shell: Use single-quote strings wherever possible.

Reduces backslash-doubling crazyness.

shell: Use single-quote strings wherever possible.
Reduces backslash-doubling crazyness.
a36ccf92 · Vincent Pelletier · 268b3a53 · a36ccf92
Commit a36ccf92 authored Dec 13, 2018 by Vincent Pelletier
Show whitespace changes
Inline Side-by-side

Showing with 134 additions and 132 deletions

shell/caucase.sh shell/caucase.sh +134 -132

No files found.
--- a/shell/caucase.sh
+++ b/shell/caucase.sh
@@ -22,7 +22,7 @@ str2json () {
  # Usage: str2json < str
  # Note: using $() to strip the trailing newline added by jq.
-  printf "%s" "$(jq --raw-input --slurp .)"
+  printf '%s' "$(jq --raw-input --slurp .)"
 }
 pairs2obj () {
@@ -55,8 +55,8 @@ forEachJSONListItem () {
  # shellcheck disable=SC2039
  local list index
  list="$(cat)"
-  for index in $(seq 0 $(($(printf "%s\\n" "$list" | jq length) - 1))); do
+  for index in $(seq 0 $(($(printf '%s\n' "$list" | jq length) - 1))); do
-    printf "%s\\n" "$list" | jq ".[$index]" | "$@" || return $?
+    printf '%s\n' "$list" | jq ".[$index]" | "$@" || return $?
  done
 }
@@ -69,10 +69,10 @@ wrap () {
  # Note: $() looses trailing newlines, so payload should not need to end with
  # any newline.
  pairs2obj \
-    "digest" "$(printf "%s" "$digest" | str2json)" \
+    'digest' "$(printf '%s' "$digest" | str2json)" \
-    "payload" "$(printf "%s" "$payload" | str2json)" \
+    'payload' "$(printf '%s' "$payload" | str2json)" \
-    "signature" "$(
+    'signature' "$(
-      printf "%s%s " "$payload" "$digest" \
+      printf '%s%s ' "$payload" "$digest" \
      | openssl dgst \
        -"$digest" \
        -binary \
@@ -99,12 +99,12 @@ unwrap () {
  local wrapped status json_digest digest signature_file payload pubkey_file
  wrapped="$(cat)"
-  json_digest="$(printf "%s\\n" "$wrapped" | jq .digest)"
+  json_digest="$(printf '%s\n' "$wrapped" | jq .digest)"
-  if [ "$json_digest" = "null" ]; then
+  if [ "$json_digest" = 'null' ]; then
    return 1
  fi
  digest="$(
-    printf "%s\\n" "$json_digest" | jq --raw-output ascii_downcase
+    printf '%s\n' "$json_digest" | jq --raw-output ascii_downcase
  )"
  case "$digest" in
    sha256|sha384|sha512)
@@ -118,12 +118,12 @@ unwrap () {
    ;;
  esac
  signature_file="$(mktemp --suffix=unwrap.sig)"
-  printf "%s\\n" "$wrapped" | jq --raw-output .signature | \
+  printf '%s\n' "$wrapped" | jq --raw-output .signature | \
    base64 -d > "$signature_file"
-  payload="$(printf "%s\\n" "$wrapped" | jq --raw-output .payload)"
+  payload="$(printf '%s\n' "$wrapped" | jq --raw-output .payload)"
  pubkey_file="$(mktemp --suffix=unwrap.pub)"
-  if printf "%s\\n" "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then
+  if printf '%s\n' "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then
-    printf "%s%s " "$payload" "$digest" \
+    printf '%s%s ' "$payload" "$digest" \
    | openssl dgst \
      -"$digest" \
      -verify "$pubkey_file" \
@@ -136,7 +136,7 @@ unwrap () {
    status=2
  fi
  rm "$signature_file" "$pubkey_file"
-  test $status -eq 0 && printf "%s" "$payload"
+  test $status -eq 0 && printf '%s' "$payload"
  return $status
 }
@@ -145,10 +145,10 @@ nullUnwrap () {
  # shellcheck disable=SC2039
  local wrapped
  wrapped="$(cat)"
-  if [ "$(printf "%s\\n" "$wrapped" | jq '.digest')" != "null" ]; then
