Commit 2a556bd2 authored by Vincent Pelletier's avatar Vincent Pelletier

shell/caucase.sh: Do not check caucased certificate.

Should have been part of:
  commit 17325dc0
  Author: Vincent Pelletier <plr.vincent@gmail.com>
  Date:   Sat Jul 14 18:40:41 2018 +0900

      all: Make caucased https certificate independent from CAS.

Also, remove the CURL, PUT and PUTNoOut aliases. They are replaced with
private functions whose naming is consistent with the rest of this script.
parent 66c9e82c
......@@ -169,16 +169,26 @@ writeCertKey () {
printf '%s\n' "$crt_data" >> "$crt_path"
}
alias CURL='curl --silent'
alias PUT='CURL --upload-file -'
_curlInsecure () {
# Because caucased https certificate does not need to be trusted.
# Usage: ...
curl --silent --insecure "$@"
}
_putInsecure () {
# To PUT stdin via https.
# Usage: ... < input
_curlInsecure --upload-file - "$@"
}
PUTNoOut () {
# For when PUT does not provide a response body, so the only way to check
# for issues is checking HTTP status.
_putInsecureNoOut () {
# For when _putInsecure does not provide a response body, so the only way to
# check for issues is checking HTTP status.
# Usage: ... < input
# shellcheck disable=SC2039
local result
if result="$(
PUT \
_putInsecure \
--write-out '\n%{http_code}\n' \
"$@"
)"; then
......@@ -378,7 +388,7 @@ EOF
| str2json
)" \
| wrap "$oldkey" 'sha256' \
| PUT --insecure \
| _putInsecure \
--header 'Content-Type: application/json' \
"$url/crt/renew/"
)"; then
......@@ -405,43 +415,46 @@ revokeCertificate () {
# Usage: <url> <key_path> < crt
pairs2obj 'revoke_crt_pem' "$(str2json)" \
| wrap "$2" 'sha256' \
| PUTNoOut \
| _putInsecureNoOut \
--header 'Content-Type: application/json' \
--insecure \
"$1/crt/revoke/"
}
revokeCRTWithoutKey () {
# Usage: <url> <ca> <user crt> < crt
# Usage: <url> <user crt> < crt
pairs2obj 'revoke_crt_pem' "$(str2json)" \
| nullWrap \
| PUTNoOut \
--cert "$3" \
| _putInsecureNoOut \
--cert "$2" \
--header 'Content-Type: application/json' \
--cacert "$2" \
"$1/crt/revoke/"
}
revokeSerial () {
# Usage: <url> <ca> <user crt> <serial>
pairs2obj 'revoke_serial' "$4" \
# Usage: <url> <user crt> <serial>
pairs2obj 'revoke_serial' "$3" \
| nullWrap \
| PUTNoOut \
--cert "$3" \
| _putInsecureNoOut \
--cert "$2" \
--header 'Content-Type: application/json' \
--cacert "$2" \
"$1/crt/revoke/"
}
updateCACertificate () {
# Usage: <url> <cas_ca> <ca>
# Usage: <url> <ca>
# shellcheck disable=SC2039
local url="$1" cas_ca="$2" ca="$3" future_ca status orig_ca valid_ca
local url="$1" \
ca="$2" \
future_ca \
status \
orig_ca \
valid_ca
orig_ca="$(
if [ -e "$ca" ]; then
cat "$ca"
else
CURL --insecure "$url/crt/ca.crt.pem"
_curlInsecure "$url/crt/ca.crt.pem"
fi
)"
status=$?
......@@ -461,7 +474,7 @@ updateCACertificate () {
printf '%s does not exist\n' "$cas_ca"
return 1
fi
future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")"
future_ca="$(_curlInsecure "$url/crt/ca.crt.json")"
status=$?
test $status -ne 0 && return 1
printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
......@@ -469,22 +482,22 @@ updateCACertificate () {
getCertificateRevocationList () {
# Usage: <url> <ca>
CURL --insecure "$1/crl" | openssl crl -CAfile "$2" 2> /dev/null
_curlInsecure "$1/crl" | openssl crl -CAfile "$2" 2> /dev/null
}
getCertificateSigningRequest () {
# Usage: <url> <csr id>
CURL --insecure "$1/csr/$2"
_curlInsecure "$1/csr/$2"
}
getPendingCertificateRequestList () {
# Usage: <url> <ca> <user crt>
CURL --cert "$3" --cacert "$2" "$1/csr"
# Usage: <url> <user crt>
_curlInsecure --cert "$2" "$1/csr"
}
createCertificateSigningRequest () {
# Usage: <url> < csr > csr id
PUT --insecure --header 'Content-Type: application/pkcs10' "$1/csr" \
_putInsecure --header 'Content-Type: application/pkcs10' "$1/csr" \
--dump-header - | while IFS= read -r line; do
# Note: $line contains trailing \r, which will not get stripped by $().
# So strip it with sed instead.
......@@ -497,15 +510,15 @@ createCertificateSigningRequest () {
}
deletePendingCertificateRequest () {
# Usage: <url> <ca> <user crt> <csr id>
CURL --request DELETE --cert "$3" --cacert "$2" "$1/csr/$4"
# Usage: <url> <user crt> <csr id>
_curlInsecure --request DELETE --cert "$2" "$1/csr/$3"
}
getCertificate () {
# Usage: <url> <csr id>
# shellcheck disable=SC2039
local status
CURL --fail --insecure "$1/crt/$2"
_curlInsecure --fail "$1/crt/$2"
status=$?
if [ $status -ne 0 ]; then
printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
......@@ -514,21 +527,21 @@ getCertificate () {
}
createCertificate () {
# Usage: <url> <ca> <user crt> <csr id>
# Usage: <url> <user crt> <csr id>
# shellcheck disable=SC2039
local result
PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null
_putInsecureNoOut --cert "$2" "$1/crt/$3" < /dev/null
result=$?
if [ $result -ne 0 ]; then
printf '%s: No such pending signing request\n' "$4" >&2
printf '%s: No such pending signing request\n' "$3" >&2
fi
return $result
}
createCertificateWith () {
# Usage: <url> <ca> <user crt> <csr id> < csr
PUTNoOut --cert "$3" --cacert "$2" \
--header 'Content-Type: application/pkcs10' "$1/crt/$4"
# Usage: <url> <user crt> <csr id> < csr
_putInsecureNoOut --cert "$2" \
--header 'Content-Type: application/pkcs10' "$1/crt/$3"
}
if [ $# -ne 0 ]; then
......@@ -827,7 +840,7 @@ EOF
return 1
;;
esac
updateCACertificate "${ca_anon_url}/cas" "$cas_ca" "$cas_ca"
updateCACertificate "${ca_anon_url}/cas" "$cas_ca"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1012,7 +1025,7 @@ EOF
'csr_id'
csr_list_json="$(
getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key"
"$user_key"
)"
status=$?
test $status -ne 0 && return $status
......@@ -1024,7 +1037,7 @@ EOF
csr_id="$1"
shift
createCertificate "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id"
"$user_key" "$csr_id"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1034,7 +1047,7 @@ EOF
csr="$2"
shift
createCertificateWith "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id" < "$csr"
"$user_key" "$csr_id" < "$csr"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1043,7 +1056,7 @@ EOF
csr_id="$1"
shift
deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id"
"$user_key" "$csr_id"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1056,7 +1069,7 @@ EOF
status=$?
test $status -ne 0 && return $status
printf '%s\n' "$crt" | revokeCRTWithoutKey \
"${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key"
"${ca_auth_url}/${mode_path}" "$user_key"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1065,7 +1078,7 @@ EOF
serial="$1"
shift
revokeSerial "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$serial"
"$user_key" "$serial"
status=$?
test $status -ne 0 && return $status
;;
......@@ -1086,7 +1099,7 @@ EOF
'Received CAS CRL was not signed by CAS CA certificate, skipping\n'
fi
if [ $update_user -eq 1 ]; then
updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca"
updateCACertificate "${ca_anon_url}/cau" "$cau_ca"
status=$?
test $status -ne 0 && return $status
if crl="$(
......@@ -1130,7 +1143,7 @@ EOF
# wait for up to about 10 seconds for caucased to start listening (initial
# certificate generation.
for _ in $(seq 100); do
CURL "http://$netloc" > /dev/null
_curlInsecure "http://$netloc" > /dev/null
status=$?
test $status -eq 0 && break
# curl status 7 means "cnould not connect"
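Review bot: In the `updateCACertificate` hunk at `@@ -461,7 +474,7 @@`, the kept lines `printf '%s does not exist\n' "$cas_ca"` / `return 1` still refer to `cas_ca`, which this commit removes from the function's usage line and `local` list, so the existence check they belong to (its `if` condition lies outside the hunk) now reads whatever script-level `cas_ca` is in scope, or an empty string, instead of a function argument; with the `--cacert "$cas_ca"` fetch gone that check is dead and its whole `if` block should be deleted. The same hunk turns the one TLS-verified request in the script (`ca.crt.json`, previously fetched with `--cacert "$cas_ca"`) into an `--insecure` one, so acceptance of a new CA now rests entirely on what `appendValidCA` verifies, which is not visible here; a comment such as `# Transport is unverified (--insecure): appendValidCA must check each candidate is signed by the current $ca before appending it.` next to the `forEachJSONListItem` call would make that dependency explicit. Note also that `--cert` only proves the client's identity to whoever terminates TLS and does nothing to verify the peer, so with `--insecure` on every call an on-path attacker can read the CSR bodies, revoke requests and pending-request listings; that trade-off deserves a sentence in the `_curlInsecure` header comment rather than only "does not need to be trusted".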