Changeset View
Changeset View
Standalone View
Standalone View
usr.sbin/certctl/certctl.sh
| Show All 24 Lines | |||||
| # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
| # POSSIBILITY OF SUCH DAMAGE. | # POSSIBILITY OF SUCH DAMAGE. | ||||
| # | # | ||||
| # $FreeBSD$ | # $FreeBSD$ | ||||
| ############################################################ CONFIGURATION | ############################################################ CONFIGURATION | ||||
| : ${DESTDIR:=} | : ${DESTDIR:=} | ||||
| : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"} | : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$"} | ||||
michaelo: `\.[0-9]` should be dropped because this is the output form, it should not be an input form. | |||||
| : ${VERBOSE:=0} | : ${VERBOSE:=0} | ||||
| ############################################################ GLOBALS | ############################################################ GLOBALS | ||||
| SCRIPTNAME="${0##*/}" | SCRIPTNAME="${0##*/}" | ||||
| ERRORS=0 | ERRORS=0 | ||||
| NOOP=0 | NOOP=0 | ||||
| UNPRIV=0 | UNPRIV=0 | ||||
| Show All 9 Lines | if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | ||||
| return 0 | return 0 | ||||
| else | else | ||||
| echo "Error: $1" >&2 | echo "Error: $1" >&2 | ||||
| ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
| return 1 | return 1 | ||||
| fi | fi | ||||
| } | } | ||||
| get_decimal() | |||||
| { | |||||
| local checkdir hash decimal | |||||
| checkdir=$1 | |||||
| hash=$2 | |||||
| decimal=0 | |||||
| while [ -e "$checkdir/$hash.$decimal" ]; do | |||||
| decimal=$((decimal + 1)) | |||||
| done | |||||
| echo ${decimal} | |||||
| return 0 | |||||
| } | |||||
| create_trusted_link() | create_trusted_link() | ||||
| { | { | ||||
| local hash | local blisthash certhash hash | ||||
| local suffix | |||||
| hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
| if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) | ||||
| echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do | ||||
Done Inline ActionsThe diff is really a band-aid because any kind of information can precede the BEGIN CERTIFICATE block. At best, certificate hash *not* subject hash is used to compare certs. openssl can write them out I guess. michaelo: The diff is really a band-aid because any kind of information can precede the `BEGIN… | |||||
Done Inline ActionsYes, this is intended to be a horrible looking band-aid that ends up being pretty fragile to boot. I wasn't sure how to get openssl to write out the certificate hash, the usage is pretty rough for me to figure out. kevans: Yes, this is intended to be a horrible looking band-aid that ends up being pretty fragile to… | |||||
| blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) | |||||
| if [ "$certhash" = "$blisthash" ]; then | |||||
| echo "Skipping blacklisted certificate $1 ($blistfile)" | |||||
| return 1 | return 1 | ||||
| fi | fi | ||||
| [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | done | ||||
| [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | suffix=$(get_decimal "$CERTDESTDIR" "$hash") | ||||
| [ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store" | |||||
| [ $NOOP -eq 0 ] && \ | |||||
| install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix" | |||||
| } | } | ||||
| create_blacklisted() | create_blacklisted() | ||||
| { | { | ||||
| local hash srcfile filename | local hash srcfile filename | ||||
| local suffix | |||||
| # If it exists as a file, we'll try that; otherwise, we'll scan | # If it exists as a file, we'll try that; otherwise, we'll scan | ||||
| if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
| hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
| srcfile=$(realpath "$1") | srcfile=$(realpath "$1") | ||||
| filename="$hash.0" | suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") | ||||
| filename="$hash.$suffix" | |||||
| elif [ -e "${CERTDESTDIR}/$1" ]; then | elif [ -e "${CERTDESTDIR}/$1" ]; then | ||||
| srcfile=$(realpath "${CERTDESTDIR}/$1") | srcfile=$(realpath "${CERTDESTDIR}/$1") | ||||
| filename="$1" | hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') | ||||
| suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") | |||||
| filename="$hash.$suffix" | |||||
| else | else | ||||
| return | return | ||||
| fi | fi | ||||
| [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | ||||
| [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | ||||
| } | } | ||||
| do_scan() | do_scan() | ||||
| Show All 18 Lines | |||||
| } | } | ||||
| do_list() | do_list() | ||||
| { | { | ||||
| local CFILE subject | local CFILE subject | ||||
| if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
| cd "$1" | cd "$1" | ||||
| for CFILE in *.0; do | for CFILE in *.[0-9]; do | ||||
| if [ ! -s "$CFILE" ]; then | if [ ! -s "$CFILE" ]; then | ||||
| echo "Unable to read $CFILE" >&2 | echo "Unable to read $CFILE" >&2 | ||||
| ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
| continue | continue | ||||
| fi | fi | ||||
| subject= | subject= | ||||
| if [ $VERBOSE -eq 0 ]; then | if [ $VERBOSE -eq 0 ]; then | ||||
| subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | | subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | | ||||
| ▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines | cmd_blacklist() | ||||
| for BFILE in "$@"; do | for BFILE in "$@"; do | ||||
| echo "Adding $BFILE to blacklist" | echo "Adding $BFILE to blacklist" | ||||
| create_blacklisted "$BFILE" | create_blacklisted "$BFILE" | ||||
| done | done | ||||
| } | } | ||||
| cmd_unblacklist() | cmd_unblacklist() | ||||
| { | { | ||||
| local BFILE hash | local BFILE blisthash certhash hash | ||||
| shift # verb | shift # verb | ||||
| for BFILE in "$@"; do | for BFILE in "$@"; do | ||||
| if [ -s "$BFILE" ]; then | if [ -s "$BFILE" ]; then | ||||
| hash=$( do_hash "$BFILE" ) | hash=$( do_hash "$BFILE" ) | ||||
| echo "Removing $hash.0 from blacklist" | certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) | ||||
| [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0" | for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do | ||||
Done Inline ActionsSame as above. michaelo: Same as above. | |||||
| blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) | |||||
| if [ "$certhash" = "$blisthash" ]; then | |||||
| echo "Removing $(basename "$BLISTEDFILE") from blacklist" | |||||
| [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE | |||||
| fi | |||||
| done | |||||
| elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then | elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then | ||||
| echo "Removing $BFILE from blacklist" | echo "Removing $BFILE from blacklist" | ||||
| [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" | [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" | ||||
| else | else | ||||
| echo "Cannot find $BFILE" >&2 | echo "Cannot find $BFILE" >&2 | ||||
| ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
| fi | fi | ||||
| done | done | ||||
| ▲ Show 20 Lines • Show All 63 Lines • Show Last 20 Lines | |||||
\.[0-9] should be dropped because this is the output form, it should not be an input form. Same as with c_rehash.