+  if [ "$(printf '%s\n' "$wrapped" | jq '.digest')" != 'null' ]; then
    return 1
  fi
-  printf "%s\\n" "$wrapped" | jq .payload
+  printf '%s\n' "$wrapped" | jq .payload
 }
 writeCertKey () {
@@ -162,8 +162,8 @@ writeCertKey () {
  : > "$crt_path"
  : > "$key_path"
  test $need_chmod -eq 0 && chmod go= "$key_path"
-  printf "%s\\n" "$key_data" >> "$key_path"
+  printf '%s\n' "$key_data" >> "$key_path"
-  printf "%s\\n" "$crt_data" >> "$crt_path"
+  printf '%s\n' "$crt_data" >> "$crt_path"
 }
 alias CURL='curl --silent'
@@ -176,40 +176,40 @@ PUTNoOut () {
  local result
  if result="$(
    PUT \
-      --write-out "\\n%{http_code}\\n" \
+      --write-out '\n%{http_code}\n' \
      "$@"
  )"; then
    :
  else
    return 3
  fi
-  case "$(printf "%s\\n" "$result" | tail -n 1)" in
+  case "$(printf '%s\n' "$result" | tail -n 1)" in
    2?? )
      return 0
    ;;
    401 )
-      printf "Unauthorized\\n" >&2
+      printf 'Unauthorized\n' >&2
      return 2
    ;;
    409 )
-      printf "Found\\n" >&2
+      printf 'Found\n' >&2
      return 4
    ;;
    * )
-      printf "%s\\n" "$result" | head -n -1 >&2
+      printf '%s\n' "$result" | head -n -1 >&2
      return 1
    ;;
  esac
 }
 _matchCertificateBoundary () {
-  test "$1" = "-----END CERTIFICATE-----"
+  test "$1" = '-----END CERTIFICATE-----'
  return $?
 }
 _matchPrivateKeyBoundary () {
  case "$1" in
-    "-----END PRIVATE KEY-----" | "-----END RSA PRIVATE KEY-----")
+    '-----END PRIVATE KEY-----' | '-----END RSA PRIVATE KEY-----')
      return 0
    ;;
  esac
@@ -223,34 +223,34 @@ _forEachPEM () {
  # <command> receives each matching PEM element as input.
  # If <command> exit status is non-zero, enumeration stops.
  # shellcheck disable=SC2039
-  local tester="$1" current=""
+  local tester="$1" current=''
  shift
  while IFS= read -r line; do
    if [ -z "$current" ]; then
      current="$line"
    else
-      current="$(printf "%s\\n%s" "$current" "$line")"
+      current="$(printf '%s\n%s' "$current" "$line")"
    fi
    case "$line" in
-      "-----END "*"-----")
+      '-----END '*'-----')
        if "$tester" "$line"; then
-          printf "%s\\n" "$current" | "$@" || return $?
+          printf '%s\n' "$current" | "$@" || return $?
        fi
-        current=""
+        current=''
        ;;
    esac
  done
 }
-alias forEachCertificate="_forEachPEM _matchCertificateBoundary"
+alias forEachCertificate='_forEachPEM _matchCertificateBoundary'
 # Iterate over certificate of a PEM file, piping each to <command>
 # Usage: _forEachPEM <command> [<arg> ...] < pem
-alias forEachPrivateKey="_forEachPEM _matchPrivateKeyBoundary"
+alias forEachPrivateKey='_forEachPEM _matchPrivateKeyBoundary'
 # Iterate over private key of a PEM file, piping each to <command>
 # Usage: _forEachPEM <command> [<arg> ...] < pem
-alias pem2fingerprint="openssl x509 -fingerprint -noout"
+alias pem2fingerprint='openssl x509 -fingerprint -noout'
 pemFingerprintIs () {
  # Usage: pemFingerprintIs <fingerprint> < certificate
@@ -264,7 +264,7 @@ expiresBefore () {
  # <date> must be a unix timestamp (date +%s)
  # shellcheck disable=SC2039
  local enddate
-  enddate="$(openssl x509 -enddate -noout | sed "s/^[^=]*=//")"
+  enddate="$(openssl x509 -enddate -noout | sed 's/^[^=]*=//')"
  test $? -ne 0 && return 1
  test "$(date --date="$enddate" +%s)" -lt "$1"
  return $?
