From 7b52ef3322df0146e15be0b595178771445a078f Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 28 Jul 2024 23:18:35 +0100 Subject: [PATCH] Prepare and improve interface for use of easyrsa-tools.lib: renew Add specific error message for 'renew'. Re-insert 'renew_restore_move', to undo changes made by 'renew'. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 93 +++++++++++++++++++++++++++--------------------- 1 file changed, 52 insertions(+), 41 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index a20cb9f8..4d5376b5 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -940,6 +940,9 @@ cleanup() { [ "$error_build_full_cleanup" ] && \ rm -f "$crt_out" "$req_out" "$key_out" + # Restore files when renew is interrupted + [ "$error_undo_renew_move" ] && renew_restore_move + if [ "${secured_session%/*}" ] && \ [ -d "$secured_session" ] then @@ -2731,7 +2734,7 @@ ${confirm_critical_attribs}${confirm_dn}" # Confirm the user wishes to sign this request # The foreign_request confirmation is not required # for build_full: - if [ "$do_build_full" ]; then + if [ "$local_request" ]; then unset -v foreign_request else foreign_request="\ @@ -2743,7 +2746,7 @@ source or that you have verified the request checksum \ with the sender.$NL" fi - confirm "Confirm request details: " "yes" "\ + confirm "Confirm requested details: " "yes" "\ ${foreign_request}You are about to sign the following certificate: $confirm_details" # => confirm end @@ -2901,14 +2904,14 @@ Warning! An inline file for name '$name' already exists: * $inline_out" - # Set to modify sign-req confirmation message - do_build_full=1 - # create request verbose "build_full: BEGIN gen_req" gen_req "$name" batch verbose "build_full: END gen_req" + # Set to modify sign-req confirmation message + local_request=1 + # Recreate temp-session and # drop edits to SSL Conf file remove_secure_session 
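Review bot: cleanup() now calls renew_restore_move, but no hunk in this patch defines it, so it presumably comes from easyrsa-tools.lib and exists only after that library has been sourced. If error_undo_renew_move can ever be set while the library is not loaded (the variable is not visibly initialised anywhere in this patch), cleanup() would fail on an undefined function at the point it is supposed to be undoing work; either guard the call, `[ "$error_undo_renew_move" ] && command -v renew_restore_move >/dev/null && renew_restore_move`, or state on the comment that only renew() in the tools library sets the flag. cleanup() begins and ends outside this hunk.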
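Review bot: The relocated `local_request=1` keeps its what-comment but gives no reason the assignment must now follow gen_req, so a future reader will assume the original position was equivalent and may move it back. If gen_req (or something it calls) clears or overwrites this variable, say so at the new site, e.g. `# Set AFTER gen_req: <reason gen_req must run first>; modifies the sign-req confirmation message`. build_full() begins and ends outside this hunk.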
@@ -3330,17 +3333,6 @@ Failed to remove inline file: return 0 } # => revoke_move() -# renew backend -renew() { - print " -To renew a certificate, please use commands: -* expire -* sign-req - -See help for details.${NL}" - cleanup -} # => renew() - # Move expired cert out of pki/issued to pki/expired # to allow renewal expire_cert() { @@ -5462,7 +5454,7 @@ unset -v \ alias_days \ prohibit_no_pass \ invalid_vars \ - do_build_full error_build_full_cleanup \ + local_request error_build_full_cleanup \ selfsign_eku \ internal_batch mv_temp_error \ easyrsa_exit_with_error error_info \ @@ -5864,12 +5856,6 @@ case "$cmd" in cert_dir=renewed/issued revoke "$@" ;; - renew) - verify_working_env - [ -z "$alias_days" ] || \ - export EASYRSA_CERT_EXPIRE="$alias_days" - renew "$@" - ;; import-req) verify_working_env import_req "$@" @@ -5927,7 +5913,7 @@ case "$cmd" in verify_working_env show_host "$@" ;; - show-expire|show-revoke|show-renew) + renew|show-expire|show-revoke|show-renew) verify_working_env # easyrsa-tools.lib is required 
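Review bot: error_undo_renew_move, which the cleanup() hunk now tests, is not added to this `unset -v` list alongside the renamed local_request, unless that happens in a part of the list outside this hunk. This list appears to exist so that values inherited from the caller's environment cannot steer the run; a pre-set error_undo_renew_move would make cleanup() call renew_restore_move on every exit, so the new flag should follow the same rule: `local_request error_build_full_cleanup error_undo_renew_move \`. The unset statement begins and ends outside this hunk.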
@@ -5936,36 +5922,61 @@ case "$cmd" in # shellcheck disable=SC1090 # can't follow non-constant.. . "$EASYRSA_TOOLS_LIB" || \ die "Source failed: $EASYRSA_TOOLS_LIB" - unset -v EASYRSA_TOOLS_CALLER + unset -v EASYRSA_TOOLS_CALLER tools_error + + verbose "EASYRSA_TOOLS_LIB: $EASYRSA_TOOLS_LIB" + verbose "EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION" + + # Verify tools version + if [ "$EASYRSA_TOOLS_VERSION" -lt 321 ]; then + warn "\ +EasyRSA Tools version is out of date: +* EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION" + fi else - user_error "Missing: easyrsa-tools.lib + tools_error="Missing: easyrsa-tools.lib -Use of Status Reports requires Easy-RSA tools library, source: +Use of command '$cmd' requires Easy-RSA tools library, source: * https://github.com/OpenVPN/easy-rsa/dev/easyrsa-tools.lib Place a copy of easyrsa-tools.lib in a standard system location." fi - # Verify tools version - if [ "$EASYRSA_TOOLS_VERSION" = 1.0.1 ]; then - verbose "EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION" - else - warn "\ -EasyRSA Tools version is out of date: -* EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION" - fi - case "$cmd" in + renew) + if [ "$tools_error" ]; then + user_error "$tools_error + +A certificate can be renewed without EasyRSA Tools. Expire the certificate +using command 'expire' and sign the original request with 'sign-req'." 
+ else + [ -z "$alias_days" ] || \ + export EASYRSA_CERT_EXPIRE="$alias_days" + renew "$@" + fi + ;; show-expire) - [ -z "$alias_days" ] || \ - export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days" - status expire "$@" + if [ "$tools_error" ]; then + user_error "$tools_error" + else + [ -z "$alias_days" ] || \ + export EASYRSA_PRE_EXPIRY_WINDOW="$alias_days" + status expire "$@" + fi ;; show-revoke) - status revoke "$@" + if [ "$tools_error" ]; then + user_error "$tools_error" + else + status revoke "$@" + fi ;; show-renew) - status renew "$@" + if [ "$tools_error" ]; then + user_error "$tools_error" + else + status renew "$@" + fi ;; *) die "Unknown command: '$cmd'"
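Review bot: The new check `[ "$EASYRSA_TOOLS_VERSION" -lt 321 ]` is an integer comparison, yet the code removed in this same hunk shows the previous library reporting its version as `1.0.1`; with such a value, or an empty one if a library sets nothing, `[` prints "integer expression expected" and the test is not taken, so a library from before the integer scheme produces a shell error instead of the intended warning. Validate the value as a plain integer before comparing, as below. As a point of style, the four identical `if [ "$tools_error" ]` arms could be collapsed into one `[ "$tools_error" ] && user_error ...` placed before `case "$cmd" in`, keeping only the renew-specific hint in its own arm. Both the `if` that sources the library and the outer case statement begin outside this hunk.
```shell
	# Verify tools version: must be a plain integer, and at least 321
	case "$EASYRSA_TOOLS_VERSION" in
	''|*[!0-9]*) tools_outdated=1 ;;
	*) [ "$EASYRSA_TOOLS_VERSION" -ge 321 ] || tools_outdated=1 ;;
	esac
	if [ "$tools_outdated" ]; then
		warn "\
EasyRSA Tools version is out of date:
* EASYRSA_TOOLS_VERSION: $EASYRSA_TOOLS_VERSION"
	fi
	# … unchanged: else branch setting tools_error, case "$cmd" arms …
```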