shell/caucase.sh: Make shellcheck happy.

Do not rely on test's -a & -o. Escape backslashes which are intended as literals. Avoid one useless "cat". Avoid testing $?. Simplify "is integer ?" test. Quote a few variable expansions. Arithmetic expression does not need explicit expansion. Split declaration and assignment to unmask status. Disable shellcheck warning about "local" being undefined in POSIX.

shell/caucase.sh: Make shellcheck happy.
Do not rely on test's -a & -o. Escape backslashes which are intended as literals. Avoid one useless "cat". Avoid testing $?. Simplify "is integer ?" test. Quote a few variable expansions. Arithmetic expression does not need explicit expansion. Split declaration and assignment to unmask status. Disable shellcheck warning about "local" being undefined in POSIX.
3540d427 · Vincent Pelletier · 1c9b9b6d · 3540d427
Commit 3540d427 authored Jul 08, 2018 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 135 additions and 107 deletions

shell/caucase.sh shell/caucase.sh +135 -107

No files found.
--- a/shell/caucase.sh
+++ b/shell/caucase.sh
@@ -33,6 +33,7 @@ pairs2obj () {
  # Keys are expected unquoted, as they must be strings anyway.
  # Values are expected in json.
  # If arg count is odd, last argument is ignored.
+  # shellcheck disable=SC2039
  local first=1
  printf '{'
  while [ $# -ge 2 ]; do
@@ -51,16 +52,20 @@ forEachJSONListItem () {
  # Usage: <command> [<arg> ...] < json
  # <command> is receives each item in json as input.
  # If <command> exit status is non-zero, enumeration stops.
-  local list="$(cat)" index
+  # shellcheck disable=SC2039
-  for index in $(seq 0 $(($(printf "%s\n" "$list" | jq length) - 1))); do
+  local list index
-    printf "%s\n" "$list" | jq ".[$index]" | "$@" || return $?
+  list="$(cat)"
+  for index in $(seq 0 $(($(printf "%s\\n" "$list" | jq length) - 1))); do
+    printf "%s\\n" "$list" | jq ".[$index]" | "$@" || return $?
  done
 }
 wrap () {
  # Wrap payload in a format suitable for caucase and sign it
  # Usage: wrap <key file> <digest> < payload > wrapped
-  local digest="$2" payload="$(cat)"
+  # shellcheck disable=SC2039
+  local digest="$2" payload
+  payload="$(cat)"
  # Note: $() looses trailing newlines, so payload should not need to end with
  # any newline.
  pairs2obj \
@@ -90,14 +95,16 @@ unwrap () {
  # Usage: unwrap <command> [...] < wrapped > payload
  # <command> must output the x509 certificate to use to verify the signature.
  # It receives the payload being unwrapped.
-  local wrapped="$(cat)" status json_digest digest signature_file payload pubkey_file
+  # shellcheck disable=SC2039
+  local wrapped status json_digest digest signature_file payload pubkey_file
+  wrapped="$(cat)"
-  json_digest="$(printf "%s\n" "$wrapped" | jq .digest)"
+  json_digest="$(printf "%s\\n" "$wrapped" | jq .digest)"
  if [ "$json_digest" = "null" ]; then
    return 1
  fi
  digest="$(
-    printf "%s\n" "$json_digest" | jq --raw-output ascii_downcase
+    printf "%s\\n" "$json_digest" | jq --raw-output ascii_downcase
  )"
  case "$digest" in
    sha256|sha384|sha512)
@@ -111,12 +118,11 @@ unwrap () {
    ;;
  esac
  signature_file="$(mktemp --suffix=unwrap.sig)"
-  printf "%s\n" "$wrapped" | jq --raw-output .signature | \
+  printf "%s\\n" "$wrapped" | jq --raw-output .signature | \
    base64 -d > "$signature_file"
-  payload="$(printf "%s\n" "$wrapped" | jq --raw-output .payload)"
+  payload="$(printf "%s\\n" "$wrapped" | jq --raw-output .payload)"
  PUBKEY_FILE="$(mktemp --suffix=unwrap.pub)"
-  printf "%s\n" "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"
+  if printf "%s\\n" "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then
-  if [ $? -eq 0 ]; then
    printf "%s%s " "$payload" "$digest" \
    | openssl dgst \
      -"$digest" \
@@ -136,26 +142,28 @@ unwrap () {
 nullUnwrap () {
  # Usage: nullUnwrap < wrapped > payload
-  local wrapped="$(cat)"
+  # shellcheck disable=SC2039
-  if [ "$(printf "%s\n" "$wrapped" | jq '.digest')" != "null" ]; then
+  local wrapped
+  wrapped="$(cat)"
