author | Christian Hesse <mail@eworm.de> | 2023-01-26 21:20:10 +0100 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2023-01-26 21:35:35 +0100 |
commit | f62328ee8db1aee7efa199081f9d52bba0e61eb2 (patch) | |
tree | 5a54dedca78c2b7c213fd09e2415c3817f58c215 /check-certificates | |
parent | b0d3e3d5f4775883554823ec26df36b00e4a5544 (diff) |
check-certificates: handle decryption failures and warn
If a download succeeds, at least one of the given passphrases is
expected to decrypt a key in the file.
Diffstat (limited to 'check-certificates')
-rw-r--r-- | check-certificates | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/check-certificates b/check-certificates
index 2bf2443..8a06f8b 100644
--- a/check-certificates
+++ b/check-certificates
@@ -49,11 +49,20 @@
 $WaitFullyConnected;
 /tool/fetch check-certificate=yes-without-crl \
 ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
 $WaitForFile $CertFileName;
+
+ :local DecryptionFailed true;
 :foreach PassPhrase in=$CertRenewPass do={
- /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value;
+ :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+ :if ($Result->"decryption-failures" = 0) do={
+ :set DecryptionFailed false;
+ }
 }
 /file/remove [ find where name=$CertFileName ];
+ :if ($DecryptionFailed = true) do={
+ $LogPrintExit2 warning $0 ("Decryption failed for certificate file " . $CertFileName) false;
+ }
+
 :foreach CertInChain in=[ /certificate/find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
 $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
 }
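Review bot: The success test `:if ($Result->"decryption-failures" = 0)` compares against a key that may be absent from the import result (a file with no encrypted key, or an import that aborted for an unrelated reason), so the comparison is then made against nil and whether that clears `DecryptionFailed` is not evident from the hunk. An explicit type guard states the intent and avoids depending on nil-versus-number comparison semantics: `:if ([ :typeof ($Result->"decryption-failures") ] = "num" && $Result->"decryption-failures" = 0) do={`. The trailing `false` on `$LogPrintExit2` presumably means the script does not exit, so the following `CertInChain` loop runs against whatever the import produced — a possibly key-less certificate; a short comment above the warning such as `# best effort: continue with whatever was imported, the renewal itself will surface a missing key` would record that this is deliberate. Note that the downloaded file is removed before the check, which is the right order since it may still contain encrypted key material.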