@@ -277,7 +277,7 @@ printIfExpiresAfter () {
  # shellcheck disable=SC2039
  local crt
  crt="$(cat)"
-  printf "%s\\n" "$crt" | expiresBefore "$1" || printf "%s\\n" "$crt"
+  printf '%s\n' "$crt" | expiresBefore "$1" || printf '%s\n' "$crt"
 }
 appendValidCA () {
@@ -290,15 +290,15 @@ appendValidCA () {
  if payload=$(unwrap jq --raw-output .old_pem); then
    :
  else
-    printf "Bad signature, something is very wrong" >&2
+    printf 'Bad signature, something is very wrong' >&2
    return 1
  fi
-  cert="$(printf "%s\\n" "$payload" | jq --raw-output .old_pem)"
+  cert="$(printf '%s\n' "$payload" | jq --raw-output .old_pem)"
  forEachCertificate \
    pemFingerprintIs \
-    "$(printf "%s\\n" "$cert" | pem2fingerprint)" < "$ca"
+    "$(printf '%s\n' "$cert" | pem2fingerprint)" < "$ca"
  if [ $? -eq 1 ]; then
-    printf "%s\\n" "$cert" >> "$ca"
+    printf '%s\n' "$cert" >> "$ca"
  fi
 }
@@ -307,16 +307,16 @@ checkCertificateMatchesKey () {
  # Returns 0 if certificate's public key matches private key's public key,
  # 1 otherwise.
  test "$(
-    printf "%s\\n" "$1" | openssl x509 -modulus -noout | sed "s/^Modulus=//"
+    printf '%s\n' "$1" | openssl x509 -modulus -noout | sed 's/^Modulus=//'
  )" = "$(
-    echo "$2" | openssl rsa -modulus -noout | sed "s/^Modulus=//"
+    echo "$2" | openssl rsa -modulus -noout | sed 's/^Modulus=//'
  )"
  return $?
 }
 checkDeps () {
  # shellcheck disable=SC2039
-  local missingdeps="" dep
+  local missingdeps='' dep
  # Expected builtins & keywords:
  #   alias local if then else elif fi for in do done case esac return [ test
  #   shift set
@@ -328,7 +328,7 @@ checkDeps () {
    return 1
  fi
  if [ ! -r /dev/null ] || [ ! -w /dev/null ]; then
-    echo "Cannot read from & write to /dev/null" >&2
+    echo 'Cannot read from & write to /dev/null' >&2
    return 1
  fi
 }
@@ -367,34 +367,34 @@ EOF
  )"
  if newcrtdata="$(
    pairs2obj \
-      "crt_pem" "$(str2json)" \
+      'crt_pem' "$(str2json)" \
-      "renew_csr_pem" "$(
+      'renew_csr_pem' "$(
        echo "$newkeydata" \
        | openssl req \
          -new \
          -key - \
-          -subj "/CN=dummy" \
+          -subj '/CN=dummy' \
          -config "$emptyreqcnf" \
        | str2json
      )" \
-    | wrap "$oldkey" "sha256" \
+    | wrap "$oldkey" 'sha256' \
    | PUT --insecure \
-      --header "Content-Type: application/json" \
+      --header 'Content-Type: application/json' \
      "$url/crt/renew/"
  )"; then
    if [ \
-      "x$(printf "%s\\n" "$newcrtdata" | head -n 1)" \
+      "x$(printf '%s\n' "$newcrtdata" | head -n 1)" \
      = \
-      "x-----BEGIN CERTIFICATE-----" \
+      'x-----BEGIN CERTIFICATE-----' \
    ]; then
      if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then
        writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata"
        rm "$emptyreqcnf"
        return 0
      fi
-      printf "Certificate does not match private key\\n" >&2
+      printf 'Certificate does not match private key\n' >&2
    else
-      printf "%s" "$newcrtdata" >&2
+      printf '%s' "$newcrtdata" >&2
    fi
  fi
  rm "$emptyreqcnf"
@@ -403,10 +403,10 @@ EOF
 revokeCertificate () {
  # Usage: <url> <key_path> < crt
-  pairs2obj "revoke_crt_pem" "$(str2json)" \
+  pairs2obj 'revoke_crt_pem' "$(str2json)" \
-  | wrap "$2" "sha256" \
+  | wrap "$2" 'sha256' \
  | PUTNoOut \
-    --header "Content-Type: application/json" \
+    --header 'Content-Type: application/json' \
    --insecure \
    "$1/crt/revoke/"
  return $?
