1#!/usr/bin/perl 2 3 4# Perl c_rehash script, scan all files in a directory 5# and add symbolic links to their hash values. 6 7my $openssl; 8 9my $dir = "/etc"; 10my $prefix = "/etc"; 11 12if(defined $ENV{OPENSSL}) { 13 $openssl = $ENV{OPENSSL}; 14} else { 15 $openssl = "openssl"; 16 $ENV{OPENSSL} = $openssl; 17} 18 19my $pwd; 20eval "require Cwd"; 21if (defined(&Cwd::getcwd)) { 22 $pwd=Cwd::getcwd(); 23} else { 24 $pwd=`pwd`; chomp($pwd); 25} 26my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter? 27 28$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path 29 30if(! -x $openssl) { 31 my $found = 0; 32 foreach (split /$path_delim/, $ENV{PATH}) { 33 if(-x "$_/$openssl") { 34 $found = 1; 35 $openssl = "$_/$openssl"; 36 last; 37 } 38 } 39 if($found == 0) { 40 print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; 41 exit 0; 42 } 43} 44 45if(@ARGV) { 46 @dirlist = @ARGV; 47} elsif($ENV{SSL_CERT_DIR}) { 48 @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; 49} else { 50 $dirlist[0] = "$dir/certs"; 51} 52 53if (-d $dirlist[0]) { 54 chdir $dirlist[0]; 55 $openssl="$pwd/$openssl" if (!-x $openssl); 56 chdir $pwd; 57} 58 59foreach (@dirlist) { 60 if(-d $_ and -w $_) { 61 hash_dir($_); 62 } 63} 64 65sub hash_dir { 66 my %hashlist; 67 print "Doing $_[0]\n"; 68 chdir $_[0]; 69 opendir(DIR, "."); 70 my @flist = readdir(DIR); 71 # Delete any existing symbolic links 72 foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { 73 if(-l $_) { 74 unlink $_; 75 } 76 } 77 closedir DIR; 78 FILE: foreach $fname (grep {/\.pem$/} @flist) { 79 # Check to see if certificates and/or CRLs present. 80 my ($cert, $crl) = check_file($fname); 81 if(!$cert && !$crl) { 82 print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; 83 next; 84 } 85 link_hash_cert($fname) if($cert); 86 link_hash_crl($fname) if($crl); 87 } 88} 89 90sub check_file { 91 my ($is_cert, $is_crl) = (0,0); 92 my $fname = $_[0]; 93 open IN, $fname; 94 while(<IN>) { 95 if(/^-----BEGIN (.*)-----/) { 96 my $hdr = $1; 97 if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { 98 $is_cert = 1; 99 last if($is_crl); 100 } elsif($hdr eq "X509 CRL") { 101 $is_crl = 1; 102 last if($is_cert); 103 } 104 } 105 } 106 close IN; 107 return ($is_cert, $is_crl); 108} 109 110 111# Link a certificate to its subject name hash value, each hash is of 112# the form <hash>.<n> where n is an integer. If the hash value already exists 113# then we need to up the value of n, unless its a duplicate in which 114# case we skip the link. We check for duplicates by comparing the 115# certificate fingerprints 116 117sub link_hash_cert { 118 my $fname = $_[0]; 119 $fname =~ s/'/'\\''/g; 120 my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; 121 chomp $hash; 122 chomp $fprint; 123 $fprint =~ s/^.*=//; 124 $fprint =~ tr/://d; 125 my $suffix = 0; 126 # Search for an unused hash filename 127 while(exists $hashlist{"$hash.$suffix"}) { 128 # Hash matches: if fingerprint matches its a duplicate cert 129 if($hashlist{"$hash.$suffix"} eq $fprint) { 130 print STDERR "WARNING: Skipping duplicate certificate $fname\n"; 131 return; 132 } 133 $suffix++; 134 } 135 $hash .= ".$suffix"; 136 print "$fname => $hash\n"; 137 $symlink_exists=eval {symlink("",""); 1}; 138 if ($symlink_exists) { 139 symlink $fname, $hash; 140 } else { 141 open IN,"<$fname" or die "can't open $fname for read"; 142 open OUT,">$hash" or die "can't open $hash for write"; 143 print OUT <IN>; # does the job for small text files 144 close OUT; 145 close IN; 146 } 147 $hashlist{$hash} = $fprint; 148} 149 150# Same as above except for a CRL. CRL links are of the form <hash>.r<n> 151 152sub link_hash_crl { 153 my $fname = $_[0]; 154 $fname =~ s/'/'\\''/g; 155 my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; 156 chomp $hash; 157 chomp $fprint; 158 $fprint =~ s/^.*=//; 159 $fprint =~ tr/://d; 160 my $suffix = 0; 161 # Search for an unused hash filename 162 while(exists $hashlist{"$hash.r$suffix"}) { 163 # Hash matches: if fingerprint matches its a duplicate cert 164 if($hashlist{"$hash.r$suffix"} eq $fprint) { 165 print STDERR "WARNING: Skipping duplicate CRL $fname\n"; 166 return; 167 } 168 $suffix++; 169 } 170 $hash .= ".r$suffix"; 171 print "$fname => $hash\n"; 172 $symlink_exists=eval {symlink("",""); 1}; 173 if ($symlink_exists) { 174 symlink $fname, $hash; 175 } else { 176 system ("cp", $fname, $hash); 177 } 178 $hashlist{$hash} = $fprint; 179} 180 181