From 9fc0928d331d524eefd2e16c5ca6ebdc72d7bc41 Mon Sep 17 00:00:00 2001
From: srvrco
Date: Tue, 27 Dec 2016 09:23:15 +0000
Subject: [PATCH] update checks to work with openssl in FIPS mode (1.93)
---
 getssl | 65 +++++++++++++++++++++++++++++++---------------------------
 1 file changed, 35 insertions(+), 30 deletions(-)
diff --git a/getssl b/getssl
index 1a79409..033b0f7 100755
--- a/getssl
+++ b/getssl
@@ -167,53 +167,58 @@
 # 2016-12-19 included IGNORE_DIRECTORY_DOMAIN option (1.90)
 # 2016-12-22 allow copying files to multiple locations (1.91)
 # 2016-12-22 bug fix for copying tokens to multiple locations (1.92)
+# 2016-12-23 tidy code - place default variables in alphabetical order.
+# 2016-12-27 update checks to work with openssl in FIPS mode (1.93)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="1.92"
+VERSION="1.93"
 # defaults
-CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
-CA="https://acme-staging.api.letsencrypt.org"
-DEFAULT_REVOKE_CA="https://acme-v01.api.letsencrypt.org"
-ACCOUNT_KEY_TYPE="rsa"
 ACCOUNT_KEY_LENGTH=4096
-WORKING_DIR=~/.getssl
-DOMAIN_KEY_LENGTH=4096
-SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"
-VALIDATE_VIA_DNS=""
-RELOAD_CMD=""
-RENEW_ALLOW="30"
-REUSE_PRIVATE_KEY="true"
-PRIVATE_KEY_ALG="rsa"
-SERVER_TYPE="https"
-CHECK_REMOTE="true"
-USE_SINGLE_ACL="false"
+ACCOUNT_KEY_TYPE="rsa"
+CA="https://acme-staging.api.letsencrypt.org"
+CA_CERT_LOCATION=""
+CHALLENGE_CHECK_TYPE="http"
 CHECK_ALL_AUTH_DNS="false"
-DNS_WAIT=10
-DNS_EXTRA_WAIT=""
+CHECK_REMOTE="true"
 CHECK_REMOTE_WAIT=0
-PUBLIC_DNS_SERVER=""
-CHALLENGE_CHECK_TYPE="http"
+CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
+CSR_SUBJECT="/"
 DEACTIVATE_AUTH="false"
-PREVIOUSLY_VALIDATED="true"
+DEFAULT_REVOKE_CA="https://acme-v01.api.letsencrypt.org"
+DNS_EXTRA_WAIT=""
+DNS_WAIT=10
+DOMAIN_KEY_LENGTH=4096
 DUAL_RSA_ECDSA="false"
-SKIP_HTTP_TOKEN_CHECK="false"
-CSR_SUBJECT="/"
 GETSSL_IGNORE_CP_PRESERVE="false"
-IGNORE_DIRECTORY_DOMAIN="false"
 HTTP_TOKEN_CHECK_WAIT=0
+IGNORE_DIRECTORY_DOMAIN="false"
 ORIG_UMASK=$(umask)
-_USE_DEBUG=0
-_CREATE_CONFIG=0
+PREVIOUSLY_VALIDATED="true"
+PRIVATE_KEY_ALG="rsa"
+PUBLIC_DNS_SERVER=""
+RELOAD_CMD=""
+RENEW_ALLOW="30"
+REUSE_PRIVATE_KEY="true"
+SERVER_TYPE="https"
+SKIP_HTTP_TOKEN_CHECK="false"
+SSLCONF="$(openssl version -d 2>/dev/null| cut -d\" -f2)/openssl.cnf"
+TOKEN_USER_ID=""
+USE_SINGLE_ACL="false"
+VALIDATE_VIA_DNS=""
+WORKING_DIR=~/.getssl
 _CHECK_ALL=0
+_CREATE_CONFIG=0
 _FORCE_RENEW=0
-_QUIET=0
 _MUTE=0
-_UPGRADE=0
-_UPGRADE_CHECK=1
+_QUIET=0
 _RECREATE_CSR=0
 _REVOKE=0
+_UPGRADE=0
+_UPGRADE_CHECK=1
+_USE_DEBUG=0
+
 # store copy of original command in case of upgrading script and re-running
 ORIGCMD="$0 $*"
@@ -710,7 +715,7 @@ get_signing_params() { # get signing parameters from key
 jwk='{"crv":"'"$crv"'","kty":"EC","x":"'"$x64"'","y":"'"$y64"'"}'
 debug "jwk $jwk"
 else
- error_exit "Invlid key file"
+ error_exit "Invalid key file"
 fi
 thumbprint="$(printf "%s" "$jwk" | openssl dgst -sha256 -binary | urlbase64)"
 debug "jwk alg = $jwkalg"
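Review bot: The new changelog line `# 2016-12-27 update checks to work with openssl in FIPS mode (1.93)` describes a change that is not in this patch: the diffstat (`1 file changed, 35 insertions(+), 30 deletions(-)`) is fully accounted for by the alphabetical reorder of the defaults, the two new defaults, the version bump and the one-word typo fix in the second hunk, so no check logic is modified. Either the FIPS-related change was left out of the commit or the entry should be reworded to what actually landed, since anyone tracing the FIPS behaviour later will start from this line. `CA_CERT_LOCATION=""` and `TOKEN_USER_ID=""` are also introduced without a changelog entry and without a visible reader in this hunk; a short trailing comment on each (what path or id they hold, and which check consumes them) or a changelog line would document them. Separately, the moved `SSLCONF=...` default silently becomes `/openssl.cnf` when `openssl` is not on PATH because `2>/dev/null` hides the failure and `cut` yields an empty string; that is pre-existing, so a follow-up rather than a blocker.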