1#!/bin/sh 2#- 3# SPDX-License-Identifier: BSD-2-Clause 4# 5# Copyright 2018 Allan Jude <allanjude@freebsd.org> 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted providing that the following conditions 9# are met: 10# 1. Redistributions of source code must retain the above copyright 11# notice, this list of conditions and the following disclaimer. 12# 2. Redistributions in binary form must reproduce the above copyright 13# notice, this list of conditions and the following disclaimer in the 14# documentation and/or other materials provided with the distribution. 15# 16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 17# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 18# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 20# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 24# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 25# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26# POSSIBILITY OF SUCH DAMAGE. 27# 28 29set -u 30 31############################################################ CONFIGURATION 32 33: ${DESTDIR:=} 34: ${DISTBASE:=} 35 36############################################################ GLOBALS 37 38SCRIPTNAME="${0##*/}" 39ERRORS=0 40NOOP=false 41UNPRIV=false 42VERBOSE=false 43 44############################################################ FUNCTIONS 45 46info() 47{ 48 echo "${0##*/}: $@" >&2 49} 50 51verbose() 52{ 53 if "${VERBOSE}" ; then 54 info "$@" 55 fi 56} 57 58perform() 59{ 60 if ! "${NOOP}" ; then 61 "$@" 62 fi 63} 64 65cert_files_in() 66{ 67 find -L "$@" -type f \( \ 68 -name '*.pem' -or \ 69 -name '*.crt' -or \ 70 -name '*.cer' \ 71 \) 2>/dev/null 72} 73 74eolcvt() 75{ 76 cat "$@" | tr -s '\r' '\n' 77} 78 79do_hash() 80{ 81 local hash 82 83 if hash=$(openssl x509 -noout -subject_hash -in "$1") ; then 84 echo "$hash" 85 return 0 86 else 87 info "Error: $1" 88 ERRORS=$((ERRORS + 1)) 89 return 1 90 fi 91} 92 93get_decimal() 94{ 95 local checkdir hash decimal 96 97 checkdir=$1 98 hash=$2 99 decimal=0 100 101 while [ -e "$checkdir/$hash.$decimal" ] ; do 102 decimal=$((decimal + 1)) 103 done 104 105 echo ${decimal} 106 return 0 107} 108 109create_trusted() 110{ 111 local hash certhash otherfile otherhash 112 local suffix 113 local link=${2:+-lrs} 114 115 hash=$(do_hash "$1") || return 116 certhash=$(openssl x509 -sha1 -in "$1" -noout -fingerprint) 117 for otherfile in $(find $UNTRUSTDESTDIR -name "$hash.*") ; do 118 otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint) 119 if [ "$certhash" = "$otherhash" ] ; then 120 info "Skipping untrusted certificate $hash ($otherfile)" 121 return 0 122 fi 123 done 124 for otherfile in $(find $CERTDESTDIR -name "$hash.*") ; do 125 otherhash=$(openssl x509 -sha1 -in "$otherfile" -noout -fingerprint) 126 if [ "$certhash" = "$otherhash" ] ; then 127 verbose "Skipping duplicate entry for certificate $hash" 128 return 0 129 fi 130 done 131 suffix=$(get_decimal "$CERTDESTDIR" "$hash") 132 verbose "Adding $hash.$suffix to trust store" 133 perform install ${INSTALLFLAGS} -m 0444 ${link} \ 134 "$(realpath "$1")" "$CERTDESTDIR/$hash.$suffix" 135} 136 137# Accepts either dot-hash form from `certctl list` or a path to a valid cert. 138resolve_certname() 139{ 140 local hash srcfile filename 141 local suffix 142 143 # If it exists as a file, we'll try that; otherwise, we'll scan 144 if [ -e "$1" ] ; then 145 hash=$(do_hash "$1") || return 146 srcfile=$(realpath "$1") 147 suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") 148 filename="$hash.$suffix" 149 echo "$srcfile" "$hash.$suffix" 150 elif [ -e "${CERTDESTDIR}/$1" ] ; then 151 srcfile=$(realpath "${CERTDESTDIR}/$1") 152 hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//') 153 suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash") 154 filename="$hash.$suffix" 155 echo "$srcfile" "$hash.$suffix" 156 fi 157} 158 159create_untrusted() 160{ 161 local srcfile filename 162 local link=${2:+-lrs} 163 164 set -- $(resolve_certname "$1") 165 srcfile=$1 166 filename=$2 167 168 if [ -z "$srcfile" -o -z "$filename" ] ; then 169 return 170 fi 171 172 verbose "Adding $filename to untrusted list" 173 perform install ${INSTALLFLAGS} -m 0444 ${link} \ 174 "$srcfile" "$UNTRUSTDESTDIR/$filename" 175} 176 177do_scan() 178{ 179 local CFUNC CSEARCH CPATH CFILE CERT SPLITDIR 180 local oldIFS="$IFS" 181 CFUNC="$1" 182 CSEARCH="$2" 183 184 IFS=: 185 set -- $CSEARCH 186 IFS="$oldIFS" 187 for CFILE in $(cert_files_in "$@") ; do 188 verbose "Reading $CFILE" 189 case $(eolcvt "$CFILE" | egrep -c '^-+BEGIN CERTIFICATE-+$') in 190 0) 191 ;; 192 1) 193 "$CFUNC" "$CFILE" link 194 ;; 195 *) 196 verbose "Multiple certificates found, splitting..." 197 SPLITDIR=$(mktemp -d) 198 eolcvt "$CFILE" | egrep '^(---|[0-9A-Za-z/+=]+$)' | \ 199 split -p '^-+BEGIN CERTIFICATE-+$' - "$SPLITDIR/x" 200 for CERT in $(find "$SPLITDIR" -type f) ; do 201 "$CFUNC" "$CERT" 202 done 203 rm -rf "$SPLITDIR" 204 ;; 205 esac 206 done 207} 208 209do_list() 210{ 211 local CFILE subject 212 213 for CFILE in $(find "$@" \( -type f -or -type l \) -name '*.[0-9]') ; do 214 if [ ! -s "$CFILE" ] ; then 215 info "Unable to read $CFILE" 216 ERRORS=$((ERRORS + 1)) 217 continue 218 fi 219 subject= 220 if ! "$VERBOSE" ; then 221 subject=$(openssl x509 -noout -subject -nameopt multiline -in "$CFILE" | sed -n '/commonName/s/.*= //p') 222 fi 223 if [ -z "$subject" ] ; then 224 subject=$(openssl x509 -noout -subject -in "$CFILE") 225 fi 226 printf "%s\t%s\n" "${CFILE##*/}" "$subject" 227 done 228} 229 230cmd_rehash() 231{ 232 233 if [ -e "$CERTDESTDIR" ] ; then 234 perform find "$CERTDESTDIR" \( -type f -or -type l \) -delete 235 else 236 perform install -d -m 0755 "$CERTDESTDIR" 237 fi 238 if [ -e "$UNTRUSTDESTDIR" ] ; then 239 perform find "$UNTRUSTDESTDIR" \( -type f -or -type l \) -delete 240 else 241 perform install -d -m 0755 "$UNTRUSTDESTDIR" 242 fi 243 244 do_scan create_untrusted "$UNTRUSTPATH" 245 do_scan create_trusted "$TRUSTPATH" 246} 247 248cmd_list() 249{ 250 info "Listing Trusted Certificates:" 251 do_list "$CERTDESTDIR" 252} 253 254cmd_untrust() 255{ 256 local UTFILE 257 258 shift # verb 259 perform install -d -m 0755 "$UNTRUSTDESTDIR" 260 for UTFILE in "$@"; do 261 info "Adding $UTFILE to untrusted list" 262 create_untrusted "$UTFILE" 263 done 264} 265 266cmd_trust() 267{ 268 local UTFILE untrustedhash certhash hash 269 270 shift # verb 271 for UTFILE in "$@"; do 272 if [ -s "$UTFILE" ] ; then 273 hash=$(do_hash "$UTFILE") 274 certhash=$(openssl x509 -sha1 -in "$UTFILE" -noout -fingerprint) 275 for UNTRUSTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*") ; do 276 untrustedhash=$(openssl x509 -sha1 -in "$UNTRUSTEDFILE" -noout -fingerprint) 277 if [ "$certhash" = "$untrustedhash" ] ; then 278 info "Removing $(basename "$UNTRUSTEDFILE") from untrusted list" 279 perform rm -f $UNTRUSTEDFILE 280 fi 281 done 282 elif [ -e "$UNTRUSTDESTDIR/$UTFILE" ] ; then 283 info "Removing $UTFILE from untrusted list" 284 perform rm -f "$UNTRUSTDESTDIR/$UTFILE" 285 else 286 info "Cannot find $UTFILE" 287 ERRORS=$((ERRORS + 1)) 288 fi 289 done 290} 291 292cmd_untrusted() 293{ 294 info "Listing Untrusted Certificates:" 295 do_list "$UNTRUSTDESTDIR" 296} 297 298usage() 299{ 300 exec >&2 301 echo "Manage the TLS trusted certificates on the system" 302 echo " $SCRIPTNAME [-v] list" 303 echo " List trusted certificates" 304 echo " $SCRIPTNAME [-v] untrusted" 305 echo " List untrusted certificates" 306 echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-d <distbase>] [-M <metalog>] rehash" 307 echo " Generate hash links for all certificates" 308 echo " $SCRIPTNAME [-nv] untrust <file>" 309 echo " Add <file> to the list of untrusted certificates" 310 echo " $SCRIPTNAME [-nv] trust <file>" 311 echo " Remove <file> from the list of untrusted certificates" 312 exit 64 313} 314 315############################################################ MAIN 316 317while getopts D:d:M:nUv flag; do 318 case "$flag" in 319 D) DESTDIR=${OPTARG} ;; 320 d) DISTBASE=${OPTARG} ;; 321 M) METALOG=${OPTARG} ;; 322 n) NOOP=true ;; 323 U) UNPRIV=true ;; 324 v) VERBOSE=true ;; 325 esac 326done 327shift $((OPTIND - 1)) 328 329DESTDIR=${DESTDIR%/} 330 331if ! [ -z "${CERTCTL_VERBOSE:-}" ] ; then 332 VERBOSE=true 333fi 334: ${METALOG:=${DESTDIR}/METALOG} 335INSTALLFLAGS= 336if "$UNPRIV" ; then 337 INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}" 338fi 339: ${LOCALBASE:=$(sysctl -n user.localbase)} 340: ${TRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs} 341: ${UNTRUSTPATH:=${DESTDIR}${DISTBASE}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted} 342: ${CERTDESTDIR:=${DESTDIR}${DISTBASE}/etc/ssl/certs} 343: ${UNTRUSTDESTDIR:=${DESTDIR}${DISTBASE}/etc/ssl/untrusted} 344 345[ $# -gt 0 ] || usage 346case "$1" in 347list) cmd_list ;; 348rehash) cmd_rehash ;; 349blacklist) cmd_untrust "$@" ;; 350untrust) cmd_untrust "$@" ;; 351trust) cmd_trust "$@" ;; 352unblacklist) cmd_trust "$@" ;; 353untrusted) cmd_untrusted ;; 354blacklisted) cmd_untrusted ;; 355*) usage # NOTREACHED 356esac 357 358retval=$? 359if [ $ERRORS -gt 0 ] ; then 360 info "Encountered $ERRORS errors" 361fi 362exit $retval 363 364################################################################################ 365# END 366################################################################################ 367