Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caucase
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Boxiang Sun
caucase
Commits
a36ccf92
Commit
a36ccf92
authored
Dec 13, 2018
by
Vincent Pelletier
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
shell: Use single-quote strings wherever possible.
Reduces backslash-doubling crazyness.
parent
268b3a53
Changes
1
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
134 additions
and
132 deletions
+134
-132
shell/caucase.sh
shell/caucase.sh
+134
-132
No files found.
shell/caucase.sh
View file @
a36ccf92
...
...
@@ -22,7 +22,7 @@ str2json () {
# Usage: str2json < str
# Note: using $() to strip the trailing newline added by jq.
printf
"%s"
"
$(
jq
--raw-input
--slurp
.
)
"
printf
'%s'
"
$(
jq
--raw-input
--slurp
.
)
"
}
pairs2obj
()
{
...
...
@@ -55,8 +55,8 @@ forEachJSONListItem () {
# shellcheck disable=SC2039
local
list index
list
=
"
$(
cat
)
"
for
index
in
$(
seq
0
$((
$(
printf
"%s
\\
n"
"
$list
"
| jq length
)
-
1
))
)
;
do
printf
"%s
\\
n"
"
$list
"
| jq
".[
$index
]"
|
"
$@
"
||
return
$?
for
index
in
$(
seq
0
$((
$(
printf
'%s\n'
"
$list
"
| jq length
)
-
1
))
)
;
do
printf
'%s\n'
"
$list
"
| jq
".[
$index
]"
|
"
$@
"
||
return
$?
done
}
...
...
@@ -69,10 +69,10 @@ wrap () {
# Note: $() looses trailing newlines, so payload should not need to end with
# any newline.
pairs2obj
\
"digest"
"
$(
printf
"%s"
"
$digest
"
| str2json
)
"
\
"payload"
"
$(
printf
"%s"
"
$payload
"
| str2json
)
"
\
"signature"
"
$(
printf
"%s%s "
"
$payload
"
"
$digest
"
\
'digest'
"
$(
printf
'%s'
"
$digest
"
| str2json
)
"
\
'payload'
"
$(
printf
'%s'
"
$payload
"
| str2json
)
"
\
'signature'
"
$(
printf
'%s%s '
"
$payload
"
"
$digest
"
\
| openssl dgst
\
-
"
$digest
"
\
-binary
\
...
...
@@ -99,12 +99,12 @@ unwrap () {
local
wrapped status json_digest digest signature_file payload pubkey_file
wrapped
=
"
$(
cat
)
"
json_digest
=
"
$(
printf
"%s
\\
n"
"
$wrapped
"
| jq .digest
)
"
if
[
"
$json_digest
"
=
"null"
]
;
then
json_digest
=
"
$(
printf
'%s\n'
"
$wrapped
"
| jq .digest
)
"
if
[
"
$json_digest
"
=
'null'
]
;
then
return
1
fi
digest
=
"
$(
printf
"%s
\\
n"
"
$json_digest
"
| jq
--raw-output
ascii_downcase
printf
'%s\n'
"
$json_digest
"
| jq
--raw-output
ascii_downcase
)
"
case
"
$digest
"
in
sha256|sha384|sha512
)
...
...
@@ -118,12 +118,12 @@ unwrap () {
;;
esac
signature_file
=
"
$(
mktemp
--suffix
=
unwrap.sig
)
"
printf
"%s
\\
n"
"
$wrapped
"
| jq
--raw-output
.signature |
\
printf
'%s\n'
"
$wrapped
"
| jq
--raw-output
.signature |
\
base64
-d
>
"
$signature_file
"
payload
=
"
$(
printf
"%s
\\
n"
"
$wrapped
"
| jq
--raw-output
.payload
)
"
payload
=
"
$(
printf
'%s\n'
"
$wrapped
"
| jq
--raw-output
.payload
)
"
pubkey_file
=
"
$(
mktemp
--suffix
=
unwrap.pub
)
"
if
printf
"%s
\\
n"
"
$payload
"
"
$@
"
| openssl x509
-pubkey
-noout
>
"
$pubkey_file
"
;
then
printf
"%s%s "
"
$payload
"
"
$digest
"
\
if
printf
'%s\n'
"
$payload
"
"
$@
"
| openssl x509
-pubkey
-noout
>
"
$pubkey_file
"
;
then
printf
'%s%s '
"
$payload
"
"
$digest
"
\
| openssl dgst
\
-
"
$digest
"
\
-verify
"
$pubkey_file
"
\
...
