Skip to content

C
caucase
Commit c6531df2 authored by Vincent Pelletier's avatar Vincent Pelletier
Browse files
Options

shell/caucase.sh: Simplify most return-on-error cases. 

Also, some word-wrapping.
parent dc024644
Show whitespace changes
Inline Side-by-side
Showing with 37 additions and 67 deletions
shell/caucase.sh
View file @ c6531df2
......@@ -125,7 +125,8 @@ unwrap () {
base64 -d > "$signature_file"
payload="$(printf '%s\n' "$wrapped" | jq --raw-output .payload)"
pubkey_file="$(mktemp --suffix=unwrap.pub)"
if printf '%s\n' "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then
if printf '%s\n' "$payload" "$@" \
| openssl x509 -pubkey -noout > "$pubkey_file"; then
printf '%s%s ' "$payload" "$digest" \
| openssl dgst \
-"$digest" \
......@@ -506,9 +507,7 @@ updateCACertificate () {
valid_ca="$(
printf '%s\n' "$orig_ca" \
| forEachCertificate printIfExpiresAfter "$(date +%s)"
)"
status=$?
test $status -ne 0 && return 1
)" || return
if [ $ca_is_file -eq 1 ]; then
printf '%s\n' "$valid_ca" > "$ca"
else
......@@ -529,9 +528,7 @@ updateCACertificate () {
printf '%s does not exist\n' "$cas_ca"
return 1
fi
future_ca="$(_curlInsecure "$url/crt/ca.crt.json")"
status=$?
test $status -ne 0 && return 1
future_ca="$(_curlInsecure "$url/crt/ca.crt.json")" || return
printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
}
......@@ -577,11 +574,9 @@ deletePendingCertificateRequest () {
getCertificate () {
# Usage: <url> <csr id>
# shellcheck disable=SC2039
local status
_curlInsecure --fail "$1/crt/$2"
status=$?
if [ $status -ne 0 ]; then
if _curlInsecure --fail "$1/crt/$2"; then
:
else
printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
return 1
fi
......@@ -776,13 +771,9 @@ EOF
# shellcheck disable=SC2039
local crt
key_found=0
key="$(forEachPrivateKey _printOneKey < "$2")"
status=$?
test $status -ne 0 && return $status
key="$(forEachPrivateKey _printOneKey < "$2")" || return
crt_found=0
crt="$(forEachCertificate _printOneMatchingCert "$key" < "$1")"
status=$?
test $status -ne 0 && return $status
crt="$(forEachCertificate _printOneMatchingCert "$key" < "$1")" || return
if [ -z "$crt" ]; then
_argUsage 'No certificate matches private key'
return 1
......@@ -904,9 +895,7 @@ EOF
return 1
;;
esac
updateCACertificate "${ca_anon_url}/cas" "$cas_ca"
status=$?
test $status -ne 0 && return $status
updateCACertificate "${ca_anon_url}/cas" "$cas_ca" || return
;;
--ca-crt)
_needArg 1 || return 1
......@@ -979,10 +968,9 @@ EOF
return 1
fi
csr_id="$(
createCertificateSigningRequest "${ca_anon_url}/${mode_path}" < "$1"
)"
status=$?
test $status -ne 0 && return $status
createCertificateSigningRequest "${ca_anon_url}/${mode_path}" \
< "$1"
)" || return
printf '%s %s\n' "$csr_id" "$1"
shift
;;
......@@ -992,20 +980,22 @@ EOF
crt_path="$2"
shift 2
crt_dir="$(dirname "$crt_path")"
if [ "x$crt_path" = 'x-' ]; then # stdin & stdout
if [ "x$crt_path" = 'x-' ]; then
# stdin & stdout
:
elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file
elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then
# existing file
:
elif [ -w "$crt_dir" ] && [ -x "$crt_dir" ]; then # containing directory
elif [ -w "$crt_dir" ] && [ -x "$crt_dir" ]; then
# containing directory
:
else
_argUsage \
"$crt_path is not writeable (and/or not readable if exists)"
return 1
fi
crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")"
status=$?
test $status -ne 0 && return $status
crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")" \
|| return
if [ "x$crt_path" = 'x-' ]; then
printf '%s\n' "$crt"
else
......@@ -1030,31 +1020,27 @@ EOF
crt_path="$1"
key_path="$2"
shift 2
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
status=$?
test $status -ne 0 && return $status
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" \
"$key_path")" || return
printf '%s\n' "$crt" \
| revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path"
status=$?
test $status -ne 0 && return $status
| revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path" \
|| return
;;
--renew-crt)
_needURLAndArg 2 || return 1
crt_path="$1"
key_path="$2"
shift 2
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")"
status=$?
test $status -ne 0 && return $status
crt="$( \
_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path" \
)" || return
if printf '%s\n' "$crt" \
| expiresBefore "$(date --date="$threshold days" +%s)"; then
printf '%s\n' "$crt" \
| renewCertificate "${ca_anon_url}/${mode_path}" \
"$key_path" \
"$key_len" \
"$crt_path" "$key_path"
status=$?
test $status -ne 0 && return $status
"$crt_path" "$key_path" || return
else
printf '%s did not reach renew threshold, not renewing\n' \
"$crt_path" >&2
......@@ -1067,9 +1053,7 @@ EOF
shift 2
csr="$(
getCertificateSigningRequest "${ca_anon_url}/${mode_path}" "$csr_id"
)"
status=$?
test $status -ne 0 && return $status
)" || return
if [ "x$csr_path" = 'x-' ]; then
printf '%s\n' "$csr"
else
......@@ -1090,9 +1074,7 @@ EOF
csr_list_json="$(
getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
"$user_key"
)"
status=$?
test $status -ne 0 && return $status
)" || return
printf '%s' "$csr_list_json" | forEachJSONListItem _printPendingCSR
printf '%s\n' "-- end of pending $mode CSRs --"
;;
......@@ -1101,9 +1083,7 @@ EOF
csr_id="$1"
shift
createCertificate "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id"
status=$?
test $status -ne 0 && return $status
"$user_key" "$csr_id" || return
;;
--sign-csr-with)
_needAuthURLAndArg 2 || return 1
......@@ -1111,40 +1091,30 @@ EOF
csr="$2"
shift
createCertificateWith "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id" < "$csr"
status=$?
test $status -ne 0 && return $status
"$user_key" "$csr_id" < "$csr" || return
;;
--reject-csr)
_needAuthURLAndArg 1 || return 1
csr_id="$1"
shift
deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id"
status=$?
test $status -ne 0 && return $status
"$user_key" "$csr_id" || return
;;
--revoke-other-crt)
_needAuthURLAndArg 1 || return 1
crt_path="$1"
shift
crt_found=0
crt="$(forEachCertificate _printOneCert < "$crt_path")"
status=$?
test $status -ne 0 && return $status
crt="$(forEachCertificate _printOneCert < "$crt_path")" || return
printf '%s\n' "$crt" | revokeCRTWithoutKey \
"${ca_auth_url}/${mode_path}" "$user_key"
status=$?
test $status -ne 0 && return $status
"${ca_auth_url}/${mode_path}" "$user_key" || return
;;
--revoke-serial)
_needAuthURLAndArg 1 || return 1
serial="$1"
shift
revokeSerial "${ca_auth_url}/${mode_path}" \
"$user_key" "$serial"
status=$?
test $status -ne 0 && return $status
"$user_key" "$serial" || return
;;
*)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7