Skip to content

C
caucase
Commit c6531df2 authored by Vincent Pelletier's avatar Vincent Pelletier
Browse files
Options

shell/caucase.sh: Simplify most return-on-error cases. 

Also, some word-wrapping.
parent dc024644
Hide whitespace changes
Inline Side-by-side
Showing with 37 additions and 67 deletions
shell/caucase.sh
View file @ c6531df2
...@@ -125,7 +125,8 @@ unwrap () { ...@@ -125,7 +125,8 @@ unwrap () {
base64 -d > "$signature_file" base64 -d > "$signature_file"
payload="$(printf '%s\n' "$wrapped" | jq --raw-output .payload)" payload="$(printf '%s\n' "$wrapped" | jq --raw-output .payload)"
pubkey_file="$(mktemp --suffix=unwrap.pub)" pubkey_file="$(mktemp --suffix=unwrap.pub)"
if printf '%s\n' "$payload" "$@" | openssl x509 -pubkey -noout > "$pubkey_file"; then if printf '%s\n' "$payload" "$@" \
| openssl x509 -pubkey -noout > "$pubkey_file"; then
printf '%s%s ' "$payload" "$digest" \ printf '%s%s ' "$payload" "$digest" \
| openssl dgst \ | openssl dgst \
-"$digest" \ -"$digest" \
...@@ -506,9 +507,7 @@ updateCACertificate () { ...@@ -506,9 +507,7 @@ updateCACertificate () {
valid_ca="$( valid_ca="$(
printf '%s\n' "$orig_ca" \ printf '%s\n' "$orig_ca" \
| forEachCertificate printIfExpiresAfter "$(date +%s)" | forEachCertificate printIfExpiresAfter "$(date +%s)"
)" )" || return
status=$?
test $status -ne 0 && return 1
if [ $ca_is_file -eq 1 ]; then if [ $ca_is_file -eq 1 ]; then
printf '%s\n' "$valid_ca" > "$ca" printf '%s\n' "$valid_ca" > "$ca"
else else
...@@ -529,9 +528,7 @@ updateCACertificate () { ...@@ -529,9 +528,7 @@ updateCACertificate () {
printf '%s does not exist\n' "$cas_ca" printf '%s does not exist\n' "$cas_ca"
return 1 return 1
fi fi
future_ca="$(_curlInsecure "$url/crt/ca.crt.json")" future_ca="$(_curlInsecure "$url/crt/ca.crt.json")" || return
status=$?
test $status -ne 0 && return 1
printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca" printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
} }
...@@ -577,11 +574,9 @@ deletePendingCertificateRequest () { ...@@ -577,11 +574,9 @@ deletePendingCertificateRequest () {
getCertificate () { getCertificate () {
# Usage: <url> <csr id> # Usage: <url> <csr id>
# shellcheck disable=SC2039 if _curlInsecure --fail "$1/crt/$2"; then
local status :
_curlInsecure --fail "$1/crt/$2" else
status=$?
if [ $status -ne 0 ]; then
printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2 printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
return 1 return 1
fi fi
...@@ -776,13 +771,9 @@ EOF ...@@ -776,13 +771,9 @@ EOF
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local crt local crt
key_found=0 key_found=0
key="$(forEachPrivateKey _printOneKey < "$2")" key="$(forEachPrivateKey _printOneKey < "$2")" || return
status=$?
test $status -ne 0 && return $status
crt_found=0 crt_found=0
crt="$(forEachCertificate _printOneMatchingCert "$key" < "$1")" crt="$(forEachCertificate _printOneMatchingCert "$key" < "$1")" || return
status=$?
test $status -ne 0 && return $status
if [ -z "$crt" ]; then if [ -z "$crt" ]; then
_argUsage 'No certificate matches private key' _argUsage 'No certificate matches private key'
return 1 return 1
...@@ -904,9 +895,7 @@ EOF ...@@ -904,9 +895,7 @@ EOF
return 1 return 1
;; ;;
esac esac
updateCACertificate "${ca_anon_url}/cas" "$cas_ca" updateCACertificate "${ca_anon_url}/cas" "$cas_ca" || return
status=$?
test $status -ne 0 && return $status
;; ;;
--ca-crt) --ca-crt)
_needArg 1 || return 1 _needArg 1 || return 1
...@@ -979,10 +968,9 @@ EOF ...@@ -979,10 +968,9 @@ EOF
return 1 return 1
fi fi
csr_id="$( csr_id="$(
createCertificateSigningRequest "${ca_anon_url}/${mode_path}" < "$1" createCertificateSigningRequest "${ca_anon_url}/${mode_path}" \
)" < "$1"
status=$? )" || return
test $status -ne 0 && return $status
printf '%s %s\n' "$csr_id" "$1" printf '%s %s\n' "$csr_id" "$1"
shift shift
;; ;;
...@@ -992,20 +980,22 @@ EOF ...@@ -992,20 +980,22 @@ EOF
crt_path="$2" crt_path="$2"
shift 2 shift 2
crt_dir="$(dirname "$crt_path")" crt_dir="$(dirname "$crt_path")"
if [ "x$crt_path" = 'x-' ]; then # stdin & stdout if [ "x$crt_path" = 'x-' ]; then
# stdin & stdout
: :
elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then # existing file elif [ -w "$crt_path" ] && [ -r "$crt_path" ]; then
# existing file
: :
elif [ -w "$crt_dir" ] && [ -x "$crt_dir" ]; then # containing directory elif [ -w "$crt_dir" ] && [ -x "$crt_dir" ]; then
# containing directory
: :
else else
_argUsage \ _argUsage \
"$crt_path is not writeable (and/or not readable if exists)" "$crt_path is not writeable (and/or not readable if exists)"
return 1 return 1
fi fi
crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")" crt="$(getCertificate "${ca_anon_url}/${mode_path}" "$csr_id")" \