...
@@ -136,7 +136,7 @@ unwrap () {
status
=
2
fi
rm
"
$signature_file
"
"
$pubkey_file
"
test
$status
-eq
0
&&
printf
"%s"
"
$payload
"
test
$status
-eq
0
&&
printf
'%s'
"
$payload
"
return
$status
}
...
...
@@ -145,10 +145,10 @@ nullUnwrap () {
# shellcheck disable=SC2039
local
wrapped
wrapped
=
"
$(
cat
)
"
if
[
"
$(
printf
"%s
\\
n"
"
$wrapped
"
| jq
'.digest'
)
"
!=
"null"
]
;
then
if
[
"
$(
printf
'%s\n'
"
$wrapped
"
| jq
'.digest'
)
"
!=
'null'
]
;
then
return
1
fi
printf
"%s
\\
n"
"
$wrapped
"
| jq .payload
printf
'%s\n'
"
$wrapped
"
| jq .payload
}
writeCertKey
()
{
...
...
@@ -162,8 +162,8 @@ writeCertKey () {
:
>
"
$crt_path
"
:
>
"
$key_path
"
test
$need_chmod
-eq
0
&&
chmod
go
=
"
$key_path
"
printf
"%s
\\
n"
"
$key_data
"
>>
"
$key_path
"
printf
"%s
\\
n"
"
$crt_data
"
>>
"
$crt_path
"
printf
'%s\n'
"
$key_data
"
>>
"
$key_path
"
printf
'%s\n'
"
$crt_data
"
>>
"
$crt_path
"
}
alias
CURL
=
'curl --silent'
...
...
@@ -176,40 +176,40 @@ PUTNoOut () {
local
result
if
result
=
"
$(
PUT
\
--write-out
"
\\
n%{http_code}
\\
n"
\
--write-out
'\n%{http_code}\n'
\
"
$@
"
)
"
;
then
:
else
return
3
fi
case
"
$(
printf
"%s
\\
n"
"
$result
"
|
tail
-n
1
)
"
in
case
"
$(
printf
'%s\n'
"
$result
"
|
tail
-n
1
)
"
in
2??
)
return
0
;;
401
)
printf
"Unauthorized
\\
n"
>
&2
printf
'Unauthorized\n'
>
&2
return
2
;;
409
)
printf
"Found
\\
n"
>
&2
printf
'Found\n'
>
&2
return
4
;;
*
)
printf
"%s
\\
n"
"
$result
"
|
head
-n
-1
>
&2
printf
'%s\n'
"
$result
"
|
head
-n
-1
>
&2
return
1
;;
esac
}
_matchCertificateBoundary
()
{
test
"
$1
"
=
"-----END CERTIFICATE-----"
test
"
$1
"
=
'-----END CERTIFICATE-----'
return
$?
}
_matchPrivateKeyBoundary
()
{
case
"
$1
"
in
"-----END PRIVATE KEY-----"
|
"-----END RSA PRIVATE KEY-----"
)
'-----END PRIVATE KEY-----'
|
'-----END RSA PRIVATE KEY-----'
)
return
0
;;
esac
...
...
@@ -223,34 +223,34 @@ _forEachPEM () {
# <command> receives each matching PEM element as input.
# If <command> exit status is non-zero, enumeration stops.
# shellcheck disable=SC2039
local
tester
=
"
$1
"
current
=
""
local
tester
=
"
$1
"
current
=
''
shift
while
IFS
=
read
-r
line
;
do
if
[
-z
"
$current
"
]
;
then
current
=
"
$line
"
else
current
=
"
$(
printf
"%s
\\
n%s"
"
$current
"
"
$line
"
)
"
current
=
"
$(
printf
'%s\n%s'
"
$current
"
"
$line
"
)
"
fi
case
"
$line
"
in
"-----END "
*
"-----"
)
'-----END '
*
'-----'
)
if
"
$tester
"
"
$line
"
;
then
printf
"%s
\\
n"
"
$current
"
|
"
$@
"
||
return
$?
printf
'%s\n'
"
$current
"
|
"
$@
"
||
return
$?
