From 0d4e61f5d8a9291877b708ef6909ed4df9b67354 Mon Sep 17 00:00:00 2001 From: Lucas Werkmeister Date: Thu, 28 Dec 2017 13:37:15 +0100 Subject: [PATCH] =?utf8?q?chg:=20don=E2=80=99t=20use=20printf=20with=20var?= =?utf8?q?iable=20format=20strings?= MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Except in very exceptional cases, the format string to printf should never be variable (and for maximum clarity, it should always be single-quoted even if it happens to contain no shell special characters). This commit changes one format string from double to single quotes and rewrites two more to use substitution sequences instead of substituting variables directly into the format (which is dangerous if they could contain ‘%’ characters). With this change, the following search finds no results: git grep "printf (?:>&2 )? [^']" Change-Id: Ieeae16c483a7e568cd5812260a6ac54375c33340 --- config/generateTruststoreNRE.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/generateTruststoreNRE.sh b/config/generateTruststoreNRE.sh
index 5a6f6013..23b7b989 100755
--- a/config/generateTruststoreNRE.sh
+++ b/config/generateTruststoreNRE.sh
@@ -36,7 +36,7 @@ if [[ -f "$ca.key" ]] && ! [[ -f keystore.pkcs12 ]]; then
 serial_base=100000
 fi
 serial_base=$((serial_base + 1))
- printf "%d\n" "$serial_base" >| serial_base
+ printf '%d\n' "$serial_base" >| serial_base
 # when the domain is provided externally as environment variable, use it and do not prompt for it.
 [[ -z $DOMAIN ]] && read -rp "I need to generate gigi-certificates. I need your base domain: " DOMAIN
 # Assuming we have access to the CA-keys we generate two certificates and present them to gigi
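Review bot: The `[[ -z $DOMAIN ]] && read -rp … DOMAIN` line still lets the script carry on with an empty DOMAIN when `read` fails (EOF, or stdin that is not a terminal), because the `&&` list masks the non-zero status even under `set -e`, whose presence I cannot see from this hunk. The hardened `printf '%d\n'` on the line above protects the serial file, but nothing here validates the value that the following commands sign into certificates. Add a guard directly after the prompt, `: "${DOMAIN:?base domain is required}"`, so an unset or empty value aborts with a message instead of producing names like `DNS:www.`. The enclosing `if [[ -f "$ca.key" ]] …` block starts before this hunk and continues past it.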
@@ -47,8 +47,8 @@ if [[ -f "$ca.key" ]] && ! [[ -f keystore.pkcs12 ]]; then
 openssl req -newkey rsa:2048 -keyout mail.key -out mail.csr -nodes -subj "/CN=gigi system"
 # Sign the two requests with the keys in the config of the simple signer. Use the serial_base with extensions 1 and 2. These serials are long enough to probably not collide with the "simple signer"
- openssl x509 -req -in www.csr -out www.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}1 -extfile <(printf "[ext]\nsubjectAltName=DNS:www.$DOMAIN,DNS:secure.$DOMAIN,DNS:static.$DOMAIN,DNS:api.$DOMAIN\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n") -extensions ext
- openssl x509 -req -in mail.csr -out mail.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}2 -extfile <(printf "[ext]\nsubjectAltName=email:support@$DOMAIN\nbasicConstraints=CA:FALSE\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n") -extensions ext
+ openssl x509 -req -in www.csr -out www.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}1 -extfile <(printf '[ext]\nsubjectAltName=DNS:www.%s,DNS:secure.%s,DNS:static.%s,DNS:api.%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' "$DOMAIN" "$DOMAIN" "$DOMAIN" "$DOMAIN") -extensions ext
+ openssl x509 -req -in mail.csr -out mail.crt -CA $ca.crt -CAkey $ca.key -set_serial ${serial_base}2 -extfile <(printf '[ext]\nsubjectAltName=email:support@%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=emailProtection\nkeyUsage=digitalSignature,keyEncipherment\n' "$DOMAIN") -extensions ext
 # Store the webserver cert in 4 different pkcs12-keystores to have different "key aliases" and import them all into the "keystore.pkcs12" using the "importP"-method
 for t in www api secure static; do
-- 
2.39.2
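Review bot: The switch to `%s` keeps a `%` in DOMAIN out of printf's format, but the value is still copied verbatim into the `[ext]` section that openssl reads through the `-extfile` process substitution on both new `openssl x509` lines, so a DOMAIN supplied via the environment (the earlier hunk only prompts when it is empty) that contains a newline or a comma can add further SAN entries or extension directives to a certificate signed with the CA key. Validate it as a hostname before the two signing commands, e.g. `[[ $DOMAIN =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]] || { printf 'invalid DOMAIN: %s\n' "$DOMAIN" >&2; exit 1; }`. While touching these lines, the unquoted `$ca.crt` and `$ca.key` arguments should become `"$ca.crt"` and `"$ca.key"`, matching the quoting already used in the enclosing `if`. That `if` block begins before this hunk and the `for t in …` loop continues past it.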