From 70b388f0a2348bbd59992d8633c643e44714aa84 Mon Sep 17 00:00:00 2001 From: Anders Blomdell Date: Wed, 4 May 2022 12:49:51 +0200 Subject: [PATCH 1/4] Add command for testing which certificates are eligible for renewal --- easyrsa3/easyrsa | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c625752..b88580d 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -36,6 +36,7 @@ Here is the list of commands available with a short syntax reminder. Use the revoke [cmd-opts] revoke-renewed [cmd-opts] renew [cmd-opts] + renewable [ ] build-serverClient-full [ cmd-opts ] gen-crl update-db @@ -138,6 +139,9 @@ cmd_help() { Renew a certificate specified by the filename_base" opts=" nopass - do not encrypt the private key (default is encrypted)" ;; + renewable) text=" + renewable [ ] + Check which certificates can be renewed" ;; gen-crl) text=" gen-crl Generate a CRL" ;; @@ -2055,6 +2059,32 @@ revoke_renewed_move() { return 0 } # => revoke_renewed_move() +# renewable backend +renewable() { + verify_ca_init + + in_dir="$EASYRSA_PKI" + if [ $# -eq 0 ] ; then + candidates=( $(ls ${in_dir}/issued/ | sed -e 's|.crt$||p;d' ) ) + else + candidates=( $@ ) + fi + matches=() + for candidate in ${candidates[@]} ; do + crt_in="$in_dir/issued/$candidate.crt" + cert_dates "$crt_in" + if [ "$expire_date" -lt "$allow_renew_date" ] ; then + matches+=( $candidate ) + fi + done + if [ ${#matches[@]} -eq 0 ] ; then + # Nothing to renew + exit 1 + else + print "${matches[@]}" + fi +} # => renewable + # gen-crl backend gen_crl() { verify_ca_init @@ -3579,6 +3609,9 @@ case "$cmd" in renew) renew "$@" ;; + renewable) + renewable "$@" + ;; import-req) import_req "$@" ;; From 5c1a77cf66da716e70afa6b7c5f398715016fb88 Mon Sep 17 00:00:00 2001 
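Review bot: The candidate list in the new `renewable()` is built by parsing `ls` output and then expanded unquoted (`for candidate in ${candidates[@]}`), so any name in `issued/` containing whitespace or glob characters is split or expanded against the current directory before `crt_in` is formed. A glob over the directory avoids both problems and the `ls` pipeline: `for crt_in in "$in_dir"/issued/*.crt; do candidate=${crt_in##*/}; candidate=${candidate%.crt}`. The `sed` expression `s|.crt$||p;d` also leaves the dot unescaped, so it strips any character followed by `crt`; it should be `\.crt$`. Later patches in this series replace the listing, but the unquoted expansion of user-supplied names from `$@` is carried forward unchanged.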
From: Anders Blomdell Date: Wed, 4 May 2022 14:47:48 +0200 Subject: [PATCH 2/4] Get rid of bash arrays, we know that certificate names does not contain whitespace --- easyrsa3/easyrsa | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index b88580d..1647a1c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2065,23 +2065,24 @@ renewable() { in_dir="$EASYRSA_PKI" if [ $# -eq 0 ] ; then - candidates=( $(ls ${in_dir}/issued/ | sed -e 's|.crt$||p;d' ) ) + candidates=$(find "${in_dir}"/issued/ \ + | sort | sed -e 's|^.*/||;s|.crt$||p;d' ) else - candidates=( $@ ) + candidates=$* fi - matches=() - for candidate in ${candidates[@]} ; do + matches="" + for candidate in $candidates ; do crt_in="$in_dir/issued/$candidate.crt" cert_dates "$crt_in" if [ "$expire_date" -lt "$allow_renew_date" ] ; then - matches+=( $candidate ) + matches="$matches $candidate" fi done - if [ ${#matches[@]} -eq 0 ] ; then + if [ -z "$matches" ] ; then # Nothing to renew exit 1 else - print "${matches[@]}" + print "$matches" fi } # => renewable From d56dbcf300d64651e446ed4e60c0fbb953819bc7 Mon Sep 17 00:00:00 2001 From: Anders Blomdell Date: Thu, 5 May 2022 19:34:24 +0200 Subject: [PATCH 3/4] Get rid of non-existing find command --- easyrsa3/easyrsa | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 1647a1c..0c43ecf 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2065,8 +2065,14 @@ renewable() { in_dir="$EASYRSA_PKI" if [ $# -eq 0 ] ; then - candidates=$(find "${in_dir}"/issued/ \ - | sort | sed -e 's|^.*/||;s|.crt$||p;d' ) + awkscript=' +BEGIN { FS = "\t" }; +$1 ~ '/V/' { + gsub(".*/CN=", "", $6); + gsub("[^-0-9a-zA-Z.].*", "", $6); + print $6; +}' + candidates=$(awk "$awkscript" ${in_dir}/index.txt) else candidates=$* fi From b6089f25a72b810e57b9a9647da4e9258457ece9 Mon Sep 17 00:00:00 2001 
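Review bot: When names are passed on the command line (`candidates=$*`), the loop calls `cert_dates "$crt_in"` without checking that the file exists, so a typo or a name that was never issued reaches `cert_dates` with a missing path and whatever it then reports depends on that helper rather than on this command. A guard before the call makes the failure explicit: `[ -f "$crt_in" ] || die "No such certificate: $crt_in"` (or the script's usual error helper, if `die` is not it). Note that `$candidates` is still expanded unquoted in `for candidate in $candidates`, so a user-supplied name with glob characters is expanded against the current directory before it is looked up. The enclosing `renewable()` starts before and ends after this hunk.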
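Review bot: The awk script derives the file-name base from the subject's CN in `index.txt` and truncates it at the first character outside `[-0-9a-zA-Z.]`, but the files under `issued/` are named after the filename_base given when the certificate was created, which as far as I can tell need not equal the CN, and the class omits `_`, so a CN such as `web_01` becomes `web` and the loop then inspects `issued/web.crt` — a different certificate, or none. If the CN is to be used, the class should at least be `[^-_0-9a-zA-Z.]` and the truncated name should be checked against the `issued/` directory before `cert_dates` is called; listing `issued/` directly avoids the mapping altogether. Separately, `'/V/'` inside the single-quoted `awkscript` closes and reopens the shell quoting rather than quoting anything for awk — it works, but `$1 == "V" {` says what is meant; `${in_dir}/index.txt` should also be quoted. The enclosing `renewable()` starts before and ends after this hunk.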
From: Anders Blomdell Date: Fri, 6 May 2022 12:15:23 +0200 Subject: [PATCH 4/4] Do all renewable checking in awk script --- easyrsa3/easyrsa | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0c43ecf..86e6673 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2064,26 +2064,27 @@ renewable() { verify_ca_init in_dir="$EASYRSA_PKI" - if [ $# -eq 0 ] ; then - awkscript=' + MATCH=$(echo "$*" | sed -re 's/\s+/|/g') + DATE=$(date --date \ + "+${EASYRSA_CERT_RENEW} days" \ + +"%y%m%d%H%M%S") + { awkscript=$(cat) ; } <