fi
current
=
""
current
=
''
;;
esac
done
}
alias
forEachCertificate
=
"_forEachPEM _matchCertificateBoundary"
alias
forEachCertificate
=
'_forEachPEM _matchCertificateBoundary'
# Iterate over certificate of a PEM file, piping each to <command>
# Usage: _forEachPEM <command> [<arg> ...] < pem
alias
forEachPrivateKey
=
"_forEachPEM _matchPrivateKeyBoundary"
alias
forEachPrivateKey
=
'_forEachPEM _matchPrivateKeyBoundary'
# Iterate over private key of a PEM file, piping each to <command>
# Usage: _forEachPEM <command> [<arg> ...] < pem
alias
pem2fingerprint
=
"openssl x509 -fingerprint -noout"
alias
pem2fingerprint
=
'openssl x509 -fingerprint -noout'
pemFingerprintIs
()
{
# Usage: pemFingerprintIs <fingerprint> < certificate
...
...
@@ -264,7 +264,7 @@ expiresBefore () {
# <date> must be a unix timestamp (date +%s)
# shellcheck disable=SC2039
local
enddate
enddate
=
"
$(
openssl x509
-enddate
-noout
|
sed
"s/^[^=]*=//"
)
"
enddate
=
"
$(
openssl x509
-enddate
-noout
|
sed
's/^[^=]*=//'
)
"
test
$?
-ne
0
&&
return
1
test
"
$(
date
--date
=
"
$enddate
"
+%s
)
"
-lt
"
$1
"
return
$?
...
...
@@ -277,7 +277,7 @@ printIfExpiresAfter () {
# shellcheck disable=SC2039
local
crt
crt
=
"
$(
cat
)
"
printf
"%s
\\
n"
"
$crt
"
| expiresBefore
"
$1
"
||
printf
"%s
\\
n"
"
$crt
"
printf
'%s\n'
"
$crt
"
| expiresBefore
"
$1
"
||
printf
'%s\n'
"
$crt
"
}
appendValidCA
()
{
...
...
@@ -290,15 +290,15 @@ appendValidCA () {
if
payload
=
$(
unwrap jq
--raw-output
.old_pem
)
;
then
:
else
printf
"Bad signature, something is very wrong"
>
&2
printf
'Bad signature, something is very wrong'
>
&2
return
1
fi
cert
=
"
$(
printf
"%s
\\
n"
"
$payload
"
| jq
--raw-output
.old_pem
)
"
cert
=
"
$(
printf
'%s\n'
"
$payload
"
| jq
--raw-output
.old_pem
)
"
forEachCertificate
\
pemFingerprintIs
\
"
$(
printf
"%s
\\
n"
"
$cert
"
| pem2fingerprint
)
"
<
"
$ca
"
"
$(
printf
'%s\n'
"
$cert
"
| pem2fingerprint
)
"
<
"
$ca
"
if
[
$?
-eq
1
]
;
then
printf
"%s
\\
n"
"
$cert
"
>>
"
$ca
"
printf
'%s\n'
"
$cert
"
>>
"
$ca
"
fi
}
...
...
@@ -307,16 +307,16 @@ checkCertificateMatchesKey () {
# Returns 0 if certificate's public key matches private key's public key,
# 1 otherwise.
test
"
$(
printf
"%s
\\
n"
"
$1
"
| openssl x509
-modulus
-noout
|
sed
"s/^Modulus=//"
printf
'%s\n'
"
$1
"
| openssl x509
-modulus
-noout
|
sed
's/^Modulus=//'
)
"
=
"
$(
echo
"
$2
"
| openssl rsa
-modulus
-noout
|
sed
"s/^Modulus=//"
echo
"
$2
"
| openssl rsa
-modulus
-noout
|
sed
's/^Modulus=//'
)
"
return
$?
}
checkDeps
()
{
# shellcheck disable=SC2039
local
missingdeps
=
""
dep
local
missingdeps
=
''
dep
# Expected builtins & keywords:
# alias local if then else elif fi for in do done case esac return [ test
# shift set
...
...
@@ -328,7 +328,7 @@ checkDeps () {
return
1
fi
if
[
!
-r
/dev/null
]
||
[
!
-w
/dev/null
]
;
then
echo
"Cannot read from & write to /dev/null"
>
&2
echo
'Cannot read from & write to /dev/null'
>
&2
return
1
fi
}
...
...
