Startseite Erkunden Hilfe
Anmelden
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: master
Branches Tags
csu3_am335x
/
EVSE
/
GPL
/
lighttpd-1.4.64
/
doc
/
scripts
/
cert-staple.sh

cert-staple.sh 2.2 KB
Permalink Verlauf Originalformat

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071 
  1. #!/bin/sh
    2. 

  2. 

  3. CERT_PEM="$1"   # input (cert.pem)
    4. 

  4. CHAIN_PEM="$2"  # input (chain.pem)
    5. 

  5. OCSP_DER="$3"   # output symlink (staple.der)
    6. 

  6. 

  7. OCSP_TMP=""     # temporary file
    8. 

  8. 

  9. if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
    10. 

  10.    || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
    11. 

  11.     echo 1>&2 "usage: cert-staple.sh cert.pem chain.pem staple.der"
    12. 

  12.     exit 1
    13. 

  13. fi
    14. 

  14. 

  15. errexit() {
    16. 

  16.     [ -n "$OCSP_TMP" ] && rm -f "$OCSP_TMP"
    17. 

  17.     exit 1
    18. 

  18. }
    19. 

  19. 

  20. # get URI of OCSP responder from certificate
    21. 

  21. OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
    22. 

  22. [ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1
    23. 

  23. 

  24. # exception for (unsupported, end-of-life) older versions of OpenSSL
    25. 

  25. OCSP_HOST=
    26. 

  26. OPENSSL_VERSION=$(openssl version)
    27. 

  27. if [ "${OPENSSL_VERSION}" != "${OPENSSL_VERSION#OpenSSL 1.0.}" ]; then
    28. 

  28.     # get authority from URI
    29. 

  29.     OCSP_HOST=$(echo "$OCSP_URI" | cut -d/ -f3)
    30. 

  30. fi
    31. 

  31. 

  32. # get OCSP response from OCSP responder
    33. 

  33. OCSP_TMP="$OCSP_DER.$$"
    34. 

  34. OCSP_RESP=$(openssl ocsp -issuer "$CHAIN_PEM" -cert "$CERT_PEM" -respout "$OCSP_TMP" -noverify -no_nonce -url "$OCSP_URI" ${OCSP_HOST:+-header Host "$OCSP_HOST"})
    35. 

  35. [ $? = 0 ] || errexit
    36. 

  36. 

  37. # parse OCSP response from OCSP responder
    38. 

  38. #
    39. 

  39. #$CERT_PEM: good
    40. 

  40. #        This Update: Jun  5 21:00:00 2020 GMT
    41. 

  41. #        Next Update: Jun 12 21:00:00 2020 GMT
    42. 

  42. 

  43. ocsp_status="$(printf %s "$OCSP_RESP" | head -1)"
    44. 

  44. [ "$ocsp_status" = "$CERT_PEM: good" ] || errexit
    45. 

  45. 

  46. next_update="$(printf %s "$OCSP_RESP" | grep 'Next Update:')"
    47. 

  47. next_date="$(printf %s "$next_update" | sed 's/.*Next Update: //')"
    48. 

  48. [ -n "$next_date" ] || errexit
    49. 

  49. ocsp_expire=$(date -d "$next_date" +%s)
    50. 

  50. 

  51. # validate OCSP response
    52. 

  52. ocsp_verify=$(openssl ocsp -issuer "$CHAIN_PEM" -verify_other "$CHAIN_PEM" -cert "$CERT_PEM" -respin "$OCSP_TMP" -no_nonce -out /dev/null 2>&1)
    53. 

  53. [ "$ocsp_verify" = "Response verify OK" ] || errexit
    54. 

  54. 

  55. # rename and update symlink to install OCSP response to be used in OCSP stapling
    56. 

  56. OCSP_OUT="$OCSP_DER.$ocsp_expire"
    57. 

  57. mv "$OCSP_TMP" "$OCSP_OUT" || errexit
    58. 

  58. OCSP_TMP=""
    59. 

  59. ln -sf "${OCSP_OUT##*/}" "$OCSP_DER" || errexit
    60. 

  60. 

  61. # debug: display text output of OCSP .der file
    62. 

  62. #openssl ocsp -respin "$OCSP_DER" -resp_text -noverify
    63. 

  63. 

  64. # remove old OCSP responses which have expired
    65. 

  65. now=$(date +%s)
    66. 

  66. for i in "$OCSP_DER".*; do
    67. 

  67.     ts="${i#${OCSP_DER}.}"
    68. 

  68.     if [ -n "$ts" ] && [ "$ts" -lt "$now" ]; then
    69. 

  69.         rm -f "$i"
    70. 

  70.     fi
    71. 

  71. done
    72.