+  if [ "$(printf "%s\\n" "$wrapped" | jq '.digest')" != "null" ]; then
    return 1
  fi
-  printf "%s\n" "$wrapped" | jq .payload
+  printf "%s\\n" "$wrapped" | jq .payload
 }
 writeCertKey () {
  # Write given certificate and key to file(s).
  # Usage: writeCertKey <crt data> <crt path> <key data> <key path>
+  # shellcheck disable=SC2039
  local crt_path="$1" crt_data="$2" key_path="$3" key_data="$4" need_chmod
  test ! -e "$key_path"
  need_chmod=$?
  # Empty both files first, as they may be the same.
  : > "$crt_path"
  : > "$key_path"
  test $need_chmod -eq 0 && chmod go= "$key_path"
-  printf "%s\n" "$key_data" >> "$key_path"
+  printf "%s\\n" "$key_data" >> "$key_path"
-  printf "%s\n" "$crt_data" >> "$crt_path"
+  printf "%s\\n" "$crt_data" >> "$crt_path"
 }
 alias CURL='curl --silent'
@@ -164,29 +172,31 @@ alias PUT='CURL --upload-file -'
 PUTNoOut () {
  # For when PUT does not provide a response body, so the only way to check
  # for issues is checking HTTP status.
+  # shellcheck disable=SC2039
  local result
-  result="$(
+  if result="$(
    PUT \
-      --write-out "\n%{http_code}\n" \
+      --write-out "\\n%{http_code}\\n" \
      "$@"
-  )"
+  )"; then
-  if [ $? -ne 0 ]; then
+    :
+  else
    return 3
  fi
-  case "$(printf "%s\n" "$result" | tail -n 1)" in
+  case "$(printf "%s\\n" "$result" | tail -n 1)" in
    2?? )
      return 0
    ;;
    401 )
-      printf "Unauthorized\n" >&2
+      printf "Unauthorized\\n" >&2
      return 2
    ;;
    409 )
-      printf "Found\n" >&2
+      printf "Found\\n" >&2
      return 4
    ;;
    * )
-      printf "%s\n" "$result" | head -n -1 >&2
+      printf "%s\\n" "$result" | head -n -1 >&2
      return 1
    ;;
  esac
@@ -212,18 +222,19 @@ _forEachPEM () {
  # <type tester> is called with the end boundary as argument
  # <command> receives each matching PEM element as input.
  # If <command> exit status is non-zero, enumeration stops.
+  # shellcheck disable=SC2039
  local tester="$1" current=""
  shift
  while IFS= read -r line; do
    if [ -z "$current" ]; then
      current="$line"
    else
-      current="$(printf "%s\n%s" "$current" "$line")"
+      current="$(printf "%s\\n%s" "$current" "$line")"
    fi
    case "$line" in
      "-----END "*"-----")
        if "$tester" "$line"; then
-          printf "%s\n" "$current" | "$@" || return $?
+          printf "%s\\n" "$current" | "$@" || return $?
        fi
        current=""
        ;;
@@ -251,7 +262,9 @@ expiresBefore () {
  # Tests whether certificate is expired at given date
  # Usage: expiresBefore <date> < certificate > certificate
  # <date> must be a unix timestamp (date +%s)
-  local enddate="$(openssl x509 -enddate -noout | sed "s/^[^=]*=//")"
+  # shellcheck disable=SC2039
+  local enddate
+  enddate="$(openssl x509 -enddate -noout | sed "s/^[^=]*=//")"
  test $? -ne 0 && return 1
  test "$(date --date="$enddate" +%s)" -lt "$1"
  return $?
@@ -261,8 +274,10 @@ printIfExpiresAfter () {
  # Print certificate if it expires after given date
  # Usage: printIfExpiresAfter <date> < certificate > certificate
  # <date> must be a unix timestamp (date +%s)
-  local crt="$(cat)"
+  # shellcheck disable=SC2039
-  printf "%s\n" "$crt" | expiresBefore "$1" || printf "%s\n" "$crt"
+  local crt
+  crt="$(cat)"
+  printf "%s\\n" "$crt" | expiresBefore "$1" || printf "%s\\n" "$crt"
 }
 appendValidCA () {
@@ -270,19 +285,20 @@ appendValidCA () {
  # Append CA to given file if it is signed by a CA we know of already.
  # Usage: _appendValidCA <ca path> < json
  # Appends valid certificates to the file at <ca path>
+  # shellcheck disable=SC2039
  local ca="$1" payload cert
-  payload=$(unwrap jq --raw-output .old_pem)
+  if payload=$(unwrap jq --raw-output .old_pem); then
-  if [ $? -ne 0 ]; then
+    :
+  else
    printf "Bad signature, something is very wrong" >&2
    return 1
  fi
-  cert="$(printf "%s\n" "$payload" | jq --raw-output .old_pem)"
+  cert="$(printf "%s\\n" "$payload" | jq --raw-output .old_pem)"
-  cat "$ca" \
+  forEachCertificate \
-  | forEachCertificate \
    pemFingerprintIs \
-    "$(printf "%s\n" "$cert" | pem2fingerprint)"
+    "$(printf "%s\\n" "$cert" | pem2fingerprint)" < "$ca"
  if [ $? -eq 1 ]; then
-    printf "%s\n" "$cert" >> "$ca"
+    printf "%s\\n" "$cert" >> "$ca"
  fi
 }
@@ -291,7 +307,7 @@ checkCertificateMatchesKey () {
  # Returns 0 if certificate's public key matches private key's public key,
  # 1 otherwise.
  test "$(
-    printf "%s\n" "$1" | openssl x509 -modulus -noout | sed "s/^Modulus=//"
+    printf "%s\\n" "$1" | openssl x509 -modulus -noout | sed "s/^Modulus=//"
  )" = "$(
    echo "$2" | openssl rsa -modulus -noout | sed "s/^Modulus=//"
  )"