status=$? || return
test $status -ne 0 && return $status
if [ "x$crt_path" = 'x-' ]; then if [ "x$crt_path" = 'x-' ]; then
printf '%s\n' "$crt" printf '%s\n' "$crt"
else else
...@@ -1030,31 +1020,27 @@ EOF ...@@ -1030,31 +1020,27 @@ EOF
crt_path="$1" crt_path="$1"
key_path="$2" key_path="$2"
shift 2 shift 2
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")" crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" \
status=$? "$key_path")" || return
test $status -ne 0 && return $status
printf '%s\n' "$crt" \ printf '%s\n' "$crt" \
| revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path" | revokeCertificate "${ca_anon_url}/${mode_path}" "$key_path" \
status=$? || return
test $status -ne 0 && return $status
;; ;;
--renew-crt) --renew-crt)
_needURLAndArg 2 || return 1 _needURLAndArg 2 || return 1
crt_path="$1" crt_path="$1"
key_path="$2" key_path="$2"
shift 2 shift 2
crt="$(_matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path")" crt="$( \
status=$? _matchOneKeyAndPrintOneMatchingCert "$crt_path" "$key_path" \
test $status -ne 0 && return $status )" || return
if printf '%s\n' "$crt" \ if printf '%s\n' "$crt" \
| expiresBefore "$(date --date="$threshold days" +%s)"; then | expiresBefore "$(date --date="$threshold days" +%s)"; then
printf '%s\n' "$crt" \ printf '%s\n' "$crt" \
| renewCertificate "${ca_anon_url}/${mode_path}" \ | renewCertificate "${ca_anon_url}/${mode_path}" \
"$key_path" \ "$key_path" \
"$key_len" \ "$key_len" \
"$crt_path" "$key_path" "$crt_path" "$key_path" || return
status=$?
test $status -ne 0 && return $status
else else
printf '%s did not reach renew threshold, not renewing\n' \ printf '%s did not reach renew threshold, not renewing\n' \
"$crt_path" >&2 "$crt_path" >&2
...@@ -1067,9 +1053,7 @@ EOF ...@@ -1067,9 +1053,7 @@ EOF
shift 2 shift 2
csr="$( csr="$(
getCertificateSigningRequest "${ca_anon_url}/${mode_path}" "$csr_id" getCertificateSigningRequest "${ca_anon_url}/${mode_path}" "$csr_id"
)" )" || return
status=$?
test $status -ne 0 && return $status
if [ "x$csr_path" = 'x-' ]; then if [ "x$csr_path" = 'x-' ]; then
printf '%s\n' "$csr" printf '%s\n' "$csr"
else else
...@@ -1090,9 +1074,7 @@ EOF ...@@ -1090,9 +1074,7 @@ EOF
csr_list_json="$( csr_list_json="$(
getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \ getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
"$user_key" "$user_key"
)" )" || return
status=$?
test $status -ne 0 && return $status
printf '%s' "$csr_list_json" | forEachJSONListItem _printPendingCSR printf '%s' "$csr_list_json" | forEachJSONListItem _printPendingCSR
printf '%s\n' "-- end of pending $mode CSRs --" printf '%s\n' "-- end of pending $mode CSRs --"
;; ;;
...@@ -1101,9 +1083,7 @@ EOF ...@@ -1101,9 +1083,7 @@ EOF
csr_id="$1" csr_id="$1"
shift shift
createCertificate "${ca_auth_url}/${mode_path}" \ createCertificate "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id" "$user_key" "$csr_id" || return
status=$?
test $status -ne 0 && return $status
;; ;;
--sign-csr-with) --sign-csr-with)
_needAuthURLAndArg 2 || return 1 _needAuthURLAndArg 2 || return 1
...@@ -1111,40 +1091,30 @@ EOF ...@@ -1111,40 +1091,30 @@ EOF
csr="$2" csr="$2"
shift shift
createCertificateWith "${ca_auth_url}/${mode_path}" \ createCertificateWith "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id" < "$csr" "$user_key" "$csr_id" < "$csr" || return
status=$?
test $status -ne 0 && return $status
;; ;;
--reject-csr) --reject-csr)
_needAuthURLAndArg 1 || return 1 _needAuthURLAndArg 1 || return 1
csr_id="$1" csr_id="$1"
shift shift
deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \ deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \
"$user_key" "$csr_id" "$user_key" "$csr_id" || return
status=$?
test $status -ne 0 && return $status
;; ;;
--revoke-other-crt) --revoke-other-crt)
_needAuthURLAndArg 1 || return 1 _needAuthURLAndArg 1 || return 1
crt_path="$1" crt_path="$1"
shift shift
crt_found=0 crt_found=0
crt="$(forEachCertificate _printOneCert < "$crt_path")" crt="$(forEachCertificate _printOneCert < "$crt_path")" || return
status=$?
test $status -ne 0 && return $status
printf '%s\n' "$crt" | revokeCRTWithoutKey \ printf '%s\n' "$crt" | revokeCRTWithoutKey \
"${ca_auth_url}/${mode_path}" "$user_key" "${ca_auth_url}/${mode_path}" "$user_key" || return
status=$?
test $status -ne 0 && return $status
;; ;;
--revoke-serial) --revoke-serial)
_needAuthURLAndArg 1 || return 1 _needAuthURLAndArg 1 || return 1
serial="$1" serial="$1"
shift shift
revokeSerial "${ca_auth_url}/${mode_path}" \ revokeSerial "${ca_auth_url}/${mode_path}" \
"$user_key" "$serial" "$user_key" "$serial" || return
status=$?
test $status -ne 0 && return $status
;; ;;
*) *)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7