Updated documentation & made file checks more robust.
@@ -117,19 +117,25 @@ retrieve_crl_for_most_recent_parent_timestamps() {
|
||||
#iterate over extracted token and download CRL data
|
||||
for (( i=0; i<"$NUM_EXTRACTED"; i++)); do
|
||||
local TOKEN_FILE="${TOKEN_ARRAY[$i]}"
|
||||
local TSA_URL="${URL_ARRAY[$i]}"
|
||||
local DIGEST
|
||||
get_token_digest "$TOKEN_FILE" DIGEST
|
||||
local SIGNING_CERT_ID
|
||||
get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
|
||||
#get certificate chain of this token from LTV data
|
||||
local CERT_CHAIN_FILE="$LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
|
||||
if [ ! -f "$CERT_CHAIN_FILE" ]; then
|
||||
if [ ! -s "$CERT_CHAIN_FILE" ]; then
|
||||
#If LTV data is not in the working directory, check it out from the corresponding commit
|
||||
local TMP_CERT_CHAIN_FILE="$TMP_DIR"/"$SIGNING_CERT_ID".cer
|
||||
local PATH_SPEC=$(realpath --relative-to="$ROOT_DIR" "$CERT_CHAIN_FILE")
|
||||
local CERT_CHAIN_CONTENT=$(git show "$COMMIT_HASH":"$PATH_SPEC") && printf "%s" "$CERT_CHAIN_CONTENT" > "$TMP_CERT_CHAIN_FILE"
|
||||
CERT_CHAIN_FILE="$TMP_CERT_CHAIN_FILE"
|
||||
fi
|
||||
if [ ! -s "$CERT_CHAIN_FILE" ]; then
|
||||
CERT_CHAIN_FILE="$TMP_LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
|
||||
build_certificate_chain_for_token "$TOKEN_FILE" "$DIGEST" "$TSA_URL" "$CERT_CHAIN_FILE"
|
||||
fi
|
||||
assert "[ -s $CERT_CHAIN_FILE ]" "Certificate chain could neither be extracted from LTV data nor reconstructed."
|
||||
#download CRL file
|
||||
local CRL_CHAIN_FILE="$TMP_LTV_DIR"/crls/"$SIGNING_CERT_ID".crl
|
||||
if ! download_crls_for_chain "$CERT_CHAIN_FILE" "$CRL_CHAIN_FILE"; then
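Review bot: The added `local CERT_CHAIN_CONTENT=$(git show "$COMMIT_HASH":"$PATH_SPEC") && printf ...` line masks git's exit status, because `local` returns 0 regardless of the command substitution, so the `&&` branch always runs and a blob missing from that commit silently produces an empty temp file that the function then adopts as CERT_CHAIN_FILE; `local PATH_SPEC=$(realpath ...)` two lines above has the same masking. The code currently survives only because the following `-s` check falls through to rebuilding the chain, but a checkout failure is then indistinguishable from a genuinely empty blob and git's diagnostics go to the terminal rather than to `$OUT_STREAM` as the openssl calls' do. Split declaration from assignment and write the blob straight to the file: `local PATH_SPEC` / `PATH_SPEC=$(realpath --relative-to="$ROOT_DIR" "$CERT_CHAIN_FILE")` / `git show "$COMMIT_HASH":"$PATH_SPEC" > "$TMP_CERT_CHAIN_FILE" 2> "$OUT_STREAM" || : > "$TMP_CERT_CHAIN_FILE"`, which also keeps the PEM's trailing newline that `printf "%s"` drops and leaves an empty file (so the rebuild still triggers) if git fails part-way. It is worth confirming that CERT_CHAIN_FILE is always below ROOT_DIR, since otherwise the relative path from realpath contains `..` components that git show will not resolve. retrieve_crl_for_most_recent_parent_timestamps continues outside the hunk.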
|
||||
|
||||
@@ -536,7 +536,10 @@ download_crls_for_chain() {
|
||||
cat "$CERT_FILE" \
|
||||
| awk '/-----BEGIN CERTIFICATE-----/ { i++; } /-----BEGIN CERTIFICATE-----/, /-----END CERTIFICATE-----/ \
|
||||
{ print > tmpdir i ".extracted.pem.cer" }' tmpdir="$TMP_DIR/"
|
||||
|
||||
|
||||
local NUM_EXTRACTED=$(find "$TMP_DIR" -maxdepth 1 -name "*.extracted.pem.cer" -printf '.' | wc -m)
|
||||
assert "[ $NUM_EXTRACTED -gt 0 ]" "Precondition: Certificate file $CERT_FILE must contain at least one certificate in PEM format."
|
||||
|
||||
#iterate over certificates. Ignore self-signed certificates
|
||||
ls "$TMP_DIR"/*.extracted.pem.cer | while read EXTRACTED_CERT; do
|
||||
if ! openssl verify -CAfile "$EXTRACTED_CERT" "$EXTRACTED_CERT" &> "$OUT_STREAM"; then
|
||||
@@ -579,7 +582,7 @@ verify_token_and_add_ltv_data() {
|
||||
local SIGNING_CERT_ID
|
||||
get_tsa_cert_id "$TOKEN_FILE" SIGNING_CERT_ID
|
||||
local CERT_CHAIN_FILE="$LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
|
||||
if [ ! -f "$CERT_CHAIN_FILE" ]; then
|
||||
if [ ! -s "$CERT_CHAIN_FILE" ]; then
|
||||
CERT_CHAIN_FILE="$TMP_LTV_DIR"/certs/"$SIGNING_CERT_ID".cer
|
||||
#try to build full chain.
|
||||
if ! build_certificate_chain_for_token "$TOKEN_FILE" "$DIGEST" "$TSA_URL" "$CERT_CHAIN_FILE"; then
|
||||
@@ -594,7 +597,7 @@ verify_token_and_add_ltv_data() {
|
||||
#verify token and download CRL data
|
||||
local CRL_CHAIN_FILE="$TMP_LTV_DIR"/crls/"$SIGNING_CERT_ID.crl"
|
||||
#only download CRL data if it hasn't been already in a previous step
|
||||
if [ ! -f "$CRL_CHAIN_FILE" ]; then
|
||||
if [ ! -s "$CRL_CHAIN_FILE" ]; then
|
||||
if ! download_crls_for_chain "$CERT_CHAIN_FILE" "$CRL_CHAIN_FILE"; then
|
||||
echo "Could not download CRL data for $TOKEN_FILE"
|
||||
return 1
|
||||
|
||||