@@ -299,6 +315,7 @@ checkCertificateMatchesKey () {
 }
 checkDeps () {
+  # shellcheck disable=SC2039
  local missingdeps="" dep
  # Expected builtins & keywords:
  #   alias local if then else elif fi for in do done case esac return [ test
@@ -310,7 +327,7 @@ checkDeps () {
    echo "Missing dependencies: $missingdeps" >&2
    return 1
  fi
-  if [ ! -r /dev/null -o ! -w /dev/null ]; then
+  if [ ! -r /dev/null ] || [ ! -w /dev/null ]; then
    echo "Cannot read from & write to /dev/null" >&2
    return 1
  fi
@@ -324,16 +341,18 @@ renewCertificate () {
  # on success.
  # If created, key file permissions will be set so group and other have no
  # access.
+  # shellcheck disable=SC2039
  local url="$1" oldkey="$2" bits="$3" newcrt="$4" newkey="$5"
+  # shellcheck disable=SC2039
  local newkeydata newcrtdata
  newkeydata="$(
    openssl genpkey \
      -algorithm rsa \
-      -pkeyopt rsa_keygen_bits:$bits \
+      -pkeyopt "rsa_keygen_bits:$bits" \
      -outform PEM 2> /dev/null
  )"
-  newcrtdata="$(
+  if newcrtdata="$(
    pairs2obj \
      "crt_pem" "$(str2json)" \
      "renew_csr_pem" "$(
@@ -349,10 +368,9 @@ renewCertificate () {
    | PUT --insecure \
      --header "Content-Type: application/json" \
      "$url/crt/renew/"
-  )"
+  )"; then
-  if [ $? -eq 0 ]; then
    if [ \
-      "x$(printf "%s\n" "$newcrtdata" | head -n 1)" \
+      "x$(printf "%s\\n" "$newcrtdata" | head -n 1)" \
      = \
      "x-----BEGIN CERTIFICATE-----" \
    ]; then
@@ -360,7 +378,7 @@ renewCertificate () {
        writeCertKey "$newcrt" "$newcrtdata" "$newkey" "$newkeydata"
        return 0
      fi
-      printf "Certificate does not match private key\n" >&2
+      printf "Certificate does not match private key\\n" >&2
    else
      printf "%s" "$newcrtdata" >&2
    fi
@@ -405,6 +423,7 @@ revokeSerial () {
 updateCACertificate () {
  # Usage: <url> <cas_ca> <ca>
+  # shellcheck disable=SC2039
  local url="$1" cas_ca="$2" ca="$3" future_ca status orig_ca valid_ca
  orig_ca="$(
    if [ -e "$ca" ]; then
@@ -416,24 +435,24 @@ updateCACertificate () {
  status=$?
  test $status -ne 0 && return 1
  valid_ca="$(
-    printf "%s\n" "$orig_ca" \
+    printf "%s\\n" "$orig_ca" \
    | forEachCertificate printIfExpiresAfter "$(date +%s)"
  )"
  status=$?
  test $status -ne 0 && return 1
-  printf "%s\n" "$valid_ca" > "$ca"
+  printf "%s\\n" "$valid_ca" > "$ca"
  if [ ! -r "$cas_ca" ]; then
    # Should never be reached, as this function should be run once with
    # cas_ca == ca (to update CAS' CA), in which case cas_ca exists by this
    # point. CAU's CA should only be updated after, and by that point CAS' CA
    # already exists.
-    printf "%s does not exist\n" "$cas_ca"
+    printf "%s does not exist\\n" "$cas_ca"
    return 1
  fi
  future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")"
  status=$?
  test $status -ne 0 && return 1
-  printf "%s\n" "$future_ca" | forEachJSONListItem appendValidCA "$ca"
+  printf "%s\\n" "$future_ca" | forEachJSONListItem appendValidCA "$ca"
 }
 getCertificateRevocationList () {
@@ -462,7 +481,7 @@ createCertificateSigningRequest () {
    # So strip it with sed instead.
    case "$line" in
      "Location: "*)
-        printf "%s\n" "$line" | sed "s/^Location: \(\S*\).*/\1/"
+        printf "%s\\n" "$line" | sed "s/^Location: \\(\\S*\\).*/\\1/"
      ;;
    esac
  done
@@ -477,22 +496,24 @@ deletePendingCertificateRequest () {
 getCertificate () {
  # Usage: <url> <csr id>
+  # shellcheck disable=SC2039
  local status
  CURL --fail --insecure "$1/crt/$2"
  status=$?
  if [ $status -ne 0 ]; then
-    printf "Certificate %s not found (not signed yet or rejected)\n" "$2" >&2
+    printf "Certificate %s not found (not signed yet or rejected)\\n" "$2" >&2
    return 1
  fi
 }
 createCertificate () {
  # Usage: <url> <ca> <user crt> <csr id>
+  # shellcheck disable=SC2039
  local result
  PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null
  result=$?
