diff --git a/ChangeLog b/ChangeLog index a7e625297..5656a029d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog 3.2.1 (TBD) + * gen-req: Always check for existing request file (7eab98e) (#1177) + * revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66) (#1177) + * revoke-expired/-renewed: Keep req/key files for resigning (4537ae7) (#1177) * revoke: Add abbreviations for optional 'reason' (a88ccc7) (#1173) * build-ca: Allow use of --req-cn without batch mode (b77a0fb) (#1170) * gen-req: Re-enable use of --req-cn (5cf8c46) (#1170) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b9ab7afdb..cca9473d3 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2178,15 +2178,25 @@ Run easyrsa without commands for usage and commands." shift done + # don't wipe out an existing request without confirmation + [ -f "$req_out" ] && confirm "Confirm request overwrite: " "yes" "\ + +WARNING!!! + +An existing request file was found at +* $req_out + +Continuing with key generation will replace this request." + # don't wipe out an existing private key without confirmation - if [ -f "$key_out" ]; then - confirm "Confirm key overwrite: " "yes" "\ + [ -f "$key_out" ] && confirm "Confirm key overwrite: " "yes" "\ WARNING!!! -An existing private key was found at $key_out +An existing private key was found at +* $key_out + Continuing with key generation will replace this key." - fi # When EASYRSA_EXTRA_EXTS is defined, # append it to openssl's [req] section: @@ -3029,9 +3039,13 @@ issued certificate:${NL} Expiry: ${crt_endd%%${NL}serial=*} Serial: ${crt_endd##*serial=}" fi + + # Revoking an issued cert forces req/key to be moved + move_req_and_key=1 ;; expired|renewed) - : # ok + # Revoke-expired/renewed cert means req/key can remain + move_req_and_key= ;; *) die "Invalid cert_dir: '$cert_dir'" 
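Review bot: The new `[ -f "$req_out" ] && confirm ...` list only prompts; nothing in the hunk aborts when the operator declines, so correctness rests on `confirm` exiting on a negative answer, and its body is outside the hunk, so that is worth verifying rather than assuming. If `confirm` can return non-zero without dying, the `&&` form continues straight into key generation, which is the overwrite this check exists to prevent; the previous `if ... fi` form had the same exposure, so this is not a regression, only a good moment to pin it. As a style point, the two checks now differ only in the noun and the path, so a small helper such as `confirm_overwrite "request" "$req_out"` would keep the two multi-line warning strings from drifting apart. The enclosing gen-req command body starts and ends outside the hunk.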
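Review bot: `move_req_and_key` is first assigned inside the `case` arms, so nothing gives it a value before the dispatch; initialising it once above the `case`, `move_req_and_key=`, keeps the later `[ "$move_req_and_key" ]` tests from inheriting a stray exported variable of the same name if another arm is ever added. Today every visible arm either sets it or dies (`*)` calls `die`), so this is defensive only. The `case` statement and the issued-cert arm's label start above the hunk.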
@@ -3050,10 +3064,6 @@ Request was expected at: ssl_cert_serial "$crt_in" cert_serial || \ die "$cmd: Failed to get cert serial number!" - # Duplicate cert by serial file - dup_dir="$EASYRSA_PKI/certs_by_serial" - dup_crt_by_serial="$dup_dir/${cert_serial}.pem" - # Set out_dir out_dir="$EASYRSA_PKI/revoked" crt_out="$out_dir/certs_by_serial/${cert_serial}.crt" @@ -3074,10 +3084,15 @@ Cannot revoke this certificate, a conflicting file exists. # Check for key and request files unset -v if_exist_key_in if_exist_req_in - [ -e "$key_in" ] && if_exist_key_in=" + if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then + if_exist_key_in=" * $key_in" - [ -e "$req_in" ] && if_exist_req_in=" + fi + + if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + if_exist_req_in=" * $req_in" + fi # Set confirm DN and serial confirm_dn="$(display_dn x509 "$crt_in")" || \ @@ -3096,10 +3111,7 @@ All PKCS files for commonName : $file_name_base The inline credentials files: * $creds_in -* $inline_in - -The duplicate certificate: -* $dup_crt_by_serial" +* $inline_in" confirm " Continue with revocation: " "yes" " Please confirm that you wish to revoke the certificate 
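Review bot: When `move_req_and_key` is empty the confirmation text silently drops the key and request entries, so an operator running revoke-expired/-renewed is no longer told that the private key stays in place under the PKI; an `else` branch that fills `if_exist_key_in` with a short `(private key and request are kept for re-signing)` line would make the retained key explicit in the prompt. Both blocks repeat the `[ "$move_req_and_key" ]` test, so nesting the two `-e` checks inside a single `if [ "$move_req_and_key" ]; then` would read more directly. The function containing these checks starts above the hunk.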
@@ -3137,19 +3149,24 @@ certificate from being accepted." revoke_move() { parent_dir="$EASYRSA_PKI"/revoked easyrsa_mkdir "$parent_dir" - for i in certs_by_serial private_by_serial + for i in reqs_by_serial certs_by_serial private_by_serial do easyrsa_mkdir "${parent_dir}/$i" done parent_dir= - # do NOT move the req - can be signed again + # only move the req when revoking an issued cert + # and if we have the req + if [ "$move_req_and_key" ] && [ -e "$req_in" ]; then + mv "$req_in" "$req_out" || warn "Failed to move: $req_in" + fi # move crt to revoked folder mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in" - # only move the key if we have it - if [ -e "$key_in" ]; then + # only move the key when revoking an issued cert + # and if we have the key + if [ "$move_req_and_key" ] && [ -e "$key_in" ]; then mv "$key_in" "$key_out" || warn "Failed to move: $key_in" fi @@ -3168,13 +3185,6 @@ revoke_move() { fi done - # remove the duplicate certificate - if [ -e "$dup_crt_by_serial" ]; then - rm "$dup_crt_by_serial" || warn "\ -Failed to remove the duplicate certificate: -* $dup_crt_by_serial" - fi - # remove credentials file if [ -e "$creds_in" ]; then rm "$creds_in" || warn "\
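Review bot: In revoke_move the request is now moved before the certificate, but the certificate `mv` is the one that `die`s, so a failed crt move leaves the req already relocated under `reqs_by_serial` while the cert stays issued; the old code never had this partial state because only the key moved, and it moved after the crt. Placing the new req block below the `mv "$crt_in" "$crt_out" || die ...` line, next to the key block, keeps the PKI consistent on that failure path. The hunk also assumes `$req_out` points into the newly created `reqs_by_serial` directory; where it is set is not in the diff, so that is worth checking. A short header comment on revoke_move naming the globals it reads (`move_req_and_key`, `crt_in`/`crt_out`, `req_in`/`req_out`, `key_in`/`key_out`) would help, since the flag is set in a different function. revoke_move continues past the hunk.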