JankariTechUG/GitTrustedTimestamps
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Fixed an issue with colliding local and global variables.

Browse Source
This commit is contained in:
Matthias Bühlmann
2021-02-22 21:21:01 +01:00
parent 81fdbaede7
commit 9e458dfba3
2 changed files with 24 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
hooks/post-commit
View File

@@ -105,6 +105,7 @@ retrieve_crl_for_most_recent_parent_timestamps() {
local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //') local PARENTS=$(git cat-file -p "$COMMIT_HASH" | awk '/^$/{exit} /parent/ {print}' | sed 's/parent //')
local RETURN_VAL=0 local RETURN_VAL=0
if [ ! -z "$PARENTS" ]; then if [ ! -z "$PARENTS" ]; then
local PARENT_HASH
while read PARENT_HASH; do while read PARENT_HASH; do
if ! retrieve_crl_for_most_recent_parent_timestamps "$PARENT_HASH"; then if ! retrieve_crl_for_most_recent_parent_timestamps "$PARENT_HASH"; then
RETURN_VAL=1 RETURN_VAL=1
@@ -115,7 +116,7 @@ retrieve_crl_for_most_recent_parent_timestamps() {
fi fi
#iterate over extracted token and download CRL data #iterate over extracted token and download CRL data
for (( i=0; i<"$NUM_EXTRACTED"; i++)); do for ((i=0; i<"$NUM_EXTRACTED"; i++)); do
local TOKEN_FILE="${TOKEN_ARRAY[$i]}" local TOKEN_FILE="${TOKEN_ARRAY[$i]}"
local TSA_URL="${URL_ARRAY[$i]}" local TSA_URL="${URL_ARRAY[$i]}"
local DIGEST local DIGEST
@@ -159,14 +160,15 @@ fi
DIGEST_TO_TIMESTAMP='' DIGEST_TO_TIMESTAMP=''
for ((i=0; i<2; i++)); do for ((i=0; i<3; i++)); do
#add all ltv files #add all ltv files
ls "$TMP_LTV_DIR"/*/* | while read SOURCE_FILE; do if ls "$TMP_LTV_DIR"/*/* &> "$OUT_STREAM"; then
TARGET_FILE="$LTV_DIR"${SOURCE_FILE#"$TMP_LTV_DIR"} ls "$TMP_LTV_DIR"/*/* | while read SOURCE_FILE; do
cp -f "$SOURCE_FILE" "$TARGET_FILE" TARGET_FILE="$LTV_DIR"${SOURCE_FILE#"$TMP_LTV_DIR"}
git add "$TARGET_FILE" cp -f "$SOURCE_FILE" "$TARGET_FILE"
done git add "$TARGET_FILE"
done
fi
TREE_HASH=$(git write-tree) TREE_HASH=$(git write-tree)
declare PREIMAGE declare PREIMAGE
@@ -179,7 +181,11 @@ for ((i=0; i<2; i++)); do
fi fi
#assert that this line is never reached in the second loop #assert that this line is never reached in the second loop
assert "[ $i -eq 0 ]" "in second iteration there must be no new LTV data." assert "[ $i -lt 2 ]" "after second iteration there must be no new LTV data."
if [ $i -eq 1 ]; then
echo_info "New LTV data has been added, need to request token again."
fi
DIGEST_TO_TIMESTAMP="$NEW_DIGEST_TO_TIMESTAMP" DIGEST_TO_TIMESTAMP="$NEW_DIGEST_TO_TIMESTAMP"
@@ -212,6 +218,7 @@ for ((i=0; i<2; i++)); do
continue continue
fi fi
fi fi
#validate token and download LTV data #validate token and download LTV data
if ! verify_token_and_add_ltv_data "$TOKEN_FILE" "$DIGEST_TO_TIMESTAMP" "$TSA_URL"; then if ! verify_token_and_add_ltv_data "$TOKEN_FILE" "$DIGEST_TO_TIMESTAMP" "$TSA_URL"; then
if [ ! "$TOKEN_OPTIONAL" ]; then if [ ! "$TOKEN_OPTIONAL" ]; then
@@ -222,6 +229,7 @@ for ((i=0; i<2; i++)); do
continue continue
fi fi
fi fi
#add token to commit message #add token to commit message
openssl ts -reply -token_in -in "$TOKEN_FILE" -token_out -text -out "$TMP_DIR"/token.txt &> "$OUT_STREAM" openssl ts -reply -token_in -in "$TOKEN_FILE" -token_out -text -out "$TMP_DIR"/token.txt &> "$OUT_STREAM"
#do not remove or change Info line (see license) #do not remove or change Info line (see license)

