1. Fix handling of "univention-certificate -path ..." handling 2. Fix handling of missing arguments to options. 3. Return useful exit values for scripting usage. 4. Print error messages to stderr to help parsing output. 5. Quote variables (password!) 6. Replace univention-baseconfig by univention-config-registry 7. Make variables function local 8. Update copyright 9. Remove trailing blanks on lines 10. Remove semicolon on end of line 11. Remove space before tabs diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh index 0670e6b..d243fa8 100644 --- a/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh +++ b/branches/ucs-3.0/ucs/base/univention-ssl/extensions-example.sh @@ -1,11 +1,9 @@ -function createHostExtensionsFile () { - - local fqdn="$1" - local hostname=${fqdn/.*/} - local extFile=$(mktemp) - - cat <>"$extFile" +createHostExtensionsFile () { + local fqdn="$1" + local hostname=${fqdn/.*/} + local extFile=$(mktemp) + cat <>"$extFile" extensions = myx509v3 [ myx509v3 ] @@ -16,7 +14,6 @@ authorityKeyIdentifier = keyid,issuer:always # alternative name subjectAltName = DNS:$fqdn, DNS:$hostname - EOF echo "$extFile" diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py index c5d7d64..7183850 100644 --- a/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py +++ b/branches/ucs-3.0/ucs/base/univention-ssl/gencertificate.py @@ -30,7 +30,7 @@ # /usr/share/common-licenses/AGPL-3; if not, see # . -__package__='' # workaround for PEP 366 +__package__='' # workaround for PEP 366 from listener import * import grp 
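Review bot: `local extFile=$(mktemp)` in createHostExtensionsFile discards mktemp's exit status, so when the temporary file cannot be created the function still prints an empty path and the callers in make-certificates.sh (`[ -s "$extFile" ]` before `openssl ca`) silently fall back to signing the request without the subjectAltName extensions. Declare and assign separately, `local extFile` then `extFile=$(mktemp) || return 1`, and let the callers treat a non-zero return as fatal instead of falling back. `$fqdn` and `$hostname` are interpolated unquoted into the generated openssl config; if a certificate name can contain `,` or a newline it can alter the extension section, so validating the name where it enters (the `-name` option and the listener) is worth confirming.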
@@ -80,7 +80,7 @@ def handler(dn, new, old): univention.debug.debug(univention.debug.LISTENER, univention.debug.WARN, 'CERTIFICATE: Failed to get groupID for "%s"' % name) gidNumber = 0 - if new and not old: + if new and not old: if new.has_key('associatedDomain'): domain=new['associatedDomain'][0] else: @@ -118,7 +118,7 @@ def handler(dn, new, old): def set_permissions(tmp1, directory, filename): global uidNumber global gidNumber - + univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Set permissons for = %s with owner/group %s/%s' % (directory, gidNumber, uidNumber)) os.chown(directory, uidNumber, gidNumber) os.chmod(directory, 0750) @@ -139,7 +139,7 @@ def create_certificate(name, serverUidNumber, domainname): global uidNumber global gidNumber uidNumber = serverUidNumber - + ssldir='/etc/univention/ssl' univention.debug.debug(univention.debug.LISTENER, univention.debug.PROCESS, 'CERTIFICATE: Creating certificate %s' % name) @@ -162,7 +162,6 @@ def create_certificate(name, serverUidNumber, domainname): p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir,name,domainname,ssldir,name) ) p.close() - a=os.path.walk(certpath,set_permissions, None) return @@ -190,4 +189,3 @@ def clean(): def postrun(): return - diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh index 361e8fb..c95d283 100755 --- a/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh +++ b/branches/ucs-3.0/ucs/base/univention-ssl/make-certificates.sh @@ -3,7 +3,7 @@ # Univention SSL # gencertificate script # -# Copyright 2004-2011 Univention GmbH +# Copyright 2004-2012 Univention GmbH # # http://www.univention.de/ # @@ -35,9 +35,9 @@ # http://www.pca.dfn.de/dfnpca/certify/ssl/handbuch/ossl092/ if [ -n "$sslbase" ]; then - SSLBASE="$sslbase" + SSLBASE="$sslbase" else - SSLBASE=/etc/univention/ssl + SSLBASE=/etc/univention/ssl fi CA=ucsCA 
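Review bot: The deleted `a=os.path.walk(certpath,set_permissions, None)` line in create_certificate was the only call of `set_permissions` (chown to the host's uid/gid, directory mode 0750) visible in this file, and neither the commit message nor the other hunks replace it; unless something outside this diff now applies the ownership, the freshly created certificate directory presumably stays root-owned with whatever modes the shell script left, and the host it was created for cannot read its own certificate. If dropping the walk is intended, the commit message should say so; otherwise keep it as `os.path.walk(certpath, set_permissions, None)` (only the unused `a=` needs to go). The unchanged `p = os.popen('ln -sf %s/%s.%s %s/%s' % (ssldir, name, domainname, ssldir, name))` two lines above builds a shell command from the LDAP-supplied `name`; a list-form `subprocess.call(['ln', '-sf', ...])` would avoid shell interpretation — confirm which characters `name` may contain. Unrelated but in the same file: the debug message in set_permissions prints `gidNumber, uidNumber` under an "owner/group" label, i.e. swapped.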
@@ -57,23 +57,20 @@ else fi mk_config () { - - local outfile=$1; - local password=$2; + local outfile=$1 + local password=$2 local days=$3 local name=$4 - if test -e $outfile; then - rm $outfile; + if test -e "$outfile"; then + rm -f "$outfile" fi - touch $outfile; - chmod 0600 $outfile; + touch "$outfile" + chmod 0600 "$outfile" eval "$(univention-config-registry shell ssl/country ssl/state ssl/locality ssl/organization ssl/organizationalunit ssl/email)" - - cat <>$outfile - + cat >"$outfile" <>$outfile + if [ -n "$password" ]; then + cat >>"$outfile" <>$outfile + cat >>"$outfile" < "$SSLBASE/password" fi - PASSWD=`cat "$SSLBASE/password"` + local PASSWD=`cat "$SSLBASE/password"` - local OPWD=`pwd`; + local OPWD=$(pwd) # create directory infrastructure cd "$SSLBASE" - mkdir -m 700 -p ${CA}; - mkdir -p ${CA}/{certs,crl,newcerts,private}; - echo "01" > ${CA}/serial; - touch ${CA}/index.txt; + mkdir -m 700 -p "${CA}" + mkdir -p "${CA}/"{certs,crl,newcerts,private} + echo "01" >"${CA}/serial" + touch "${CA}/index.txt" eval "$(ucr shell ssl/common)" # make the root-CA configuration file - mk_config openssl.cnf $PASSWD $DEFAULT_DAYS "$ssl_common" + mk_config openssl.cnf "$PASSWD" "$DEFAULT_DAYS" "$ssl_common" - - openssl genrsa -des3 -passout pass:"$PASSWD" -out ${CA}/private/CAkey.pem 2048 - yes '' | openssl req -config openssl.cnf -new -x509 -days $DEFAULT_DAYS -key ${CA}/private/CAkey.pem -out ${CA}/CAcert.pem + openssl genrsa -des3 -passout pass:"$PASSWD" -out "${CA}/private/CAkey.pem" 2048 + yes '' | openssl req -config openssl.cnf -new -x509 -days "$DEFAULT_DAYS" -key "${CA}/private/CAkey.pem" -out "${CA}/CAcert.pem" # copy the public key to a place, from where browsers can access it - openssl x509 -in ${CA}/CAcert.pem -out /var/www/ucs-root-ca.crt + openssl x509 -in "${CA}/CAcert.pem" -out /var/www/ucs-root-ca.crt # mv the certificate to the certs dir and link it to its hash value - cp ${CA}/CAcert.pem ${CA}/newcerts/00.pem - move_cert ${CA}/newcerts/00.pem + cp 
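Review bot: In mk_config the sequence `touch "$outfile"` then `chmod 0600 "$outfile"` leaves a window in which the file exists with umask-default permissions; a local user who opens it during that window keeps a readable descriptor after the chmod and reads the password the `[ -n "$password" ]` block presumably writes later (whether this is reachable depends on the permissions of the directory, which are not visible here). Creating the file with its final mode in one step, `install -m 0600 /dev/null "$outfile"` (or `umask 077` in a subshell around the redirection), closes the window and makes the `test -e`/`rm -f`/`touch` trio unnecessary. The heredoc bodies of this hunk are not legible in this rendering, so the generated config content itself was not reviewed; mk_config's body also runs past the legible part of the hunk.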
"${CA}/CAcert.pem" "${CA}/newcerts/00.pem" + move_cert "${CA}/newcerts/00.pem" # generate root ca request - openssl x509 -x509toreq -in ${CA}/CAcert.pem -signkey ${CA}/private/CAkey.pem -out ${CA}/CAreq.pem -passin pass:$PASSWD + openssl x509 -x509toreq -in "${CA}/CAcert.pem" -signkey "${CA}/private/CAkey.pem" -out "${CA}/CAreq.pem" -passin pass:"$PASSWD" - find ${CA} -type f | xargs chmod 600 - find ${CA} -type d | xargs chmod 700 + find "${CA}" -type f -exec chmod 600 {} + + find "${CA}" -type d -exec chmod 700 {} + - chmod 755 ${CA} - chmod 644 ${CA}/CAcert.pem - #generate empty crl at installation time - openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" - openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der + chmod 755 "${CA}" + chmod 644 "${CA}/CAcert.pem" + #generate empty crl at installation time + openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" + openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der cd "$OPWD" } list_cert_names () { - local OPWD=`pwd` + local OPWD=$(pwd) cd "$SSLBASE" awk 'BEGIN { FS="\t"; } { if ( $1 == "V" ) 
@@ -323,80 +317,80 @@ list_cert_names () { } } } - }'< ${CA}/index.txt + }' <"${CA}/index.txt" cd "$OPWD" } has_valid_cert () { - list_cert_names | egrep -q "$1$"; + list_cert_names | egrep -q "$1$" } renew_cert () { - local OPWD=`pwd`; - cd "$SSLBASE"; - + local OPWD=$(pwd) + cd "$SSLBASE" + if [ -z "$1" ]; then - echo "missing certificate name" 1>&2; - return 1; + echo "missing certificate name" 1>&2 + return 1 fi - - local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; + + local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` if [ -z "$NUM" ]; then - echo "no certificate for $1 registered" 1>&2; - return 1; - fi; - + echo "no certificate for $1 registered" >&2 + return 1 + fi + if [ -z "$2" ]; then days=$DEFAULT_DAYS fi - + # revoke cert - revoke_cert $1 + revoke_cert "$1" # get host extension file hostExt=$(ucr get ssl/host/extensions) if [ -s "$hostExt" ]; then - source $hostExt + . "$hostExt" extFile=$(createHostExtensionsFile "$1") - fi - + fi + # sign the request if [ -s "$extFile" ]; then - openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ - -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" + openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ + -out "$1/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" rm -f "$extFile" else - openssl ca -batch -config openssl.cnf -days $days -in "$1/req.pem" \ - -out "$1/cert.pem" -passin pass:"$PASSWD" + openssl ca -batch -config openssl.cnf -days "$days" -in "$1/req.pem" \ + -out "$1/cert.pem" -passin pass:"$PASSWD" fi - + # move the new certificate to its place - move_cert ${CA}/newcerts/*; - cd "$OPWD"; + move_cert "${CA}/newcerts/"* + cd "$OPWD" } # Parameter 1: Name des CN dessen Zertifikat wiederufen werden soll revoke_cert () { - local OPWD=`pwd`; - cd "$SSLBASE"; + local OPWD=`pwd` + cd "$SSLBASE" if [ -z "$1" ]; then - echo "missing certificate name" 1>&2; - return 1; + echo "missing certificate name" >&2 + 
return 1 fi - local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'`; + local NUM=`list_cert_names | grep "$1" | sed -e 's/^\([0-9A-Fa-f]*\).*/\1/1'` if [ -z "$NUM" ]; then - echo "no certificate for $1 registered" 1>&2; - return 1; - fi; - openssl ca -config openssl.cnf -revoke ${CA}/certs/${NUM}.pem -passin pass:"$PASSWD" - openssl ca -config openssl.cnf -gencrl -out ${CA}/crl/crl.pem -passin pass:"$PASSWD" - openssl crl -in ${CA}/crl/crl.pem -out /var/www/${CA}.crl -inform pem -outform der - - cd "$OPWD"; + echo "no certificate for $1 registered" >&2 + return 1 + fi + openssl ca -config openssl.cnf -revoke "${CA}/certs/${NUM}.pem" -passin pass:"$PASSWD" + openssl ca -config openssl.cnf -gencrl -out "${CA}/crl/crl.pem" -passin pass:"$PASSWD" + openssl crl -in "${CA}/crl/crl.pem" -out "/var/www/${CA}.crl" -inform pem -outform der + + cd "$OPWD" } 
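Review bot: In renew_cert the requested lifetime is never taken from `$2`: the only assignment is `days=$DEFAULT_DAYS` when `$2` is empty, so `openssl ca -days "$days"` otherwise uses whatever global `days` the caller left behind (univention-certificate's `-days` option), and the commit's `local days=` conversion done in gencert was not applied here. `local days=${2:-$DEFAULT_DAYS}` makes the parameter real without depending on the caller. Both renew_cert and revoke_cert select the serial with `list_cert_names | grep "$1"`, an unanchored regex match, so a name that is a substring of another (`ucs` vs `backup-ucs`) yields several serials and `-revoke "${CA}/certs/${NUM}.pem"` then names a multi-line path; if list_cert_names prints the serial first and the CN last, `awk -v cn="$1" '$NF == cn { print $1 }'` selects exactly one — confirm the column layout before switching. `hostExt` and `extFile` likewise stay global in renew_cert although gencert now declares them `local`.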
@@ -410,40 +404,40 @@ gencert () { local OPWD=`pwd` cd "$SSLBASE" if has_valid_cert "$2"; then - revoke_cert "$2"; - fi; + revoke_cert "$2" + fi - days=$(/usr/sbin/univention-config-registry get ssl/default/days) + local days=$(/usr/sbin/univention-config-registry get ssl/default/days) if [ -z "$days" ]; then days=$DEFAULT_DAYS fi # generate a key pair - mkdir -pm 700 $name - mk_config "$name/openssl.cnf" "" $days "$cn" + mkdir -pm 700 "$name" + mk_config "$name/openssl.cnf" "" "$days" "$cn" openssl genrsa -out "$name/private.key" 1024 yes '' | openssl req -config "$name/openssl.cnf" -new -key "$name/private.key" -out "$name/req.pem" # get host extension file - hostExt=$(ucr get ssl/host/extensions) + local hostExt=$(ucr get ssl/host/extensions) if [ -s "$hostExt" ]; then - source $hostExt - extFile=$(createHostExtensionsFile "$cn") - fi + . "$hostExt" + local extFile=$(createHostExtensionsFile "$cn") + fi # sign the key if [ -s "$extFile" ]; then openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ - -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" + -out "$name/cert.pem" -passin pass:"$PASSWD" -extfile "$extFile" rm -f "$extFile" else openssl ca -batch -config openssl.cnf -days $days -in "$name/req.pem" \ - -out "$name/cert.pem" -passin pass:"$PASSWD" + -out "$name/cert.pem" -passin pass:"$PASSWD" fi # move the new certificate to its place - move_cert ${CA}/newcerts/*; + move_cert "${CA}/newcerts/"* - find $name -type f | xargs chmod 600 - find $name -type d | xargs chmod 700 + find "$name" -type f -exec chmod 600 {} + + find "$name" -type d -exec chmod 700 {} + cd "$OPWD" } diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate index 6d1a963..9950253 100755 --- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate +++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate 
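Review bot: gencert still creates the host key with `openssl genrsa -out "$name/private.key" 1024` while the CA key generated in init is 2048 bits; 1024-bit RSA is no longer recommended for new certificates (NIST SP 800-131A deprecates it), so raise the default to 2048 and, ideally, read it from a UCR variable next to `ssl/default/days`. `local extFile=$(createHostExtensionsFile "$cn")` is declared inside the `if [ -s "$hostExt" ]` branch only, so when no extension file is configured the later `[ -s "$extFile" ]` test reads whatever global `extFile` the calling shell holds; declare `local hostExt extFile` before the `if`. The two `openssl ca ... -days $days` lines remain unquoted although the `mk_config` call above now passes `"$days"`.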
@@ -3,7 +3,7 @@ # Univention SSL # openssl wrapper # -# Copyright 2004-2011 Univention GmbH +# Copyright 2004-2012 Univention GmbH # # http://www.univention.de/ # @@ -29,7 +29,7 @@ # License with the Debian GNU/Linux or Univention distribution in file # /usr/share/common-licenses/AGPL-3; if not, see # . - +set -o errfail usage () { @@ -50,12 +50,12 @@ usage () echo " dump" echo " list" echo "" - echo "Options" + echo "Options:" echo " -name " echo " -days " echo "" - exit + exit 2 } command="$1" @@ -63,38 +63,34 @@ shift if [ "$command" != "new" -a "$command" != "revoke" -a "$command" != "renew" -a "$command" != "check" -a "$command" != "list" -a "$command" != "dump" ]; then if [ -n "$command" ]; then - usage "unknown command: $command" + usage "unknown command: $command" >&2 else - usage + usage >&2 fi fi while [ $# -gt 0 ]; do case "$1" in "-path") - shift - path="$1" - shift + path="$2" + shift 2 || usage "Missing argument to -path" >&2 ;; "-name") - shift - name="$1" - shift + name="$2" + shift 2 || usage "Missing argument to -name" >&2 ;; "-days") - shift - days="$1" - shift + days="$2" || usage "Missing argument to -days" >&2 + shift 2 ;; *) - usage "unknown option $1" - shift + usage "unknown option $1" >&2 ;; esac done if [ "$command" != "list" -a -z "$name" ]; then - usage "missing -name" + usage "missing -name" >&2 fi cd /etc/univention/ssl @@ -105,8 +101,8 @@ case "$command" in "new") echo "Creating certificate: $name" gencert "/etc/univention/ssl/$name" "$name" - getent group "DC Backup Hosts" 2>&1 >/dev/null - if [ $? = 0 ]; then + if getent group "DC Backup Hosts" 2>&1 >/dev/null + then chgrp -R "DC Backup Hosts" "/etc/univention/ssl/$name" chmod -R g+rx "/etc/univention/ssl/$name" fi 
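Review bot: `set -o errfail` is not a shell option; bash and dash both reject it with `set: errfail: invalid option name` and carry on, so the fail-fast this line is meant to enable never takes effect and a failing `gencert`, `renew_cert` or `revoke_cert` still lets the script continue and exit 0. The intended line is `set -o errexit` (or `set -e`); with that in place, also check that the `shift 2 || usage ...` patterns below and the `if getent ...` block behave as expected under errexit.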
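Review bot: The `-days` branch of the option loop cannot report a missing argument: `days="$2" || usage "Missing argument to -days" >&2` attaches the `||` to a plain assignment, which always succeeds, and the following bare `shift 2` fails without exiting when `-days` is the last argument. Under bash a failed `shift` leaves the positional parameters untouched, so `$1` is still `-days` and the `while [ $# -gt 0 ]` loop never terminates. Use the same form as the other two cases: `days="$2"` followed by `shift 2 || usage "Missing argument to -days" >&2`.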
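Review bot: `if getent group "DC Backup Hosts" 2>&1 >/dev/null` applies the redirections in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to /dev/null, so getent's error output still reaches the caller's stdout. Write `if getent group "DC Backup Hosts" >/dev/null 2>&1`. The `new` case also ends with this `if` block, so the script's exit status for `new` reflects `chmod`/`getent`, not `gencert`; add an explicit `|| exit 1` after the `gencert` call if item 3 of the commit message ("useful exit values") is meant to cover it.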
@@ -117,18 +113,20 @@ case "$command" in ;; "renew") if [ -z "$days" ]; then - usage "missing -days" + usage "missing -days" >&2 fi echo "Renew certificate: $name" renew_cert "$name" "$days" ;; "check") echo -n "Certificate \"$name\" is " - has_valid_cert $name - if [ $? = 0 ]; then + if has_valid_cert "$name" + then echo "valid" + exit 0 else echo "invalid" + exit 1 fi ;; "list") @@ -137,7 +135,6 @@ case "$command" in ;; "dump") echo "Dump certificate: $name" - openssl x509 -in /etc/univention/ssl/$name/cert.pem -noout -text + openssl x509 -in "/etc/univention/ssl/$name/cert.pem" -noout -text ;; esac - diff --git a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity index 98bbbca..c87bf26 100755 --- a/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity +++ b/branches/ucs-3.0/ucs/base/univention-ssl/univention-certificate-check-validity @@ -37,9 +37,9 @@ import calendar from M2Crypto import X509 -import univention_baseconfig +from univention.config_registry import ConfigRegistry -_bc = univention_baseconfig.baseConfig() +_bc = ConfigRegistry() _bc.load() def get_validity_date(certFile):
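Review bot: `$name` comes straight from the `-name` option and is interpolated into `"/etc/univention/ssl/$name/cert.pem"` in the `dump` case here, and into the gencert/renew_cert/revoke_cert paths elsewhere; a value such as `../something` or one containing `/` leaves the certificate tree, and since the tool runs as root that reaches arbitrary files for `dump` and arbitrary directories for `new`. Reject such names once after option parsing: `case "$name" in */*|.*) usage "invalid name: $name" >&2;; esac`. The `check` case now sets explicit exit codes, but `renew` in this hunk still ends with the implicit status of `renew_cert`, which itself returns 1 only for the argument checks and ignores the `openssl ca` results, so scripted callers still cannot tell a failed renewal from a successful one.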