@@ -414,11 +414,11 @@ revokeCertificate () {
 revokeCRTWithoutKey () {
  # Usage: <url> <ca> <user crt> < crt
-  pairs2obj "revoke_crt_pem" "$(str2json)" \
+  pairs2obj 'revoke_crt_pem' "$(str2json)" \
  | nullWrap \
  | PUTNoOut \
    --cert "$3" \
-    --header "Content-Type: application/json" \
+    --header 'Content-Type: application/json' \
    --cacert "$2" \
    "$1/crt/revoke/"
  return $?
@@ -426,11 +426,11 @@ revokeCRTWithoutKey () {
 revokeSerial () {
  # Usage: <url> <ca> <user crt> <serial>
-  pairs2obj "revoke_serial" "$4" \
+  pairs2obj 'revoke_serial' "$4" \
  | nullWrap \
  | PUTNoOut \
    --cert "$3" \
-    --header "Content-Type: application/json" \
+    --header 'Content-Type: application/json' \
    --cacert "$2" \
    "$1/crt/revoke/"
  return $?
@@ -450,24 +450,24 @@ updateCACertificate () {
  status=$?
  test $status -ne 0 && return 1
  valid_ca="$(
-    printf "%s\\n" "$orig_ca" \
+    printf '%s\n' "$orig_ca" \
    | forEachCertificate printIfExpiresAfter "$(date +%s)"
  )"
  status=$?
  test $status -ne 0 && return 1
-  printf "%s\\n" "$valid_ca" > "$ca"
+  printf '%s\n' "$valid_ca" > "$ca"
  if [ ! -r "$cas_ca" ]; then
    # Should never be reached, as this function should be run once with
    # cas_ca == ca (to update CAS' CA), in which case cas_ca exists by this
    # point. CAU's CA should only be updated after, and by that point CAS' CA
    # already exists.
-    printf "%s does not exist\\n" "$cas_ca"
+    printf '%s does not exist\n' "$cas_ca"
    return 1
  fi
  future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")"
  status=$?
  test $status -ne 0 && return 1
-  printf "%s\\n" "$future_ca" | forEachJSONListItem appendValidCA "$ca"
+  printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
 }
 getCertificateRevocationList () {
@@ -490,13 +490,13 @@ getPendingCertificateRequestList () {
 createCertificateSigningRequest () {
  # Usage: <url> < csr > csr id
-  PUT --insecure --header "Content-Type: application/pkcs10" "$1/csr" \
+  PUT --insecure --header 'Content-Type: application/pkcs10' "$1/csr" \
    --dump-header - | while IFS= read -r line; do
    # Note: $line contains trailing \r, which will not get stripped by $().
    # So strip it with sed instead.
    case "$line" in
-      "Location: "*)
+      'Location: '*)
-        printf "%s\\n" "$line" | sed "s/^Location: \\(\\S*\\).*/\\1/"
+        printf '%s\n' "$line" | sed 's/^Location: \(\S*\).*/\1/'
      ;;
    esac
  done
@@ -516,7 +516,7 @@ getCertificate () {
  CURL --fail --insecure "$1/crt/$2"
  status=$?
  if [ $status -ne 0 ]; then
-    printf "Certificate %s not found (not signed yet or rejected)\\n" "$2" >&2
+    printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
    return 1
  fi
 }
@@ -528,7 +528,7 @@ createCertificate () {
  PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null
  result=$?
  if [ $result -ne 0 ]; then
-    printf "%s: No such pending signing request\\n" "$4" >&2
+    printf '%s: No such pending signing request\n' "$4" >&2
  fi
  return $result
 }
@@ -536,7 +536,7 @@ createCertificate () {
 createCertificateWith () {
  # Usage: <url> <ca> <user crt> <csr id> < csr
  PUTNoOut --cert "$3" --cacert "$2" \
-    --header "Content-Type: application/pkcs10" "$1/crt/$4"
+    --header 'Content-Type: application/pkcs10' "$1/crt/$4"
  return $?
 }
@@ -628,17 +628,19 @@ These options require --user-key .