@@ -367,34 +367,34 @@ EOF
)
"
if
newcrtdata
=
"
$(
pairs2obj
\
"crt_pem"
"
$(
str2json
)
"
\
"renew_csr_pem"
"
$(
'crt_pem'
"
$(
str2json
)
"
\
'renew_csr_pem'
"
$(
echo
"
$newkeydata
"
\
| openssl req
\
-new
\
-key
-
\
-subj
"/CN=dummy"
\
-subj
'/CN=dummy'
\
-config
"
$emptyreqcnf
"
\
| str2json
)
"
\
| wrap
"
$oldkey
"
"sha256"
\
| wrap
"
$oldkey
"
'sha256'
\
| PUT
--insecure
\
--header
"Content-Type: application/json"
\
--header
'Content-Type: application/json'
\
"
$url
/crt/renew/"
)
"
;
then
if
[
\
"x
$(
printf
"%s
\\
n"
"
$newcrtdata
"
|
head
-n
1
)
"
\
"x
$(
printf
'%s\n'
"
$newcrtdata
"
|
head
-n
1
)
"
\
=
\
"x-----BEGIN CERTIFICATE-----"
\
'x-----BEGIN CERTIFICATE-----'
\
]
;
then
if
checkCertificateMatchesKey
"
$newcrtdata
"
"
$newkeydata
"
;
then
writeCertKey
"
$newcrt
"
"
$newcrtdata
"
"
$newkey
"
"
$newkeydata
"
rm
"
$emptyreqcnf
"
return
0
fi
printf
"Certificate does not match private key
\\
n"
>
&2
printf
'Certificate does not match private key\n'
>
&2
else
printf
"%s"
"
$newcrtdata
"
>
&2
printf
'%s'
"
$newcrtdata
"
>
&2
fi
fi
rm
"
$emptyreqcnf
"
...
...
@@ -403,10 +403,10 @@ EOF
revokeCertificate
()
{
# Usage: <url> <key_path> < crt
pairs2obj
"revoke_crt_pem"
"
$(
str2json
)
"
\
| wrap
"
$2
"
"sha256"
\
pairs2obj
'revoke_crt_pem'
"
$(
str2json
)
"
\
| wrap
"
$2
"
'sha256'
\
| PUTNoOut
\
--header
"Content-Type: application/json"
\
--header
'Content-Type: application/json'
\
--insecure
\
"
$1
/crt/revoke/"
return
$?
...
...
@@ -414,11 +414,11 @@ revokeCertificate () {
revokeCRTWithoutKey
()
{
# Usage: <url> <ca> <user crt> < crt
pairs2obj
"revoke_crt_pem"
"
$(
str2json
)
"
\
pairs2obj
'revoke_crt_pem'
"
$(
str2json
)
"
\
| nullWrap
\
| PUTNoOut
\
--cert
"
$3
"
\
--header
"Content-Type: application/json"
\
--header
'Content-Type: application/json'
\
--cacert
"
$2
"
\
"
$1
/crt/revoke/"
return
$?
...
...
@@ -426,11 +426,11 @@ revokeCRTWithoutKey () {
revokeSerial
()
{
# Usage: <url> <ca> <user crt> <serial>
pairs2obj
"revoke_serial"
"
$4
"
\
pairs2obj
'revoke_serial'
"
$4
"
\
| nullWrap
\
| PUTNoOut
\
--cert
"
$3
"
\
--header
"Content-Type: application/json"
\
--header
'Content-Type: application/json'
\
--cacert
"
$2
"
\
"
$1
/crt/revoke/"
return
$?
...
...
@@ -450,24 +450,24 @@ updateCACertificate () {
status
=
$?
test
$status
-ne
0
&&
return
1
valid_ca
=
"
$(
printf
"%s
\\
n"
"
$orig_ca
"
\
printf
'%s\n'
"
$orig_ca
"
\
| forEachCertificate printIfExpiresAfter
"
$(
date
+%s
)
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
1
printf
"%s
\\
n"
"
$valid_ca
"
>
"
$ca
"
printf
'%s\n'
"
$valid_ca
"
>
"
$ca
"
if
[
!
-r
"
$cas_ca
"
]
;
then
# Should never be reached, as this function should be run once with
# cas_ca == ca (to update CAS' CA), in which case cas_ca exists by this
# point. CAU's CA should only be updated after, and by that point CAS' CA
# already exists.
printf
"%s does not exist
\\
n"
"
$cas_ca
"
printf
'%s does not exist\n'
"
$cas_ca
"
return
1
fi
future_ca
=
"
$(
CURL
--cacert
"
$cas_ca
"
"
$url
/crt/ca.crt.json"
)
"
status
=
$?
test
$status
-ne
0
&&
return
1
printf
"%s
\\
n"
"
$future_ca
"
| forEachJSONListItem appendValidCA
"
$ca
"
printf
'%s\n'
"
$future_ca
"
| forEachJSONListItem appendValidCA
"
$ca
"
}
getCertificateRevocationList
()
{
...
