Bug #3043 » cert-staple.sh.diff

Changes from shellcheck run to fix POSIX issues - flynn, 2020-12-03 06:25


./cert-staple.sh 2020-12-03 07:14:19.941995363 +0100
6 6

  
7 7
OCSP_TMP=""     # temporary file
8 8

  
9
if [[ -z "$CERT_PEM" ]] || [[ -z "$CHAIN_PEM" ]] || [[ -z "$OCSP_DER" ]] \
10
   || [[ ! -f "$CERT_PEM" ]] || [[ ! -f "$CHAIN_PEM" ]]; then
9
if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
10
   || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
11 11
    echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der"
12 12
    exit 1
13 13
fi
14 14

  
15
function errexit {
16
    [[ -n "$OCSP_TMP" ]] && rm -f "$OCSP_TMP"
15
errexit() {
16
    [ -n "$OCSP_TMP" ] && rm -f "$OCSP_TMP"
17 17
    exit 1
18 18
}
19 19

  
20 20
# get URI of OCSP responder from certificate
21 21
OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
22
[[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1
22
[ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1
23 23

  
24 24
# exception for (unsupported, end-of-life) older versions of OpenSSL
25 25
OCSP_HOST=
26 26
OPENSSL_VERSION=$(openssl version)
27
if [[ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]]; then
27
if [ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]; then
28 28
    # get authority from URI
29 29
    OCSP_HOST=$(echo "$OCSP_URI" | cut -d/ -f3)
30 30
fi
......
32 32
# get OCSP response from OCSP responder
33 33
OCSP_TMP="$OCSP_DER.$$"
34 34
OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI" ${OCSP_HOST:+-header Host "$OCSP_HOST"})
35
[[ $? = 0 ]] || errexit
35
[ $? = 0 ] || errexit
36 36

  
37 37
# parse OCSP response from OCSP responder
38 38
#
......
41 41
#        Next Update: Jun 12 21:00:00 2020 GMT
42 42

  
43 43
ocsp_status="$(printf %s "$OCSP_RESP" | head -1)"
44
[[ "$ocsp_status" = "$CERT_PEM: good" ]] || errexit
44
[ "$ocsp_status" = "$CERT_PEM: good" ] || errexit
45 45

  
46 46
next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')"
47 47
next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')"
48
[[ -n "$next_date" ]] || errexit
48
[ -n "$next_date" ] || errexit
49 49
ocsp_expire=$(date -d "$next_date" +%s)
50 50

  
51 51
# validate OCSP response
52 52
ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -verify_other "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1)
53
[[ "$ocsp_verify" = "Response verify OK" ]] || errexit
53
[ "$ocsp_verify" = "Response verify OK" ] || errexit
54 54

  
55 55
# rename and update symlink to install OCSP response to be used in OCSP stapling
56 56
OCSP_OUT="$OCSP_DER.$ocsp_expire"
......
65 65
now=$(date +%s)
66 66
for i in "$OCSP_DER".*; do
67 67
    ts="${i#${OCSP_DER}.}"
68
    if [[ -n "$ts" ]] && [[ "$ts" -lt "$now" ]]; then
68
    if [ -n "$ts" ] && [ "$ts" -lt "$now" ]; then
69 69
        rm -f "$i"
70 70
    fi
71 71
done
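Review bot: The expiry-sweep test on new line 68, `[ -n "$ts" ] && [ "$ts" -lt "$now" ]`, still accepts any suffix after `$OCSP_DER.`, so a non-numeric leftover such as `staple.der.bak` makes `[` print `integer expression expected` on every run, and the purely numeric suffix of a concurrent invocation's temp file `$OCSP_DER.$$` (line 33) compares below `$now` and gets removed while that run is still writing and verifying it. A POSIX guard that restricts the suffix to digits makes the intent explicit and keeps the error out of stderr: `case "$ts" in ''|*[!0-9]*) continue ;; esac` before the comparison, and giving the temp file a non-numeric marker (e.g. `$OCSP_DER.tmp.$$`, or `mktemp` in the same directory) would keep it out of the sweep entirely. The move from `[[ -lt ]]` to `[ -lt ]` is itself a small hardening worth keeping: bash's `[[` arithmetic-evaluates its operands, so a crafted filename suffix in that directory could reach command substitution, whereas `[` rejects anything that is not an integer. The shebang is outside the hunk; if it was switched to `#!/bin/sh` in the same change, the `${OCSP_HOST:+...}` expansion on line 34 is POSIX, but `head -1` on line 43 is the obsolescent form and should become `head -n 1`.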