authorJan Pokorný <jpokorny@redhat.com>2013-10-17 22:33:32 +0200
committerJan Pokorný <jpokorny@redhat.com>2013-10-17 22:36:28 +0200
commitce1601263f27936a263e6eadffa3fa069075e20e (patch)
tree47562c9cea6bdae87307c4c731a60be3f9860e43
parent0fd901b89bc6a2082cbe94a81d76a073331681fd (diff)
Cert scripts: allow for self-signed chain, drop trust in CA_BUNDLE
Also in the client script, add support for GitHub to be accessed via https. Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
-rwxr-xr-xscripts/certs/cert-check77
-rwxr-xr-xscripts/certs/cert-import11
-rw-r--r--scripts/firstrun/00-certs-common6
3 files changed, 61 insertions, 33 deletions
diff --git a/scripts/certs/cert-check b/scripts/certs/cert-check
index 3404ec0..d4dbe5b 100755
--- a/scripts/certs/cert-check
+++ b/scripts/certs/cert-check
@@ -56,33 +56,56 @@ cert_pick_file() {
[ -f "$1" ] && openssl ${cmd} -inform "${inform}" -in "$1"
}
-# when CA cert is hosted on https server signed by this very CA
+# when CA cert(s) hosted on https server signed by this very CA
+# in case of cert chain, list them from root
+# TODO: check that the machine remains the same
cert_pick_url_selfsigned() {
- [[ "$1" =~ https://.* ]] || return 1
- echo "Trying self-signed" >&2
- local ret=
- local start=${1##https://}
- local host=${start%%/*}
- local machine=${host%%:*}
- local port=${host#*:}
- [ "${port}" = "${machine}" ] && port=443
- local cont=${start#*/}
- local inform=$(guess_inform "${cont}")
- [ "$(guess_cmd "${cont}")" = "x509" ] || return $?
- ( echo -e "GET /${cont} /HTTP 1.0\n"; sleep 2 ) \
- | openssl s_client -connect "${machine}:${port}" -crlf 2>/dev/null \
- | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
- | ( local tmpfile=$(mktemp /tmp/.XXXXXX)
- cat >${tmpfile}
- openssl verify -CAfile \
- <(awk '/-BEGIN CERTIFICATE-/{if(++i > 2){print; exit;}}{if(i == 2){print;}}' ${tmpfile} \
- | cat "${CA_BUNDLE}" "${HOMEBUNDLE}" -) \
- <(awk '/-BEGIN CERTIFICATE-/{if(++i > 2){exit;}}{if(i == 1){print;}}' ${tmpfile}) >&2;
- ret=$?
- [ $ret -eq 0 ] \
- && openssl x509 -inform "${inform}" -in ${tmpfile}
- rm -- ${tmpfile}
- return $ret )
+ local outtmpfile=$(mktemp /tmp/.XXXXXX) i=1
+ for c in $*; do
+ [[ "$c" =~ https://.* ]] || return 1
+ echo "Trying self-signed $c $i" >&2
+ local ret=
+ local start=${c##https://}
+ local host=${start%%/*}
+ local machine=${host%%:*}
+ local port=${host#*:}
+ [ "${port}" = "${machine}" ] && port=443
+ local cont=${start#*/}
+ local inform=$(guess_inform "${cont}")
+ [ "$(guess_cmd "${cont}")" = "x509" ] || return $?
+ { echo -e "GET /${cont} HTTP/1.0\nHost: ${machine}\n"; sleep 2; } \
+ | openssl s_client -connect "${machine}:${port}" -crlf 2>/dev/null \
+ | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;d};/^\r$/,/-BEGIN CERTIFICATE-/{/-BEGIN CERTIFICATE-/d;p}' \
+ | { local tmpfile=$(mktemp /tmp/.XXXXXX)
+ cat >${tmpfile}
+ # try converting DER to PEM and appending to the original file
+ awk '/-END CERTIFICATE-/{++i;next;}{if(i > 0){print;};}' ${tmpfile} \
+ | tail -n+2 \
+ | openssl x509 -inform DER -in /dev/stdin >${tmpfile}.1
+ cat ${tmpfile}.1 >> ${tmpfile}
+ rm ${tmpfile}.1
+ [ $i -eq 1 ] \
+ || openssl verify -CAfile \
+ <(cat "${HOMEBUNDLE}" "${outtmpfile}") \
+ <(awk '/-BEGIN CERTIFICATE-/{++i;}{if(i > 1){print;}}' ${tmpfile}) >&2
+ ret=$?
+ #echo "i: $i, ret: $ret; $outtmpfile, $tmpfile" >&2
+ [ $ret -eq 0 ] \
+ && openssl x509 -inform "${inform}" -in \
+ <(awk '/-BEGIN CERTIFICATE-/{++i;}{if(i > 1){print;}}' ${tmpfile}) >>${outtmpfile}
+ [ $i -eq $# ] \
+ && {
+ awk '/-END CERTIFICATE-/{print; exit;}{print;}' ${tmpfile} \
+ | openssl verify -CAfile \
+ <(cat "${HOMEBUNDLE}" "${outtmpfile}") \
+ /dev/stdin >&2 || { ret=$?; rm -- ${outtmpfile} ${tmpfile}; return $ret; }
+ }
+ rm -- ${tmpfile}
+ [ $ret -ne 0 ] && break; }
+ let i+=1
+ done
+ cat ${outtmpfile}
+ rm -- ${outtmpfile} ||:
}
cert_pick_url() {
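Review bot: The verification result computed inside the `| { … }` group (L73–98) never reaches the caller, because that group is the last stage of a pipeline and runs in a subshell: `ret=$?`, the `break`, and the `return $ret` after the final `openssl verify` only take effect in the subshell, so the function's exit status is always that of `rm -- ${outtmpfile} ||:` (0) and a failed chain check is signalled only by an empty or partial stdout. Create the temp file before the pipeline (`local tmpfile; tmpfile=$(mktemp /tmp/.XXXXXX) || return 1`), end the `sed` stage with `>"${tmpfile}"` instead of piping into the group (dropping the `| {` on L73, the `cat >${tmpfile}` on L74 and the closing `; }` on L98), and the existing `ret`/`break`/`return` logic then runs in the calling shell. Two smaller points: `for c in $*` should be `for c in "$@"`, and the early `return 1` / `return $?` on L59 and L69 leave `${outtmpfile}` behind. Note also that the first URL's certificate is accepted with no verification at all (`[ $i -eq 1 ] || openssl verify`), which with CA_BUNDLE dropped makes the whole chain trust-on-first-use of an unauthenticated TLS fetch; that belongs in the comment above the function next to the existing TODO, e.g. `# NOTE: the first (root) cert is taken on trust from the fetch; pin its fingerprint out of band`.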
@@ -135,7 +158,7 @@ cert_check() {
crl) ${WGET} -O- '{}' | openssl crl -outform PEM;; \
*) echo 'Sorry, URI {} not supported' >&2;; \
esac" \
- | cat "${CA_BUNDLE}" "${HOMEBUNDLE}" - 2>/dev/null ) \
+ | cat "${HOMEBUNDLE}" - 2>/dev/null ) \
$(echo "${vercmd}" | grep -q crl && echo '-in') ${tmpfile} >&2
ret=$?
[ $ret -eq 0 ] && cat ${tmpfile}
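Review bot: With `"${CA_BUNDLE}"` removed, `cat "${HOMEBUNDLE}" -` on L110 is the only source of trust anchors for this `openssl verify`, and the `2>/dev/null` on the same line hides the case where `${HOMEBUNDLE}` is unset or unreadable: the CAfile then silently consists of just the issuer certificates fetched from the URIs, which, if those URIs originate from the certificate under test, makes the check self-referential. Fail loudly instead, e.g. `[ -r "${HOMEBUNDLE}" ] || { echo "home bundle '${HOMEBUNDLE}' not readable" >&2; return 1; }` ahead of the verify, or at minimum drop the `2>/dev/null`. cert_check's body starts before the hunk, so where the URIs and `${vercmd}` come from is not visible here.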
diff --git a/scripts/certs/cert-import b/scripts/certs/cert-import
index 46e2fe0..8a28609 100755
--- a/scripts/certs/cert-import
+++ b/scripts/certs/cert-import
@@ -54,15 +54,14 @@ cert_import() {
done
[ $spec -eq 0 ] \
&& echo "run me without arguments to get usage help" && return
- [ "$1" = "-nocrl" ] && shift && crl=0
(
- cert_pick "$@" | cert_check $crl \
- | tee >(openssl x509 \
+ #| tee >(openssl x509 \
+ #| tee >(openssl crl \
+ cert_pick_check "$@" \
| tee >(cert_import_homebundle $homebundle) \
| tee >(cert_import_firefox $firefox) \
- | tee >(cert_import_mutt $mutt)) \
- | tee >(openssl crl \
- | tee >(cert_import_homebundle $homebundle))
+ | tee >(cert_import_mutt $mutt) \
+ | tee >(cert_import_homebundle $homebundle)
) |& colorize 1
}
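Review bot: Both tee branches on L129 and L135 now feed the unfiltered output of cert_pick_check into `cert_import_homebundle $homebundle`, whereas before the x509 and crl branches each ran it on a type-filtered stream; unless cert_import_homebundle deduplicates, every imported item is appended to the home bundle twice. Drop one of the two lines (`| tee >(cert_import_homebundle $homebundle) \` on L129 duplicates L135) or reinstate the per-type filtering. The commented-out `#| tee >(openssl x509 \` and `#| tee >(openssl crl \` lines on L126–127 are dead and should be removed rather than left in. The `-nocrl` handling deleted on L122 is still relied on by the callers in scripts/firstrun/00-certs-common, so it presumably moved into the argument loop above this hunk or into cert_pick_check — worth confirming, since cert_import's body starts before the hunk.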
diff --git a/scripts/firstrun/00-certs-common b/scripts/firstrun/00-certs-common
index 83d92d9..cd1e754 100644
--- a/scripts/firstrun/00-certs-common
+++ b/scripts/firstrun/00-certs-common
@@ -9,4 +9,10 @@ pushd ../certs >/dev/null
# ./cert-import homebundle firefox https://www.cacert.org/certs/root.crt
# ./cert-import homebundle -nocrl https://crl.cacert.org/revoke.crl
+# GitHub
+./cert-import homebundle -nocrl \
+ https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.pem \
+ https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
+./cert-import homebundle -nocrl www.github.com
+
popd >/dev/null
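Review bot: The DigiCert root on L147 becomes the trust anchor for everything GitHub-related, yet it is fetched over a TLS session that, with CA_BUNDLE dropped from cert-check in this same commit, is validated against nothing but itself, so the import is trust-on-first-use against whatever www.digicert.com (or anything on the path) serves. Record the root's published fingerprint next to the import and compare it before accepting, e.g. `# before trusting: openssl x509 -in DigiCertHighAssuranceEVRootCA.pem -noout -fingerprint -sha256, compare with the value DigiCert publishes`; the reference value has to be copied from DigiCert's site, not derived from the fetched file. L149 passes a bare hostname `www.github.com` instead of an `https://` URL; how cert-import handles that is not visible here, but the leaf can only verify if L146–148 stored the intermediate first, so the ordering of the two calls deserves a one-line comment.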