From 8a2f9c1173cd1fbf4a78e942072c7a13df64c2be Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 9 Dec 2020 15:01:59 -0500
Subject: [TLS] cert-staple.sh POSIX sh compat (fixes #3043)
(thx flynn)
(patch from flynn)
x-ref:
"cert-staple.sh not POSIX compatible"
https://redmine.lighttpd.net/issues/3043
---
doc/scripts/cert-staple.sh | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
index c50a4031..af0c5c13 100755
--- a/doc/scripts/cert-staple.sh
+++ b/doc/scripts/cert-staple.sh
@@ -6,25 +6,25 @@ OCSP_DER="$3" # output symlink (staple.der)
 OCSP_TMP="" # temporary file
-if [[ -z "$CERT_PEM" ]] || [[ -z "$CHAIN_PEM" ]] || [[ -z "$OCSP_DER" ]] \
- || [[ ! -f "$CERT_PEM" ]] || [[ ! -f "$CHAIN_PEM" ]]; then
+if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
+ || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
 echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der"
 exit 1
 fi
-function errexit {
- [[ -n "$OCSP_TMP" ]] && rm -f "$OCSP_TMP"
+errexit() {
+ [ -n "$OCSP_TMP" ] && rm -f "$OCSP_TMP"
 exit 1
 }
 # get URI of OCSP responder from certificate
 OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
-[[ $? = 0 ]] && [[ -n "$OCSP_URI" ]] || exit 1
+[ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1
 # exception for (unsupported, end-of-life) older versions of OpenSSL
 OCSP_HOST=
 OPENSSL_VERSION=$(openssl version)
-if [[ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]]; then
+if [ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]; then
 # get authority from URI
 OCSP_HOST=$(echo "$OCSP_URI" | cut -d/ -f3)
 fi
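Review bot: `OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)` can produce more than one line, since as far as I can tell `-ocsp_uri` prints every OCSP responder URI in the certificate's AIA extension one per line, and the rewritten `[ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1` only rejects the empty case. A multi-line value is later passed as a single `-url` argument and piped through `cut -d/ -f3` for the `Host` header, so both break for a certificate that lists several responders. Taking the first line keeps the rest of the script as it is: `OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout) || exit 1`, `OCSP_URI=$(printf %s "$OCSP_URI" | head -1)`, `[ -n "$OCSP_URI" ] || exit 1`; this also drops the `$?`-after-assignment idiom in favour of a direct status check. While there, `printf %s "$OCSP_URI" | cut -d/ -f3` is the safer spelling of the `echo` in the OpenSSL 1.0 branch, matching the `printf %s` already used on `$OCSP_RESP` later in the file.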
@@ -32,7 +32,7 @@ fi
 # get OCSP response from OCSP responder
 OCSP_TMP="$OCSP_DER.$$"
 OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI" ${OCSP_HOST:+-header Host "$OCSP_HOST"})
-[[ $? = 0 ]] || errexit
+[ $? = 0 ] || errexit
 # parse OCSP response from OCSP responder
 #
@@ -41,16 +41,16 @@ OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_
 # Next Update: Jun 12 21:00:00 2020 GMT
 ocsp_status="$(printf %s "$OCSP_RESP" | head -1)"
-[[ "$ocsp_status" = "$CERT_PEM: good" ]] || errexit
+[ "$ocsp_status" = "$CERT_PEM: good" ] || errexit
 next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')"
 next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')"
-[[ -n "$next_date" ]] || errexit
+[ -n "$next_date" ] || errexit
 ocsp_expire=$(date -d "$next_date" +%s)
 # validate OCSP response
 ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -verify_other "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1)
-[[ "$ocsp_verify" = "Response verify OK" ]] || errexit
+[ "$ocsp_verify" = "Response verify OK" ] || errexit
 # rename and update symlink to install OCSP response to be used in OCSP stapling
 OCSP_OUT="$OCSP_DER.$ocsp_expire"
@@ -65,7 +65,7 @@ ln -sf "${OCSP_OUT##*/}" "$OCSP_DER" || errexit
 now=$(date +%s)
 for i in "$OCSP_DER".*; do
 ts="${i#${OCSP_DER}.}"
- if [[ -n "$ts" ]] && [[ "$ts" -lt "$now" ]]; then
+ if [ -n "$ts" ] && [ "$ts" -lt "$now" ]; then
 rm -f "$i"
 fi
 done
-- 
cgit v1.2.1
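Review bot: `OCSP_TMP="$OCSP_DER.$$"` (context in this hunk) is a predictable temporary path that the following `openssl ocsp ... -respout "$OCSP_TMP"` creates or truncates without checking what already sits there; if the staple directory is writable by any account other than the one running this script, a pre-planted symlink at that name redirects the write. `OCSP_TMP=$(mktemp "$OCSP_DER.XXXXXX") || exit 1` creates the file atomically in the same directory and is widely available even though `mktemp` itself is not POSIX. The `.$$` suffix also lands in the same namespace as the numeric expiry suffixes that the cleanup loop in the last hunk deletes, so a distinct temp-name shape helps there as well.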
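Review bot: `ocsp_expire=$(date -d "$next_date" +%s)` is the one extraction step in this hunk that is not followed by `|| errexit`: if `date` rejects `$next_date`, or is a non-GNU `date` without `-d` (which matters for a POSIX-compat change), `ocsp_expire` is empty and the response is installed as `$OCSP_DER.` with no expiry encoded in its name, so the cleanup loop in the last hunk can never age it out because `[ -n "$ts" ]` skips it. Add `[ -n "$ocsp_expire" ] || errexit` after the `date` line, matching the checks around it. `date -d` is a GNU extension, so the script stays tied to GNU coreutils after this commit; a comment at that line such as `# requires GNU date (-d)` would make that dependency explicit.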
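Review bot: `[ "$ts" -lt "$now" ]` receives whatever follows `$OCSP_DER.` in the directory, which is not always an integer: when nothing matches, `"$OCSP_DER".*` expands to itself in POSIX sh, `ts` becomes `*`, and `test` reports a non-integer operand on stderr (nothing is removed, but the noise reaches cron mail). More seriously, the temporary file from the first hunk is `$OCSP_DER.$$`, and a PID is always smaller than the current epoch seconds, so a second instance of the script running concurrently would have its in-flight `-respout` file deleted by this loop. Guarding with `case "$ts" in ''|*[!0-9]*) continue ;; esac` before the comparison handles the first case; giving the temporary file a suffix the loop can recognise and skip (e.g. `$OCSP_DER.tmp.$$`) handles the second.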