certctl.sh (365680) | certctl.sh (365681) |
---|---|
1#!/bin/sh 2#- 3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4# 5# Copyright 2018 Allan Jude <allanjude@freebsd.org> 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted providing that the following conditions --- 11 unchanged lines hidden (view full) --- 20# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26# POSSIBILITY OF SUCH DAMAGE. 27# | 1#!/bin/sh 2#- 3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD 4# 5# Copyright 2018 Allan Jude <allanjude@freebsd.org> 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted providing that the following conditions --- 11 unchanged lines hidden (view full) --- 20# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26# POSSIBILITY OF SUCH DAMAGE. 27# |
28# $FreeBSD: stable/11/usr.sbin/certctl/certctl.sh 365680 2020-09-13 01:08:18Z kevans $ | 28# $FreeBSD: stable/11/usr.sbin/certctl/certctl.sh 365681 2020-09-13 01:09:22Z kevans $ |
29 30############################################################ CONFIGURATION 31 32: ${DESTDIR:=} | 29 30############################################################ CONFIGURATION 31 32: ${DESTDIR:=} |
33: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$|\.0$"} | 33: ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$"} |
34: ${VERBOSE:=0} 35 36############################################################ GLOBALS 37 38SCRIPTNAME="${0##*/}" 39ERRORS=0 40NOOP=0 41UNPRIV=0 --- 9 unchanged lines hidden (view full) --- 51 return 0 52 else 53 echo "Error: $1" >&2 54 ERRORS=$(( $ERRORS + 1 )) 55 return 1 56 fi 57} 58 | 34: ${VERBOSE:=0} 35 36############################################################ GLOBALS 37 38SCRIPTNAME="${0##*/}" 39ERRORS=0 40NOOP=0 41UNPRIV=0 --- 9 unchanged lines hidden (view full) --- 51 return 0 52 else 53 echo "Error: $1" >&2 54 ERRORS=$(( $ERRORS + 1 )) 55 return 1 56 fi 57} 58 |
59get_decimal() 60{ 61 local checkdir hash decimal 62 63 checkdir=$1 64 hash=$2 65 decimal=0 66 67 while [ -e "$checkdir/$hash.$decimal" ]; do 68 decimal=$((decimal + 1)) 69 done 70 71 echo ${decimal} 72 return 0 73} 74 |
|
59create_trusted_link() 60{ | 75create_trusted_link() 76{ |
61 local hash | 77 local blisthash certhash hash 78 local suffix |
62 63 hash=$( do_hash "$1" ) || return | 79 80 hash=$( do_hash "$1" ) || return |
64 if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then 65 echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)" 66 return 1 67 fi 68 [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store" 69 [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0" | 81 certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint ) 82 for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do 83 blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) 84 if [ "$certhash" = "$blisthash" ]; then 85 echo "Skipping blacklisted certificate $1 ($blistfile)" 86 return 1 87 fi 88 done 89 suffix=$(get_decimal "$CERTDESTDIR" "$hash") 90 [ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store" 91 [ $NOOP -eq 0 ] && \ 92 install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix" |
70} 71 72create_blacklisted() 73{ 74 local hash srcfile filename | 93} 94 95create_blacklisted() 96{ 97 local hash srcfile filename |
98 local suffix |
|
75 76 # If it exists as a file, we'll try that; otherwise, we'll scan 77 if [ -e "$1" ]; then 78 hash=$( do_hash "$1" ) || return 79 srcfile=$(realpath "$1") | 99 100 # If it exists as a file, we'll try that; otherwise, we'll scan 101 if [ -e "$1" ]; then 102 hash=$( do_hash "$1" ) || return 103 srcfile=$(realpath "$1") |
80 filename="$hash.0" | 104 suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") 105 filename="$hash.$suffix" |
81 elif [ -e "${CERTDESTDIR}/$1" ]; then 82 srcfile=$(realpath "${CERTDESTDIR}/$1") | 106 elif [ -e "${CERTDESTDIR}/$1" ]; then 107 srcfile=$(realpath "${CERTDESTDIR}/$1") |
83 filename="$1" | 108 hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') 109 suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash") 110 filename="$hash.$suffix" |
84 else 85 return 86 fi 87 [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" 88 [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" 89} 90 91do_scan() --- 18 unchanged lines hidden (view full) --- 110} 111 112do_list() 113{ 114 local CFILE subject 115 116 if [ -e "$1" ]; then 117 cd "$1" | 111 else 112 return 113 fi 114 [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist" 115 [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename" 116} 117 118do_scan() --- 18 unchanged lines hidden (view full) --- 137} 138 139do_list() 140{ 141 local CFILE subject 142 143 if [ -e "$1" ]; then 144 cd "$1" |
118 for CFILE in *.0; do | 145 for CFILE in *.[0-9]; do |
119 if [ ! -s "$CFILE" ]; then 120 echo "Unable to read $CFILE" >&2 121 ERRORS=$(( $ERRORS + 1 )) 122 continue 123 fi 124 subject= 125 if [ $VERBOSE -eq 0 ]; then 126 subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | --- 42 unchanged lines hidden (view full) --- 169 for BFILE in "$@"; do 170 echo "Adding $BFILE to blacklist" 171 create_blacklisted "$BFILE" 172 done 173} 174 175cmd_unblacklist() 176{ | 146 if [ ! -s "$CFILE" ]; then 147 echo "Unable to read $CFILE" >&2 148 ERRORS=$(( $ERRORS + 1 )) 149 continue 150 fi 151 subject= 152 if [ $VERBOSE -eq 0 ]; then 153 subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | --- 42 unchanged lines hidden (view full) --- 196 for BFILE in "$@"; do 197 echo "Adding $BFILE to blacklist" 198 create_blacklisted "$BFILE" 199 done 200} 201 202cmd_unblacklist() 203{ |
177 local BFILE hash | 204 local BFILE blisthash certhash hash |
178 179 shift # verb 180 for BFILE in "$@"; do 181 if [ -s "$BFILE" ]; then 182 hash=$( do_hash "$BFILE" ) | 205 206 shift # verb 207 for BFILE in "$@"; do 208 if [ -s "$BFILE" ]; then 209 hash=$( do_hash "$BFILE" ) |
183 echo "Removing $hash.0 from blacklist" 184 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0" | 210 certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint ) 211 for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do 212 blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint ) 213 if [ "$certhash" = "$blisthash" ]; then 214 echo "Removing $(basename "$BLISTEDFILE") from blacklist" 215 [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE 216 fi 217 done |
185 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then 186 echo "Removing $BFILE from blacklist" 187 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" 188 else 189 echo "Cannot find $BFILE" >&2 190 ERRORS=$(( $ERRORS + 1 )) 191 fi 192 done --- 63 unchanged lines hidden --- | 218 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then 219 echo "Removing $BFILE from blacklist" 220 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE" 221 else 222 echo "Cannot find $BFILE" >&2 223 ERRORS=$(( $ERRORS + 1 )) 224 fi 225 done --- 63 unchanged lines hidden --- |
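Review bot: In create_trusted_link (new line 83) and cmd_unblacklist (new line 212) the SHA-1 fingerprint of each blacklist entry is captured without checking openssl's exit status, so an entry openssl cannot parse (presumably a dangling symlink left behind by the `install -lrs` link once its source file is gone) yields an empty blisthash that never equals certhash, and the blacklist silently stops applying to that entry — the check fails open. Treat a failed fingerprint as an error rather than a non-match, e.g. `blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint ) || { echo "Error: cannot read blacklist entry $blistfile" >&2; return 1; }`, and guard the certhash assignment on line 81 the same way so an unreadable candidate is not compared against an empty string. The loops `for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*")` (lines 82 and 211) and `rm -f $BLISTEDFILE` (line 215) word-split the paths, and DESTDIR is operator-supplied, so quote the directory and iterate with `find ... -exec` or a `while read -r` loop instead of command substitution. Separately, do_list's new glob `*.[0-9]` on line 145 matches only single-digit suffixes while get_decimal can produce `.10` and above, so the listing would omit those entries; `*.[0-9]*` (or a regex-based filter) would match what get_decimal can create.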