...
@@ -490,13 +490,13 @@ getPendingCertificateRequestList () {
createCertificateSigningRequest
()
{
# Usage: <url> < csr > csr id
PUT
--insecure
--header
"Content-Type: application/pkcs10"
"
$1
/csr"
\
PUT
--insecure
--header
'Content-Type: application/pkcs10'
"
$1
/csr"
\
--dump-header
- |
while
IFS
=
read
-r
line
;
do
# Note: $line contains trailing \r, which will not get stripped by $().
# So strip it with sed instead.
case
"
$line
"
in
"Location: "
*
)
printf
"%s
\\
n"
"
$line
"
|
sed
"s/^Location:
\\
(
\\
S*
\\
).*/
\\
1/"
'Location: '
*
)
printf
'%s\n'
"
$line
"
|
sed
's/^Location: \(\S*\).*/\1/'
;;
esac
done
...
...
@@ -516,7 +516,7 @@ getCertificate () {
CURL
--fail
--insecure
"
$1
/crt/
$2
"
status
=
$?
if
[
$status
-ne
0
]
;
then
printf
"Certificate %s not found (not signed yet or rejected)
\\
n"
"
$2
"
>
&2
printf
'Certificate %s not found (not signed yet or rejected)\n'
"
$2
"
>
&2
return
1
fi
}
...
...
@@ -528,7 +528,7 @@ createCertificate () {
PUTNoOut
--cert
"
$3
"
--cacert
"
$2
"
"
$1
/crt/
$4
"
< /dev/null
result
=
$?
if
[
$result
-ne
0
]
;
then
printf
"%s: No such pending signing request
\\
n"
"
$4
"
>
&2
printf
'%s: No such pending signing request\n'
"
$4
"
>
&2
fi
return
$result
}
...
...
@@ -536,7 +536,7 @@ createCertificate () {
createCertificateWith
()
{
# Usage: <url> <ca> <user crt> <csr id> < csr
PUTNoOut
--cert
"
$3
"
--cacert
"
$2
"
\
--header
"Content-Type: application/pkcs10"
"
$1
/crt/
$4
"
--header
'Content-Type: application/pkcs10'
"
$1
/crt/
$4
"
return
$?
}
...
...
@@ -628,17 +628,19 @@ These options require --user-key .
Special actions
--help
Display this help and exit.
--version
Display command version and exit.
EOF
}
_argUsage
()
{
printf
"%s: %s
\\
n"
"
$arg
"
"
$1
"
>
&2
printf
'%s: %s\n'
"
$arg
"
"
$1
"
>
&2
_usage
>
&2
}
_needArg
()
{
if
[
"
$argc
"
-lt
"
$1
"
]
;
then
printf
"%s
\\
n"
"
$arg
needs
$1
arguments"
>
&2
printf
'%s\n'
"
$arg
needs
$1
arguments"
>
&2
_usage
>
&2
return
1
fi
...
...
@@ -646,7 +648,7 @@ EOF
_needURLAndArg
()
{
if
[
-z
"
$ca_anon_url
"
]
;
then
printf
"%s
\\
n"
"--ca-url must be provided before
$arg
"
>
&2
printf
'%s\n'
"--ca-url must be provided before
$arg
"
>
&2
return
1
fi
_needArg
"
$1
"
||
return
1
...
...
@@ -654,7 +656,7 @@ EOF
_needAuthURLAndArg
()
{
if
[
-z
"
$user_key
"
]
;
then
printf
"%s
\\
n"
"--user-key must be provided before
$arg
"
>
&2
printf
'%s\n'
"--user-key must be provided before
$arg
"
>
&2
return
1
fi
_needURLAndArg
"
$1
"
||
return
1
...
...
@@ -670,7 +672,7 @@ EOF
_printOneKey
()
{
# Called from _main, sets global "key_found".
if
[
$key_found
-ne
0
]
;
then
_argUsage
"Multiple private keys"
_argUsage
'Multiple private keys'
return
1
fi
key_found
=
1
...
...
