Changeset View
Changeset View
Standalone View
Standalone View
usr.sbin/certctl/certctl.sh
| Show All 24 Lines | |||||
| # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
| # POSSIBILITY OF SUCH DAMAGE. | # POSSIBILITY OF SUCH DAMAGE. | ||||
| # | # | ||||
| # $FreeBSD$ | # $FreeBSD$ | ||||
| ############################################################ CONFIGURATION | ############################################################ CONFIGURATION | ||||
| : ${DESTDIR:=} | : ${DESTDIR:=} | ||||
| : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} | |||||
| : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} | |||||
| : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} | |||||
| : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} | |||||
| : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} | : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} | ||||
| : ${VERBOSE:=0} | : ${VERBOSE:=0} | ||||
| ############################################################ GLOBALS | ############################################################ GLOBALS | ||||
| SCRIPTNAME="${0##*/}" | SCRIPTNAME="${0##*/}" | ||||
| ERRORS=0 | ERRORS=0 | ||||
| NOOP=0 | NOOP=0 | ||||
| UNPRIV=0 | |||||
| ############################################################ FUNCTIONS | ############################################################ FUNCTIONS | ||||
| do_hash() | do_hash() | ||||
| { | { | ||||
| local hash | local hash | ||||
| if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | ||||
| Show All 11 Lines | create_trusted_link() | ||||
| local hash | local hash | ||||
| hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
| if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | ||||
| echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | ||||
| return 1 | return 1 | ||||
| fi | fi | ||||
| [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | ||||
| [ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | ||||
| } | } | ||||
| create_blacklisted() | create_blacklisted() | ||||
| { | { | ||||
| local hash srcfile filename | local hash srcfile filename | ||||
| # If it exists as a file, we'll try that; otherwise, we'll scan | # If it exists as a file, we'll try that; otherwise, we'll scan | ||||
| if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
| hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
| srcfile=$(realpath "$1") | srcfile=$(realpath "$1") | ||||
| filename="$hash.0" | filename="$hash.0" | ||||
| elif [ -e "${CERTDESTDIR}/$1" ]; then | elif [ -e "${CERTDESTDIR}/$1" ]; then | ||||
| srcfile=$(realpath "${CERTDESTDIR}/$1") | srcfile=$(realpath "${CERTDESTDIR}/$1") | ||||
| filename="$1" | filename="$1" | ||||
| else | else | ||||
| return | return | ||||
| fi | fi | ||||
| [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | ||||
| [ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | ||||
| } | } | ||||
| do_scan() | do_scan() | ||||
| { | { | ||||
| local CFUNC CSEARCH CPATH CFILE | local CFUNC CSEARCH CPATH CFILE | ||||
| local oldIFS="$IFS" | local oldIFS="$IFS" | ||||
| CFUNC="$1" | CFUNC="$1" | ||||
| CSEARCH="$2" | CSEARCH="$2" | ||||
| IFS=: | IFS=: | ||||
| set -- $CSEARCH | set -- $CSEARCH | ||||
| IFS="$oldIFS" | IFS="$oldIFS" | ||||
| for CPATH in "$@"; do | for CPATH in "$@"; do | ||||
| [ -d "$CPATH" ] || continue | [ -d "$CPATH" ] || continue | ||||
| echo "Scanning $CPATH for certificates..." | echo "Scanning $CPATH for certificates..." | ||||
| cd "$CPATH" | cd "$CPATH" | ||||
| for CFILE in $EXTENSIONS; do | for CFILE in $EXTENSIONS; do | ||||
| [ -e "$CFILE" ] || continue | [ -e "$CFILE" && $UNPRIV -eq 0 ] || continue | ||||
| [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" | [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" | ||||
| "$CFUNC" "$CPATH/$CFILE" | "$CFUNC" "$CPATH/$CFILE" | ||||
| done | done | ||||
| cd - | cd - | ||||
| done | done | ||||
| } | } | ||||
| do_list() | do_list() | ||||
| ▲ Show 20 Lines • Show All 79 Lines • ▼ Show 20 Lines | |||||
| usage() | usage() | ||||
| { | { | ||||
| exec >&2 | exec >&2 | ||||
| echo "Manage the TLS trusted certificates on the system" | echo "Manage the TLS trusted certificates on the system" | ||||
| echo " $SCRIPTNAME [-v] list" | echo " $SCRIPTNAME [-v] list" | ||||
| echo " List trusted certificates" | echo " List trusted certificates" | ||||
| echo " $SCRIPTNAME [-v] blacklisted" | echo " $SCRIPTNAME [-v] blacklisted" | ||||
| echo " List blacklisted certificates" | echo " List blacklisted certificates" | ||||
| echo " $SCRIPTNAME [-nv] rehash" | echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash" | ||||
| echo " Generate hash links for all certificates" | echo " Generate hash links for all certificates" | ||||
| echo " $SCRIPTNAME [-nv] blacklist <file>" | echo " $SCRIPTNAME [-nv] blacklist <file>" | ||||
| echo " Add <file> to the list of blacklisted certificates" | echo " Add <file> to the list of blacklisted certificates" | ||||
| echo " $SCRIPTNAME [-nv] unblacklist <file>" | echo " $SCRIPTNAME [-nv] unblacklist <file>" | ||||
| echo " Remove <file> from the list of blacklisted certificates" | echo " Remove <file> from the list of blacklisted certificates" | ||||
| exit 64 | exit 64 | ||||
| } | } | ||||
| ############################################################ MAIN | ############################################################ MAIN | ||||
| while getopts nv flag; do | while getopts D:M:nUv flag; do | ||||
| case "$flag" in | case "$flag" in | ||||
| D) DESTDIR=${OPTARG} ;; | |||||
| M) METALOG=${OPTARG} ;; | |||||
| n) NOOP=1 ;; | n) NOOP=1 ;; | ||||
| U) UNPRIV=1 ;; | |||||
| v) VERBOSE=$(( $VERBOSE + 1 )) ;; | v) VERBOSE=$(( $VERBOSE + 1 )) ;; | ||||
| esac | esac | ||||
| done | done | ||||
| shift $(( $OPTIND - 1 )) | shift $(( $OPTIND - 1 )) | ||||
| : ${METALOG:=${DESTDIR}/METALOG} | |||||
| INSTALLFLAGS= | |||||
| [ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR} | |||||
| : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} | |||||
| : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} | |||||
| : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} | |||||
| : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} | |||||
| [ $# -gt 0 ] || usage | [ $# -gt 0 ] || usage | ||||
| case "$1" in | case "$1" in | ||||
| list) cmd_list ;; | list) cmd_list ;; | ||||
| rehash) cmd_rehash ;; | rehash) cmd_rehash ;; | ||||
| blacklist) cmd_blacklist "$@" ;; | blacklist) cmd_blacklist "$@" ;; | ||||
| unblacklist) cmd_unblacklist "$@" ;; | unblacklist) cmd_unblacklist "$@" ;; | ||||
| blacklisted) cmd_blacklisted ;; | blacklisted) cmd_blacklisted ;; | ||||
| Show All 10 Lines | |||||