Commit a36ccf92 authored by Vincent Pelletier's avatar Vincent Pelletier

shell: Use single-quote strings wherever possible.

Reduces backslash-doubling craziness.
parent 268b3a53
...@@ -22,7 +22,7 @@ str2json () { ...@@ -22,7 +22,7 @@ str2json () {
# Usage: str2json < str # Usage: str2json < str
# Note: using $() to strip the trailing newline added by jq. # Note: using $() to strip the trailing newline added by jq.
printf "%s" "$(jq --raw-input --slurp .)" printf '%s' "$(jq --raw-input --slurp .)"
} }
pairs2obj () { pairs2obj () {
...@@ -55,8 +55,8 @@ forEachJSONListItem () { ...@@ -55,8 +55,8 @@ forEachJSONListItem () {
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local list index local list index
list="$(cat)" list="$(cat)"
for index in $(seq 0 $(($(printf "%s\\n" "$list" | jq length) - 1))); do for index in $(seq 0 $(($(printf '%s\n' "$list" | jq length) - 1))); do
printf "%s\\n" "$list" | jq ".[$index]" | "$@" || return $? printf '%s\n' "$list" | jq ".[$index]" | "$@" || return $?
done done
} }
...@@ -69,10 +69,10 @@ wrap () { ...@@ -69,10 +69,10 @@ wrap () {
# Note: $() looses trailing newlines, so payload should not need to end with # Note: $() looses trailing newlines, so payload should not need to end with
# any newline. # any newline.
pairs2obj \ pairs2obj \
"digest" "$(printf "%s" "$digest" | str2json)" \ 'digest' "$(printf '%s' "$digest" | str2json)" \
"payload" "$(printf "%s" "$payload" | str2json)" \ 'payload' "$(printf '%s' "$payload" | str2json)" \
"signature" "$( 'signature' "$(
printf "%s%s " "$payload" "$digest" \ printf '%s%s ' "$payload" "$digest" \
| openssl dgst \ | openssl dgst \
-"$digest" \ -"$digest" \
-binary \ -binary \
...@@ -99,12 +99,12 @@ unwrap () { ...@@ -99,12 +99,12 @@ unwrap () {
local wrapped status json_digest digest signature_file payload pubkey_file local wrapped status json_digest digest signature_file payload pubkey_file
wrapped="$(cat)" wrapped="$(cat)"
json_digest="$(printf "%s\\n" "$wrapped" | jq .digest)" json_digest="$(printf '%s\n' "$wrapped" | jq .digest)"
if [ "$json_digest" = "null" ]; then if [ "$json_digest" = 'null' ]; then
return 1 return 1
fi fi
digest="$( digest="$(
printf "%s\\n" "$json_digest" | jq --raw-output ascii_downcase printf '%s\n' "$json_digest" | jq --raw-output ascii_downcase
)" )"
case "$digest" in case "$digest" in
sha256|sha384|sha512) sha256|sha384|sha512)
...@@ -118,12 +118,12 @@ unwrap () { ...@@ -118,12 +118,12 @@ unwrap () {
;; ;;
esac esac
signature_file="$(mktemp --suffix=unwrap.sig)" signature_file="$(mktemp --suffix=unwrap.sig)"
printf "%s\\n" "$wrapped" | jq --raw-output .signature | \ printf '%s\n' "$wrapped" | jq --raw-output .signature | \
base64 -d > "$signature_file" base64 -d > "$signature_file"
payload="$(printf "%s\\n" "$wrapped" | jq --raw-output .payload)" payload="$(printf '%s\n' "$wrapped" | jq --raw-output .payload)"
pubkey_file="$(mktemp --suffix=unwrap.pub)" pubkey_file="$(mktemp --suffix=unwrap.pub)"
if printf "%s\\n" "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then if printf '%s\n' "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then
printf "%s%s " "$payload" "$digest" \ printf '%s%s ' "$payload" "$digest" \
| openssl dgst \ | openssl dgst \
-"$digest" \ -"$digest" \
-verify "$pubkey_file" \ -verify "$pubkey_file" \
...@@ -136,7 +136,7 @@ unwrap () { ...@@ -136,7 +136,7 @@ unwrap () {
status=2 status=2
fi fi
rm "$signature_file" "$pubkey_file" rm "$signature_file" "$pubkey_file"
test $status -eq 0 && printf "%s" "$payload" test $status -eq 0 && printf '%s' "$payload"
return $status return $status
} }
...@@ -145,10 +145,10 @@ nullUnwrap () { ...@@ -145,10 +145,10 @@ nullUnwrap () {
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local wrapped local wrapped
wrapped="$(cat)" wrapped="$(cat)"
if [ "$(printf "%s\\n" "$wrapped" | jq '.digest')" != "null" ]; then if [ "$(printf '%s\n' "$wrapped" | jq '.digest')" != 'null' ]; then
return 1 return 1
fi fi
printf "%s\\n" "$wrapped" | jq .payload printf '%s\n' "$wrapped" | jq .payload
} }
writeCertKey () { writeCertKey () {
...@@ -162,8 +162,8 @@ writeCertKey () { ...@@ -162,8 +162,8 @@ writeCertKey () {
: > "$crt_path" : > "$crt_path"
: > "$key_path" : > "$key_path"
test $need_chmod -eq 0 && chmod go= "$key_path" test $need_chmod -eq 0 && chmod go= "$key_path"
printf "%s\\n" "$key_data" >> "$key_path" printf '%s\n' "$key_data" >> "$key_path"
printf "%s\\n" "$crt_data" >> "$crt_path" printf '%s\n' "$crt_data" >> "$crt_path"
} }
alias CURL='curl --silent' alias CURL='curl --silent'
...@@ -176,40 +176,40 @@ PUTNoOut () { ...@@ -176,40 +176,40 @@ PUTNoOut () {
local result local result
if result="$( if result="$(
PUT \ PUT \
--write-out "\\n%{http_code}\\n" \ --write-out '\n%{http_code}\n' \
"$@" "$@"
)"; then )"; then
: :
else else
return 3 return 3
fi fi
case "$(printf "%s\\n" "$result" | tail -n 1)" in case "$(printf '%s\n' "$result" | tail -n 1)" in
2?? ) 2?? )
return 0 return 0
;; ;;
401 ) 401 )
printf "Unauthorized\\n" >&2 printf 'Unauthorized\n' >&2
return 2 return 2
;; ;;
409 ) 409 )
printf "Found\\n" >&2 printf 'Found\n' >&2
return 4 return 4
;; ;;
* ) * )
printf "%s\\n" "$result" | head -n -1 >&2 printf '%s\n' "$result" | head -n -1 >&2
return 1 return 1
;; ;;
esac esac
} }
_matchCertificateBoundary () { _matchCertificateBoundary () {
test "$1" = "-----END CERTIFICATE-----" test "$1" = '-----END CERTIFICATE-----'
return $? return $?
} }
_matchPrivateKeyBoundary () { _matchPrivateKeyBoundary () {
case "$1" in case "$1" in
"-----END PRIVATE KEY-----" | "-----END RSA PRIVATE KEY-----") '-----END PRIVATE KEY-----' | '-----END RSA PRIVATE KEY-----')
return 0 return 0
;; ;;
esac esac
...@@ -223,34 +223,34 @@ _forEachPEM () { ...@@ -223,34 +223,34 @@ _forEachPEM () {
# <command> receives each matching PEM element as input. # <command> receives each matching PEM element as input.
# If <command> exit status is non-zero, enumeration stops. # If <command> exit status is non-zero, enumeration stops.
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local tester="$1" current="" local tester="$1" current=''
shift shift
while IFS= read -r line; do while IFS= read -r line; do
if [ -z "$current" ]; then if [ -z "$current" ]; then
current="$line" current="$line"
else else
current="$(printf "%s\\n%s" "$current" "$line")" current="$(printf '%s\n%s' "$current" "$line")"
fi fi
case "$line" in case "$line" in
"-----END "*"-----") '-----END '*'-----')
if "$tester" "$line"; then if "$tester" "$line"; then
printf "%s\\n" "$current" | "$@" || return $? printf '%s\n' "$current" | "$@" || return $?
fi fi
current="" current=''
;; ;;
esac esac
done done
} }
alias forEachCertificate="_forEachPEM _matchCertificateBoundary" alias forEachCertificate='_forEachPEM _matchCertificateBoundary'
# Iterate over certificate of a PEM file, piping each to <command> # Iterate over certificate of a PEM file, piping each to <command>
# Usage: _forEachPEM <command> [<arg> ...] < pem # Usage: _forEachPEM <command> [<arg> ...] < pem
alias forEachPrivateKey="_forEachPEM _matchPrivateKeyBoundary" alias forEachPrivateKey='_forEachPEM _matchPrivateKeyBoundary'
# Iterate over private key of a PEM file, piping each to <command> # Iterate over private key of a PEM file, piping each to <command>
# Usage: _forEachPEM <command> [<arg> ...] < pem # Usage: _forEachPEM <command> [<arg> ...] < pem
alias pem2fingerprint="openssl x509 -fingerprint -noout" alias pem2fingerprint='openssl x509 -fingerprint -noout'
pemFingerprintIs () { pemFingerprintIs () {
# Usage: pemFingerprintIs <fingerprint> < certificate # Usage: pemFingerprintIs <fingerprint> < certificate
...@@ -264,7 +264,7 @@ expiresBefore () { ...@@ -264,7 +264,7 @@ expiresBefore () {
# <date> must be a unix timestamp (date +%s) # <date> must be a unix timestamp (date +%s)
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local enddate local enddate
enddate="$(openssl x509 -enddate -noout | sed "s/^[^=]*=//")" enddate="$(openssl x509 -enddate -noout | sed 's/^[^=]*=//')"
test $? -ne 0 && return 1 test $? -ne 0 && return 1
test "$(date --date="$enddate" +%s)" -lt "$1" test "$(date --date="$enddate" +%s)" -lt "$1"
return $? return $?
...@@ -277,7 +277,7 @@ printIfExpiresAfter () { ...@@ -277,7 +277,7 @@ printIfExpiresAfter () {
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local crt local crt
crt="$(cat)" crt="$(cat)"
printf "%s\\n" "$crt" | expiresBefore "$1" || printf "%s\\n" "$crt" printf '%s\n' "$crt" | expiresBefore "$1" || printf '%s\n' "$crt"
} }
appendValidCA () { appendValidCA () {
...@@ -290,15 +290,15 @@ appendValidCA () { ...@@ -290,15 +290,15 @@ appendValidCA () {
if payload=$(unwrap jq --raw-output .old_pem); then if payload=$(unwrap jq --raw-output .old_pem); then
: :
else else
printf "Bad signature, something is very wrong" >&2 printf 'Bad signature, something is very wrong' >&2
return 1 return 1
fi fi
cert="$(printf "%s\\n" "$payload" | jq --raw-output .old_pem)" cert="$(printf '%s\n' "$payload" | jq --raw-output .old_pem)"
forEachCertificate \ forEachCertificate \
pemFingerprintIs \ pemFingerprintIs \
"$(printf "%s\\n" "$cert" | pem2fingerprint)" < "$ca" "$(printf '%s\n' "$cert" | pem2fingerprint)" < "$ca"
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
printf "%s\\n" "$cert" >> "$ca" printf '%s\n' "$cert" >> "$ca"
fi fi
} }
...@@ -307,16 +307,16 @@ checkCertificateMatchesKey () { ...@@ -307,16 +307,16 @@ checkCertificateMatchesKey () {
# Returns 0 if certificate's public key matches private key's public key, # Returns 0 if certificate's public key matches private key's public key,
# 1 otherwise. # 1 otherwise.
test "$( test "$(
printf "%s\\n" "$1" | openssl x509 -modulus -noout | sed "s/^Modulus=//" printf '%s\n' "$1" | openssl x509 -modulus -noout | sed 's/^Modulus=//'
)" = "$( )" = "$(
echo "$2" | openssl rsa -modulus -noout | sed "s/^Modulus=//" echo "$2" | openssl rsa -modulus -noout | sed 's/^Modulus=//'
)" )"
return $? return $?
} }
checkDeps () { checkDeps () {
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local missingdeps="" dep local missingdeps='' dep
# Expected builtins & keywords: # Expected builtins & keywords:
# alias local if then else elif fi for in do done case esac return [ test # alias local if then else elif fi for in do done case esac return [ test
# shift set # shift set
...@@ -328,7 +328,7 @@ checkDeps () { ...@@ -328,7 +328,7 @@ checkDeps () {
return 1 return 1
fi fi
if [ ! -r /dev/null ] || [ ! -w /dev/null ]; then if [ ! -r /dev/null ] || [ ! -w /dev/null ]; then
echo "Cannot read from & write to /dev/null" >&2 echo 'Cannot read from & write to /dev/null' >&2
return 1 return 1
fi fi
} }
...@@ -367,34 +367,34 @@ EOF ...@@ -367,34 +367,34 @@ EOF
)" )"
if newcrtdata="$( if newcrtdata="$(
pairs2obj \ pairs2obj \
"crt_pem" "$(str2json)" \ 'crt_pem' "$(str2json)" \
"renew_csr_pem" "$( 'renew_csr_pem' "$(
echo "$newkeydata" \ echo "$newkeydata" \
| openssl req \ | openssl req \
-new \ -new \
-key - \ -key - \
-subj "/CN=dummy" \ -subj '/CN=dummy' \
-config "$emptyreqcnf" \ -config "$emptyreqcnf" \
| str2json | str2json
)" \ )" \
| wrap "$oldkey" "sha256" \ | wrap "$oldkey" 'sha256' \
| PUT --insecure \ | PUT --insecure \
--header "Content-Type: application/json" \ --header 'Content-Type: application/json' \
"$url/crt/renew/" "$url/crt/renew/"
)"; then )"; then
if [ \ if [ \
"x$(printf "%s\\n" "$newcrtdata" | head -n 1)" \ "x$(printf '%s\n' "$newcrtdata" | head -n 1)" \
= \ = \
"x-----BEGIN CERTIFICATE-----" \ 'x-----BEGIN CERTIFICATE-----' \
]; then ]; then
if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then if checkCertificateMatchesKey "$newcrtdata" "$newkeydata"; then
writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata" writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata"
rm "$emptyreqcnf" rm "$emptyreqcnf"
return 0 return 0
fi fi
printf "Certificate does not match private key\\n" >&2 printf 'Certificate does not match private key\n' >&2
else else
printf "%s" "$newcrtdata" >&2 printf '%s' "$newcrtdata" >&2
fi fi
fi fi
rm "$emptyreqcnf" rm "$emptyreqcnf"
...@@ -403,10 +403,10 @@ EOF ...@@ -403,10 +403,10 @@ EOF
revokeCertificate () { revokeCertificate () {
# Usage: <url> <key_path> < crt # Usage: <url> <key_path> < crt
pairs2obj "revoke_crt_pem" "$(str2json)" \ pairs2obj 'revoke_crt_pem' "$(str2json)" \
| wrap "$2" "sha256" \ | wrap "$2" 'sha256' \
| PUTNoOut \ | PUTNoOut \
--header "Content-Type: application/json" \ --header 'Content-Type: application/json' \
--insecure \ --insecure \
"$1/crt/revoke/" "$1/crt/revoke/"
return $? return $?
...@@ -414,11 +414,11 @@ revokeCertificate () { ...@@ -414,11 +414,11 @@ revokeCertificate () {
revokeCRTWithoutKey () { revokeCRTWithoutKey () {
# Usage: <url> <ca> <user crt> < crt # Usage: <url> <ca> <user crt> < crt
pairs2obj "revoke_crt_pem" "$(str2json)" \ pairs2obj 'revoke_crt_pem' "$(str2json)" \
| nullWrap \ | nullWrap \
| PUTNoOut \ | PUTNoOut \
--cert "$3" \ --cert "$3" \
--header "Content-Type: application/json" \ --header 'Content-Type: application/json' \
--cacert "$2" \ --cacert "$2" \
"$1/crt/revoke/" "$1/crt/revoke/"
return $? return $?
...@@ -426,11 +426,11 @@ revokeCRTWithoutKey () { ...@@ -426,11 +426,11 @@ revokeCRTWithoutKey () {
revokeSerial () { revokeSerial () {
# Usage: <url> <ca> <user crt> <serial> # Usage: <url> <ca> <user crt> <serial>
pairs2obj "revoke_serial" "$4" \ pairs2obj 'revoke_serial' "$4" \
| nullWrap \ | nullWrap \
| PUTNoOut \ | PUTNoOut \
--cert "$3" \ --cert "$3" \
--header "Content-Type: application/json" \ --header 'Content-Type: application/json' \
--cacert "$2" \ --cacert "$2" \
"$1/crt/revoke/" "$1/crt/revoke/"
return $? return $?
...@@ -450,24 +450,24 @@ updateCACertificate () { ...@@ -450,24 +450,24 @@ updateCACertificate () {
status=$? status=$?
test $status -ne 0 && return 1 test $status -ne 0 && return 1
valid_ca="$( valid_ca="$(
printf "%s\\n" "$orig_ca" \ printf '%s\n' "$orig_ca" \
| forEachCertificate printIfExpiresAfter "$(date +%s)" | forEachCertificate printIfExpiresAfter "$(date +%s)"
)" )"
status=$? status=$?
test $status -ne 0 && return 1 test $status -ne 0 && return 1
printf "%s\\n" "$valid_ca" > "$ca" printf '%s\n' "$valid_ca" > "$ca"
if [ ! -r "$cas_ca" ]; then if [ ! -r "$cas_ca" ]; then
# Should never be reached, as this function should be run once with # Should never be reached, as this function should be run once with
# cas_ca == ca (to update CAS' CA), in which case cas_ca exists by this # cas_ca == ca (to update CAS' CA), in which case cas_ca exists by this
# point. CAU's CA should only be updated after, and by that point CAS' CA # point. CAU's CA should only be updated after, and by that point CAS' CA
# already exists. # already exists.
printf "%s does not exist\\n" "$cas_ca" printf '%s does not exist\n' "$cas_ca"
return 1 return 1
fi fi
future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")" future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")"
status=$? status=$?
test $status -ne 0 && return 1 test $status -ne 0 && return 1
printf "%s\\n" "$future_ca" | forEachJSONListItem appendValidCA "$ca" printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
} }
getCertificateRevocationList () { getCertificateRevocationList () {
...@@ -490,13 +490,13 @@ getPendingCertificateRequestList () { ...@@ -490,13 +490,13 @@ getPendingCertificateRequestList () {
createCertificateSigningRequest () { createCertificateSigningRequest () {
# Usage: <url> < csr > csr id # Usage: <url> < csr > csr id
PUT --insecure --header "Content-Type: application/pkcs10" "$1/csr" \ PUT --insecure --header 'Content-Type: application/pkcs10' "$1/csr" \
--dump-header - | while IFS= read -r line; do --dump-header - | while IFS= read -r line; do
# Note: $line contains trailing \r, which will not get stripped by $(). # Note: $line contains trailing \r, which will not get stripped by $().
# So strip it with sed instead. # So strip it with sed instead.
case "$line" in case "$line" in
"Location: "*) 'Location: '*)
printf "%s\\n" "$line" | sed "s/^Location: \\(\\S*\\).*/\\1/" printf '%s\n' "$line" | sed 's/^Location: \(\S*\).*/\1/'
;; ;;
esac esac
done done
...@@ -516,7 +516,7 @@ getCertificate () { ...@@ -516,7 +516,7 @@ getCertificate () {
CURL --fail --insecure "$1/crt/$2" CURL --fail --insecure "$1/crt/$2"
status=$? status=$?
if [ $status -ne 0 ]; then if [ $status -ne 0 ]; then
printf "Certificate %s not found (not signed yet or rejected)\\n" "$2" >&2 printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
return 1 return 1
fi fi
} }
...@@ -528,7 +528,7 @@ createCertificate () { ...@@ -528,7 +528,7 @@ createCertificate () {
PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null
result=$? result=$?
if [ $result -ne 0 ]; then if [ $result -ne 0 ]; then
printf "%s: No such pending signing request\\n" "$4" >&2 printf '%s: No such pending signing request\n' "$4" >&2
fi fi
return $result return $result
} }
...@@ -536,7 +536,7 @@ createCertificate () { ...@@ -536,7 +536,7 @@ createCertificate () {
createCertificateWith () { createCertificateWith () {
# Usage: <url> <ca> <user crt> <csr id> < csr # Usage: <url> <ca> <user crt> <csr id> < csr
PUTNoOut --cert "$3" --cacert "$2" \ PUTNoOut --cert "$3" --cacert "$2" \
--header "Content-Type: application/pkcs10" "$1/crt/$4" --header 'Content-Type: application/pkcs10' "$1/crt/$4"
return $? return $?
} }
...@@ -628,17 +628,19 @@ These options require --user-key . ...@@ -628,17 +628,19 @@ These options require --user-key .
Special actions Special actions
--help --help
Display this help and exit. Display this help and exit.
--version
Display command version and exit.
EOF EOF
} }
_argUsage () { _argUsage () {
printf "%s: %s\\n" "$arg" "$1" >&2 printf '%s: %s\n' "$arg" "$1" >&2
_usage >&2 _usage >&2
} }
_needArg () { _needArg () {
if [ "$argc" -lt "$1" ]; then if [ "$argc" -lt "$1" ]; then
printf "%s\\n" "$arg needs $1 arguments" >&2 printf '%s\n' "$arg needs $1 arguments" >&2
_usage >&2 _usage >&2
return 1 return 1
fi fi
...@@ -646,7 +648,7 @@ EOF ...@@ -646,7 +648,7 @@ EOF
_needURLAndArg () { _needURLAndArg () {
if [ -z "$ca_anon_url" ]; then if [ -z "$ca_anon_url" ]; then
printf "%s\\n" "--ca-url must be provided before $arg" >&2 printf '%s\n' "--ca-url must be provided before $arg" >&2
return 1 return 1
fi fi
_needArg "$1" || return 1 _needArg "$1" || return 1
...@@ -654,7 +656,7 @@ EOF ...@@ -654,7 +656,7 @@ EOF
_needAuthURLAndArg () { _needAuthURLAndArg () {
if [ -z "$user_key" ]; then if [ -z "$user_key" ]; then
printf "%s\\n" "--user-key must be provided before $arg" >&2 printf '%s\n' "--user-key must be provided before $arg" >&2
return 1 return 1
fi fi
_needURLAndArg "$1" || return 1 _needURLAndArg "$1" || return 1
...@@ -670,7 +672,7 @@ EOF ...@@ -670,7 +672,7 @@ EOF
_printOneKey () { _printOneKey () {
# Called from _main, sets global "key_found". # Called from _main, sets global "key_found".
if [ $key_found -ne 0 ]; then if [ $key_found -ne 0 ]; then
_argUsage "Multiple private keys" _argUsage 'Multiple private keys'
return 1 return 1
fi fi
key_found=1 key_found=1
...@@ -680,7 +682,7 @@ EOF ...@@ -680,7 +682,7 @@ EOF
_printOneCert () { _printOneCert () {
# Called indirectly from _main, sets global "crt_found". # Called indirectly from _main, sets global "crt_found".
if [ "$crt_found" -ne 0 ]; then if [ "$crt_found" -ne 0 ]; then
_argUsage "Multiple certificates" _argUsage 'Multiple certificates'
return 1 return 1
fi fi
crt_found=1 crt_found=1
...@@ -693,11 +695,11 @@ EOF ...@@ -693,11 +695,11 @@ EOF
local crt local crt
crt="$(cat)" crt="$(cat)"
if [ $crt_found -ne 0 ]; then if [ $crt_found -ne 0 ]; then
_argUsage "Multiple certificates" _argUsage 'Multiple certificates'
return 1 return 1
fi fi
crt_found=1 crt_found=1
checkCertificateMatchesKey "$crt" "$1" && printf "%s\\n" "$crt" checkCertificateMatchesKey "$crt" "$1" && printf '%s\n' "$crt"
} }
_matchOneKeyAndPrintOneMatchingCert () { _matchOneKeyAndPrintOneMatchingCert () {
...@@ -714,37 +716,37 @@ EOF ...@@ -714,37 +716,37 @@ EOF
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
if [ -z "$crt" ]; then if [ -z "$crt" ]; then
_argUsage "No certificate matches private key" _argUsage 'No certificate matches private key'
return 1 return 1
fi fi
printf "%s\\n" "$crt" printf '%s\n' "$crt"
} }
_printPendingCSR () { _printPendingCSR () {
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local json local json
json="$(cat)" json="$(cat)"
printf "%20s | %s\\n" \ printf '%20s | %s\n' \
"$(printf "%s\\n" "$json" | jq --raw-output .id)" \ "$(printf '%s\n' "$json" | jq --raw-output .id)" \
"$(printf "%s\\n" "$json" | jq --raw-output .csr \ "$(printf '%s\n' "$json" | jq --raw-output .csr \
| openssl req -subject -noout | sed "s/^subject=//")" | openssl req -subject -noout | sed 's/^subject=//')"
} }
_main() { _main() {
checkDeps || return 1 checkDeps || return 1
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local ca_anon_url="" \ local ca_anon_url='' \
ca_auth_url \ ca_auth_url \
mode="service" \ mode='service' \
mode_path="cas" \ mode_path='cas' \
cas_ca="cas.crt.pem" \ cas_ca='cas.crt.pem' \
cau_ca="cau.crt.pem" \ cau_ca='cau.crt.pem' \
cas_crl="cas.crl.pem" \ cas_crl='cas.crl.pem' \
cau_crl="cau.crl.pem" \ cau_crl='cau.crl.pem' \
key_len=2048 \ key_len=2048 \
update_user=0 \ update_user=0 \
user_key="" \ user_key='' \
threshold=31 \ threshold=31 \
status arg argc \ status arg argc \
ca_netloc ca_address ca_port ca_path \ ca_netloc ca_address ca_port ca_path \
...@@ -783,10 +785,10 @@ EOF ...@@ -783,10 +785,10 @@ EOF
;; ;;
http://*) http://*)
ca_netloc="$( ca_netloc="$(
printf "%s\\n" "$ca_anon_url" | sed "s!^http://\\([^/?#]*\\).*!\\1!" printf '%s\n' "$ca_anon_url" | sed 's!^http://\([^/?#]*\).*!\1!'
)" )"
ca_path="$( ca_path="$(
printf "%s\\n" "$ca_anon_url" | sed "s!^http://[^/?#]*!!" printf '%s\n' "$ca_anon_url" | sed 's!^http://[^/?#]*!!'
)" )"
ca_port=80 ca_port=80
# Note: too bad there is no portable case fall-through... # Note: too bad there is no portable case fall-through...
...@@ -794,43 +796,43 @@ EOF ...@@ -794,43 +796,43 @@ EOF
*\]:*) *\]:*)
# Bracket-enclosed address, which may contain colons # Bracket-enclosed address, which may contain colons
ca_address="$( ca_address="$(
printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!" printf '%s\n' "$ca_netloc" | sed 's!^\(.*\]\).*!\1!'
)" )"
ca_port="$( ca_port="$(
printf "%s\\n" "$ca_netloc" | sed "s!.*\\]:!!" printf '%s\n' "$ca_netloc" | sed 's!.*\]:!!'
)" )"
;; ;;
*\]*) *\]*)
# Bracket-enclosed address, which may contain colons # Bracket-enclosed address, which may contain colons
ca_address="$( ca_address="$(
printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!" printf '%s\n' "$ca_netloc" | sed 's!^\(.*\]\).*!\1!'
)" )"
;; ;;
*:*) *:*)
# No bracket-encosed address, rely on colon # No bracket-enclosed address, rely on colon
ca_address="$( ca_address="$(
printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!" printf '%s\n' "$ca_netloc" | sed 's!^\([^:]*\).*!\1!'
)" )"
ca_port="$( ca_port="$(
printf "%s\\n" "$ca_netloc" | sed "s!^[^:]*:!!" printf '%s\n' "$ca_netloc" | sed 's!^[^:]*:!!'
)" )"
;; ;;
*) *)
# No bracket-encosed address, rely on colon # No bracket-encosed address, rely on colon
ca_address="$( ca_address="$(
printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!" printf '%s\n' "$ca_netloc" | sed 's!^\([^:]*\).*!\1!'
)" )"
;; ;;
esac esac
if [ "$ca_port" -eq 80 ]; then if [ "$ca_port" -eq 80 ]; then
ca_port="" ca_port=''
else else
ca_port=":$((ca_port + 1))" ca_port=":$((ca_port + 1))"
fi fi
ca_auth_url="https://${ca_address}${ca_port}${ca_path}" ca_auth_url="https://${ca_address}${ca_port}${ca_path}"
;; ;;
*) *)
_argUsage "Unrecognised URL scheme" _argUsage 'Unrecognised URL scheme'
return 1 return 1
;; ;;
esac esac
...@@ -869,7 +871,7 @@ EOF ...@@ -869,7 +871,7 @@ EOF
if [ "$threshold" -eq "$threshold" ] 2> /dev/null ; then if [ "$threshold" -eq "$threshold" ] 2> /dev/null ; then
: :
else else
_argUsage "Argument must be an integer" _argUsage 'Argument must be an integer'
return 1 return 1
fi fi
;; ;;
...@@ -890,13 +892,13 @@ EOF ...@@ -890,13 +892,13 @@ EOF
shift shift
case "$mode" in case "$mode" in
service) service)
mode_path="cas" mode_path='cas'
;; ;;
user) user)
mode_path="cau" mode_path='cau'
;; ;;
*) *)
_argUsage "Invalid mode" _argUsage 'Invalid mode'
return 1 return 1
;; ;;
esac esac
...@@ -913,7 +915,7 @@ EOF ...@@ -913,7 +915,7 @@ EOF
)" )"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
printf "%s %s\\n" "$csr_id" "$1" printf '%s %s\n' "$csr_id" "$1"
shift shift
;; ;;
--get-crt) --get-crt)
...@@ -922,7 +924,7 @@ EOF ...@@ -922,7 +924,7 @@ EOF
crt_path="$2" crt_path="$2"
shift 2 shift 2
crt_dir="$(dirname "$crt_path")" crt_dir="$(dirname "$crt_path")"
if [ "x$crt_path" = "x-" ]; then # stdin & stdout if [ "x$crt_path" = 'x-' ]; then # stdin & stdout
: :
elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file
: :
...@@ -936,8 +938,8 @@ EOF ...@@ -936,8 +938,8 @@ EOF
crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")" crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
if [ "$crt_path" = "-" ]; then if [ "$crt_path" = '-' ]; then
printf "%s\\n" "$crt" printf '%s\n' "$crt"
else else
if [ -e "$crt_path" ]; then if [ -e "$crt_path" ]; then
key_found=0 key_found=0
...@@ -945,14 +947,14 @@ EOF ...@@ -945,14 +947,14 @@ EOF
< "$crt_path" < "$crt_path"
status=$? status=$?
if [ $status -eq 1 ]; then if [ $status -eq 1 ]; then
_argUsage "Certificate does not match private key" _argUsage 'Certificate does not match private key'
return 1 return 1
elif [ $status -eq 2 ]; then elif [ $status -eq 2 ]; then
_argUsage "Multiple private keys" _argUsage 'Multiple private keys'
return 1 return 1
fi fi
fi fi
printf "%s\\n" "$crt" >> "$crt_path" printf '%s\n' "$crt" >> "$crt_path"
fi fi
;; ;;
--revoke-crt) --revoke-crt)
...@@ -963,7 +965,7 @@ EOF ...@@ -963,7 +965,7 @@ EOF
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")" crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
printf "%s\\n" "$crt" \ printf '%s\n' "$crt" \
| revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path" | revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
...@@ -976,9 +978,9 @@ EOF ...@@ -976,9 +978,9 @@ EOF
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")" crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
if printf "%s\\n" "$crt" \ if printf '%s\n' "$crt" \
| expiresBefore "$(date --date="$threshold days" +%s)"; then | expiresBefore "$(date --date="$threshold days" +%s)"; then
printf "%s\\n" "$crt" \ printf '%s\n' "$crt" \
| renewCertificate "${ca_anon_url}/${mode_path}" \ | renewCertificate "${ca_anon_url}/${mode_path}" \
"$key_path" \ "$key_path" \
"$key_len" \ "$key_len" \
...@@ -986,7 +988,7 @@ EOF ...@@ -986,7 +988,7 @@ EOF
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
else else
printf "%s did not reach renew threshold, not renewing\\n" \ printf '%s did not reach renew threshold, not renewing\n' \
"$crt_path" >&2 "$crt_path" >&2
fi fi
;; ;;
...@@ -1000,10 +1002,10 @@ EOF ...@@ -1000,10 +1002,10 @@ EOF
)" )"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
if [ "$csr_path" = "-" ]; then if [ "$csr_path" = '-' ]; then
printf "%s\\n" "$csr" printf '%s\n' "$csr"
else else
printf "%s\\n" "$csr" > "$csr_path" printf '%s\n' "$csr" > "$csr_path"
fi fi
;; ;;
--update-user) --update-user)
...@@ -1013,18 +1015,18 @@ EOF ...@@ -1013,18 +1015,18 @@ EOF
# Authenticated actions # Authenticated actions
--list-csr) --list-csr)
_needAuthURLAndArg 0 || return 1 _needAuthURLAndArg 0 || return 1
printf "%s\\n" "-- pending $mode CSRs --" printf '%s\n' "-- pending $mode CSRs --"
printf \ printf \
"%20s | subject preview (fetch csr and check full content !)\\n" \ '%20s | subject preview (fetch csr and check full content !)\n' \
"csr_id" 'csr_id'
csr_list_json="$( csr_list_json="$(
getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \ getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$cas_ca" "$user_key"
)" )"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
printf "%s" "$csr_list_json" | forEachJSONListItem _printPendingCSR printf '%s' "$csr_list_json" | forEachJSONListItem _printPendingCSR
printf "%s\\n" "-- end of pending $mode CSRs --" printf '%s\n' "-- end of pending $mode CSRs --"
;; ;;
--sign-csr) --sign-csr)
_needAuthURLAndArg 1 || return 1 _needAuthURLAndArg 1 || return 1
...@@ -1062,7 +1064,7 @@ EOF ...@@ -1062,7 +1064,7 @@ EOF
crt="$(forEachCertificate _printOneCert < "$crt_path")" crt="$(forEachCertificate _printOneCert < "$crt_path")"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
printf "%s\\n" "$crt" | revokeCRTWithoutKey \ printf '%s\n' "$crt" | revokeCRTWithoutKey \
"${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key" "${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
...@@ -1078,7 +1080,7 @@ EOF ...@@ -1078,7 +1080,7 @@ EOF
;; ;;
*) *)
_argUsage "Unknown argument" _argUsage 'Unknown argument'
return 1 return 1
;; ;;
esac esac
...@@ -1087,10 +1089,10 @@ EOF ...@@ -1087,10 +1089,10 @@ EOF
if crl="$( if crl="$(
getCertificateRevocationList "${ca_anon_url}/cas" "$cas_ca" getCertificateRevocationList "${ca_anon_url}/cas" "$cas_ca"
)"; then )"; then
printf "%s\\n" "$crl" > "$cas_crl" printf '%s\n' "$crl" > "$cas_crl"
else else
printf \ printf \
"Received CAS CRL was not signed by CAS CA certificate, skipping\\n" 'Received CAS CRL was not signed by CAS CA certificate, skipping\n'
fi fi
if [ $update_user -eq 1 ]; then if [ $update_user -eq 1 ]; then
updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca" updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca"
...@@ -1099,10 +1101,10 @@ EOF ...@@ -1099,10 +1101,10 @@ EOF
if crl="$( if crl="$(
getCertificateRevocationList "${ca_anon_url}/cau" "$cau_ca" getCertificateRevocationList "${ca_anon_url}/cau" "$cau_ca"
)"; then )"; then
printf "%s\\n" "$crl" > "$cau_crl" printf '%s\n' "$crl" > "$cau_crl"
else else
printf \ printf \
"Received CAU CRL was not signed by CAU CA certificate, skipping\\n" 'Received CAU CRL was not signed by CAU CA certificate, skipping\n'
fi fi
fi fi
fi fi
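Review bot: In the `expiresBefore` hunk (`@@ -264,7 +264,7 @@`), the line `test $? -ne 0 && return 1` that follows `enddate="$(openssl x509 -enddate -noout | sed 's/^[^=]*=//')"` only sees the exit status of `sed`, the last stage of the pipeline, so a failing `openssl x509` (unparsable certificate on stdin) is not reported; `enddate` is left empty and is then handed to `date --date`, and the `||` in `printIfExpiresAfter` and the renew-threshold check in `_main` act on that result instead of on the error. The quoting change is correct as far as it goes, but since the script avoids `pipefail` the check should be made on the `openssl` invocation itself, e.g. `enddate="$(openssl x509 -enddate -noout)" || return 1` followed by `enddate="${enddate#*=}"`, which strips the same `NAME=` prefix the `sed` expression did. `expiresBefore` closes outside the hunk, so the remaining lines are assumed unchanged.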