@@ -680,7 +682,7 @@ EOF
_printOneCert
()
{
# Called indirectly from _main, sets global "crt_found".
if
[
"
$crt_found
"
-ne
0
]
;
then
_argUsage
"Multiple certificates"
_argUsage
'Multiple certificates'
return
1
fi
crt_found
=
1
...
...
@@ -693,11 +695,11 @@ EOF
local
crt
crt
=
"
$(
cat
)
"
if
[
$crt_found
-ne
0
]
;
then
_argUsage
"Multiple certificates"
_argUsage
'Multiple certificates'
return
1
fi
crt_found
=
1
checkCertificateMatchesKey
"
$crt
"
"
$1
"
&&
printf
"%s
\\
n"
"
$crt
"
checkCertificateMatchesKey
"
$crt
"
"
$1
"
&&
printf
'%s\n'
"
$crt
"
}
_matchOneKeyAndPrintOneMatchingCert
()
{
...
...
@@ -714,37 +716,37 @@ EOF
status
=
$?
test
$status
-ne
0
&&
return
$status
if
[
-z
"
$crt
"
]
;
then
_argUsage
"No certificate matches private key"
_argUsage
'No certificate matches private key'
return
1
fi
printf
"%s
\\
n"
"
$crt
"
printf
'%s\n'
"
$crt
"
}
_printPendingCSR
()
{
# shellcheck disable=SC2039
local
json
json
=
"
$(
cat
)
"
printf
"%20s | %s
\\
n"
\
"
$(
printf
"%s
\\
n"
"
$json
"
| jq
--raw-output
.id
)
"
\
"
$(
printf
"%s
\\
n"
"
$json
"
| jq
--raw-output
.csr
\
| openssl req
-subject
-noout
|
sed
"s/^subject=//"
)
"
printf
'%20s | %s\n'
\
"
$(
printf
'%s\n'
"
$json
"
| jq
--raw-output
.id
)
"
\
"
$(
printf
'%s\n'
"
$json
"
| jq
--raw-output
.csr
\
| openssl req
-subject
-noout
|
sed
's/^subject=//'
)
"
}
_main
()
{
checkDeps
||
return
1
# shellcheck disable=SC2039
local
ca_anon_url
=
""
\
local
ca_anon_url
=
''
\
ca_auth_url
\
mode
=
"service"
\
mode_path
=
"cas"
\
cas_ca
=
"cas.crt.pem"
\
cau_ca
=
"cau.crt.pem"
\
cas_crl
=
"cas.crl.pem"
\
cau_crl
=
"cau.crl.pem"
\
mode
=
'service'
\
mode_path
=
'cas'
\
cas_ca
=
'cas.crt.pem'
\
cau_ca
=
'cau.crt.pem'
\
cas_crl
=
'cas.crl.pem'
\
cau_crl
=
'cau.crl.pem'
\
key_len
=
2048
\
update_user
=
0
\
user_key
=
""
\
user_key
=
''
\
threshold
=
31
\
status arg argc
\
ca_netloc ca_address ca_port ca_path
\
...
...
@@ -783,10 +785,10 @@ EOF
;;
http://
*
)
ca_netloc
=
"
$(
printf
"%s
\\
n"
"
$ca_anon_url
"
|
sed
"s!^http://
\\
([^/?#]*
\\
).*!
\\
1!"
printf
'%s\n'
"
$ca_anon_url
"
|
sed
's!^http://\([^/?#]*\).*!\1!'
)
"
ca_path
=
"
$(
printf
"%s
\\
n"
"
$ca_anon_url
"
|
sed
"s!^http://[^/?#]*!!"
printf
'%s\n'
"
$ca_anon_url
"
|
sed
's!^http://[^/?#]*!!'
)
"
ca_port
=
80
# Note: too bad there is no portable case fall-through...
...
...
@@ -794,43 +796,43 @@ EOF
*
\]
:
*
)
# Bracket-enclosed address, which may contain colons
ca_address
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!^
\\
(.*
\\
]
\\
).*!
\\
1!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!^\(.*\]\).*!\1!'
)
"
ca_port
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!.*
\\
]:!!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!.*\]:!!'
)
"
;;
*
\]
*
)
# Bracket-enclosed address, which may contain colons
ca_address
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!^
\\
(.*
\\
]
\\
).*!
\\
1!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!^\(.*\]\).*!\1!'
