Merge branch 'TinCanTech-remove-init-pki-soft'

TinCanTech · TinCanTech · commit ea96b313b5dd · 2025-06-10T18:21:33.000+01:00
Signed-off-by: Richard T Bonhomme &lt;tincantech@protonmail.com&gt;
diff --git a/ChangeLog b/ChangeLog
@@ -2,6 +2,8 @@ Easy-RSA 3 ChangeLog
 
 3.2.3 (TBD)
 
+   * build-ca: Remove TLS Key processing (c1c2a06) (#1351)
+   * init-pki: Remove option 'soft' and TLS Key processing (976f864) (#1351)
    * peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode (8c1c435) (#1347)
    * TLS key generation: Allow 'gen-tls-auth/crypt-key' without a CA Cert (2580dc2) (#1345)
    * Inline_file(): Improvements self-signed integration (bc72a21) (#1345)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -28,7 +28,7 @@ For a list of utility commands, use:
   ./easyrsa help util
 
 A list of commands is shown below:
-  init-pki [ cmd-opts ]
+  init-pki
   self-sign-server <file_name_base> [ cmd-opts ]
   self-sign-client <file_name_base> [ cmd-opts ]
   build-ca [ cmd-opts ]
@@ -123,12 +123,6 @@ Usage: easyrsa [ OPTIONS.. ] <COMMAND> <TARGET> [ cmd-opts.. ]"
 * init-pki [ cmd-opts ]
 
       Removes & re-initializes the PKI directory for a new PKI"
-
-		opts="
-      * hard    - Recursively delete the ENTIRE PKI directory (default).
-      * soft    - Keep the named PKI directory and PKI 'vars' file intact.
-                  Also keep the current Request files,
-                  to be signed by a new CA (Partial CA renewal)."
 	;;
 	self-sign*)
 		text="
@@ -1398,23 +1392,6 @@ $verify_ca_help_note"
 
 # init-pki backend:
 init_pki() {
-	# Process command options
-	reset="hard"
-	while [ "$1" ]; do
-		case "$1" in
-			hard-reset|hard)
-				reset="hard"
-				confirm_msg=
-			;;
-			soft-reset|soft)
-				reset="soft"
-				confirm_msg='PARTIALLY '
-			;;
-			*) warn "Ignoring unknown command option: '$1'"
-		esac
-		shift
-	done
-
 	# EasyRSA will NOT do 'rm -rf /'
 	case "$EASYRSA_PKI" in
 		.|..|./|../|.//*|..//*|/|//*|\\|?:|'')
@@ -1426,116 +1403,22 @@ init_pki() {
 		confirm "Confirm removal: " "yes" "
 WARNING!!!
 
-You are about to ${confirm_msg}remove the EASYRSA_PKI at:
+You are about to remove the EASYRSA_PKI at:
 * $EASYRSA_PKI
 
 and initialize a fresh PKI here."
-
-		# now remove it:
-		case "$reset" in
-		hard)
-			# Promote use of 'init-pki soft':
-			confirm "
-  WARNING: COMPLETELY DESTROY current PKI (NOT recommended) ?
-
-    [yes/NO]: " yes "\
-         ******************************************
-         * SECOND WARNING - STOP - SECOND WARNING *
-         ******************************************
-
-  To keep your current 'pki/vars' settings use 'init-pki soft'.
-  To keep your current Request files use 'init-pki soft'
-  The Requests can then be signed by a new CA (Partial CA renewal)
-  To keep your current Easy-RSA TLS Key use 'init-pki soft'
-  This private key file is in use by your current VPN.
-
-       ** USE OF   'init-pki soft'   IS RECOMMENDED **${NL}"
-
-			# # # shellcheck disable=SC2115 # Use "${var:?}"
-			rm -rf "$EASYRSA_PKI" || \
-				die "init-pki hard reset failed."
-		;;
-		soft)
-		# There is no unit test for a soft reset
-		# Save existing TLS key
-			tls_key_file="$EASYRSA_PKI"/private/easyrsa-tls.key
-			old_tls_key_file="$EASYRSA_PKI"/easyrsa-keepsafe-tls.key
-
-			# If both keys exist then they must be the same
-			if [ -f "$old_tls_key_file" ]; then
-				if [ -f "$tls_key_file" ]; then
-					# Match by hash
-					tls_key_hash="$(
-						"$EASYRSA_OPENSSL" dgst -sha256 \
-							"$tls_key_file")"
-					tls_key_hash="${tls_key_hash##* }"
-					old_tls_key_hash="$(
-						"$EASYRSA_OPENSSL" dgst -sha256 \
-							"$old_tls_key_file")"
-					old_tls_key_hash="${old_tls_key_hash##* }"
-					[ "$tls_key_hash" = "$old_tls_key_hash" ] || \
-						user_error "\
-Easy-RSA TLS Keys do not match, only ONE of these files is valid:
-* $tls_key_file
-* $old_tls_key_file
-
-Please delete the key above that is no longer in use."
-				fi
-			fi
-
-			# Save existing TLS key
-			if [ -f "$tls_key_file" ]; then
-				tls_key_data="$(cat "$tls_key_file")"
-			else
-				tls_key_data=
-			fi
-
-			# Do NOT remove pki/reqs sub-dir, for "renew ca"
-			for i in ca.crt crl.pem \
-				issued private inline revoked renewed expired \
-				serial serial.old index.txt index.txt.old \
-				index.txt.attr index.txt.attr.old certs_by_serial
-			do
-				# # # shellcheck disable=SC2115 # Use "${var:?}"
-				target="$EASYRSA_PKI/$i"
-				if [ "${target%/*}" ]; then
-					rm -rf "$target" || \
-						die "init-pki soft reset(1) failed!"
-				else
-					die "init-pki soft reset(2) failed!"
-				fi
-			done
-		;;
-		*)
-			user_error "Unknown reset type: $reset"
-		esac
 	fi
 
