From f62328ee8db1aee7efa199081f9d52bba0e61eb2 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 26 Jan 2023 21:20:10 +0100
Subject: check-certificates: handle decryption failures and warn

If a download succeeds at least one of the given passphrases is expected to decrypt a key in the file.
---
 check-certificates | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'check-certificates')

diff --git a/check-certificates b/check-certificates
index 2bf2443..8a06f8b 100644
--- a/check-certificates
+++ b/check-certificates
@@ -49,11 +49,20 @@ $WaitFullyConnected;
   /tool/fetch check-certificate=yes-without-crl \
     ($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
   $WaitForFile $CertFileName;
+
+  :local DecryptionFailed true;
   :foreach PassPhrase in=$CertRenewPass do={
-    /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value;
+    :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+    :if ($Result->"decryption-failures" = 0) do={
+      :set DecryptionFailed false;
+    }
   }
   /file/remove [ find where name=$CertFileName ];
+  :if ($DecryptionFailed = true) do={
+    $LogPrintExit2 warning $0 ("Decryption failed for certificate file " . $CertFileName) false;
+  }
+
   :foreach CertInChain in=[ /certificate/find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
     $CertificateNameByCN [ /certificate/get $CertInChain common-name ];
   }
-- 
cgit v1.2.3-54-g00ecf
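Review bot: The new `:if ($DecryptionFailed = true)` check only logs a warning and, with `false` as the last argument to `$LogPrintExit2` (presumably the exit flag), lets the script fall through into the chain-renaming loop below, although by then `/file/remove` has already deleted the downloaded file and no retry is possible. If the renewal must not continue without a usable private key, consider passing `true` there so the script stops at this point; if continuing is intentional (certificates without the key may still have been imported by the failed attempts), record that with a comment such as `# continue: certificates may have been imported without their key`. Note also that `$Result->"decryption-failures" = 0` is satisfied when the file contained no encrypted key at all, so the expectation stated in the commit message deserves a comment next to `:local DecryptionFailed true;`. The enclosing block begins before this hunk.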