7
hooks/timestamping
View File

@@ -100,6 +100,7 @@ assert() {
MESSAGE="$CONDITION" MESSAGE="$CONDITION"
fi fi
local -r STACK_DEPTH=${#BASH_SOURCE[@]} local -r STACK_DEPTH=${#BASH_SOURCE[@]}
local -i i
local -r BACKTRACE="for ((i=1; i<$STACK_DEPTH; i++)); do local -r BACKTRACE="for ((i=1; i<$STACK_DEPTH; i++)); do
echo_error "\"' [$i]: ${BASH_SOURCE[$i]} : ${FUNCNAME[$i]} line ${BASH_LINENO[$i-1]}'\"" echo_error "\"' [$i]: ${BASH_SOURCE[$i]} : ${FUNCNAME[$i]} line ${BASH_LINENO[$i-1]}'\""
done" done"
@@ -214,6 +215,7 @@ extract_token_from_commit() {
local -r TMP_DER="$TMP_DIR"/extracted_token.der local -r TMP_DER="$TMP_DIR"/extracted_token.der
local -i IDX=0; local -i IDX=0;
local -i i
for (( i=1; i<=$NUM_EXTRACTED; i++ )); do for (( i=1; i<=$NUM_EXTRACTED; i++ )); do
local EXTRACTED_PEM_FILE="$TMP_DIR"/"$i".extracted_token.pem local EXTRACTED_PEM_FILE="$TMP_DIR"/"$i".extracted_token.pem
local EXTRACTED_TOKEN="$TOKEN_DIR"/"$IDX".extracted_token.tst local EXTRACTED_TOKEN="$TOKEN_DIR"/"$IDX".extracted_token.tst
@@ -421,6 +423,7 @@ build_certificate_chain_for_token() {
get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
local CERT_ID_HASH_ALGO="" local CERT_ID_HASH_ALGO=""
get_cert_id_hash_agorithm "$TOKEN_FILE" CERT_ID_HASH_ALGO get_cert_id_hash_agorithm "$TOKEN_FILE" CERT_ID_HASH_ALGO
local -i i
for i in {1..10} ;do for i in {1..10} ;do
#request dummy token. Use current commit digest #request dummy token. Use current commit digest
request_token "$TSA_URL" "$DIGEST" true "$DUMMY_TOKEN" request_token "$TSA_URL" "$DIGEST" true "$DUMMY_TOKEN"
@@ -438,6 +441,7 @@ build_certificate_chain_for_token() {
{ print > tmpdir i ".extracted.pem.cer" }' tmpdir="$TMP_DIR/" { print > tmpdir i ".extracted.pem.cer" }' tmpdir="$TMP_DIR/"
#find cetificate that signed token #find cetificate that signed token
local EXTRACTED_CERT
while read EXTRACTED_CERT; do while read EXTRACTED_CERT; do
local CERT_ID=$(openssl x509 -inform PEM -in "$EXTRACTED_CERT" -outform DER | openssl dgst -"$CERT_ID_HASH_ALGO" -binary | xxd -p -c 256) local CERT_ID=$(openssl x509 -inform PEM -in "$EXTRACTED_CERT" -outform DER | openssl dgst -"$CERT_ID_HASH_ALGO" -binary | xxd -p -c 256)
#if openssl ts -verify -digest "$DIGEST" -in "$TOKEN_FILE" -token_in -partial_chain -CAfile "$EXTRACTED_CERT" &> "$OUT_STREAM"; then #if openssl ts -verify -digest "$DIGEST" -in "$TOKEN_FILE" -token_in -partial_chain -CAfile "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
@@ -471,6 +475,7 @@ build_certificate_chain_for_token() {
#otherwise try to find in trust store #otherwise try to find in trust store
if ls "$CA_PATH"/*.0 &> "$OUT_STREAM"; then if ls "$CA_PATH"/*.0 &> "$OUT_STREAM"; then
local TRUSTED_CERT
while read TRUSTED_CERT; do while read TRUSTED_CERT; do
if openssl verify -partial_chain -CAfile "$TRUSTED_CERT" "${CHAIN[-1]}" &> "$OUT_STREAM"; then if openssl verify -partial_chain -CAfile "$TRUSTED_CERT" "${CHAIN[-1]}" &> "$OUT_STREAM"; then
CHAIN+=("$TRUSTED_CERT") CHAIN+=("$TRUSTED_CERT")
@@ -505,6 +510,7 @@ build_certificate_chain_for_token() {
done done
echo -n > "$OUT_CERT_FILE" echo -n > "$OUT_CERT_FILE"
local CERT
for CERT in "${CHAIN[@]}"; do for CERT in "${CHAIN[@]}"; do
openssl x509 -in "$CERT" -noout -subject >> "$OUT_CERT_FILE" openssl x509 -in "$CERT" -noout -subject >> "$OUT_CERT_FILE"
echo '' >> "$OUT_CERT_FILE" echo '' >> "$OUT_CERT_FILE"
@@ -541,6 +547,7 @@ download_crls_for_chain() {
assert "[ $NUM_EXTRACTED -gt 0 ]" "Precondition: Certificate file $CERT_FILE must contain at least one certificate in PEM format." assert "[ $NUM_EXTRACTED -gt 0 ]" "Precondition: Certificate file $CERT_FILE must contain at least one certificate in PEM format."
#iterate over certificates. Ignore self-signed certificates #iterate over certificates. Ignore self-signed certificates
local EXTRACTED_CERT
ls "$TMP_DIR"/*.extracted.pem.cer | while read EXTRACTED_CERT; do ls "$TMP_DIR"/*.extracted.pem.cer | while read EXTRACTED_CERT; do
if ! openssl verify -CAfile "$EXTRACTED_CERT" "$EXTRACTED_CERT" &> "$OUT_STREAM"; then if ! openssl verify -CAfile "$EXTRACTED_CERT" "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \ local URL=$(openssl x509 -inform PEM -in $EXTRACTED_CERT -text -noout \