usr.sbin/trustctl/trustctl.sh
- This file was added.
Property | Old Value | New Value |
---|---|---|
svn:eol-style | null | native \ No newline at end of property |
svn:executable | null | * \ No newline at end of property |
svn:keywords | null | FreeBSD=%H \ No newline at end of property |
svn:mime-type | null | text/plain \ No newline at end of property |
#!/bin/sh | |||||
#- | |||||
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD | |||||
dteske: Remove blank line -- the "#-" marker should go on the line below the invocator
# | |||||
# Copyright 2018 Allan Jude <allanjude@freebsd.org> | |||||
# | |||||
# Redistribution and use in source and binary forms, with or without | |||||
# modification, are permitted providing that the following conditions | |||||
# are met: | |||||
# 1. Redistributions of source code must retain the above copyright | |||||
# notice, this list of conditions and the following disclaimer. | |||||
# 2. Redistributions in binary form must reproduce the above copyright | |||||
# notice, this list of conditions and the following disclaimer in the | |||||
# documentation and/or other materials provided with the distribution. | |||||
# | |||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |||||
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED | |||||
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY | |||||
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, | |||||
# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |||||
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |||||
# POSSIBILITY OF SUCH DAMAGE. | |||||
# | |||||
# $FreeBSD$ | |||||
dteske: Change blank line to "#" to connect the license with the FreeBSD ident(1) tag
############################################################ CONFIGURATION | |||||
dteske (unsubmitted): Add blank line after "#x60 CONFIGURATION" and before the first variable. This makes it easier to jump to the top of the variables using "{" and "}" paragraph navigation in nvi/vi/vim (if you use those editors) or something comparable in other editors.
: ${TRUSTPATH:=/usr/share/certs/trusted /usr/local/share/certs /usr/local/etc/ssl/certs} | |||||
: ${BLACKLISTPATH:=/usr/share/certs/blacklisted /usr/local/etc/ssl/blacklisted} | |||||
: ${CERTDESTDIR:=/etc/ssl/certs} | |||||
dteske: These [inheritable] `*PATH` variables should probably follow the expected format of `PATH` and be colon-separated. Where you want to split SEARCHPATH and BLACKLISTPATH on colon, you can set IFS to `:` -- or if you need to preserve whitespace expansion of variables inside a loop, you can use `oldIFS="$IFS"; IFS=:; set -- $*PATH"; IFS="$oldIFS"`
dteske: BLACKLISTPATH and TRUSTPATH are now colon-delimited. Need to update these defaults
: ${BLACKLISTDESTDIR:=/etc/ssl/blacklisted} | |||||
: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} | |||||
############################################################ GLOBALS | |||||
dteske (unsubmitted): Add blank line after "#x60 GLOBALS"
SCRIPTNAME=${0##*/} | |||||
dteske: Don't use basename in a sub-shell, but instead `SCRIPTNAME="${0##*/}"`
dteske (unsubmitted): Add double-quotes around `${0##*/}`
ERRORS=0 | |||||
VERBOSE=0 | |||||
############################################################ FUNCTIONS | |||||
dteske: Remove whitespace between function name and parens.
Insert newline before opening function curly…
dteske: You have enough globals, functions, and sundry that it's worth templatizing this file. The template structure is simple:
```
# x 60 + single space + all-caps description of section
```
And it has a 3-line footer:
```
# x 80
```
Here you would put:
```
############################################################ CONFIGURATION

: ${SEARCHPATH:=...
...

############################################################ GLOBALS

SCRIPTNAME=...
...

############################################################ FUNCTIONS

do_hash()
{
	...
```
And then after the last function:
```
############################################################ MAIN
```
dteske (unsubmitted): Blank line after "#x60 FUNCTIONS"
do_hash() | |||||
dteske: Insert single space after `$(` and before corresponding `)` -- you already have a space after `$((` and before `))` -- this allows the word-jump features of readline keybindings to really shine through, making editing easier in all editors that support them (which includes vi, nvi, vim, emacs, Mac OS X TextEdit, and a great number of others). Add double-quotes around `$1`
{ | |||||
dteske: Instead of testing exit status separately with `$?` combine to form:
```
if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then
```
local hash | |||||
dteske: Add quotes around `$hash` unless the intention is to munge whitespace
if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | |||||
echo "$hash" | |||||
return 0 | |||||
else | |||||
echo "Error: $1" >&2 | |||||
ERRORS=$(( $ERRORS + 1 )) | |||||
return 1 | |||||
fi | |||||
dteske: Insert newline before opening function curly.
Remove whitespace between function name and parens…
} | |||||
dteske: Should be:
```
hash=$( do_hash "$1" ) || return
```
Insert whitespace after `$(` and before corresponding `)`.
dteske: Add quotes around `$BLACKLISTDESTDIR/${hash}.0`
Remove unnecessary curlies around `${hash}`
create_trusted_link() | |||||
dteske: Remove unnecessary curlies around `${hash}`
{ | |||||
local hash | |||||
hash=$( do_hash "$1" ) || return | |||||
dteske: Remove unnecessary curlies around `${hash}`
dteske: Add quotes around `$1`
Add quotes around `$CERTDESTDIR/${hash}.0`
if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | |||||
echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | |||||
return 1 | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
fi | |||||
dteske: Add single whitespace after `$(` and before corresponding `)`
Add double-quotes around `$1`
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | |||||
dteske: Remove unnecessary curlies around `${hash}`
ln -fs "$1" "$CERTDESTDIR/$hash.0" | |||||
dteske: Add double-quotes around `$1` and `$BLACKLISTDESTDIR/${hash}.0`.
Remove unnecessary curlies…
} | |||||
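Review bot: create_trusted_link only ever writes `$hash.0`, so two certificates that share a subject hash silently replace one another: the `ln -fs` overwrites the earlier link, and the `-e` blacklist test matches on the hash alone rather than on the certificate's contents. OpenSSL's hashed-directory layout numbers collisions `.0`, `.1`, `.2`, and so on; consider probing for the first free suffix when linking, and either comparing the candidate against the blacklisted file (e.g. with `cmp`) before skipping it or documenting that the blacklist matches by subject hash, so a reissued certificate with the same subject is not confused with the one that was blacklisted.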
create_blacklisted() | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
{ | |||||
dteske: Add quotes around `$2`
local hash | |||||
hash=$( do_hash "$1" ) || return | |||||
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to blacklist" | |||||
cp "$1" "$BLACKLISTDESTDIR/$hash.0" | |||||
dteske: Decrease the indentation by changing to:
```
[ -e "$CFILE" ] || continue
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
"$1" "$2/$CFILE"
```
Note that I would add double-quotes around `$CFILE`, `$1`, and `$2/$CFILE`
allanjude: In this case $1 is the name of a function; should we still double-quote that?
dteske: Yes. Prevents word splitting, so that you get expected results should someone try to overload the keyword in the script's arguments
} | |||||
dteske: You might want to add a `cd -` before the end to restore the previous working directory (balancing out the initial cd).
do_scan() | |||||
{ | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
local CFILE | |||||
dteske: Add double-quotes around `$1`
cd "$2" | |||||
for CFILE in $EXTENSIONS; do | |||||
[ -e "$CFILE" ] || continue | |||||
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE" | |||||
"$1" "$2/$CFILE" | |||||
done | |||||
cd - | |||||
} | |||||
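Review bot: `cd "$2"` in do_scan is unchecked, so when the directory cannot be entered (a permission failure is not caught by the `[ -d ]` guards in cmd_rehash) the loop runs in whatever the current directory happens to be and `"$1" "$2/$CFILE"` is invoked on the wrong files; use `cd "$2" || return`. The `cd -` at the end also prints the restored directory on stdout in sh, which interleaves with the script's own output; redirect it (`cd - >/dev/null`) or run the scan in a subshell so no cd back is needed. The same two points apply to the `cd "$1"` / `cd -` pair in do_list.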
do_list() | |||||
{ | |||||
local CFILE subject | |||||
cd "$1" | |||||
dteske: Decrease the indentation level by using:
```
if [ ! -s "$CFILE" ]; then
	echo "Unable to read $CFILE" >&2
	ERRORS=$(( $ERRORS + 1 ))
	continue
fi
subject=
if [ $VERBOSE -eq 0 ]; then
	subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" |
		sed -n '/commonName/s/.*= //p' )
fi
[ "$subject" ] || subject=$( openssl x509 -noout -subject -in "$CFILE" )
printf "%s\t%s\n" "$CFILE" "$subject"
```
Notice that I would:
for CFILE in *.0; do | |||||
if [ ! -s "$CFILE" ]; then | |||||
echo "Unable to read $CFILE" >&2 | |||||
ERRORS=$(( $ERRORS + 1 )) | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
continue | |||||
fi | |||||
dteske: Add double-quotes around `$CERTDESTDIR`
subject= | |||||
dteske: Add double-quotes around `$BLACKLISTDESTDIR`
if [ $VERBOSE -eq 0 ]; then | |||||
dteske: Let's look at the contextual facts:
You are in a function.
You do not use any of `$#`, `$*`…

This means that we can use `set -- args` to reset "argc" (`$#`) and argv (`$@` and `$*`) to something else. Combined with a customized IFS value, this is how you can parse a string into an array (`"$@"` consisting of `$#` elements when referenced in the argument space of another program/function/builtin/keyword/etc) using a custom delimiter. All together, it takes the whitespace delimited `$BLACKLISTPATH` processed as you have it currently:
```
for BPATH in $BLACKLISTPATH; do
```
to a custom (in this case, `:`) delimited `$BLACKLISTPATH` processed using:
```
local oldIFS="$IFS" # put at top of function near other locals
IFS=:
set -- $BLACKLISTPATH
IFS="$oldIFS"
for BPATH in "$@"; do
```
dteske: Don't forget to mark this as done
subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | | |||||
sed -n '/commonName/s/.*= //p' ) | |||||
fi | |||||
[ "$subject" ] || | |||||
dteske: Reduce indentation by changing to:
```
[ -d "$BPATH" ] || continue
echo "Scanning $BPATH for blacklisted certificates..."
do_scan create_blacklisted "$BPATH"
```
Notice that I would:
subject=$( openssl x509 -noout -subject -in "$CFILE" ) | |||||
printf "%s\t%s\n" "$CFILE" "$subject" | |||||
dteske: Following the advice above for `$BLACKLISTPATH`, here I would change a whitespace delimited `$SEARCHPATH` to a `:` delimited `$SEARCHPATH` using:
```
IFS=:
set -- $SEARCHPATH
IFS="$oldIFS"
for CPATH in "$@"; do
```
done | |||||
cd - | |||||
} | |||||
cmd_rehash() | |||||
{ | |||||
local BPATH CPATH | |||||
local oldIFS="$IFS" | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
rm -rf "$CERTDESTDIR" | |||||
mkdir -p "$CERTDESTDIR" | |||||
mkdir -p "$BLACKLISTDESTDIR" | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
IFS=: | |||||
set -- $BLACKLISTPATH | |||||
dteske: Combine the comment about `shift` to one line like so:
```
shift # verb
```
Notice that I would simply state what is being shifted out.
IFS="$oldIFS" | |||||
dteske: Add double-quotes around `$BLACKLISTDESTDIR`
for BPATH in "$@"; do | |||||
dteske: Add double-quotes around `$@`
[ -d "$BPATH" ] || continue | |||||
echo "Scanning $BPATH for blacklisted certificates..." | |||||
dteske: Add double-quotes around `$BFILE`
do_scan create_blacklisted "$BPATH" | |||||
done | |||||
IFS=: | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
Add…
set -- $TRUSTPATH | |||||
IFS="$oldIFS" | |||||
dteske: Combine `shift` and comment to a single line and only say what is being shifted:
```
shift # verb
```
We know shift removes arguments, just tell us what it was.
for CPATH in "$@"; do | |||||
dteske: Add double-quotes around `$@`
[ -d "$CPATH" ] || continue | |||||
dteske: Add double-quotes around `$BFILE`
echo "Scanning $CPATH for trusted certificates..." | |||||
dteske: Add a single space after `$(` and before `)`.
do_scan create_trusted_link "$CPATH" | |||||
dteske: Remove unnecessary curlies around `${hash}`
done | |||||
dteske: Change to:
```
rm -f "$BLACKLISTDESTDIR/$hash.0"
```
Note that I would:
Add double-quotes…
} | |||||
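Review bot: `rm -rf "$CERTDESTDIR"` in cmd_rehash acts on a value inherited from the caller's environment (`: ${CERTDESTDIR:=/etc/ssl/certs}` keeps whatever is already set), so the environment rather than the script decides which tree is deleted, and a relative value would be removed from the current directory. At least require an absolute path before the `rm -rf`, and consider `mkdir -p` followed by removing only the `*.0` entries in place of deleting the whole directory. The same inheritable variables (`BLACKLISTDESTDIR`, `BLACKLISTPATH`, `TRUSTPATH`) choose where blacklist entries are read from and written to, so the same check is worth applying to them.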
dteske: Add double-quotes around `$BLACKLISTDESTDIR/$BFILE`
cmd_list() | |||||
dteske: Add double-quotes around `$BLACKLISTDESTDIR/$BFILE`
{ | |||||
echo "Listing Trusted Certificates:" | |||||
do_list "$CERTDESTDIR" | |||||
} | |||||
cmd_blacklist() | |||||
{ | |||||
local BPATH | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
shift # verb | |||||
dteske: Add double-quotes around `$BLACKLISTDESTDIR`
mkdir -p "$BLACKLISTDESTDIR" | |||||
for BFILE in "$@"; do | |||||
echo "Adding $BFILE to blacklist" | |||||
dteske: Remove whitespace between function name and parens.
Add newline before opening curly.
create_blacklisted "$BFILE" | |||||
dteske: Usage is supposed to be printed on stderr.
Add the following line before this first echo:
```
exec >&2
```
This will cause all following output to be redirected to stderr.
done | |||||
} | |||||
cmd_unblacklist() | |||||
{ | |||||
local BFILE hash | |||||
shift # verb | |||||
for BFILE in "$@"; do | |||||
if [ -s "$BFILE" ]; then | |||||
hash=$( do_hash "$BFILE" ) | |||||
echo "Removing $hash.0 from blacklist" | |||||
rm -f "$BLACKLISTDESTDIR/$hash.0" | |||||
elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then | |||||
echo "Removing $BFILE from blacklist" | |||||
dteske: Add double-quotes around `$1`
rm -f "$BLACKLISTDESTDIR/$BFILE" | |||||
else | |||||
echo "Cannot find $BFILE" >&2 | |||||
dteske: Combine to form:
```
list) cmd_list ;;
```
ERRORS=$(( $ERRORS + 1 )) | |||||
fi | |||||
done | |||||
dteske: Combine to form:
```
rehash) cmd_rehash ;;
```
} | |||||
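Review bot: `hash=$( do_hash "$BFILE" )` in the `-s` branch of cmd_unblacklist ignores do_hash's failure status, unlike the `|| return` used in create_trusted_link and create_blacklisted; when openssl rejects the file, `hash` is empty, the function prints "Removing .0 from blacklist" and runs `rm -f "$BLACKLISTDESTDIR/.0"`. Append `|| continue` so the entry is skipped (do_hash already reports the error and bumps `ERRORS`).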
cmd_blacklisted() | |||||
dteske: Add double-quotes around `$@` and combine lines to form:
```
blacklist) cmd_blacklist "$@"
```
dteske: Correction:
```
blacklist) cmd_blacklist "$@" ;;
```
{ | |||||
echo "Listing Blacklisted Certificates:" | |||||
do_list "$BLACKLISTDESTDIR" | |||||
dteske: Add double-quotes around `$@` and combine lines to form:
```
unblacklist) cmd_unblacklist "$@"
```
dteske: Correction:
```
unblacklist) cmd_unblacklist "$@" ;;
```
} | |||||
usage() | |||||
dteske: Combine to form:
```
blacklisted) cmd_blacklisted ;;
```
{ | |||||
exec >&2 | |||||
echo "Manage the TLS trusted certificates on the system" | |||||
dteske: `case` patterns should be indented to the same level as the `case` and `esac` lines.
dteske: The fallback for a `case` statement does not need the `;;` terminator.
```
*) usage # NOTREACHED
```
Remove unnecessary…
echo " $SCRIPTNAME list" | |||||
echo " List trusted certificates" | |||||
echo " $SCRIPTNAME blacklisted" | |||||
echo " List blacklisted certificates" | |||||
echo " $SCRIPTNAME rehash" | |||||
echo " Rehash the list of trusted certificates" | |||||
dteske: This stanza destroys the exit status of the desired function. Consider the following solution:
```
retval=$?
[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2
exit $retval
```
echo " $SCRIPTNAME blacklist <file>" | |||||
echo " Add <file> to the list of blacklisted certificates" | |||||
echo " $SCRIPTNAME unblacklist <file>" | |||||
echo " Remove <file> from the list of blacklisted certificates" | |||||
exit 64 | |||||
} | |||||
############################################################ MAIN | |||||
dteske (unsubmitted): Add a blank line after "#x60 MAIN"
[ $# -gt 0 ] || usage | |||||
case "$1" in | |||||
list) cmd_list ;; | |||||
rehash) cmd_rehash ;; | |||||
blacklist) cmd_blacklist "$@" ;; | |||||
unblacklist) cmd_unblacklist "$@" ;; | |||||
blacklisted) cmd_blacklisted ;; | |||||
*) usage # NOTREACHED | |||||
esac | |||||
retval=$? | |||||
[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2 | |||||
exit $retval | |||||
################################################################################ | |||||
# END | |||||
################################################################################ |