write: Always use verify_working_env()

Move the creation of secure_session and openssl-easyrsa.cnf (Temp) to verify_working_env(). Create a session and temp-file in the temp-dir EASRSA_TEMP_DIR, provided that the directory exists. By default, EASYRSA_TEMP_DIR is set to the current PKI but that can be decoupled and command 'write' can be run without a PKI, so long as a valid temp-dir exists. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
OpenVPN · Jan 9, 2024 · fd5e125 · fd5e125
1 parent c615f30
commit fd5e125
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 16 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -5,6 +5,7 @@ Easy-RSA 3 ChangeLog
    PENDING: Branch-merge: v3.2.0-beta2 (#1055)
    * Always use here-doc version of openssl-easyrsa.cnf (2a8c0de)
      Only use here-doc if the current version is recognised by sha256 hash.
+     This will DELETE any default version of openssl-easyrsa.cnf
    * export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de)
      Fallback to encryption algorithm RC2_CBC or 3DES_CBC
    * export-p12: Always set 'friendlyName' to file-name-base (da9e594)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -5346,6 +5346,7 @@ ${unexpected_error}"
 
 # Verify working environment
 verify_working_env() {
+	verbose "verify_working_env: BEGIN"
 	# For commands which 'require a PKI' and PKI exists
 	if  [ "$require_pki" ]; then
 		# Verify PKI is initialised
@@ -5354,6 +5355,7 @@ verify_working_env() {
 		# Temp dir session and default SSL conf file
 		if [ -z "$secured_session" ]; then
 			secure_session
+
 			# Verify or create temp EASYRSA_SSL_CONF
 			write_easyrsa_ssl_cnf_tmp
 		fi
@@ -5365,6 +5367,20 @@ verify_working_env() {
 		if [ "$require_ca" ]; then
 			verify_ca_init
 		fi
+	else
+		# For commands that do not require a PKI
+		# but do require a temp-dir, eg. 'write'
+		# If there is a valid temp-dir:
+		# Create temp-session and openssl-easyrsa.cnf (Temp) now
+		if [ -d "$EASYRSA_TEMP_DIR" ]; then
+			# Temp dir session and default SSL conf file
+			if [ -z "$secured_session" ]; then
+				secure_session
+
+				# Verify or create: EASYRSA_SSL_CONF
+				write_easyrsa_ssl_cnf_tmp
+			fi
+		fi
 	fi
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
 } # => verify_working_env()
@@ -6313,21 +6329,6 @@ locate_support_files
 # Verify SSL Lib - One time ONLY
 verify_ssl_lib
 
-# If there is a valid temp-dir:
-if [ "$require_pki" ]; then
-	# taken care of later by verify_working_env()
-	:
-else
-	# Create temp-session and openssl-easyrsa.cnf (Temp) now
-	if [ -d "$EASYRSA_TEMP_DIR" ]; then
-		# Temp dir session and default SSL conf file
-		secure_session
-
-		# Verify or create: EASYRSA_SSL_CONF
-		write_easyrsa_ssl_cnf_tmp
-	fi
-fi
-
 # Check $working_safe_ssl_conf, to build
 # a fully configured safe ssl conf, on the
 # next invocation of easyrsa_openssl()
@@ -6476,7 +6477,7 @@ case "$cmd" in
 			easyrsa_exit_with_error=1
 		;;
 	write)
-		# verify_working_env - Not required
+		verify_working_env
 		# Write legacy files to write_dir
 		# or EASYRSA_PKI or EASYRSA
 		case "$1" in