 Special actions
 --help
  Display this help and exit.
+--version
+  Display command version and exit.
 EOF
  }
  _argUsage () {
-    printf "%s: %s\\n" "$arg" "$1" >&2
+    printf '%s: %s\n' "$arg" "$1" >&2
    _usage >&2
  }
  _needArg () {
    if [ "$argc" -lt "$1" ]; then
-      printf "%s\\n" "$arg needs $1 arguments" >&2
+      printf '%s\n' "$arg needs $1 arguments" >&2
      _usage >&2
      return 1
    fi
@@ -646,7 +648,7 @@ EOF
  _needURLAndArg () {
    if [ -z "$ca_anon_url" ]; then
-      printf "%s\\n" "--ca-url must be provided before $arg" >&2
+      printf '%s\n' "--ca-url must be provided before $arg" >&2
      return 1
    fi
    _needArg "$1" || return 1
@@ -654,7 +656,7 @@ EOF
  _needAuthURLAndArg () {
    if [ -z "$user_key" ]; then
-      printf "%s\\n" "--user-key must be provided before $arg" >&2
+      printf '%s\n' "--user-key must be provided before $arg" >&2
      return 1
    fi
    _needURLAndArg "$1" || return 1
@@ -670,7 +672,7 @@ EOF
  _printOneKey () {
    # Called from _main, sets global "key_found".
    if [ $key_found -ne 0 ]; then
-      _argUsage "Multiple private keys"
+      _argUsage 'Multiple private keys'
      return 1
    fi
    key_found=1
@@ -680,7 +682,7 @@ EOF
  _printOneCert () {
    # Called indirectly from _main, sets global "crt_found".
    if [ "$crt_found" -ne 0 ]; then
-      _argUsage "Multiple certificates"
+      _argUsage 'Multiple certificates'
      return 1
    fi
    crt_found=1
@@ -693,11 +695,11 @@ EOF
    local crt
    crt="$(cat)"
    if [ $crt_found -ne 0 ]; then
-      _argUsage "Multiple certificates"
+      _argUsage 'Multiple certificates'
      return 1
    fi
    crt_found=1
-    checkCertificateMatchesKey "$crt" "$1" && printf "%s\\n" "$crt"
+    checkCertificateMatchesKey "$crt" "$1" && printf '%s\n' "$crt"
  }
  _matchOneKeyAndPrintOneMatchingCert () {
@@ -714,37 +716,37 @@ EOF
    status=$?
    test $status -ne 0 && return $status
    if [ -z "$crt" ]; then
-      _argUsage "No certificate matches private key"
+      _argUsage 'No certificate matches private key'
      return 1
    fi
-    printf "%s\\n" "$crt"
+    printf '%s\n' "$crt"
  }
  _printPendingCSR () {
    # shellcheck disable=SC2039
    local json
    json="$(cat)"
-    printf "%20s | %s\\n" \
+    printf '%20s | %s\n' \
-      "$(printf "%s\\n" "$json" | jq --raw-output .id)" \
+      "$(printf '%s\n' "$json" | jq --raw-output .id)" \
-      "$(printf "%s\\n" "$json" | jq --raw-output .csr \
+      "$(printf '%s\n' "$json" | jq --raw-output .csr \
-        | openssl req -subject -noout | sed "s/^subject=//")"
+        | openssl req -subject -noout | sed 's/^subject=//')"
  }
  _main() {
    checkDeps || return 1
    # shellcheck disable=SC2039
-    local ca_anon_url="" \
+    local ca_anon_url='' \
      ca_auth_url \
-      mode="service" \
+      mode='service' \
-      mode_path="cas" \
+      mode_path='cas' \
-      cas_ca="cas.crt.pem" \
+      cas_ca='cas.crt.pem' \
-      cau_ca="cau.crt.pem" \
+      cau_ca='cau.crt.pem' \
-      cas_crl="cas.crl.pem" \
+      cas_crl='cas.crl.pem' \
-      cau_crl="cau.crl.pem" \
+      cau_crl='cau.crl.pem' \
      key_len=2048 \
      update_user=0 \
-      user_key="" \
+      user_key='' \
      threshold=31 \
      status arg argc \
      ca_netloc ca_address ca_port ca_path \
@@ -783,10 +785,10 @@ EOF
            ;;
            http://*)
              ca_netloc="$(
-                printf "%s\\n" "$ca_anon_url" | sed "s!^http://\\([^/?#]*\\).*!\\1!"