)
"
;;
*
:
*
)
# No bracket-encosed address, rely on colon
# No bracket-enc
l
osed address, rely on colon
ca_address
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!^
\\
([^:]*
\\
).*!
\\
1!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!^\([^:]*\).*!\1!'
)
"
ca_port
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!^[^:]*:!!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!^[^:]*:!!'
)
"
;;
*
)
# No bracket-encosed address, rely on colon
ca_address
=
"
$(
printf
"%s
\\
n"
"
$ca_netloc
"
|
sed
"s!^
\\
([^:]*
\\
).*!
\\
1!"
printf
'%s\n'
"
$ca_netloc
"
|
sed
's!^\([^:]*\).*!\1!'
)
"
;;
esac
if
[
"
$ca_port
"
-eq
80
]
;
then
ca_port
=
""
ca_port
=
''
else
ca_port
=
":
$((
ca_port
+
1
))
"
fi
ca_auth_url
=
"https://
${
ca_address
}${
ca_port
}${
ca_path
}
"
;;
*
)
_argUsage
"Unrecognised URL scheme"
_argUsage
'Unrecognised URL scheme'
return
1
;;
esac
...
...
@@ -869,7 +871,7 @@ EOF
if
[
"
$threshold
"
-eq
"
$threshold
"
]
2> /dev/null
;
then
:
else
_argUsage
"Argument must be an integer"
_argUsage
'Argument must be an integer'
return
1
fi
;;
...
...
@@ -890,13 +892,13 @@ EOF
shift
case
"
$mode
"
in
service
)
mode_path
=
"cas"
mode_path
=
'cas'
;;
user
)
mode_path
=
"cau"
mode_path
=
'cau'
;;
*
)
_argUsage
"Invalid mode"
_argUsage
'Invalid mode'
return
1
;;
esac
...
...
@@ -913,7 +915,7 @@ EOF
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
printf
"%s %s
\\
n"
"
$csr_id
"
"
$1
"
printf
'%s %s\n'
"
$csr_id
"
"
$1
"
shift
;;
--get-crt
)
...
...
@@ -922,7 +924,7 @@ EOF
crt_path
=
"
$2
"
shift
2
crt_dir
=
"
$(
dirname
"
$crt_path
"
)
"
if
[
"x
$crt_path
"
=
"x-"
]
;
then
# stdin & stdout
if
[
"x
$crt_path
"
=
'x-'
]
;
then
# stdin & stdout
:
elif
[
-w
"
$crt_path
"
]
&&
[
-r
"
$crt_path
"
]
;
then
# existing file
:
...
...
@@ -936,8 +938,8 @@ EOF
crt
=
"
$(
getCertificate
"
${
ca_anon_url
}
/
${
mode_path
}
"
"
$csr_id
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
if
[
"
$crt_path
"
=
"-"
]
;
then
printf
"%s
\\
n"
"
$crt
"
if
[
"
$crt_path
"
=
'-'
]
;
then
printf
'%s\n'
"
$crt
"
else
if
[
-e
"
$crt_path
"
]
;
then
key_found
=
0
...
...
@@ -945,14 +947,14 @@ EOF
<
"
$crt_path
"
status
=
$?
if
[
$status
-eq
1
]
;
then
_argUsage
"Certificate does not match private key"
_argUsage
'Certificate does not match private key'
return
1
elif
[
$status
-eq
2
]
;
then
_argUsage
"Multiple private keys"
_argUsage
'Multiple private keys'
return
1
fi
fi
printf
"%s
\\
n"
"
$crt
"
>>
"
$crt_path
"
printf
'%s\n'
"
$crt
"
>>
"
$crt_path
"
fi
;;
--revoke-crt
)
...
...
@@ -963,7 +965,7 @@ EOF
crt
=
"
$(
_matchOneKeyAndPrintOneMatchingCert
"
$crt_path
"
"
$key_path
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
printf
"%s
\\
n"
"
$crt
"
\
printf
'%s\n'
"
$crt
"
\
| revokeCertificate
"
${
ca_anon_url
}
/
${
mode_path
}
"
"
$key_path
"
status
=
$?
test
$status
-ne
0
&&
return
$status
...
...
