usr.sbin/certctl/certctl.sh
# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | ||||
# POSSIBILITY OF SUCH DAMAGE. | # POSSIBILITY OF SUCH DAMAGE. | ||||
# | # | ||||
# $FreeBSD$ | # $FreeBSD$ | ||||
############################################################ CONFIGURATION | ############################################################ CONFIGURATION | ||||
: ${DESTDIR:=} | : ${DESTDIR:=} | ||||
: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"} | : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$"} | ||||
michaelo: `\.[0-9]` should be dropped because this is the output form, it should not be an input form. | |||||
: ${VERBOSE:=0} | : ${VERBOSE:=0} | ||||
############################################################ GLOBALS | ############################################################ GLOBALS | ||||
SCRIPTNAME="${0##*/}" | SCRIPTNAME="${0##*/}" | ||||
ERRORS=0 | ERRORS=0 | ||||
NOOP=0 | NOOP=0 | ||||
UNPRIV=0 | UNPRIV=0 | ||||
Show All 9 Lines | if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then | ||||
return 0 | return 0 | ||||
else | else | ||||
echo "Error: $1" >&2 | echo "Error: $1" >&2 | ||||
ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
return 1 | return 1 | ||||
fi | fi | ||||
} | } | ||||
get_decimal() | |||||
{ | |||||
local checkdir hash decimal | |||||
checkdir=$1 | |||||
hash=$2 | |||||
decimal=0 | |||||
while [ -e "$checkdir/$hash.$decimal" ]; do | |||||
decimal=$((decimal + 1)) | |||||
done | |||||
echo ${decimal} | |||||
return 0 | |||||
} | |||||
create_trusted_link() | create_trusted_link() | ||||
{ | { | ||||
local hash | local blisthash certhash hash | ||||
local suffix | |||||
hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then | certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) | ||||
echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" | for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do | ||||
Done Inline ActionsThe diff is really a band-aid because any kind of information can precede the BEGIN CERTIFICATE block. At best, certificate hash *not* subject hash is used to compare certs. openssl can write them out I guess. michaelo: The diff is really a band-aid because any kind of information can precede the `BEGIN… | |||||
Done Inline ActionsYes, this is intended to be a horrible looking band-aid that ends up being pretty fragile to boot. I wasn't sure how to get openssl to write out the certificate hash, the usage is pretty rough for me to figure out. kevans: Yes, this is intended to be a horrible looking band-aid that ends up being pretty fragile to… | |||||
blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) | |||||
if [ "$certhash" = "$blisthash" ]; then | |||||
echo "Skipping blacklisted certificate $1 ($blistfile)" | |||||
return 1 | return 1 | ||||
fi | fi | ||||
[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" | done | ||||
[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | suffix=$(get_decimal "$CERTDESTDIR" "$hash") | ||||
[ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store" | |||||
[ $NOOP -eq 0 ] && \ | |||||
install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix" | |||||
} | } | ||||
create_blacklisted() | create_blacklisted() | ||||
{ | { | ||||
local hash srcfile filename | local hash srcfile filename | ||||
local suffix | |||||
# If it exists as a file, we'll try that; otherwise, we'll scan | # If it exists as a file, we'll try that; otherwise, we'll scan | ||||
if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
hash=$( do_hash "$1" ) || return | hash=$( do_hash "$1" ) || return | ||||
srcfile=$(realpath "$1") | srcfile=$(realpath "$1") | ||||
filename="$hash.0" | suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") | ||||
filename="$hash.$suffix" | |||||
elif [ -e "${CERTDESTDIR}/$1" ]; then | elif [ -e "${CERTDESTDIR}/$1" ]; then | ||||
srcfile=$(realpath "${CERTDESTDIR}/$1") | srcfile=$(realpath "${CERTDESTDIR}/$1") | ||||
filename="$1" | hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') | ||||
suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") | |||||
filename="$hash.$suffix" | |||||
else | else | ||||
return | return | ||||
fi | fi | ||||
[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" | ||||
[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" | ||||
} | } | ||||
do_scan() | do_scan() | ||||
} | } | ||||
do_list() | do_list() | ||||
{ | { | ||||
local CFILE subject | local CFILE subject | ||||
if [ -e "$1" ]; then | if [ -e "$1" ]; then | ||||
cd "$1" | cd "$1" | ||||
for CFILE in *.0; do | for CFILE in *.[0-9]; do | ||||
if [ ! -s "$CFILE" ]; then | if [ ! -s "$CFILE" ]; then | ||||
echo "Unable to read $CFILE" >&2 | echo "Unable to read $CFILE" >&2 | ||||
ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
continue | continue | ||||
fi | fi | ||||
subject= | subject= | ||||
if [ $VERBOSE -eq 0 ]; then | if [ $VERBOSE -eq 0 ]; then | ||||
subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | | subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | | ||||
▲ Show 20 Lines • Show All 42 Lines • ▼ Show 20 Lines | cmd_blacklist() | ||||
for BFILE in "$@"; do | for BFILE in "$@"; do | ||||
echo "Adding $BFILE to blacklist" | echo "Adding $BFILE to blacklist" | ||||
create_blacklisted "$BFILE" | create_blacklisted "$BFILE" | ||||
done | done | ||||
} | } | ||||
cmd_unblacklist() | cmd_unblacklist() | ||||
{ | { | ||||
local BFILE hash | local BFILE blisthash certhash hash | ||||
shift # verb | shift # verb | ||||
for BFILE in "$@"; do | for BFILE in "$@"; do | ||||
if [ -s "$BFILE" ]; then | if [ -s "$BFILE" ]; then | ||||
hash=$( do_hash "$BFILE" ) | hash=$( do_hash "$BFILE" ) | ||||
echo "Removing $hash.0 from blacklist" | certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) | ||||
[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0" | for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do | ||||
Done Inline ActionsSame as above. michaelo: Same as above. | |||||
blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) | |||||
if [ "$certhash" = "$blisthash" ]; then | |||||
echo "Removing $(basename "$BLISTEDFILE") from blacklist" | |||||
[ $NOOP -eq 0 ] && rm -f $BLISTEDFILE | |||||
fi | |||||
done | |||||
elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then | elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then | ||||
echo "Removing $BFILE from blacklist" | echo "Removing $BFILE from blacklist" | ||||
[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" | [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" | ||||
else | else | ||||
echo "Cannot find $BFILE" >&2 | echo "Cannot find $BFILE" >&2 | ||||
ERRORS=$(( $ERRORS + 1 )) | ERRORS=$(( $ERRORS + 1 )) | ||||
fi | fi | ||||
done | done | ||||
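Review bot: The fingerprint that decides whether a certificate is blacklisted is taken without checking openssl's exit status, at `certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )` in create_trusted_link and again in cmd_unblacklist, so a failed run leaves an empty string that is then compared against each blacklist entry's fingerprint (itself unchecked), and a malformed input paired with a dangling blacklist symlink compares equal while a readable input paired with a broken entry silently never matches. Following the existing do_hash pattern with `|| return` on the candidate's fingerprint and `|| continue` on each blacklist entry keeps the skip/remove decision tied to a fingerprint that was actually computed; whether a broken blacklist entry should also bump ERRORS is a policy call I would make explicit in a comment. The same two loops iterate `$(find $BLACKLISTDESTDIR -name "$hash.*")` unquoted, cmd_unblacklist runs `rm -f $BLISTEDFILE` unquoted, and `blistfile`/`BLISTEDFILE` are missing from the `local` lists; a POSIX glob with an `-e` guard removes the word-splitting and the fork, assuming blacklist entries live directly in $BLACKLISTDESTDIR as the `install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"` line suggests, since find would also descend into subdirectories. The closing brace of cmd_unblacklist lies outside the hunk.
```shell
	hash=$( do_hash "$1" ) || return
	certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) || return
	for blistfile in "$BLACKLISTDESTDIR/$hash".*; do
		# Unmatched glob leaves the literal pattern behind; skip it.
		[ -e "$blistfile" ] || continue
		blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) || continue
		# … unchanged: fingerprint comparison, skip message and return 1 …
	done
```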
\.[0-9] should be dropped because this is the output form, it should not be an input form. Same as with c_rehash.