Commit 2a556bd2 authored by Vincent Pelletier's avatar Vincent Pelletier

shell/caucase.sh: Do not check caucased certificate.

Should have been part of:
  commit 17325dc0
  Author: Vincent Pelletier <plr.vincent@gmail.com>
  Date:   Sat Jul 14 18:40:41 2018 +0900

      all: Make caucased https certificate independent from CAS.

Also, remove the CURL, PUT and PUTNoOut aliases. They are replaced with
private functions whose naming is consistent with the rest of this script.
parent 66c9e82c
...@@ -169,16 +169,26 @@ writeCertKey () { ...@@ -169,16 +169,26 @@ writeCertKey () {
printf '%s\n' "$crt_data" >> "$crt_path" printf '%s\n' "$crt_data" >> "$crt_path"
} }
alias CURL='curl --silent' _curlInsecure () {
alias PUT='CURL --upload-file -' # Because caucased https certificate does not need to be trusted.
# Usage: ...
curl --silent --insecure "$@"
}
_putInsecure () {
# To PUT stdin via https.
# Usage: ... < input
_curlInsecure --upload-file - "$@"
}
PUTNoOut () { _putInsecureNoOut () {
# For when PUT does not provide a response body, so the only way to check # For when _putInsecure does not provide a response body, so the only way to
# for issues is checking HTTP status. # check for issues is checking HTTP status.
# Usage: ... < input
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local result local result
if result="$( if result="$(
PUT \ _putInsecure \
--write-out '\n%{http_code}\n' \ --write-out '\n%{http_code}\n' \
"$@" "$@"
)"; then )"; then
...@@ -378,7 +388,7 @@ EOF ...@@ -378,7 +388,7 @@ EOF
| str2json | str2json
)" \ )" \
| wrap "$oldkey" 'sha256' \ | wrap "$oldkey" 'sha256' \
| PUT --insecure \ | _putInsecure \
--header 'Content-Type: application/json' \ --header 'Content-Type: application/json' \
"$url/crt/renew/" "$url/crt/renew/"
)"; then )"; then
...@@ -405,43 +415,46 @@ revokeCertificate () { ...@@ -405,43 +415,46 @@ revokeCertificate () {
# Usage: <url> <key_path> < crt # Usage: <url> <key_path> < crt
pairs2obj 'revoke_crt_pem' "$(str2json)" \ pairs2obj 'revoke_crt_pem' "$(str2json)" \
| wrap "$2" 'sha256' \ | wrap "$2" 'sha256' \
| PUTNoOut \ | _putInsecureNoOut \
--header 'Content-Type: application/json' \ --header 'Content-Type: application/json' \
--insecure \ --insecure \
"$1/crt/revoke/" "$1/crt/revoke/"
} }
revokeCRTWithoutKey () { revokeCRTWithoutKey () {
# Usage: <url> <ca> <user crt> < crt # Usage: <url> <user crt> < crt
pairs2obj 'revoke_crt_pem' "$(str2json)" \ pairs2obj 'revoke_crt_pem' "$(str2json)" \
| nullWrap \ | nullWrap \
| PUTNoOut \ | _putInsecureNoOut \
--cert "$3" \ --cert "$2" \
--header 'Content-Type: application/json' \ --header 'Content-Type: application/json' \
--cacert "$2" \
"$1/crt/revoke/" "$1/crt/revoke/"
} }
revokeSerial () { revokeSerial () {
# Usage: <url> <ca> <user crt> <serial> # Usage: <url> <user crt> <serial>
pairs2obj 'revoke_serial' "$4" \ pairs2obj 'revoke_serial' "$3" \
| nullWrap \ | nullWrap \
| PUTNoOut \ | _putInsecureNoOut \
--cert "$3" \ --cert "$2" \
--header 'Content-Type: application/json' \ --header 'Content-Type: application/json' \
--cacert "$2" \
"$1/crt/revoke/" "$1/crt/revoke/"
} }
updateCACertificate () { updateCACertificate () {
# Usage: <url> <cas_ca> <ca> # Usage: <url> <ca>
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local url="$1" cas_ca="$2" ca="$3" future_ca status orig_ca valid_ca local url="$1" \
ca="$2" \
future_ca \
status \
orig_ca \
valid_ca
orig_ca="$( orig_ca="$(
if [ -e "$ca" ]; then if [ -e "$ca" ]; then
cat "$ca" cat "$ca"
else else
CURL --insecure "$url/crt/ca.crt.pem" _curlInsecure "$url/crt/ca.crt.pem"
fi fi
)" )"
status=$? status=$?
...@@ -461,7 +474,7 @@ updateCACertificate () { ...@@ -461,7 +474,7 @@ updateCACertificate () {
printf '%s does not exist\n' "$cas_ca" printf '%s does not exist\n' "$cas_ca"
return 1 return 1
fi fi
future_ca="$(CURL --cacert "$cas_ca" "$url/crt/ca.crt.json")" future_ca="$(_curlInsecure "$url/crt/ca.crt.json")"
status=$? status=$?
test $status -ne 0 && return 1 test $status -ne 0 && return 1
printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca" printf '%s\n' "$future_ca" | forEachJSONListItem appendValidCA "$ca"
...@@ -469,22 +482,22 @@ updateCACertificate () { ...@@ -469,22 +482,22 @@ updateCACertificate () {
getCertificateRevocationList () { getCertificateRevocationList () {
# Usage: <url> <ca> # Usage: <url> <ca>
CURL --insecure "$1/crl" | openssl crl -CAfile "$2" 2> /dev/null _curlInsecure "$1/crl" | openssl crl -CAfile "$2" 2> /dev/null
} }
getCertificateSigningRequest () { getCertificateSigningRequest () {
# Usage: <url> <csr id> # Usage: <url> <csr id>
CURL --insecure "$1/csr/$2" _curlInsecure "$1/csr/$2"
} }
getPendingCertificateRequestList () { getPendingCertificateRequestList () {
# Usage: <url> <ca> <user crt> # Usage: <url> <user crt>
CURL --cert "$3" --cacert "$2" "$1/csr" _curlInsecure --cert "$2" "$1/csr"
} }
createCertificateSigningRequest () { createCertificateSigningRequest () {
# Usage: <url> < csr > csr id # Usage: <url> < csr > csr id
PUT --insecure --header 'Content-Type: application/pkcs10' "$1/csr" \ _putInsecure --header 'Content-Type: application/pkcs10' "$1/csr" \
--dump-header - | while IFS= read -r line; do --dump-header - | while IFS= read -r line; do
# Note: $line contains trailing \r, which will not get stripped by $(). # Note: $line contains trailing \r, which will not get stripped by $().
# So strip it with sed instead. # So strip it with sed instead.
...@@ -497,15 +510,15 @@ createCertificateSigningRequest () { ...@@ -497,15 +510,15 @@ createCertificateSigningRequest () {
} }
deletePendingCertificateRequest () { deletePendingCertificateRequest () {
# Usage: <url> <ca> <user crt> <csr id> # Usage: <url> <user crt> <csr id>
CURL --request DELETE --cert "$3" --cacert "$2" "$1/csr/$4" _curlInsecure --request DELETE --cert "$2" "$1/csr/$3"
} }
getCertificate () { getCertificate () {
# Usage: <url> <csr id> # Usage: <url> <csr id>
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local status local status
CURL --fail --insecure "$1/crt/$2" _curlInsecure --fail "$1/crt/$2"
status=$? status=$?
if [ $status -ne 0 ]; then if [ $status -ne 0 ]; then
printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2 printf 'Certificate %s not found (not signed yet or rejected)\n' "$2" >&2
...@@ -514,21 +527,21 @@ getCertificate () { ...@@ -514,21 +527,21 @@ getCertificate () {
} }
createCertificate () { createCertificate () {
# Usage: <url> <ca> <user crt> <csr id> # Usage: <url> <user crt> <csr id>
# shellcheck disable=SC2039 # shellcheck disable=SC2039
local result local result
PUTNoOut --cert "$3" --cacert "$2" "$1/crt/$4" < /dev/null _putInsecureNoOut --cert "$2" "$1/crt/$3" < /dev/null
result=$? result=$?
if [ $result -ne 0 ]; then if [ $result -ne 0 ]; then
printf '%s: No such pending signing request\n' "$4" >&2 printf '%s: No such pending signing request\n' "$3" >&2
fi fi
return $result return $result
} }
createCertificateWith () { createCertificateWith () {
# Usage: <url> <ca> <user crt> <csr id> < csr # Usage: <url> <user crt> <csr id> < csr
PUTNoOut --cert "$3" --cacert "$2" \ _putInsecureNoOut --cert "$2" \
--header 'Content-Type: application/pkcs10' "$1/crt/$4" --header 'Content-Type: application/pkcs10' "$1/crt/$3"
} }
if [ $# -ne 0 ]; then if [ $# -ne 0 ]; then
...@@ -827,7 +840,7 @@ EOF ...@@ -827,7 +840,7 @@ EOF
return 1 return 1
;; ;;
esac esac
updateCACertificate "${ca_anon_url}/cas" "$cas_ca" "$cas_ca" updateCACertificate "${ca_anon_url}/cas" "$cas_ca"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1012,7 +1025,7 @@ EOF ...@@ -1012,7 +1025,7 @@ EOF
'csr_id' 'csr_id'
csr_list_json="$( csr_list_json="$(
getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \ getPendingCertificateRequestList "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$user_key"
)" )"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
...@@ -1024,7 +1037,7 @@ EOF ...@@ -1024,7 +1037,7 @@ EOF
csr_id="$1" csr_id="$1"
shift shift
createCertificate "${ca_auth_url}/${mode_path}" \ createCertificate "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id" "$user_key" "$csr_id"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1034,7 +1047,7 @@ EOF ...@@ -1034,7 +1047,7 @@ EOF
csr="$2" csr="$2"
shift shift
createCertificateWith "${ca_auth_url}/${mode_path}" \ createCertificateWith "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id" < "$csr" "$user_key" "$csr_id" < "$csr"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1043,7 +1056,7 @@ EOF ...@@ -1043,7 +1056,7 @@ EOF
csr_id="$1" csr_id="$1"
shift shift
deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \ deletePendingCertificateRequest "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$csr_id" "$user_key" "$csr_id"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1056,7 +1069,7 @@ EOF ...@@ -1056,7 +1069,7 @@ EOF
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
printf '%s\n' "$crt" | revokeCRTWithoutKey \ printf '%s\n' "$crt" | revokeCRTWithoutKey \
"${ca_auth_url}/${mode_path}" "$cas_ca" "$user_key" "${ca_auth_url}/${mode_path}" "$user_key"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1065,7 +1078,7 @@ EOF ...@@ -1065,7 +1078,7 @@ EOF
serial="$1" serial="$1"
shift shift
revokeSerial "${ca_auth_url}/${mode_path}" \ revokeSerial "${ca_auth_url}/${mode_path}" \
"$cas_ca" "$user_key" "$serial" "$user_key" "$serial"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
;; ;;
...@@ -1086,7 +1099,7 @@ EOF ...@@ -1086,7 +1099,7 @@ EOF
'Received CAS CRL was not signed by CAS CA certificate, skipping\n' 'Received CAS CRL was not signed by CAS CA certificate, skipping\n'
fi fi
if [ $update_user -eq 1 ]; then if [ $update_user -eq 1 ]; then
updateCACertificate "${ca_anon_url}/cau" "$cas_ca" "$cau_ca" updateCACertificate "${ca_anon_url}/cau" "$cau_ca"
status=$? status=$?
test $status -ne 0 && return $status test $status -ne 0 && return $status
if crl="$( if crl="$(
...@@ -1130,7 +1143,7 @@ EOF ...@@ -1130,7 +1143,7 @@ EOF
# wait for up to about 10 seconds for caucased to start listening (initial # wait for up to about 10 seconds for caucased to start listening (initial
# certificate generation. # certificate generation.
for _ in $(seq 100); do for _ in $(seq 100); do
CURL "http://$netloc" > /dev/null _curlInsecure "http://$netloc" > /dev/null
status=$? status=$?
test $status -eq 0 && break test $status -eq 0 && break
# curl status 7 means "cnould not connect" # curl status 7 means "cnould not connect"
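Review bot: In the `@@ -461,7 +474,7 @@ updateCACertificate` hunk the context line `printf '%s does not exist\n' "$cas_ca"` still references `cas_ca`, but the function's new `local` list (hunk `-405,43 +415,46`) no longer declares it and both callers now pass only `<url> <ca>`, so the message prints an empty string or whatever `cas_ca` the caller happens to have in scope; the condition guarding it is outside the hunk, and if it still tests `$cas_ca` that branch now runs against an unset variable. That check and message should be dropped or rewritten against the remaining parameter, e.g. `printf '%s does not exist\n' "$ca"`. Separately, `_curlInsecure` now adds `--insecure` to every request, including the client-certificate-authenticated sign and revoke calls (`_putInsecureNoOut --cert …`), so the server's identity is not verified on those paths and the only protection is whatever the request itself carries; the one-line comment on `_curlInsecure` should state that trust model rather than just "does not need to be trusted", e.g. `# caucased's https certificate is self-managed (not signed by CAS), so server identity is NOT verified here; each request must carry its own authentication (signed payload or --cert).` Where the caucased certificate is known in advance, curl's `--pinnedpubkey` would restore server authentication without depending on CAS. Finally, `revokeCertificate` still passes an explicit `--insecure` to `_putInsecureNoOut`, which is now redundant and can be removed.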