diff options
| author | Glenn Strauss <gstrauss@gluelogic.com> | 2020-12-09 15:01:59 -0500 |
|---|---|---|
| committer | Glenn Strauss <gstrauss@gluelogic.com> | 2020-12-09 17:07:43 -0500 |
| commit | 8a2f9c1173cd1fbf4a78e942072c7a13df64c2be (patch) | |
| tree | 2f8ec87426cb6ea877a352c65fd8d664157de3bc /doc | |
| parent | de29a3777188bf2065fb8efa2f2cdd8bc11a88ed (diff) | |
| download | lighttpd-git-8a2f9c1173cd1fbf4a78e942072c7a13df64c2be.tar.gz | |
[TLS] cert-staple.sh POSIX sh compat (fixes #3043)
(thx flynn) (patch from flynn)
x-ref:
"cert-staple.sh not POSIX compatible"
https://redmine.lighttpd.net/issues/3043
Diffstat (limited to 'doc')
| -rwxr-xr-x | doc/scripts/cert-staple.sh | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh index c50a4031..af0c5c13 100755 --- a/doc/scripts/cert-staple.sh +++ b/doc/scripts/cert-staple.sh @@ -6,25 +6,25 @@ OCSP_DER="$3" # output symlink (staple.der) OCSP_TMP="" # temporary file -if [[ -z "$CERT_PEM" ]] || [[ -z "$CHAIN_PEM" ]] || [[ -z "$OCSP_DER" ]] \ - || [[ ! -f "$CERT_PEM" ]] || [[ ! -f "$CHAIN_PEM" ]]; then +if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \ + || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der" exit 1 fi -function errexit { - [[ -n "$OCSP_TMP" ]] && rm -f "$OCSP_TMP" +errexit() { + [ -n "$OCSP_TMP" ] && rm -f "$OCSP_TMP" exit 1 } # get URI of OCSP responder from certificate OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout) -[[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1 +[ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1 # exception for (unsupported, end-of-life) older versions of OpenSSL OCSP_HOST= OPENSSL_VERSION=$(openssl version) -if [[ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]]; then +if [ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]; then # get authority from URI OCSP_HOST=$(echo "$OCSP_URI" | cut -d/ -f3) fi @@ -32,7 +32,7 @@ fi # get OCSP response from OCSP responder OCSP_TMP="$OCSP_DER.$$" OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI" ${OCSP_HOST:+-header Host "$OCSP_HOST"}) -[[ $? = 0 ]] || errexit +[ $? = 0 ] || errexit # parse OCSP response from OCSP responder # @@ -41,16 +41,16 @@ OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_ # Next Update: Jun 12 21:00:00 2020 GMT ocsp_status="$(printf %s "$OCSP_RESP" | head -1)" -[[ "$ocsp_status" = "$CERT_PEM: good" ]] || errexit +[ "$ocsp_status" = "$CERT_PEM: good" ] || errexit next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')" next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')" -[[ -n "$next_date" ]] || errexit +[ -n "$next_date" ] || errexit ocsp_expire=$(date -d "$next_date" +%s) # validate OCSP response ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -verify_other "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1) -[[ "$ocsp_verify" = "Response verify OK" ]] || errexit +[ "$ocsp_verify" = "Response verify OK" ] || errexit # rename and update symlink to install OCSP response to be used in OCSP stapling OCSP_OUT="$OCSP_DER.$ocsp_expire" @@ -65,7 +65,7 @@ ln -sf "${OCSP_OUT##*/}" "$OCSP_DER" || errexit now=$(date +%s) for i in "$OCSP_DER".*; do ts="${i#${OCSP_DER}.}" - if [[ -n "$ts" ]] && [[ "$ts" -lt "$now" ]]; then + if [ -n "$ts" ] && [ "$ts" -lt "$now" ]; then rm -f "$i" fi done |