From: Lukas Schauer
Date: Mon, 30 Jan 2017 02:22:14 +0000 (+0100)
Subject: exclude root certificate from certificate chain
X-Git-Url: https://git.street.me.uk/andy/dehydrated.git/commitdiff_plain/ee65261ea833a234d9d7402f87a6803fa945ae12

exclude root certificate from certificate chain
---
diff --git a/dehydrated b/dehydrated
index e592206..a5e5e19 100755
--- a/dehydrated
+++ b/dehydrated
@@ -621,12 +621,20 @@ sign_csr() {
 echo " + Done!"
 }
+# grep issuer cert uri from certificate
+get_issuer_cert_uri() {
+ certificate="${1}"
+ openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true
+}
+
+# walk certificate chain, retrieving all intermediate certificates
 walk_chain() {
+ local certificate
 certificate="${1}"
- # grep uri from certificate
 local issuer_cert_uri
- issuer_cert_uri="$(openssl x509 -in "${certificate}" -noout -text | (grep 'CA Issuers - URI:' | cut -d':' -f2-) || true)"
+ issuer_cert_uri="${2:-}"
+ if [[ -z "${issuer_cert_uri}" ]]; then issuer_cert_uri="$(get_issuer_cert_uri "${certificate}")"; fi
 if [[ -n "${issuer_cert_uri}" ]]; then
 # create temporary files
 local tmpcert
@@ -647,9 +655,13 @@ walk_chain() {
 else
 _exiterr "Unknown certificate type in chain"
 fi
- printf "\n%s\n" "${issuer_cert_uri}"
- cat "${tmpcert}"
- walk_chain "${tmpcert}"
+ local next_issuer_cert_uri
+ next_issuer_cert_uri="$(get_issuer_cert_uri "${tmpcert}")"
+ if [[ -n "${next_issuer_cert_uri}" ]]; then
+ printf "\n%s\n" "${issuer_cert_uri}"
+ cat "${tmpcert}"
+ walk_chain "${tmpcert}" "${next_issuer_cert_uri}"
+ fi
 rm -f "${tmpcert}" "${tmpcert_raw}"
 fi
 }
diff --git a/test.sh b/test.sh
index 8b35111..572f556 100755
--- a/test.sh
+++ b/test.sh
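Review bot: In the new `get_issuer_cert_uri`, `certificate="${1}"` is assigned without `local`, so any direct (non-`$(...)`) call would overwrite the caller's `certificate`; in this hunk the helper is only invoked through command substitution, which runs in a subshell, so the clobber is latent rather than active today. The helper also cannot distinguish "openssl could not parse the certificate" from "no CA Issuers entry", because the trailing `|| true` covers the whole pipeline, and an unreadable intermediate would then look like the end of the chain and truncate it without an error. Suggest `local certificate` followed by `certificate="${1}"`, and, if the distinction matters, capturing the `openssl x509 -text` output into a variable and checking its status before the grep. The temporary-file handling and the fetch that follow `local tmpcert` are outside this hunk.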
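Review bot: The new guard `if [[ -n "${next_issuer_cert_uri}" ]]` uses "has no CA Issuers URI" as the definition of "is the root", which is only a heuristic: an intermediate whose AIA extension lacks a CA Issuers entry is discarded and the recursion stops, truncating the chain silently, while a root that does carry such a URI would still be emitted. Self-signedness of the fetched certificate is the more direct criterion for exclusion, e.g. `if [[ "$(openssl x509 -in "${tmpcert}" -noout -issuer_hash)" != "$(openssl x509 -in "${tmpcert}" -noout -subject_hash)" ]]; then`, keeping `next_issuer_cert_uri` only to drive the recursive call. Failing that, a comment above the guard such as `# a certificate without a CA Issuers URI is assumed to be the root and is not emitted` would at least make the assumption explicit. walk_chain begins before this hunk.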
@@ -214,7 +214,8 @@ _CHECK_LOG "${TMP2_URL}"
 _SUBTEST "Verifying file with full chain..."
 openssl x509 -in "certs/${TMP_URL}/fullchain.pem" -noout -text > /dev/null 2>> errorlog && _PASS || _FAIL
 _SUBTEST "Verifying certificate against CA certificate..."
-(openssl verify -verbose -CAfile "certs/${TMP_URL}/fullchain.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
+curl -s https://testca.kurz.pw/acme/issuer-cert | openssl x509 -inform DER -outform PEM > ca.pem
+(openssl verify -verbose -CAfile "ca.pem" -purpose sslserver "certs/${TMP_URL}/fullchain.pem" 2>&1 || true) | (grep -v ': OK$' || true) >> errorlog 2>> errorlog && _PASS || _FAIL
 _CHECK_ERRORLOG
 # Revoke certificate using certificate key
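Review bot: The added `curl -s ... | openssl x509 -inform DER -outform PEM > ca.pem` line has no failure check: with `-s` a transport or HTTP error is silent, `openssl x509` then fails on empty input, and `ca.pem` is left empty, so the following `openssl verify` fails for a reason unrelated to the chain change and errorlog points at the wrong step. `curl -sSf https://testca.kurz.pw/acme/issuer-cert` (report errors, fail on HTTP status) plus a guard such as `[[ -s ca.pem ]] || _FAIL` before the verify would make the dependency on the external test CA endpoint explicit. It is also worth confirming that `issuer-cert` returns a self-signed root: if it is the intermediate, `openssl verify -CAfile` would need `-partial_chain` to accept it as a trust anchor now that the root is no longer part of fullchain.pem.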