+	# # # shellcheck disable=SC2115 # Use "${var:?}"
+	rm -rf "$EASYRSA_PKI" || \
+		die "init-pki hard reset failed."
+
 	# new dirs:
 	easyrsa_mkdir "$EASYRSA_PKI"
 	for i in issued private reqs; do
 		easyrsa_mkdir "${EASYRSA_PKI}/$i"
 	done
 
-	# If one existed then recreate old TLS key backup file
-	if [ "$tls_key_data" ]; then
-		header="# Easy-RSA TLS Key: $(date)${NL}# DO NOT DELETE"
-		printf '%s\n\n%s\n' "$header" "$tls_key_data" \
-			> "$old_tls_key_file"
-		tls_msg="${NL}
-Previous Easy-RSA TLS key saved to:
-* $old_tls_key_file${NL}"
-	else
-		# if an OLD TLS key still exists then notify user
-		if [ -f "$old_tls_key_file" ]; then
-			tls_msg="${NL}
-Existing Easy-RSA TLS key preserved:
-* $old_tls_key_file${NL}"
-		else
-			tls_msg=
-		fi
-	fi
-
 	# write pki/vars.example - no temp-file because no session
 	write_legacy_file_v2 \
 		vars "$EASYRSA_PKI"/vars.example overwrite || \
@@ -1553,7 +1436,7 @@ Your newly created PKI dir is:
 	select_vars
 	information "\
 Using Easy-RSA configuration:
-* ${EASYRSA_VARS_FILE:-undefined}${tls_msg}"
+* ${EASYRSA_VARS_FILE:-undefined}"
 } # => init_pki()
 
 # Find support files from various sources
@@ -1733,40 +1616,6 @@ Unable to create necessary PKI files (permissions?)"
 		> "$EASYRSA_PKI/serial" || die "$err_msg"
 	unset -v err_msg
 
-	# If one exists then recreate TLS Key
-	tls_key_file="$EASYRSA_PKI"/private/easyrsa-tls.key
-	old_tls_key_file="$EASYRSA_PKI"/easyrsa-keepsafe-tls.key
-	if [ -f "$old_tls_key_file" ]; then
-		confirm "Re-install existing Easy-RSA TLS Key ? " yes "
-An Easy-RSA TLS Key, saved by 'init-pki soft', has been found.
-This TLS Key is in use by your VPN, it is recommended that you
-re-install this TLS Key.
-
-Note:
-This is a private key and will NOT be added to new inline files.
-
-To create a new Easy-RSA TLS Key, delete this old TLS Key above."
-		cp "$old_tls_key_file" "$tls_key_file" || \
-			warn "Failed to install TLS Key!"
-		tls_key_msg="${NL}
-NOTICE: The previous Easy-RSA TLS Key has been installed:
-* $tls_key_file
-
-This TLS Key will NOT be added to new inline files. These new
-inline files can then be easily distributed to your servers and
-clients. The TLS Key that your servers and clients have previously
-received, can be added to the inline file manually.
-
-To re-enable automatically adding this TLS Key to inline files,
-simply delete the backup TLS Key at:
-* $old_tls_key_file
-
-To create a new Easy-RSA TLS Key, delete both TLS Keys above."
-	else
-		tls_key_msg="${NL}
-Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'"
-	fi
-
 	# Set ssl batch mode, as required
 	[ "$EASYRSA_BATCH" ] && ssl_batch=1
 
@@ -2002,7 +1851,7 @@ Prior to signing operations, place your resulting Sub-CA cert at:
 	else
 		notice "\
 CA creation complete. Your new CA certificate is at:
-* $out_file${tls_key_msg}
+* $out_file
 
 Build-ca completed successfully."
 	fi