+                printf '%s\n' "$ca_anon_url" | sed 's!^http://\([^/?#]*\).*!\1!'
              )"
              ca_path="$(
-                printf "%s\\n" "$ca_anon_url" | sed "s!^http://[^/?#]*!!"
+                printf '%s\n' "$ca_anon_url" | sed 's!^http://[^/?#]*!!'
              )"
              ca_port=80
              # Note: too bad there is no portable case fall-through...
@@ -794,43 +796,43 @@ EOF
                *\]:*)
                  # Bracket-enclosed address, which may contain colons
                  ca_address="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!"
+                    printf '%s\n' "$ca_netloc" | sed 's!^\(.*\]\).*!\1!'
                  )"
                  ca_port="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!.*\\]:!!"
+                    printf '%s\n' "$ca_netloc" | sed 's!.*\]:!!'
                  )"
                ;;
                *\]*)
                  # Bracket-enclosed address, which may contain colons
                  ca_address="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!"
+                    printf '%s\n' "$ca_netloc" | sed 's!^\(.*\]\).*!\1!'
                  )"
                ;;
                *:*)
-                  # No bracket-encosed address, rely on colon
+                  # No bracket-enclosed address, rely on colon
                  ca_address="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!"
+                    printf '%s\n' "$ca_netloc" | sed 's!^\([^:]*\).*!\1!'
                  )"
                  ca_port="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!^[^:]*:!!"
+                    printf '%s\n' "$ca_netloc" | sed 's!^[^:]*:!!'
                  )"
                ;;
                *)
                  # No bracket-encosed address, rely on colon
                  ca_address="$(
-                    printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!"
+                    printf '%s\n' "$ca_netloc" | sed 's!^\([^:]*\).*!\1!'
                  )"
                ;;
              esac
              if [ "$ca_port" -eq 80 ]; then
-                ca_port=""
+                ca_port=''
              else
                ca_port=":$((ca_port + 1))"
              fi
              ca_auth_url="https://${ca_address}${ca_port}${ca_path}"
            ;;
            *)
-              _argUsage "Unrecognised URL scheme"
+              _argUsage 'Unrecognised URL scheme'
              return 1
            ;;
          esac
@@ -869,7 +871,7 @@ EOF
          if [ "$threshold" -eq "$threshold" ] 2> /dev/null ; then
            :
          else
-            _argUsage "Argument must be an integer"
+            _argUsage 'Argument must be an integer'
            return 1
          fi
        ;;
@@ -890,13 +892,13 @@ EOF
          shift
          case "$mode" in
            service)
-              mode_path="cas"
+              mode_path='cas'
            ;;
            user)
-              mode_path="cau"
+              mode_path='cau'
            ;;
            *)
-              _argUsage "Invalid mode"
+              _argUsage 'Invalid mode'
              return 1
            ;;
          esac
@@ -913,7 +915,7 @@ EOF
          )"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s %s\\n" "$csr_id" "$1"
+          printf '%s %s\n' "$csr_id" "$1"
          shift
        ;;
        --get-crt)
@@ -922,7 +924,7 @@ EOF
          crt_path="$2"
          shift 2
          crt_dir="$(dirname "$crt_path")"
-          if [ "x$crt_path" = "x-" ]; then # stdin & stdout
+          if [ "x$crt_path" = 'x-' ]; then # stdin & stdout
            :
          elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file
            :
@@ -936,8 +938,8 @@ EOF
          crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")"
          status=$?
          test $status -ne 0 && return $status
-          if [ "$crt_path" = "-" ]; then
+          if [ "$crt_path" = '-' ]; then
-            printf "%s\\n" "$crt"
+            printf '%s\n' "$crt"
          else
            if [ -e "$crt_path" ]; then
              key_found=0
@@ -945,14 +947,14 @@ EOF
                < "$crt_path"
              status=$?
