Make serial a simple counter

While at it, error out when ssh-keygen fails, not after writing the
serial.
This commit is contained in:
Lucas 2022-04-19 03:41:28 +00:00
parent be8e55bb06
commit 497363b31b


@ -29,24 +29,6 @@ err()
exit 1 exit 1
} }
strip_leading_zeros()
{
_s=$1
if [ -z "$_s" ]; then
return
fi
while [ X"${_s#0}" != X"$_s" ]; do
_s=${_s#0}
done
echo "${_s:-0}"
}
strcmp()
{
_r=$(expr "X$1" "$2" "X$3")
[ "${_r:-0}" -eq 1 ]
}
# Returns comment from the ssh-agent if any is returned, otherwise it # Returns comment from the ssh-agent if any is returned, otherwise it
# returns the public key's fingerprint. # returns the public key's fingerprint.
get_ca_comment_from_sk() get_ca_comment_from_sk()
@ -149,24 +131,12 @@ main_issue()
fi fi
if [ ! -f "$PATH_CA_SERIAL" ]; then if [ ! -f "$PATH_CA_SERIAL" ]; then
date -u +%Y%m%d000000000 >"$PATH_CA_SERIAL" echo 0 >"$PATH_CA_SERIAL"
fi fi
read -r serial <"$PATH_CA_SERIAL" read -r serial <"$PATH_CA_SERIAL"
# Remove NNNNNNNNN suffix
serial_date=${serial%?????????}
current_date=$(date -u +%Y%m%d)
if strcmp "$current_date" ">" "$serial_date"; then
serial_date=$current_date
serial_counter=0
else
# Remove YYYYmmdd prefix and leading
serial_counter=$(strip_leading_zeros "${serial#????????}")
fi
serial=$(printf "%s%09u\n" "$serial_date" "$serial_counter")
_template_fmt_C=$(get_ca_comment_from_sk "$PATH_CA_PUB") _template_fmt_C=$(get_ca_comment_from_sk "$PATH_CA_PUB")
find "$PATH_PUBKEYS_DIR/" -type f -name '*.pub' ! -name '*-cert.pub' | { find "$PATH_PUBKEYS_DIR/" -type f -name '*.pub' ! -name '*-cert.pub' | {
rc=0
while read -r pk; do while read -r pk; do
pkname=${pk%.pub} pkname=${pk%.pub}
pkname=${pkname#$PATH_PUBKEYS_DIR/} pkname=${pkname#$PATH_PUBKEYS_DIR/}
@ -182,20 +152,14 @@ main_issue()
ssh-keygen "$@" -n "$principals" "$pk" ssh-keygen "$@" -n "$principals" "$pk"
else else
ssh-keygen "$@" "$pk" ssh-keygen "$@" "$pk"
fi || rc=1
serial_counter=$(($serial_counter + 1))
if [ $serial_counter -ge 1000000000 ]; then
err "can't issue more certificates today"
fi fi
serial=$(printf "%s%09u\n" "$serial_date" \ if [ $? -ne 0 ]; then
"$serial_counter" | tee "$PATH_CA_SERIAL") exit 1
if [ $rc -ne 0 ]; then
break
fi fi
serial=$(($serial + 1))
echo $serial >"$PATH_CA_SERIAL"
done done
return $rc
} }
} }
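Review bot: The `if [ $? -ne 0 ]; then exit 1; fi` added after the ssh-keygen if/else in the third hunk depends on `fi` leaving `$?` untouched, which holds today but silently breaks as soon as any line is inserted between the `fi` and the test; attaching the check to the closing `fi` itself, `fi || exit 1`, pins it to the ssh-keygen status and replaces the three-line test. That `exit 1` also runs inside the `{ … }` group on the right of the `find … |` pipeline, so it ends only that subshell; main_issue reports the failure only because the pipeline appears to be its last command (the two closing braces at the end of the section), which the hunk does not fully show, so the caller still has to check main_issue's return or the script must run under `set -e`. The read of `$PATH_CA_SERIAL` before the loop and the rewrite after each certificate are not serialized against a concurrent run, so two invocations can issue the same serial, which matters if serials are ever used for revocation; this predates the commit, but with the new plain counter a note such as `# TODO: lock $PATH_CA_SERIAL across concurrent issue runs` above the read would document the gap.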