Various small fixes

sbin/attest-enroll

@@ -379,8 +379,8 @@ shift
 # Read default configuration if none given
 # shellcheck disable=SC1090
 if [[ -n ${CONF:-} && -f ${CONF} ]]; then
-	. "${CONF}"
 	if ! $configured; then
+		. "${CONF}"
 		export SAFEBOOT_ENROLL_CONF="$CONF"
 		configured=true
 	fi

sbin/gencert

@@ -51,9 +51,6 @@ if [[ -z $GENCERT_REALM ]]; then
 			GENCERT_REALM=${GENCERT_DOMAIN_REALM[$domain]}
 			break
 		fi
-		if ((${#GENCERT_DOMAIN_REALM[@]} > 0)); then
-			die "Could not determine realm name for $hostname"
-		fi
 		if (($(dig -t srv "_kerberos._udp.$domain" +short|wc -l) > 0)); then
 			GENCERT_REALM=${domain^^?}
 			break
@@ -100,6 +97,11 @@ hxtool issue-certificate					\
 	--certificate=PEM-FILE:cert.pem				\
 || die "skip: Could not issue PKINIT certificate for impersonation!"
 
+# Append the issuer certificate and any other certs in that file to the output
+# so that the full chain is included.
+openssl crl2pkcs7 -nocrl -certfile "${GENCERT_CRED#*:}"		\
+| openssl pkcs7 -print_certs >> cert.pem
+
 grep -q PRIVATE cert.pem && die "Private key in cert file?!"
 trap true EXIT
 echo "sensitive cert-key.pem cert.pem"

sbin/getkeytab

@@ -155,10 +155,18 @@ if [[ -z $GETKEYTAB_REALM ]]; then
 fi
 
 check_keytab() {
-	[[ -n ${1:-} && -s $1 ]]			\
-	&& ktutil --keytab="$1" list >/dev/null		\
-	&& kinit --anonymous "$GETKEYTAB_REALM"	\
-		 gss-token "host@$hostname"		\
+	[[ -n ${1:-} && -s $1 ]]				\
+	|| return 1
+	ktutil --keytab="$1" list >/dev/null			\
+	|| return 1
+	# Validate the keytab by using it as a service:
+	(
+		# Work around a gss-token(1) a bug in some versions where it
+		# exits with an error instead of success.  We don't care
+		# whether the client succeeds, just whether the server does.
+		kinit --anonymous "$GETKEYTAB_REALM"		\
+			gss-token "host@$hostname" || true
+	)							\
 	| KRB5_KTNAME="$1" gss-token -r
 }
 
@@ -173,13 +181,13 @@ d=$(mktemp -d)
 cd "$d"
 
 princ="host/${hostname}@${GETKEYTAB_REALM}"
-pkinit_cred="FILE:${HOST_CERT}${HOST_CERT_KEY+:",${HOST_CERT_KEY}"}"
+pkinit_cred="FILE:${HOST_CERT}${HOST_CERT_KEY:+",${HOST_CERT_KEY}"}"
 
 # Get a TGT using PKINIT
 kinit									\
 	${GETKEYTAB_KINIT_ARGS[0]:+"${GETKEYTAB_KINIT_ARGS[@]}"}	\
-	--cache cc							\
-	--pk-user "$pkinit_cred"					\
+	--cache=cc							\
+	--pk-user="$pkinit_cred"					\
 	"$princ"							\
 || die "Could not get TGT for ${princ} with PKINIT with ${pkinit_cred}"
 

sbin/tpm2-attest

@@ -819,10 +819,10 @@ unseal()
 ########################################
 
 verify_unsealed_usage='
-## verify_unsealed
+## verify-unsealed
 Usage:
 ```
-tpm2-attest verify_unsealed DIR
+tpm2-attest verify-unsealed DIR
 ```
 
 Assets returned by successful remote attestation should be signed.  This
@@ -836,11 +836,6 @@ verify-unsealed()
 	show_help "$1" "$verify_unsealed_usage"
 	(($# == 1)) || die "No arguments expected.$verify_unsealed_usage"
 
-	# We must either know a priori an anchor for the signer's certificate,
-	# or we must know the signature key.
-	[[ -n ${ENROLL_SIGN_ANCHOR:-} ]]	\
-	|| die "neither enrollment server public key certificate nor anchor configured"
-
 	cd "$1" || die "Not a directory: $1"
 
 	# Validate the signer's certificate