@@ -976,9 +978,9 @@ EOF
crt
=
"
$(
_matchOneKeyAndPrintOneMatchingCert
"
$crt_path
"
"
$key_path
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
if
printf
"%s
\\
n"
"
$crt
"
\
if
printf
'%s\n'
"
$crt
"
\
| expiresBefore
"
$(
date
--date
=
"
$threshold
days"
+%s
)
"
;
then
printf
"%s
\\
n"
"
$crt
"
\
printf
'%s\n'
"
$crt
"
\
| renewCertificate
"
${
ca_anon_url
}
/
${
mode_path
}
"
\
"
$key_path
"
\
"
$key_len
"
\
...
...
@@ -986,7 +988,7 @@ EOF
status
=
$?
test
$status
-ne
0
&&
return
$status
else
printf
"%s did not reach renew threshold, not renewing
\\
n"
\
printf
'%s did not reach renew threshold, not renewing\n'
\
"
$crt_path
"
>
&2
fi
;;
...
...
@@ -1000,10 +1002,10 @@ EOF
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
if
[
"
$csr_path
"
=
"-"
]
;
then
printf
"%s
\\
n"
"
$csr
"
if
[
"
$csr_path
"
=
'-'
]
;
then
printf
'%s\n'
"
$csr
"
else
printf
"%s
\\
n"
"
$csr
"
>
"
$csr_path
"
printf
'%s\n'
"
$csr
"
>
"
$csr_path
"
fi
;;
--update-user
)
...
...
@@ -1013,18 +1015,18 @@ EOF
# Authenticated actions
--list-csr
)
_needAuthURLAndArg 0
||
return
1
printf
"%s
\\
n"
"-- pending
$mode
CSRs --"
printf
'%s\n'
"-- pending
$mode
CSRs --"
printf
\
"%20s | subject preview (fetch csr and check full content !)
\\
n"
\
"csr_id"
'%20s | subject preview (fetch csr and check full content !)\n'
\
'csr_id'
csr_list_json
=
"
$(
getPendingCertificateRequestList
"
${
ca_auth_url
}
/
${
mode_path
}
"
\
"
$cas_ca
"
"
$user_key
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
printf
"%s"
"
$csr_list_json
"
| forEachJSONListItem _printPendingCSR
printf
"%s
\\
n"
"-- end of pending
$mode
CSRs --"
printf
'%s'
"
$csr_list_json
"
| forEachJSONListItem _printPendingCSR
printf
'%s\n'
"-- end of pending
$mode
CSRs --"
;;
--sign-csr
)
_needAuthURLAndArg 1
||
return
1
...
...
@@ -1062,7 +1064,7 @@ EOF
crt
=
"
$(
forEachCertificate _printOneCert <
"
$crt_path
"
)
"
status
=
$?
test
$status
-ne
0
&&
return
$status
printf
"%s
\\
n"
"
$crt
"
| revokeCRTWithoutKey
\
printf
'%s\n'
"
$crt
"
| revokeCRTWithoutKey
\
"
${
ca_auth_url
}
/
${
mode_path
}
"
"
$cas_ca
"
"
$user_key
"
status
=
$?
test
$status
-ne
0
&&
return
$status
...
...
@@ -1078,7 +1080,7 @@ EOF
;;
*
)
_argUsage
"Unknown argument"
_argUsage
'Unknown argument'
return
1
;;
esac
...
...
@@ -1087,10 +1089,10 @@ EOF
if
crl
=
"
$(
getCertificateRevocationList
"
${
ca_anon_url
}
/cas"
"
$cas_ca
"
)
"
;
then
printf
"%s
\\
n"
"
$crl
"
>
"
$cas_crl
"
printf
'%s\n'
"
$crl
"
>
"
$cas_crl
"
else
printf
\
"Received CAS CRL was not signed by CAS CA certificate, skipping
\\
n"
'Received CAS CRL was not signed by CAS CA certificate, skipping\n'
fi
if
[
$update_user
-eq
1
]
;
then
updateCACertificate
"
${
ca_anon_url
}
/cau"
"
$cas_ca
"
"
$cau_ca
"
...
...
@@ -1099,10 +1101,10 @@ EOF
if
crl
=
"
$(
getCertificateRevocationList
"
${
ca_anon_url
}
/cau"
"
$cau_ca
"
)
"
;
then
printf
"%s
\\
n"
"
$crl
"
>
"
$cau_crl
"
printf
'%s\n'
"
$crl
"
>
"
$cau_crl
"
else
printf
\
"Received CAU CRL was not signed by CAU CA certificate, skipping
\\
n"
'Received CAU CRL was not signed by CAU CA certificate, skipping\n'
fi
fi
fi
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment