warden_apply.sh: URL of warden_ra must be passed as parameter

+ possibility to specify cacert

warden_apply.sh: URL of warden_ra must be passed as parameter
16eed2c2 · Václav Bartoš · Pavel Kácha · 947e23d6 · 16eed2c2 · 16eed2c2
Commit 16eed2c2 authored 6 years ago by Václav Bartoš Committed by Pavel Kácha 6 years ago
--- a/warden3/contrib/warden_ra/README
+++ b/warden3/contrib/warden_ra/README
@@ -57,7 +57,7 @@ to the new client administrator along with other setup information.
 The client administrator runs the application script with application
 password:

-    warden_apply.sh org.example.warden.client P4SSW0RD
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client P4SSW0RD

 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.
@@ -69,7 +69,7 @@ Prolonging existing client credentials
 The client administrator runs the application script with his existing valid
 Warden credentials, which he needs to prolong:

-    warden_apply.sh org.example.warden.client cert.pem key.pem
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client cert.pem key.pem

 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.

--- a/warden3/contrib/warden_ra/warden_apply.sh
+++ b/warden3/contrib/warden_ra/warden_apply.sh
 #!/bin/bash

-url='https://warden-hub.cesnet.cz/warden-ra/getCert'
 key=key.pem
 csr=csr.pem
 cert=cert.pem
 result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
 config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
-client="$1"
-password="$2"
-incert="$2"
-inkey="$3"
+if [ "$1" == "--cacert" ]; then
+  cacert="--cacert $2"
+  shift
+  shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$4"
+inkey="$5"

 trap 'rm -f "$config $result"' INT TERM HUP EXIT

 function flee { echo -e "$1"; exit $2; }

-[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} client.name password\n       ${0%.*} client.name cert_file key_file" 255
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n       ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"

 for n in openssl curl; do
    command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
@@ -32,9 +39,9 @@ echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName
 openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252

 if [ -z "$inkey" ]; then
-	curl --progress-bar --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
 else
-	curl --progress-bar --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
 fi

 case $(<$result) in '-----BEGIN CERTIFICATE-----'*)