  if [ $result -ne 0 ]; then
-    printf "%s: No such pending signing request\n" "$4" >&2
+    printf "%s: No such pending signing request\\n" "$4" >&2
  fi
  return $result
 }
@@ -596,13 +617,13 @@ EOF
  }
  _argUsage () {
-    printf "%s: %s\n" "$arg" "$1" >&2
+    printf "%s: %s\\n" "$arg" "$1" >&2
    _usage >&2
  }
  _needArg () {
    if [ "$argc" -lt "$1" ]; then
-      printf "%s\n" "$arg needs $1 arguments" >&2
+      printf "%s\\n" "$arg needs $1 arguments" >&2
      _usage >&2
      return 1
    fi
@@ -610,7 +631,7 @@ EOF
  _needURLAndArg () {
    if [ -z "$ca_anon_url" ]; then
-      printf "%s\n" "--ca-url must be provided before $arg" >&2
+      printf "%s\\n" "--ca-url must be provided before $arg" >&2
      return 1
    fi
    _needArg "$1" || return 1
@@ -618,7 +639,7 @@ EOF
  _needAuthURLAndArg () {
    if [ -z "$user_key" ]; then
-      printf "%s\n" "--user-key must be provided before $arg" >&2
+      printf "%s\\n" "--user-key must be provided before $arg" >&2
      return 1
    fi
    _needURLAndArg "$1" || return 1
@@ -626,7 +647,7 @@ EOF
  _checkCertficateMatchesOneKey () {
    # Called from _main, sets global "key_found".
-    test $key_found -ne 0 && return 2
+    test "$key_found" -ne 0 && return 2
    key_found=1
    checkCertificateMatchesKey "$1" "$(cat)" || return 1
  }
@@ -643,7 +664,7 @@ EOF
  _printOneCert () {
    # Called indirectly from _main, sets global "crt_found".
-    if [ $crt_found -ne 0 ]; then
+    if [ "$crt_found" -ne 0 ]; then
      _argUsage "Multiple certificates"
      return 1
    fi
@@ -653,18 +674,21 @@ EOF
  _printOneMatchingCert () {
    # Called indirectly from _main, sets global "crt_found".
-    local crt="$(cat)"
+    # shellcheck disable=SC2039
+    local crt
+    crt="$(cat)"
    if [ $crt_found -ne 0 ]; then
      _argUsage "Multiple certificates"
      return 1
    fi
    crt_found=1
-    checkCertificateMatchesKey "$crt" "$1" && printf "%s\n" "$crt"
+    checkCertificateMatchesKey "$crt" "$1" && printf "%s\\n" "$crt"
  }
  _matchOneKeyAndPrintOneMatchingCert () {
    # Usage: _matchOneKeyAndPrintOneMatchingCert <crt path> <key path>
    # Sets globals "crt_found" and "key_found"
+    # shellcheck disable=SC2039
    local crt
    key_found=0
    key="$(forEachPrivateKey _printOneKey < "$2")"
@@ -678,20 +702,23 @@ EOF
      _argUsage "No certificate matches private key"
      return 1
    fi
-    printf "%s\n" "$crt"
+    printf "%s\\n" "$crt"
  }
  _printPendingCSR () {
-    local json="$(cat)"
+    # shellcheck disable=SC2039
-    printf "%20s | %s\n" \
+    local json
-      "$(printf "%s\n" "$json" | jq --raw-output .id)" \
+    json="$(cat)"
-      "$(printf "%s\n" "$json" | jq --raw-output .csr \
+    printf "%20s | %s\\n" \
+      "$(printf "%s\\n" "$json" | jq --raw-output .id)" \
+      "$(printf "%s\\n" "$json" | jq --raw-output .csr \
        | openssl req -subject -noout | sed "s/^subject=//")"
  }
  _main() {
    checkDeps || return 1
+    # shellcheck disable=SC2039
    local ca_anon_url="" \
      ca_auth_url \
      mode="service" \
@@ -706,7 +733,7 @@ EOF
      threshold=31 \
      status arg argc \
      ca_netloc ca_address ca_port ca_path \
-      csr_id csr csr_path crl crt crt_path key_path key serial \
+      csr_id csr csr_path crl crt crt_path crt_dir key_path key serial \
      csr_list_json
    while test $# -gt 0; do
@@ -728,10 +755,10 @@ EOF
            ;;
            http://*)
              ca_netloc="$(
-                printf "%s\n" "$ca_anon_url" | sed "s!^http://\([^/?#]*\).*!\1!"
