From 09003e2682366208fa26e25209aecc845802d2e0 Mon Sep 17 00:00:00 2001
From: keros <notavail@keros.com>
Date: Wed, 13 May 2015 12:52:52 +0000
Subject: [PATCH 1/2] revoked files will be moved to subfolders

---
 easyrsa3/easyrsa | 66 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 2 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index a7d6345..881fa11 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -368,7 +368,7 @@ $help_note"
 	[ "$1" = "test" ] && return 0
 
 	# verify expected CA-specific dirs:
-	for i in issued certs_by_serial; do
+	for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
 		[ -d "$EASYRSA_PKI/$i" ] || die "\
 Missing expected CA dir: $i (perhaps you need to run build-ca?)
 $help_note"
@@ -446,7 +446,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 
 	# create necessary files and dirs:
 	local err_file="Unable to create necessary PKI files (permissions?)"
-	for i in issued certs_by_serial; do
+	for i in issued certs_by_serial revoked/certs_by_serial revoked/private_by_serial revoked/reqs_by_serial; do
 		mkdir -p "$EASYRSA_PKI/$i" || die "$err_file"
 	done
 	printf "" > "$EASYRSA_PKI/index.txt" || die "$err_file"
@@ -711,6 +711,9 @@ at: $crt_in"
 	"$EASYRSA_OPENSSL" ca -revoke "$crt_in" -config "$EASYRSA_SSL_CONF" || die "\
 Failed to revoke certificate: revocation command failed."
 
+	# move revoked files so we can reissue certificates with the same name
+	move_revoked $1
+
 	notice "\
 IMPORTANT!!!
 
@@ -720,6 +723,65 @@ infrastructure in order to prevent the revoked cert from being accepted.
 	return 0
 } #= revoke()
 
+# move-revoked
+# moves revoked certificates to an alternative folder
+# allows reissuing certificates with the same name
+move_revoked() {
+	verify_ca_init
+
+	[ -n "$1" ] || die "\
+Error: didn't find a file base name as the first argument.
+Run easyrsa without commands for usage and command help."
+
+	local crt_in="$EASYRSA_PKI/issued/$1.crt"
+	local key_in="$EASYRSA_PKI/private/$1.key"
+	local req_in="$EASYRSA_PKI/reqs/$1.req"
+
+	verify_file x509 "$crt_in" || die "\
+Unable to move revoked input file. The file is not a valid certificate. Unexpected
+input in file: $crt_in"
+
+	verify_file req "$req_in" || die "\
+Unable to move request. The file is not a valid request. Unexpected
+input in file: $req_in"
+
+	# get the serial number of the certificate -> serial=XXXX
+	local cert_serial="$($EASYRSA_OPENSSL x509 -in $crt_in -noout -serial)"
+	# remove the serial= part -> we only need the XXXX part
+	local cert_serial=${cert_serial##*=}
+
+	local crt_by_serial="$EASYRSA_PKI/certs_by_serial/$cert_serial.pem"
+	local crt_by_serial_revoked="$EASYRSA_PKI/revoked/certs_by_serial/$cert_serial.crt"
+	local key_by_serial_revoked="$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.key"
+	local req_by_serial_revoked="$EASYRSA_PKI/revoked/reqs_by_serial/$cert_serial.req"
+
+
+	# move crt, key and req file to revoked folders
+	mv "$crt_in" "$crt_by_serial_revoked"
+	mv "$req_in" "$req_by_serial_revoked"
+
+	# only move the key if we have it
+	if [ -e "$key_in" ]
+	then
+		mv "$key_in" "$key_by_serial_revoked"
+	fi
+
+	# move the rest of the files (p12, p7, ...)
+	for file in $EASYRSA_PKI/private/$1\.???
+	do
+		# get file extension
+		file_ext="${file##*.}"
+
+		mv $file "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
+	done
+
+	# remove the dublicate certificate in the certs_by_serial folder
+	rm "$crt_by_serial"
+
+	return 0
+
+} #= move_revoked()
+
 # gen-crl backend
 gen_crl() {
 	verify_ca_init

From 1b2f71de3c04a3351a57b555fcaa9c3f0c5440bc Mon Sep 17 00:00:00 2001
From: ValdikSS <iam@valdikss.org.ru>
Date: Sun, 17 Jan 2016 13:06:11 +0300
Subject: [PATCH 2/2] Properly escape parameters in moving revoked keys
 functionality

---
 easyrsa3/easyrsa | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 881fa11..14aa84a 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -712,7 +712,7 @@ at: $crt_in"
 Failed to revoke certificate: revocation command failed."
 
 	# move revoked files so we can reissue certificates with the same name
-	move_revoked $1
+	move_revoked "$1"
 
 	notice "\
 IMPORTANT!!!
@@ -746,7 +746,7 @@ Unable to move request. The file is not a valid request. Unexpected
 input in file: $req_in"
 
 	# get the serial number of the certificate -> serial=XXXX
-	local cert_serial="$($EASYRSA_OPENSSL x509 -in $crt_in -noout -serial)"
+	local cert_serial="$("$EASYRSA_OPENSSL" x509 -in "$crt_in" -noout -serial)"
 	# remove the serial= part -> we only need the XXXX part
 	local cert_serial=${cert_serial##*=}
 
@@ -767,12 +767,12 @@ input in file: $req_in"
 	fi
 
 	# move the rest of the files (p12, p7, ...)
-	for file in $EASYRSA_PKI/private/$1\.???
+	for file in "$EASYRSA_PKI/private/$1\.???"
 	do
 		# get file extension
 		file_ext="${file##*.}"
 
-		mv $file "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
+		mv "$file" "$EASYRSA_PKI/revoked/private_by_serial/$cert_serial.$file_ext"
 	done
 
 	# remove the dublicate certificate in the certs_by_serial folder