pkidb-client-krl: Fix multiple bugs
andsens committed Feb 21, 2024
1 parent de98665 commit 6dc1448
Showing 1 changed file with 5 additions and 2 deletions.
7 changes: 5 additions & 2 deletions pkidb-client-krl.sh
Expand Up @@ -5,6 +5,7 @@ pkidb_client_krl() {
local pkgroot; pkgroot=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
PATH=$("$pkgroot/.upkg/.bin/path_prepend" "$pkgroot/.upkg/.bin")
source "$pkgroot/.upkg/orbit-online/records.sh/records.sh"
source "$pkgroot/.upkg/orbit-online/collections.sh/collections.sh"
source "$pkgroot/common.sh"

DOC="pkidb-client-krl - Retrieve a CMS signed KRL and verify it against CAs
Expand Down Expand Up @@ -40,7 +41,7 @@ for ((;docopt_i>0;docopt_i--)); do declare -p "${prefix}__dest" \
# shellcheck disable=2154
local pem pem_dest=${__dest}.pem
# shellcheck disable=2153
if [[ -e $__dest ]] && ! check_krl "${CAPATH[@]}" <"$pem_dest"; then
if [[ -e $__dest ]] && ! check_krlcms "${CAPATH[@]}" <"$pem_dest"; then
info 'Current KRL invalid, deleting'
rm -fv "$__dest" | tee_warning
fi
Expand All @@ -54,6 +55,8 @@ for ((;docopt_i>0;docopt_i--)); do declare -p "${prefix}__dest" \
if [[ $chg = 0 ]]; then
pem=$(download "$url") || fatal $? "Unable to fetch the KRL '%s'" "$KRLNAME"
krlb64=$(check_krlcms "${CAFILE[@]}" <<<"$pem")
verbose "Saving KRLCMS to '%s'" "$pem_dest"
printf "%s" "$pem" >"$pem_dest"
verbose "Saving KRL to '%s'" "$__dest"
base64 -d <<<"$krlb64" >"$__dest"
info "The KRL '%s' has been updated" "$KRLNAME"
Expand All @@ -69,7 +72,7 @@ for ((;docopt_i>0;docopt_i--)); do declare -p "${prefix}__dest" \
check_krlcms() {
local capaths=("$@") out ret
debug 'Verifying the KRL using CAs at %s' "$(join_by , "${capaths[@]}")"
if out=$(openssl cms -verify -inform PEM -CAfile <(cat ../../pkidb/ykpiv/cas/*.pem) -certfile <(cat "${capaths[@]}") -binary | base64); then
if out=$(openssl cms -verify -inform PEM -CAfile <(cat "${capaths[@]}") -certfile <(cat "${capaths[@]}") -binary | base64); then
verbose 'The KRL is valid'
else
ret=$?
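Review bot: In check_krlcms the status tested by `if out=$(openssl cms -verify … -binary | base64)` is that of `base64`, not of `openssl cms -verify`, so unless `set -o pipefail` is active (not visible in this hunk) a failed signature check leaves `out` empty and still takes the 'The KRL is valid' branch. Enabling pipefail inside the substitution fixes this without touching the rest of the script: `if out=$(set -o pipefail; openssl cms -verify -inform PEM -CAfile <(cat "${capaths[@]}") -certfile <(cat "${capaths[@]}") -binary | base64); then`. The caller in the previous hunk has the same gap: `krlb64=$(check_krlcms "${CAFILE[@]}" <<<"$pem")` ignores the function's status, so an empty result would be decoded into `$__dest` and reported as updated; matching the `download` line above it, `krlb64=$(check_krlcms "${CAFILE[@]}" <<<"$pem") || fatal $? "Unable to verify the KRL '%s'" "$KRLNAME"`. Note also that the earlier call passes `"${CAPATH[@]}"` while this one passes `"${CAFILE[@]}"` to the same function, which feeds both to `cat` — presumably intentional, but worth confirming. check_krlcms's body continues below the hunk, and pkidb_client_krl begins above the first one.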