+                printf "%s\\n" "$ca_anon_url" | sed "s!^http://\\([^/?#]*\\).*!\\1!"
              )"
              ca_path="$(
-                printf "%s\n" "$ca_anon_url" | sed "s!^http://[^/?#]*!!"
+                printf "%s\\n" "$ca_anon_url" | sed "s!^http://[^/?#]*!!"
              )"
              ca_port=80
              # Note: too bad there is no portable case fall-through...
@@ -739,38 +766,38 @@ EOF
                *]:*)
                  # Bracket-enclosed address, which may contain colons
                  ca_address="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^\(.*\]\).*!\1!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!"
                  )"
                  ca_port="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^[^\]]*\]:!!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^[^\\]]*\\]:!!"
                  )"
                ;;
                *]*)
                  # Bracket-enclosed address, which may contain colons
                  ca_address="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^\(.*\]\).*!\1!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^\\(.*\\]\\).*!\\1!"
                  )"
                ;;
                *:*)
                  # No bracket-encosed address, rely on colon
                  ca_address="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^\([^:]*\).*!\1!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!"
                  )"
                  ca_port="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^[^:]*:!!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^[^:]*:!!"
                  )"
                ;;
                *)
                  # No bracket-encosed address, rely on colon
                  ca_address="$(
-                    printf "%s\n" "$ca_netloc" | sed "s!^\([^:]*\).*!\1!"
+                    printf "%s\\n" "$ca_netloc" | sed "s!^\\([^:]*\\).*!\\1!"
                  )"
                ;;
              esac
              if [ "$ca_port" -eq 80 ]; then
                ca_port=""
              else
-                ca_port=":$(($ca_port + 1))"
+                ca_port=":$((ca_port + 1))"
              fi
              ca_auth_url="https://${ca_address}${ca_port}${ca_path}"
            ;;
@@ -811,11 +838,9 @@ EOF
          _needArg 1 || return 1
          threshold="$1"
          shift
-          # Apparent no-op, but fails if "$threshoold" is not a number
+          if [ "$threshold" -eq "$threshold" ] 2> /dev/null ; then
-          # Also, test outside of "if" statemnt so we do not have an
+            :
-          # "if ... then : else ... fi".
+          else
-          test "$threshold" -ge 0 -o "$threshold" -lt 0
-          if [ $? -ne 0 ]; then
            _argUsage "Argument must be an integer"
            return 1
          fi
@@ -860,7 +885,7 @@ EOF
          )"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s %s\n" "$csr_id" "$1"
+          printf "%s %s\\n" "$csr_id" "$1"
          shift
        ;;
        --get-crt)
@@ -868,9 +893,14 @@ EOF
          csr_id="$1"
          crt_path="$2"
          shift 2
-          if [ "$crt_path" != "-" -a ! -d "$(dirname "$crt_path")" -o "(" \
+          crt_dir="$(dirname "$crt_path")"
-            -e "$crt_path" -a ! "(" -w "$crt_path" -a -r "$crt_path" ")" \
+          if [ "x$crt_path" = "x-" ]; then # stdin & stdout
-          ")" ]; then
+            :
+          elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file
+            :
+          elif [ -w "$crt_dir" ] && [ -x "$crt_dir" ]; then # containing directory
+            :
+          else
            _argUsage \
              "$crt_path is not writeable (and/or not readable if exists)"
            return 1
@@ -879,7 +909,7 @@ EOF
          status=$?
          test $status -ne 0 && return $status
          if [ "$crt_path" = "-" ]; then
-            printf "%s\n" "$crt"
+            printf "%s\\n" "$crt"
          else
            if [ -e "$crt_path" ]; then
              key_found=0
@@ -894,7 +924,7 @@ EOF
                return 1
              fi
            fi
-            printf "%s\n" "$crt" >> "$crt_path"
+            printf "%s\\n" "$crt" >> "$crt_path"
          fi
        ;;
        --revoke-crt)
@@ -905,7 +935,7 @@ EOF
          crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s\n" "$crt" \
+          printf "%s\\n" "$crt" \
          | revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path"
          status=$?
