From b4dc2ad0ea7aadb0e990dd2561919a4b77c98da9 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 21:45:23 +0000
Subject: [PATCH 1/6] Command renew: Process options correctly and minor improvements

Process options correctly:
* This removes an errant 'shift' when processing options.

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 742f36b..993e9bd 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2171,16 +2171,17 @@ Run easyrsa without commands for usage and command help."
 # Upgrade CA index.txt.attr - unique_subject = no
 up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
 
- # Set 'nopass'
- case "$1" in
- nopass)
- warn "\
-Option 'nopass' is no longer supported by command 'renew'."
- shift
- ;;
- '') :; shift ;; # Empty ok
- *) die "Unknown option: $1"
- esac
+ # deprecate ALL options
+ while [ "$1" ]; do
+ case "$1" in
+ nopass)
+ warn "\
+Option 'nopass' is not supported by command 'renew'."
+ ;;
+ *) die "Unknown option: $1"
+ esac
+ shift
+ done
 
 # referenced cert must exist:
 [ -f "$crt_in" ] || die "\

From 4c8a4e8765adccff4e96049caa41168076daa063 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 21:51:39 +0000
Subject: [PATCH 2/6] Command renew: Require CSR as input file and refactor verification

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 993e9bd..da400f3 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
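Review bot: `while [ "$1" ]; do` in the new renew option loop stops at the first empty argument, so anything following an empty `""` argument is silently accepted instead of reaching the `*) die "Unknown option: $1"` arm, whereas the old `case` never looked past its single argument. Looping on the argument count keeps the rejection consistent: `while [ "$#" -gt 0 ]; do` together with an explicit `'') ;; # Empty ok` arm preserves the old tolerance of an empty option while still rejecting everything after it. The comment `# deprecate ALL options` also reads oddly above a loop that only warns for `nopass` and dies for everything else; `# 'nopass' is accepted with a warning, any other option is an error` describes what the loop does. The enclosing renew function starts and ends outside the hunk.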
@@ -2183,21 +2183,26 @@ Option 'nopass' is not supported by command 'renew'."
 shift
 done
 
- # referenced cert must exist:
- [ -f "$crt_in" ] || die "\
-Unable to renew as no certificate was found. Certificate was expected
-at: $crt_in"
- # Verify certificate
- verify_file x509 "$crt_in" || die "\
-Unable to renew as the input file is not a valid certificate. Unexpected
-input in file: $crt_in"
+ if [ -f "$crt_in" ]; then
+ verify_file x509 "$crt_in" || die "\
+Input file is not a valid certificate:
+* $crt_in"
+ else
+ die "\
+Missing certificate file:
+* $crt_in"
+ fi
 
 # Verify request
 if [ -e "$req_in" ]; then
 verify_file req "$req_in" || die "\
-Unable to verify request. The file is not a valid request.
-Unexpected input in file: $req_in"
+Input file is not a valid request:
+* $req_in"
+ else
+ die "\
+Missing request file:
+* $req_in"
 fi
 
 # get the serial number of the certificate

From a815f398474dbd4950c12047c0902a0fea04a65b Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 22:27:39 +0000
Subject: [PATCH 3/6] Function renew_move(): Ignore non-essential file removal errors

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 34 ++++++++++++----------------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index da400f3..ecbeddc 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
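Review bot: The two existence checks in the new verification block disagree: the certificate is tested with `[ -f "$crt_in" ]` while the request keeps `[ -e "$req_in" ]`, so a directory or other non-regular file at `$req_in` passes the existence test and only fails later inside `verify_file req` with the less specific "not a valid request" message. `if [ -f "$req_in" ]; then` makes both branches report "Missing ... file" for the same condition. Separately, `verify_file` only confirms that each file parses as a certificate or a request; nothing here ties the request to the certificate being renewed, and since the renewal later re-signs under the certificate's name (`sign_req` is called further down, outside this hunk), a check that the request's public key matches the one in `$crt_in` before proceeding would be worth adding. The enclosing function continues past the hunk.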
@@ -2338,36 +2338,26 @@ renew_move() {
 done
 
 # move crt, key and req file to renewed folders
+ # After this point, renew is possible!
 restore_crt_in="$crt_in"
 restore_crt_out="$crt_out"
- mv "$crt_in" "$crt_out" || die "Failed to move: $crt_in"
+ mv "$crt_in" "$crt_out" || \
+ die "Failed to move: $crt_in"
 
+ # Further file removal is a convenience, only.
 # remove any pkcs files
 for pkcs in p12 p7b p8 p1; do
- if [ -e "$in_dir/issued/$file_name_base.$pkcs" ]; then
- # issued
- rm "$in_dir/issued/$file_name_base.$pkcs" ||
- warn "Failed to remove: $file_name_base.$pkcs"
-
- elif [ -e "$in_dir/private/$file_name_base.$pkcs" ]; then
- # private
- rm "$in_dir/private/$file_name_base.$pkcs" ||
- warn "Failed to remove: $file_name_base.$pkcs"
- else
- : # ok
- fi
+ # issued
+ rm -f "$in_dir/issued/$file_name_base.$pkcs"
+ # private
+ rm -f "$in_dir/private/$file_name_base.$pkcs"
 done
 
- # remove the duplicate certificate in the certs_by_serial folder
- if [ -e "$duplicate_crt_by_serial" ]; then
- rm "$duplicate_crt_by_serial" || warn "\
-Failed to remove the duplicate certificate in the certs_by_serial folder"
- fi
+ # remove duplicate cert in 'certs_by_serial' folder
+ rm -f "$duplicate_crt_by_serial"
 
- # remove credentials file (if exists)
- if [ -e "$creds_in" ]; then
- rm "$creds_in" || warn "Failed to remove the inline file."
- fi
+ # remove credentials file
+ rm -f "$creds_in"
 
 return 0
 } # => renew_move()

From 1cf4cce432a8e341b7918178dfacb2eec758b052 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 22:35:13 +0000
Subject: [PATCH 4/6] Renew: wrap long lines in related functions

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 50 ++++++++++++++++++++++++++++++------------------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ecbeddc..bdf55be 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
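Review bot: Switching every removal to a bare `rm -f` drops the diagnostic for the one case the old `warn` calls existed for: `rm -f` still exits non-zero when a file exists but cannot be removed, and `$creds_in` (the inline credentials file named in the confirmation prompt) and the `.p12`/`.p8` files presumably carry the old private key, so an operator would want to know if they were left behind after the certificate was moved. Keeping `-f` for the missing-file case while retaining the message is a small change per line, e.g. `rm -f "$creds_in" || warn "Failed to remove: $creds_in"`, and likewise for `$duplicate_crt_by_serial` and the two pkcs paths inside the loop. The new `# Further file removal is a convenience, only.` comment stays accurate, since `warn` does not abort. renew_move() begins outside the hunk.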
@@ -2169,7 +2169,8 @@ Run easyrsa without commands for usage and command help."
 creds_in="$in_dir/$file_name_base.creds"
 
 # Upgrade CA index.txt.attr - unique_subject = no
- up23_upgrade_ca || die "Failed to upgrade CA to support renewal."
+ up23_upgrade_ca || \
+ die "Failed to upgrade CA to support renewal."
 
 # deprecate ALL options
 while [ "$1" ]; do
@@ -2208,7 +2209,8 @@ Missing request file:
 
 # get the serial number of the certificate
 ssl_cert_serial "$crt_in" cert_serial
- duplicate_crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
+ duplicate_crt_by_serial="\
+$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
 
 # Set out_dir
 out_dir="$EASYRSA_PKI/renewed"
@@ -2216,7 +2218,7 @@ Missing request file:
 
 # NEVER over-write a renewed cert, revoke it first
 deny_msg="\
-Cannot renew this certificate because a conflicting file exists.
+Cannot renew this certificate, a conflicting file exists:
 *"
 [ -e "$crt_out" ] && die "$deny_msg certificate: $crt_out"
 unset -v deny_msg
@@ -2230,24 +2232,25 @@ Cannot renew this certificate because a conflicting file exists.
 
 case "$cert_ext_key_usage" in
 "TLS Web Client Authentication")
 cert_type=client
- ;;
+ ;;
 "TLS Web Server Authentication")
 cert_type=server
- ;;
+ ;;
- "TLS Web Server Authentication, TLS Web Client Authentication")
+ "TLS Web Server Authentication, TLS Web Client Authentication")
 cert_type=serverClient
- ;;
+ ;;
 *) die "Unknown key usage: $cert_ext_key_usage"
 esac
 
- # Use SAN from --subject-alt-name if set else use SAN from old cert
+ # Use SAN from --san if set else use SAN from old cert
 if echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName; then
 : # ok - Use current subjectAltName
 else
 san="$(
- easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \
- "/X509v3 Subject Alternative Name:/{n;s/IP Address:/IP:/g;s/ //g;p;}"
- )"
+easyrsa_openssl x509 -in "$crt_in" -noout -text | sed -n \
+"/X509v3 Subject Alternative Name:\
+/{n;s/IP Address:/IP:/g;s/ //g;p;}"
+ )"
 [ "$san" ] && export EASYRSA_EXTRA_EXTS="\
 $EASYRSA_EXTRA_EXTS
@@ -2258,13 +2261,18 @@ subjectAltName = $san"
 warn "\
 This process is destructive!
 
-These files will be moved to the 'renewed' storage sub-directory:
+These files will be moved to 'renewed' storage sub-directory:
 * $crt_in
 
 These files will be DELETED:
-* All PKCS files for commonName : $file_name_base
-* The inline credentials file : $creds_in
-* The duplicate certificate : $duplicate_crt_by_serial"
+* All PKCS files for commonName:
+ $file_name_base
+
+* The inline credentials file:
+ $creds_in
+
+* The duplicate certificate:
+ $duplicate_crt_by_serial"
 confirm " Continue with renewal: " "yes" "\
 Please confirm you wish to renew the certificate
@@ -2274,15 +2282,18 @@ with the following subject:
 
 serial-number: $cert_serial"
 
- # move renewed files so we can reissue certificate with the same name
+ # move renewed files
+ # so we can reissue certificate with the same name
 renew_move
 on_error_undo_renew_move=1
 
 # renew certificate
- if EASYRSA_BATCH=1 sign_req "$cert_type" "$file_name_base"; then
+ if EASYRSA_BATCH=1 sign_req "$cert_type" "$file_name_base"
+ then
 unset -v on_error_undo_renew_move
 else
- # If renew failed then restore cert. Otherwise, issue a warning
+ # If renew failed then restore cert.
+ # Otherwise, issue a warning
 renew_restore_move
 die "\
 Renewal has failed to build a new certificate/key pair."
@@ -2316,7 +2327,8 @@ renew_restore_move() {
 if [ "$rrm_err" ]; then
 warn "Failed to restore renewed files."
 else
- notice "Renew FAILED but files have been successfully restored."
+ notice "\
+Renew FAILED but files have been successfully restored."
 fi
 
 return 0

From 6e0a9c78c4eb210674e7fb4fade2f5dbd9ed57b6 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 22:38:12 +0000
Subject: [PATCH 5/6] Wrap long lines hide_read_pass() get_passphrase()

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index bdf55be..ef2f0af 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1239,7 +1239,8 @@ hide_read_pass()
 elif (echo | read -r -s 2>/dev/null) ; then
 read -r -s "$@"
 else
- warn "Could not disable echo. Password will be shown on screen!"
+ warn "\
+Could not disable echo. Password will be shown on screen!"
 read -r "$@"
 fi
 
@@ -1254,9 +1255,11 @@ get_passphrase() {
 
 hide_read_pass r
 if [ "${#r}" -lt 4 ]; then
- printf '\n%s\n' "Passphrase must be at least 4 characters!"
+ printf '\n%s\n' \
+ "Passphrase must be at least 4 characters!"
 else
- safe_set_var "$*" "$r" || die "Passphrase error!"
+ safe_set_var "$*" "$r" || \
+ die "Passphrase error!"
 unset -v r
 print
 return 0
From e4b02a1dcb694760da3859d97ba04d2504b1d314 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sat, 17 Dec 2022 22:40:56 +0000
Subject: [PATCH 6/6] Function safe_set_var(): Hard exit for unexpected errors

Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ef2f0af..17c05a1 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -3743,14 +3743,15 @@ db_date_to_ff_date() {
 
 # sanatize and set var
 safe_set_var() {
- [ "$#" -eq 2 ] || return 1
+ [ "$#" -eq 2 ] || die "safe_set_var - input"
 # check for simple errors
 case "$1" in
- [1234567890]*|*-*|"* *") return 1
+ [1234567890]*|*[-.\ ]*)
+ die "safe_set_var - var"
 esac
- eval "$1"=1 || die "safe_set_var - eval"
- unset -v "$1" || die "safe_set_var - unset"
- set_var "$1" "$2" || die "safe_set_var - set_var"
 } # => safe_set_var()
 
 # get the serial number of the certificate -> serial=XXXX
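Review bot: The new `case` arm `[1234567890]*|*[-.\ ]*)` is a blacklist, and `$1` is still spliced into `eval "$1"=1` two lines below it, so any other character that is not legal in a shell variable name still reaches `eval` unchecked; the old `"* *"` arm was a literal match rather than a space check, and this commit fixes that only for space, `-` and `.`. A whitelist on the name is both complete and consistent with the hunk's deliberately spelled-out digit class: `[1234567890]*|*[!_1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]*) die "safe_set_var - var"` rejects everything except a valid identifier. The visible caller in this series passes a script-chosen name (`get_passphrase` passes `"$*"`), so this hardens the guard rather than fixing a reachable fault from the call sites shown.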