export EASYRSA_CERT_EXPIRE="$alias_days"
rebuild "$@"
;;
import-req)
verify_working_env
import_req "$@"
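Review bot: Dropping the `rebuild)` arm from the `case "$cmd"` dispatcher in the last hunk means `easyrsa rebuild <name>` now presumably falls through to that `case`'s default arm, which is outside the hunk; it is worth confirming it yields a clear unknown-command error, and that no other stale reference to `error_undo_rebuild_move`, `rebuild_move` or `rebuild_restore_move` survives elsewhere in the script now that the `cleanup()` hook `[ "$error_undo_rebuild_move" ] && rebuild_restore_move` and the three backend functions are gone (a `grep -n rebuild easyrsa3/easyrsa` over the unchanged part would settle it). The commit title says "interface and help only", but the diff also deletes the backend `rebuild()`, `rebuild_restore_move()` and `rebuild_move()` functions, so the message understates the change and should say the backend is removed too. Separately, the added ChangeLog entry `* Remove command 'rebuild' (#1045)'` carries a stray trailing apostrophe copied from the `upgrade` line below it.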