          test $status -ne 0 && return $status
@@ -918,9 +948,9 @@ EOF
          crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
          status=$?
          test $status -ne 0 && return $status
-          if printf "%s\n" "$crt" \
+          if printf "%s\\n" "$crt" \
          | expiresBefore "$(date --date="$threshold days" +%s)"; then
-            printf "%s\n" "$crt" \
+            printf "%s\\n" "$crt" \
            | renewCertificate "${ca_anon_url}/${mode_path}" \
              "$key_path" \
              "$key_len" \
@@ -928,7 +958,7 @@ EOF
            status=$?
            test $status -ne 0 && return $status
          else
-            printf "%s did not reach renew threshold, not renewing\n" \
+            printf "%s did not reach renew threshold, not renewing\\n" \
              "$crt_path" >&2
          fi
        ;;
@@ -943,9 +973,9 @@ EOF
          status=$?
          test $status -ne 0 && return $status
          if [ "$csr_path" = "-" ]; then
-            printf "%s\n" "$csr"
+            printf "%s\\n" "$csr"
          else
-            printf "%s\n" "$csr" > "$csr_path"
+            printf "%s\\n" "$csr" > "$csr_path"
          fi
        ;;
        --update-user)
@@ -955,9 +985,9 @@ EOF
        # Authenticated actions
        --list-csr)
          _needAuthURLAndArg 0 || return 1
-          printf "%s\n" "-- pending $mode CSRs --"
+          printf "%s\\n" "-- pending $mode CSRs --"
          printf \
-            "%20s | subject preview (fetch csr and check full content !)\n" \
+            "%20s | subject preview (fetch csr and check full content !)\\n" \
            "csr_id"
          csr_list_json="$(
            getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
@@ -966,7 +996,7 @@ EOF
          status=$?
          test $status -ne 0 && return $status
          printf "%s" "$csr_list_json" | forEachJSONListItem _printPendingCSR
-          printf "%s\n" "-- end of pending $mode CSRs --"
+          printf "%s\\n" "-- end of pending $mode CSRs --"
        ;;
        --sign-csr)
          _needAuthURLAndArg 1 || return 1
@@ -1004,7 +1034,7 @@ EOF
          crt="$(forEachCertificate _printOneCert < "$crt_path")"
          status=$?
          test $status -ne 0 && return $status
-          printf "%s\n" "$crt" | revokeCRTWithoutKey \
+          printf "%s\\n" "$crt" | revokeCRTWithoutKey \
            "${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key"
          status=$?
          test $status -ne 0 && return $status
@@ -1025,27 +1055,25 @@ EOF
        ;;
      esac
    done
-    if [ -n "$ca_anon_url" -a -r "$cas_ca" ]; then
+    if [ -n "$ca_anon_url" ] && [ -r "$cas_ca" ]; then
-      crl="$(
+      if crl="$(
        getCertificateRevocationList "${ca_anon_url}/cas" "$cas_ca"
-      )"
+      )"; then
-      if [ $? -eq 0 ]; then
+      printf "%s\\n" "$crl" > "$cas_crl"
-      printf "%s\n" "$crl" > "$cas_crl"
    else
-      printf "Received CAS CRL was not signed by CAS CA certificate, skipping\n"
+      printf "Received CAS CRL was not signed by CAS CA certificate, skipping\\n"
    fi
      if [ $update_user -eq 1 ]; then
        updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca"
        status=$?
        test $status -ne 0 && return $status
-        crl="$(
+        if crl="$(
          getCertificateRevocationList "${ca_anon_url}/cau" "$cau_ca"
-        )"
+        )"; then
-        if [ $? -eq 0 ]; then
+          printf "%s\\n" "$crl" > "$cau_crl"
-          printf "%s\n" "$crl" > "$cau_crl"
        else
          printf \
-            "Received CAU CRL was not signed by CAU CA certificate, skipping\n"
+            "Received CAU CRL was not signed by CAU CA certificate, skipping\\n"
        fi
      fi
    fi