From 422e3569bb82ade44aec5b54a938ed4497cb218b Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Sun, 13 Nov 2022 08:47:33 -0500
Subject: [doc/scripts/cert-staple.sh] short-circuit checks

short-circuit checks if staple.der next update is > 25 hours in future (allows script to be run daily and to exit quickly if CA staples are issued for longer, e.g. a week at a time)
---
 doc/scripts/cert-staple.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'doc')

diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
index 09f7bb3a..84946d3c 100755
--- a/doc/scripts/cert-staple.sh
+++ b/doc/scripts/cert-staple.sh
@@ -5,6 +5,7 @@ CHAIN_PEM="$2" # input (chain.pem)
 OCSP_DER="$3" # output symlink (staple.der)
 OCSP_TMP="" # temporary file
+next_delta=90000 # 25 hours
 if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
 || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
@@ -17,6 +18,17 @@ errexit() {
 exit 1
 }
+# short-circuit if Next Update is > $next_delta in the future
+next_ts=$(readlink "$OCSP_DER" 2>/dev/null)
+if [ -n "$next_ts" ]; then
+ next_ts="${next_ts##*.}"
+ ts=$(date +%s)
+ ts=$(( $ts + $next_delta ))
+ if [ -n "$next_ts" ] && [ "$next_ts" -gt "$ts" ]; then
+ exit 0
+ fi
+fi
 # get URI of OCSP responder from certificate
 OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
 [ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1
-- 
cgit v1.2.1
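Review bot: The short-circuit in the second hunk decides from the symlink target's name alone (`next_ts=$(readlink "$OCSP_DER" 2>/dev/null)` then `${next_ts##*.}`), so it also exits 0 when the link is dangling or when `$CERT_PEM` has been replaced since the cached staple was fetched; in the renewal case the server would keep serving a staple issued for the previous certificate until the old Next Update comes within `next_delta`. Guarding the exit on the cached file existing and being newer than the certificate covers both cases, e.g. `if [ -n "$next_ts" ] && [ "$OCSP_DER" -nt "$CERT_PEM" ]; then` on the outer test (`-nt` follows the symlink and is false when the target is missing). A target whose suffix is not purely numeric makes `[ "$next_ts" -gt "$ts" ]` print an "integer expression expected" error to stderr rather than compare cleanly, so validating it first, `case "$next_ts" in ''|*[!0-9]*) next_ts=;; esac`, keeps the fall-through quiet; the naming convention is inferred from the suffix stripping since the code that creates the link is outside the hunk. Inside `$(( ))` the `$` on the operands is unnecessary: `ts=$(( ts + next_delta ))`.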