authorGlenn Strauss <gstrauss@gluelogic.com>2022-11-13 08:47:33 -0500
committerGlenn Strauss <gstrauss@gluelogic.com>2022-11-23 08:44:48 -0500
commit422e3569bb82ade44aec5b54a938ed4497cb218b (patch)
tree8bd9f642d141ff200ee17573ac712425b0034407 /doc
parentd616dea236785733dd04e3765d54a7f3a793f10c (diff)
downloadlighttpd-git-422e3569bb82ade44aec5b54a938ed4497cb218b.tar.gz
[doc/scripts/cert-staple.sh] short-circuit checks
short-circuit checks if staple.der next update is > 25 hours in future (allows script to be run daily and to exit quickly if CA staples are issued for longer, e.g. a week at a time)
Diffstat (limited to 'doc')
-rwxr-xr-xdoc/scripts/cert-staple.sh12
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
index 09f7bb3a..84946d3c 100755
--- a/doc/scripts/cert-staple.sh
+++ b/doc/scripts/cert-staple.sh
@@ -5,6 +5,7 @@ CHAIN_PEM="$2" # input (chain.pem)
OCSP_DER="$3" # output symlink (staple.der)
OCSP_TMP="" # temporary file
+next_delta=90000 # 25 hours
if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
|| [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
@@ -17,6 +18,17 @@ errexit() {
exit 1
}
+# short-circuit if Next Update is > $next_delta in the future
+next_ts=$(readlink "$OCSP_DER" 2>/dev/null)
+if [ -n "$next_ts" ]; then
+ next_ts="${next_ts##*.}"
+ ts=$(date +%s)
+ ts=$(( $ts + $next_delta ))
+ if [ -n "$next_ts" ] && [ "$next_ts" -gt "$ts" ]; then
+ exit 0
+ fi
+fi
+
# get URI of OCSP responder from certificate
OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
[ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1
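Review bot: The early `exit 0` trusts the timestamp suffix in the symlink name without confirming that the staple it points to is still present; `readlink` succeeds on a dangling symlink, so a deleted or truncated staple file would go unrefreshed until within 25 hours of the recorded Next Update. Adding a `-s` test to the inner condition would close that: `if [ -s "$OCSP_DER" ] && [ -n "$next_ts" ] && [ "$next_ts" -gt "$ts" ]; then`. The suffix is also passed to `-gt` unvalidated, so a link target without a numeric suffix makes `[` print an error; the script then falls through and refreshes, which is the safe direction, but `case "$next_ts" in *[!0-9]*) next_ts= ;; esac` before the comparison would keep it quiet. The short-circuit also appears to apply when "$CERT_PEM" has been replaced since the staple was fetched, which would leave a staple for the old certificate in place; the rest of the script is outside this hunk, so confirm whether that case is handled elsewhere.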