              if [ $status -eq 1 ]; then
-                _argUsage "Certificate does not match private key"
+                _argUsage 'Certificate does not match private key'
                return 1
              elif [ $status -eq 2 ]; then
-                _argUsage "Multiple private keys"
+                _argUsage 'Multiple private keys'
                return 1
              fi
            fi
-            printf "%s\\n" "$crt" >> "$crt_path"
+            printf '%s\n' "$crt" >> "$crt_path"
          fi
        ;;
        --revoke-crt)
@@ -963,7 +965,7 @@ EOF
          crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s\\n" "$crt" \
+          printf '%s\n' "$crt" \
          | revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path"
          status=$?
          test $status -ne 0 && return $status
@@ -976,9 +978,9 @@ EOF
          crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
          status=$?
          test $status -ne 0 && return $status
-          if printf "%s\\n" "$crt" \
+          if printf '%s\n' "$crt" \
          | expiresBefore "$(date --date="$threshold days" +%s)"; then
-            printf "%s\\n" "$crt" \
+            printf '%s\n' "$crt" \
            | renewCertificate "${ca_anon_url}/${mode_path}" \
              "$key_path" \
              "$key_len" \
@@ -986,7 +988,7 @@ EOF
            status=$?
            test $status -ne 0 && return $status
          else
-            printf "%s did not reach renew threshold, not renewing\\n" \
+            printf '%s did not reach renew threshold, not renewing\n' \
              "$crt_path" >&2
          fi
        ;;
@@ -1000,10 +1002,10 @@ EOF
          )"
          status=$?
          test $status -ne 0 && return $status
-          if [ "$csr_path" = "-" ]; then
+          if [ "$csr_path" = '-' ]; then
-            printf "%s\\n" "$csr"
+            printf '%s\n' "$csr"
          else
-            printf "%s\\n" "$csr" > "$csr_path"
+            printf '%s\n' "$csr" > "$csr_path"
          fi
        ;;
        --update-user)
@@ -1013,18 +1015,18 @@ EOF
        # Authenticated actions
        --list-csr)
          _needAuthURLAndArg 0 || return 1
-          printf "%s\\n" "-- pending $mode CSRs --"
+          printf '%s\n' "-- pending $mode CSRs --"
          printf \
-            "%20s | subject preview (fetch csr and check full content !)\\n" \
+            '%20s | subject preview (fetch csr and check full content !)\n' \
-            "csr_id"
+            'csr_id'
          csr_list_json="$(
            getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
              "$cas_ca" "$user_key"
          )"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s" "$csr_list_json" | forEachJSONListItem _printPendingCSR
+          printf '%s' "$csr_list_json" | forEachJSONListItem _printPendingCSR
-          printf "%s\\n" "-- end of pending $mode CSRs --"
+          printf '%s\n' "-- end of pending $mode CSRs --"
        ;;
        --sign-csr)
          _needAuthURLAndArg 1 || return 1
@@ -1062,7 +1064,7 @@ EOF
          crt="$(forEachCertificate _printOneCert < "$crt_path")"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s\\n" "$crt" | revokeCRTWithoutKey \
+          printf '%s\n' "$crt" | revokeCRTWithoutKey \
            "${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key"
          status=$?
          test $status -ne 0 && return $status
@@ -1078,7 +1080,7 @@ EOF
        ;;
        *)
-          _argUsage "Unknown argument"
+          _argUsage 'Unknown argument'
          return 1
        ;;
      esac
@@ -1087,10 +1089,10 @@ EOF
      if crl="$(
        getCertificateRevocationList "${ca_anon_url}/cas" "$cas_ca"
      )"; then
-        printf "%s\\n" "$crl" > "$cas_crl"
+        printf '%s\n' "$crl" > "$cas_crl"
      else
        printf \
-          "Received CAS CRL was not signed by CAS CA certificate, skipping\\n"
+          'Received CAS CRL was not signed by CAS CA certificate, skipping\n'
      fi
      if [ $update_user -eq 1 ]; then
        updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca"
@@ -1099,10 +1101,10 @@ EOF
        if crl="$(
          getCertificateRevocationList "${ca_anon_url}/cau" "$cau_ca"
        )"; then
-          printf "%s\\n" "$crl" > "$cau_crl"
+          printf '%s\n' "$crl" > "$cau_crl"
        else
          printf \
-            "Received CAU CRL was not signed by CAU CA certificate, skipping\\n"
+            'Received CAU CRL was not signed by CAU CA certificate, skipping\n'
        fi
      fi
    fi