Fixed an issue with colliding local and global variables.

2021-02-22 21:21:01 +01:00
parent 81fdbaede7
commit 9e458dfba3
2 changed files with 24 additions and 9 deletions
--- a/hooks/post-commit
+++ b/hooks/post-commit
@@ -105,6 +105,7 @@ retrieve_crl_for_most_recent_parent_timestamps() {
    local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
    local RETURN_VAL=0
    if [ ! -z "$PARENTS" ]; then
+      local PARENT_HASH
      while read PARENT_HASH; do
        if ! retrieve_crl_for_most_recent_parent_timestamps "$PARENT_HASH"; then
          RETURN_VAL=1
@@ -115,7 +116,7 @@ retrieve_crl_for_most_recent_parent_timestamps() {
  fi

  #iterate over extracted token and download CRL data
-  for (( i=0; i<"$NUM_EXTRACTED"; i++)); do
+  for ((i=0; i<"$NUM_EXTRACTED"; i++)); do
    local TOKEN_FILE="${TOKEN_ARRAY[$i]}"
    local TSA_URL="${URL_ARRAY[$i]}"
    local DIGEST
@@ -159,14 +160,15 @@ fi

 DIGEST_TO_TIMESTAMP=''

-for ((i=0; i<2; i++)); do
-
+for ((i=0; i<3; i++)); do
  #add all ltv files
-  ls "$TMP_LTV_DIR"/*/* | while read SOURCE_FILE; do
-    TARGET_FILE="$LTV_DIR"${SOURCE_FILE#"$TMP_LTV_DIR"}
-    cp -f "$SOURCE_FILE" "$TARGET_FILE"
-    git add "$TARGET_FILE"
-  done
+  if ls "$TMP_LTV_DIR"/*/* &> "$OUT_STREAM"; then
+    ls "$TMP_LTV_DIR"/*/* | while read SOURCE_FILE; do
+      TARGET_FILE="$LTV_DIR"${SOURCE_FILE#"$TMP_LTV_DIR"}
+      cp -f "$SOURCE_FILE" "$TARGET_FILE"
+      git add "$TARGET_FILE"
+    done
+  fi
  TREE_HASH=$(git write-tree)

  declare PREIMAGE
@@ -179,7 +181,11 @@ for ((i=0; i<2; i++)); do
  fi

  #assert that this line is never reached in the second loop
-  assert "[ $i -eq 0 ]" "in second iteration there must be no new LTV data."
+  assert "[ $i -lt 2 ]" "after second iteration there must be no new LTV data."
+
+  if [ $i -eq 1 ]; then
+    echo_info "New LTV data has been added, need to request token again."
+  fi

  DIGEST_TO_TIMESTAMP="$NEW_DIGEST_TO_TIMESTAMP"

@@ -212,6 +218,7 @@ for ((i=0; i<2; i++)); do
        continue
      fi
    fi
+
    #validate token and download LTV data
    if ! verify_token_and_add_ltv_data "$TOKEN_FILE" "$DIGEST_TO_TIMESTAMP" "$TSA_URL"; then
      if [ ! "$TOKEN_OPTIONAL" ]; then
@@ -222,6 +229,7 @@ for ((i=0; i<2; i++)); do
        continue
      fi
    fi
+
    #add token to commit message
    openssl ts -reply -token_in -in "$TOKEN_FILE" -token_out -text -out "$TMP_DIR"/token.txt &> "$OUT_STREAM"
    #do not remove or change Info line (see license)
--- a/hooks/timestamping
+++ b/hooks/timestamping
@@ -100,6 +100,7 @@ assert() {
    MESSAGE="$CONDITION"
  fi
  local -r STACK_DEPTH=${#BASH_SOURCE[@]}
+  local -i i
  local -r BACKTRACE="for ((i=1; i<$STACK_DEPTH; i++)); do
                        echo_error "\"'  [$i]: ${BASH_SOURCE[$i]} : ${FUNCNAME[$i]} line ${BASH_LINENO[$i-1]}'\""
                      done"
@@ -214,6 +215,7 @@ extract_token_from_commit() {

  local -r TMP_DER="$TMP_DIR"/extracted_token.der
  local -i IDX=0;
+  local -i i
  for (( i=1; i<=$NUM_EXTRACTED; i++ )); do
    local EXTRACTED_PEM_FILE="$TMP_DIR"/"$i".extracted_token.pem
    local EXTRACTED_TOKEN="$TOKEN_DIR"/"$IDX".extracted_token.tst
@@ -421,6 +423,7 @@ build_certificate_chain_for_token() {
  get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
  local CERT_ID_HASH_ALGO=""
  get_cert_id_hash_agorithm "$TOKEN_FILE" CERT_ID_HASH_ALGO
+  local -i i
  for i in {1..10} ;do
    #request dummy token. Use current commit digest
    request_token "$TSA_URL" "$DIGEST" true "$DUMMY_TOKEN"
@@ -438,6 +441,7 @@ build_certificate_chain_for_token() {
    { print > tmpdir i ".extracted.pem.cer" }' tmpdir="$TMP_DIR/"

    #find cetificate that signed token
+    local EXTRACTED_CERT
    while read EXTRACTED_CERT; do
      local CERT_ID=$(openssl x509 -inform PEM -in "$EXTRACTED_CERT" -outform DER | openssl dgst -"$CERT_ID_HASH_ALGO" -binary | xxd -p -c 256)
      #if openssl ts -verify -digest "$DIGEST" -in "$TOKEN_FILE" -token_in -partial_chain -CAfile "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
@@ -471,6 +475,7 @@ build_certificate_chain_for_token() {
    
    #otherwise try to find in trust store
    if ls "$CA_PATH"/*.0 &> "$OUT_STREAM"; then
+      local TRUSTED_CERT
      while read TRUSTED_CERT; do
        if openssl verify -partial_chain -CAfile "$TRUSTED_CERT" "${CHAIN[-1]}" &> "$OUT_STREAM"; then
          CHAIN+=("$TRUSTED_CERT")
@@ -505,6 +510,7 @@ build_certificate_chain_for_token() {
  done

  echo -n > "$OUT_CERT_FILE"
+  local CERT
  for CERT in "${CHAIN[@]}"; do
    openssl x509 -in "$CERT" -noout -subject >> "$OUT_CERT_FILE"
    echo '' >> "$OUT_CERT_FILE"
@@ -541,6 +547,7 @@ download_crls_for_chain() {
  assert "[ $NUM_EXTRACTED -gt 0 ]" "Precondition: Certificate file $CERT_FILE must contain at least one certificate in PEM format."

  #iterate over certificates. Ignore self-signed certificates
+  local EXTRACTED_CERT
  ls "$TMP_DIR"/*.extracted.pem.cer | while read EXTRACTED_CERT; do
    if ! openssl verify -CAfile "$EXTRACTED_CERT" "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
      local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \