xref: /freebsd/usr.sbin/certctl/certctl.sh (revision 65a1d63665bf8b9cd2596d4319b31efc2232b722)
1#!/bin/sh
2#-
3# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4#
5# Copyright 2018 Allan Jude <allanjude@freebsd.org>
6#
7# Redistribution and use in source and binary forms, with or without
8# modification, are permitted providing that the following conditions
9# are met:
10# 1. Redistributions of source code must retain the above copyright
11#    notice, this list of conditions and the following disclaimer.
12# 2. Redistributions in binary form must reproduce the above copyright
13#    notice, this list of conditions and the following disclaimer in the
14#    documentation and/or other materials provided with the distribution.
15#
16# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25# IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26# POSSIBILITY OF SUCH DAMAGE.
27#
28# $FreeBSD$
29
30############################################################ CONFIGURATION
31
32: ${DESTDIR:=}
33: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
34: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
35: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
36: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
37: ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"}
38: ${VERBOSE:=0}
39
40############################################################ GLOBALS
41
42SCRIPTNAME="${0##*/}"
43ERRORS=0
44NOOP=0
45
46############################################################ FUNCTIONS
47
48do_hash()
49{
50	local hash
51
52	if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then
53		echo "$hash"
54		return 0
55	else
56		echo "Error: $1" >&2
57		ERRORS=$(( $ERRORS + 1 ))
58		return 1
59	fi
60}
61
62create_trusted_link()
63{
64	local hash
65
66	hash=$( do_hash "$1" ) || return
67	if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then
68		echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)"
69		return 1
70	fi
71	[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
72	[ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
73}
74
75create_blacklisted()
76{
77	local hash srcfile filename
78
79	# If it exists as a file, we'll try that; otherwise, we'll scan
80	if [ -e "$1" ]; then
81		hash=$( do_hash "$1" ) || return
82		srcfile=$(realpath "$1")
83		filename="$hash.0"
84	elif [ -e "${CERTDESTDIR}/$1" ];  then
85		srcfile=$(realpath "${CERTDESTDIR}/$1")
86		filename="$1"
87	else
88		return
89	fi
90	[ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
91	[ $NOOP -eq 0 ] && install -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
92}
93
94do_scan()
95{
96	local CFUNC CSEARCH CPATH CFILE
97	local oldIFS="$IFS"
98	CFUNC="$1"
99	CSEARCH="$2"
100
101	IFS=:
102	set -- $CSEARCH
103	IFS="$oldIFS"
104	for CPATH in "$@"; do
105		[ -d "$CPATH" ] || continue
106		echo "Scanning $CPATH for certificates..."
107		cd "$CPATH"
108		for CFILE in $EXTENSIONS; do
109			[ -e "$CFILE" ] || continue
110			[ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
111			"$CFUNC" "$CPATH/$CFILE"
112		done
113		cd -
114	done
115}
116
117do_list()
118{
119	local CFILE subject
120
121	if [ -e "$1" ]; then
122		cd "$1"
123		for CFILE in *.0; do
124			if [ ! -s "$CFILE" ]; then
125				echo "Unable to read $CFILE" >&2
126				ERRORS=$(( $ERRORS + 1 ))
127				continue
128			fi
129			subject=
130			if [ $VERBOSE -eq 0 ]; then
131				subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" |
132				    sed -n '/commonName/s/.*= //p' )
133			fi
134			[ "$subject" ] ||
135			    subject=$( openssl x509 -noout -subject -in "$CFILE" )
136			printf "%s\t%s\n" "$CFILE" "$subject"
137		done
138		cd -
139	fi
140}
141
142cmd_rehash()
143{
144
145	if [ $NOOP -eq 0 ]; then
146		if [ -e "$CERTDESTDIR" ]; then
147			find "$CERTDESTDIR" -type link -delete
148		else
149			mkdir -p "$CERTDESTDIR"
150		fi
151		if [ -e "$BLACKLISTDESTDIR" ]; then
152			find "$BLACKLISTDESTDIR" -type link -delete
153		else
154			mkdir -p "$BLACKLISTDESTDIR"
155		fi
156	fi
157
158	do_scan create_blacklisted "$BLACKLISTPATH"
159	do_scan create_trusted_link "$TRUSTPATH"
160}
161
162cmd_list()
163{
164	echo "Listing Trusted Certificates:"
165	do_list "$CERTDESTDIR"
166}
167
168cmd_blacklist()
169{
170	local BPATH
171
172	shift # verb
173	[ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
174	for BFILE in "$@"; do
175		echo "Adding $BFILE to blacklist"
176		create_blacklisted "$BFILE"
177	done
178}
179
180cmd_unblacklist()
181{
182	local BFILE hash
183
184	shift # verb
185	for BFILE in "$@"; do
186		if [ -s "$BFILE" ]; then
187			hash=$( do_hash "$BFILE" )
188			echo "Removing $hash.0 from blacklist"
189			[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0"
190		elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
191			echo "Removing $BFILE from blacklist"
192			[ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
193		else
194			echo "Cannot find $BFILE" >&2
195			ERRORS=$(( $ERRORS + 1 ))
196		fi
197	done
198}
199
200cmd_blacklisted()
201{
202	echo "Listing Blacklisted Certificates:"
203	do_list "$BLACKLISTDESTDIR"
204}
205
206usage()
207{
208	exec >&2
209	echo "Manage the TLS trusted certificates on the system"
210	echo "	$SCRIPTNAME [-v] list"
211	echo "		List trusted certificates"
212	echo "	$SCRIPTNAME [-v] blacklisted"
213	echo "		List blacklisted certificates"
214	echo "	$SCRIPTNAME [-nv] rehash"
215	echo "		Generate hash links for all certificates"
216	echo "	$SCRIPTNAME [-nv] blacklist <file>"
217	echo "		Add <file> to the list of blacklisted certificates"
218	echo "	$SCRIPTNAME [-nv] unblacklist <file>"
219	echo "		Remove <file> from the list of blacklisted certificates"
220	exit 64
221}
222
223############################################################ MAIN
224
225while getopts nv flag; do
226	case "$flag" in
227	n) NOOP=1 ;;
228	v) VERBOSE=$(( $VERBOSE + 1 )) ;;
229	esac
230done
231shift $(( $OPTIND - 1 ))
232
233[ $# -gt 0 ] || usage
234case "$1" in
235list)		cmd_list ;;
236rehash)		cmd_rehash ;;
237blacklist)	cmd_blacklist "$@" ;;
238unblacklist)	cmd_unblacklist "$@" ;;
239blacklisted)	cmd_blacklisted ;;
240*)		usage # NOTREACHED
241esac
242
243retval=$?
244[ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2
245exit $retval
246
247################################################################################
248# END
249################################################################################
250