usr.sbin/certctl/certctl.sh
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
# POSSIBILITY OF SUCH DAMAGE. | # POSSIBILITY OF SUCH DAMAGE. | ||||
# | # | ||||
# $FreeBSD$ | # $FreeBSD$ | ||||
############################################################ CONFIGURATION | ############################################################ CONFIGURATION | ||||
: ${DESTDIR:=} | : ${DESTDIR:=} | ||||
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} | |||||
: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} | |||||
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} | |||||
: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} | |||||
: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} | : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"} | ||||
: ${VERBOSE:=0} | : ${VERBOSE:=0} | ||||
############################################################ GLOBALS | ############################################################ GLOBALS | ||||
SCRIPTNAME="${0##*/}" | SCRIPTNAME="${0##*/}" | ||||
ERRORS=0 | ERRORS=0 | ||||
NOOP=0 | NOOP=0 | ||||
UNPRIV=0 | |||||
############################################################ FUNCTIONS | ############################################################ FUNCTIONS | ||||
do_hash() | do_hash() | ||||
{ | { | ||||
local hash | local hash | ||||
if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | ||||
Show All 11 Lines | create_trusted_link() | ||||
local hash | local hash | ||||
hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | ||||
echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | ||||
return 1 | return 1 | ||||
fi | fi | ||||
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | ||||
[ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | ||||
} | } | ||||
create_blacklisted() | create_blacklisted() | ||||
{ | { | ||||
local hash srcfile filename | local hash srcfile filename | ||||
# If it exists as a file, we'll try that; otherwise, we'll scan | # If it exists as a file, we'll try that; otherwise, we'll scan | ||||
if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
srcfile=$(realpath "$1") | srcfile=$(realpath "$1") | ||||
filename="$hash.0" | filename="$hash.0" | ||||
elif [ -e "${CERTDESTDIR}/$1" ]; then | elif [ -e "${CERTDESTDIR}/$1" ]; then | ||||
srcfile=$(realpath "${CERTDESTDIR}/$1") | srcfile=$(realpath "${CERTDESTDIR}/$1") | ||||
filename="$1" | filename="$1" | ||||
else | else | ||||
return | return | ||||
fi | fi | ||||
[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | ||||
[ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | ||||
} | } | ||||
do_scan() | do_scan() | ||||
{ | { | ||||
local CFUNC CSEARCH CPATH CFILE | local CFUNC CSEARCH CPATH CFILE | ||||
local oldIFS="$IFS" | local oldIFS="$IFS" | ||||
CFUNC="$1" | CFUNC="$1" | ||||
CSEARCH="$2" | CSEARCH="$2" | ||||
IFS=: | IFS=: | ||||
set -- $CSEARCH | set -- $CSEARCH | ||||
IFS="$oldIFS" | IFS="$oldIFS" | ||||
for CPATH in "$@"; do | for CPATH in "$@"; do | ||||
[ -d "$CPATH" ] || continue | [ -d "$CPATH" ] || continue | ||||
echo "Scanning $CPATH for certificates..." | echo "Scanning $CPATH for certificates..." | ||||
cd "$CPATH" | cd "$CPATH" | ||||
for CFILE in $EXTENSIONS; do | for CFILE in $EXTENSIONS; do | ||||
[ -e "$CFILE" ] || continue | [ -e "$CFILE" && $UNPRIV -eq 0 ] || continue | ||||
[ $VERBOSE -gt 0 ] && echo "Reading $CFILE" | [ $VERBOSE -gt 0 ] && echo "Reading $CFILE" | ||||
"$CFUNC" "$CPATH/$CFILE" | "$CFUNC" "$CPATH/$CFILE" | ||||
done | done | ||||
cd - | cd - | ||||
done | done | ||||
} | } | ||||
do_list() | do_list() | ||||
usage() | usage() | ||||
{ | { | ||||
exec >&2 | exec >&2 | ||||
echo "Manage the TLS trusted certificates on the system" | echo "Manage the TLS trusted certificates on the system" | ||||
echo " $SCRIPTNAME [-v] list" | echo " $SCRIPTNAME [-v] list" | ||||
echo " List trusted certificates" | echo " List trusted certificates" | ||||
echo " $SCRIPTNAME [-v] blacklisted" | echo " $SCRIPTNAME [-v] blacklisted" | ||||
echo " List blacklisted certificates" | echo " List blacklisted certificates" | ||||
echo " $SCRIPTNAME [-nv] rehash" | echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash" | ||||
echo " Generate hash links for all certificates" | echo " Generate hash links for all certificates" | ||||
echo " $SCRIPTNAME [-nv] blacklist <file>" | echo " $SCRIPTNAME [-nv] blacklist <file>" | ||||
echo " Add <file> to the list of blacklisted certificates" | echo " Add <file> to the list of blacklisted certificates" | ||||
echo " $SCRIPTNAME [-nv] unblacklist <file>" | echo " $SCRIPTNAME [-nv] unblacklist <file>" | ||||
echo " Remove <file> from the list of blacklisted certificates" | echo " Remove <file> from the list of blacklisted certificates" | ||||
exit 64 | exit 64 | ||||
} | } | ||||
############################################################ MAIN | ############################################################ MAIN | ||||
while getopts nv flag; do | while getopts D:M:nUv flag; do | ||||
case "$flag" in | case "$flag" in | ||||
D) DESTDIR=${OPTARG} ;; | |||||
M) METALOG=${OPTARG} ;; | |||||
n) NOOP=1 ;; | n) NOOP=1 ;; | ||||
U) UNPRIV=1 ;; | |||||
v) VERBOSE=$(( $VERBOSE + 1 )) ;; | v) VERBOSE=$(( $VERBOSE + 1 )) ;; | ||||
esac | esac | ||||
done | done | ||||
shift $(( $OPTIND - 1 )) | shift $(( $OPTIND - 1 )) | ||||
: ${METALOG:=${DESTDIR}/METALOG} | |||||
INSTALLFLAGS= | |||||
[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR} | |||||
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs} | |||||
: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted} | |||||
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs} | |||||
: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted} | |||||
[ $# -gt 0 ] || usage | [ $# -gt 0 ] || usage | ||||
case "$1" in | case "$1" in | ||||
list) cmd_list ;; | list) cmd_list ;; | ||||
rehash) cmd_rehash ;; | rehash) cmd_rehash ;; | ||||
blacklist) cmd_blacklist "$@" ;; | blacklist) cmd_blacklist "$@" ;; | ||||
unblacklist) cmd_unblacklist "$@" ;; | unblacklist) cmd_unblacklist "$@" ;; | ||||
blacklisted) cmd_blacklisted ;; | blacklisted) cmd_blacklisted ;; | ||||
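Review bot: The new `[ $UNPRIV -eq 1 ] && INSTALLFLAGS=-U -M ${METALOG} -D ${DESTDIR}` in the MAIN section does not assign the flags: sh reads `INSTALLFLAGS=-U` as a one-command environment prefix for a command named `-M`, so under `-U` the script reports a command-not-found error and `install ${INSTALLFLAGS} -lrs ...` in create_trusted_link and create_blacklisted still runs without `-U -M -D`, writing links into the real destination instead of recording them in the metalog; it needs quoting, `INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"`. The new `[ -e "$CFILE" && $UNPRIV -eq 0 ] || continue` in do_scan is not valid test syntax: the shell runs `[ -e "$CFILE"` (missing `]`, fails) and then `continue`, so do_scan processes no certificates regardless of `UNPRIV`; keep the existence check as its own command, `[ -e "$CFILE" ] || continue`, and express whatever the `UNPRIV` condition was meant to do as a separate test, since as a conjunction it would make `-U rehash` skip every file. Because `${INSTALLFLAGS}` is deliberately left unquoted to be word-split at the install calls, a `-D` or `-M` value containing spaces will break the install invocation; a comment stating that limitation next to the assignment would help, given the script is /bin/sh without arrays.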