blob: 6620fdcb53f795b7ee4b6e2ecc3ccc389c70326a [file] [log] [blame]
Brad Bishopd7bf8c12018-02-25 22:55:05 -05001#!/bin/sh
2#
3# Ben Secrest <blsecres@gmail.com>
4#
5# sh c_rehash script, scan all files in a directory
6# and add symbolic links to their hash values.
7#
8# based on the c_rehash perl script distributed with openssl
9#
10# LICENSE: See OpenSSL license
11# ^^acceptable?^^
12#
13
14# default certificate location
15DIR=/etc/openssl
16
17# for filetype bitfield
18IS_CERT=$(( 1 << 0 ))
19IS_CRL=$(( 1 << 1 ))
20
21
22# check to see if a file is a certificate file or a CRL file
23# arguments:
24# 1. the filename to be scanned
25# returns:
26# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
27#
28check_file()
29{
30 local IS_TYPE=0
31
32 # make IFS a newline so we can process grep output line by line
33 local OLDIFS=${IFS}
34 IFS=$( printf "\n" )
35
36 # XXX: could be more efficient to have two 'grep -m' but is -m portable?
37 for LINE in $( grep '^-----BEGIN .*-----' ${1} )
38 do
39 if echo ${LINE} \
40 | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
41 then
42 IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
43
44 if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
45 then
46 break
47 fi
48 elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
49 then
50 IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
51
52 if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
53 then
54 break
55 fi
56 fi
57 done
58
59 # restore IFS
60 IFS=${OLDIFS}
61
62 return ${IS_TYPE}
63}
64
65
66#
67# use openssl to fingerprint a file
68# arguments:
69# 1. the filename to fingerprint
70# 2. the method to use (x509, crl)
71# returns:
72# none
73# assumptions:
74# user will capture output from last stage of pipeline
75#
76fingerprint()
77{
78 ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
79}
80
81
82#
83# link_hash - create links to certificate files
84# arguments:
85# 1. the filename to create a link for
86# 2. the type of certificate being linked (x509, crl)
87# returns:
88# 0 on success, 1 otherwise
89#
90link_hash()
91{
92 local FINGERPRINT=$( fingerprint ${1} ${2} )
93 local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
94 local SUFFIX=0
95 local LINKFILE=''
96 local TAG=''
97
98 if [ ${2} = "crl" ]
99 then
100 TAG='r'
101 fi
102
103 LINKFILE=${HASH}.${TAG}${SUFFIX}
104
105 while [ -f ${LINKFILE} ]
106 do
107 if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
108 then
109 echo "NOTE: Skipping duplicate file ${1}" >&2
110 return 1
111 fi
112
113 SUFFIX=$(( ${SUFFIX} + 1 ))
114 LINKFILE=${HASH}.${TAG}${SUFFIX}
115 done
116
117 echo "${3} => ${LINKFILE}"
118
119 # assume any system with a POSIX shell will either support symlinks or
120 # do something to handle this gracefully
121 ln -s ${3} ${LINKFILE}
122
123 return 0
124}
125
126
127# hash_dir create hash links in a given directory
128hash_dir()
129{
130 echo "Doing ${1}"
131
132 cd ${1}
133
134 ls -1 * 2>/dev/null | while read FILE
135 do
136 if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
137 && [ -h "${FILE}" ]
138 then
139 rm ${FILE}
140 fi
141 done
142
143 ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
144 do
145 REAL_FILE=${FILE}
146 # if we run on build host then get to the real files in rootfs
147 if [ -n "${SYSROOT}" -a -h ${FILE} ]
148 then
149 FILE=$( readlink ${FILE} )
150 # check the symlink is absolute (or dangling in other word)
151 if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
152 then
153 REAL_FILE=${SYSROOT}/${FILE}
154 fi
155 fi
156
157 check_file ${REAL_FILE}
158 local FILE_TYPE=${?}
159 local TYPE_STR=''
160
161 if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
162 then
163 TYPE_STR='x509'
164 elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
165 then
166 TYPE_STR='crl'
167 else
168 echo "NOTE: ${FILE} does not contain a certificate or CRL: skipping" >&2
169 continue
170 fi
171
172 link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
173 done
174}
175
176
177# choose the name of an ssl application
178if [ -n "${OPENSSL}" ]
179then
180 SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
181else
182 SSL_CMD=/usr/bin/openssl
183 OPENSSL=${SSL_CMD}
184 export OPENSSL
185fi
186
187# fix paths
188PATH=${PATH}:${DIR}/bin
189export PATH
190
191# confirm existance/executability of ssl command
192if ! [ -x ${SSL_CMD} ]
193then
194 echo "${0}: rehashing skipped ('openssl' program not available)" >&2
195 exit 0
196fi
197
198# determine which directories to process
199old_IFS=$IFS
200if [ ${#} -gt 0 ]
201then
202 IFS=':'
203 DIRLIST=${*}
204elif [ -n "${SSL_CERT_DIR}" ]
205then
206 DIRLIST=$SSL_CERT_DIR
207else
208 DIRLIST=${DIR}/certs
209fi
210
211IFS=':'
212
213# process directories
214for CERT_DIR in ${DIRLIST}
215do
216 if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
217 then
218 IFS=$old_IFS
219 hash_dir ${CERT_DIR}
220 IFS=':'
221 fi
222done