-rwxr-xr-x | scripts/certs/cert-check | 56 | ||||
-rwxr-xr-x | scripts/certs/cert-import | 36 | ||||
-rw-r--r-- | scripts/firstrun/00-certs-common | 12 |
3 files changed, 69 insertions, 35 deletions
diff --git a/scripts/certs/cert-check b/scripts/certs/cert-check
index 5c50a1f..fe015ed 100755
--- a/scripts/certs/cert-check
+++ b/scripts/certs/cert-check
@@ -23,15 +23,33 @@ WGET="wget -nv -U ''" guess_inform() { case "{1##*.}" in - crt) echo DER;; - pem|*) echo PEM;; + der) echo DER;; + crt|pem|*) echo PEM;; + esac +} + +guess_vercmd() { + echo "$1" | grep -q 'X509 CRL' && echo 'crl' || echo 'verify' +} + +vercmd2cmd() { + echo "$1" | grep -q 'crl' && echo 'crl' || echo 'x509' +} + +guess_cmd() { + echo "YYYYYYY $1" >>/tmp/test + case "$(basename "$1")" in + crl*|revoke*|*crl) echo "crl";; + *crt|*) echo "x509";; esac } cert_pick_file() { + [[ "$1" =~ .*://.* ]] && return 1 echo "Trying file" >&2 local inform=$(guess_inform "$1") - [ -f "$1" ] && openssl x509 -inform "${inform}" -in "$1" + local cmd=$(guess_cmd "$1") + [ -f "$1" ] && openssl ${cmd} -inform "${inform}" -in "$1" } # when CA cert is hosted on https server signed by this very CA
@@ -43,9 +61,10 @@ cert_pick_url_selfsigned() { local host=${start%%/*} local machine=${host%%:*} local port=${host#*:} - [ "${port}" = "" ] && port=443 + [ "${port}" = "${machine}" ] && port=443 local cont=${start#*/} local inform=$(guess_inform "${cont}") + [ "$(guess_cmd "${cont}")" = "x509" ] || return $? ( echo -e "GET /${cont} /HTTP 1.0\n"; sleep 2 ) \ | openssl s_client -connect "${machine}:${port}" -crlf 2>/dev/null \ | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
@@ -65,6 +84,7 @@ cert_pick_url_selfsigned() { cert_pick_url() { echo "Trying URL.." >&2 local inform=$(guess_inform "$1") + local cmd=$(guess_cmd "$1") (if ! ${WGET} "$1" -O- && [[ "$1" =~ https://.* ]]; then local start=${1##https://} local host=${start%%/*}
@@ -76,7 +96,7 @@ cert_pick_url() { || cert_pick_check -nocrl "${machine}" "${port}" echo "<<< recursion" >&2 ) >&2 \ && ${WGET} --no-check-certificate "$1" -O- - fi) | openssl x509 -inform "${inform}" + fi) | openssl ${cmd} -inform "${inform}" } cert_pick_from_server() { 
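Review bot: `guess_cmd` still carries its debugging line `echo "YYYYYYY $1" >>/tmp/test`, which appends every path and URL the script classifies to a fixed, predictable file in the shared /tmp directory; drop that line before merging. The `der)` arm added to `guess_inform` can never fire: the case word on the unchanged line above it is `"{1##*.}"`, a literal string with no `$`, so every input is reported as PEM and the new DER routing is dead — it should read `case "${1##*.}" in`. The `*crt|*)` arm in `guess_cmd` is equivalent to a bare `*)`; either drop `*crt|` or add a comment stating that anything not recognised as a CRL is treated as a certificate.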
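Review bot: In `cert_pick_url_selfsigned` the new guard `[ "$(guess_cmd "${cont}")" = "x509" ] || return $?` returns the status of the `[` test that just failed, which is always 1; `|| return 1` states the intent directly instead of relying on `$?` being read before anything else runs. Not new to this commit, but the request line on the next context line, `GET /${cont} /HTTP 1.0`, is not a valid HTTP request line (the version belongs after the path as `HTTP/1.0`), so a strict server may reject it and the self-signed fallback then silently yields nothing. The function starts before and continues past this hunk.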
@@ -102,18 +122,20 @@ cert_pick() { cert_check() { local ret= tmpfile=$(mktemp /tmp/.XXXXXX) cat >${tmpfile} - openssl verify $([ "$1" != "0" ] && echo '-crl_check') -CAfile \ - <( openssl x509 -noout -text -in ${tmpfile} \ - | sed -n 's|.*URI:\(.\+\.cr[tl]\)|\1|p' \ - | xargs -I '{}' bash -c " case '{}' in \ - *crt) ${WGET} -O- '{}' | openssl x509 -inform DER -outform PEM;; \ - *crl) ${WGET} -O- '{}' | openssl crl -inform DER -outform PEM;; \ - *) echo 'Sorry, {} not supported' >&2; \ + export vercmd=$(local fst; read fst < <(head -n1 "${tmpfile}"); guess_vercmd "${fst}") + openssl ${vercmd} $([ "$1" != "0" ] && echo '-crl_check') -CAfile \ + <( openssl $(vercmd2cmd "${vercmd}") -noout -text -in ${tmpfile} \ + | sed -n 's|.*URI:\(.\+\)|\1|p' \ + | xargs -I '{}' bash -c "case \$(guess_cmd '{}') in \ + verify) ${WGET} -O- '{}' | openssl x509 -outform PEM;; \ + crl) ${WGET} -O- '{}' | openssl crl -outform PEM;; \ + *) echo 'Sorry, URI {} not supported' >&2;; \ esac" \ | cat "${CA_BUNDLE}" "${HOMEBUNDLE}" - 2>/dev/null ) \ - ${tmpfile} >&2 + $(echo "${vercmd}" | grep -q crl && echo '-in') ${tmpfile} >&2 ret=$? [ $ret -eq 0 ] && cat ${tmpfile} + unset vercmd rm -- ${tmpfile} echo "$ret" >&2 return $ret
@@ -150,10 +172,8 @@ teardown() { } [[ "${BASH_SOURCE[0]}" != "${0}" ]] || \ - [ $# -lt 1 ] \ + { [ $# -lt 1 ] \ && echo "usage: $0" \ "[-nocrl] file-or-url-or-server [server-port=443]" \ - || ( setup - ( cert_pick_check "$@"; echo $? ) \ - |& colorize 1 - teardown $? ) + || { setup; { cert_pick_check "$@"; echo $?; } |& colorize 1; teardown $?; } + }
diff --git a/scripts/certs/cert-import b/scripts/certs/cert-import
index 90e28c1..8e2bad5 100755
--- a/scripts/certs/cert-import
+++ b/scripts/certs/cert-import
@@ -38,6 +38,7 @@ cert_import_firefox() { done < <(cat) } +# CRL can only be appended to homebundle cert_import() { local homebundle=0 firefox=0 mutt=0 crl=1 spec=0 while true; do 
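Review bot: The `verify)` arm in the `xargs … bash -c` dispatcher of `cert_check` is dead: `guess_cmd` only ever prints `crl` or `x509`, so every certificate URI falls through to `Sorry, URI {} not supported` and no issuer certificate is fetched; the arm should be `x509)`. The child `bash -c` can moreover only call `guess_cmd` if the function has been exported (`export -f guess_cmd`), which nothing in this diff shows — classifying the URI in the outer shell before the `bash -c` would remove that dependency. Dropping `-inform DER` from the `openssl x509` and `openssl crl` calls means DER-encoded files, the usual encoding at AIA and CRL distribution URIs, fail to parse on OpenSSL releases that do not auto-detect the input format. Pre-existing but worth stating in a comment: whatever is fetched from the certificate's own URIs is appended to the `-CAfile` via `cat "${CA_BUNDLE}" "${HOMEBUNDLE}" -`, so material referenced by the very certificate under test becomes a trust anchor; handing the fetched certificates to `openssl verify` with `-untrusted` instead keeps the two bundles as the only anchors.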
@@ -55,32 +56,33 @@ cert_import() { && echo "run me without arguments to get usage help" && return [ "$1" = "-nocrl" ] && shift && crl=0 ( - (cert_pick "$@" | cert_check $crl) \ + cert_pick "$@" | cert_check $crl \ | tee >( openssl x509 \ | tee >(cert_import_homebundle $homebundle) \ | tee >(cert_import_firefox $firefox) \ - | cert_import_mutt $mutt ) + | cert_import_mutt $mutt ) \ + | tee >( openssl crl \ + | cert_import_homebundle $homebundle) ) |& colorize 1 } -setup() { - set -u - RESTOREUMASK=$(umask -p) - umask 077 -} - -teardown() { - ${RESTOREUMASK} - unset RESTOREUMASK - return $1 -} +#setup() { +# set -u +# RESTOREUMASK=$(umask -p) +# umask 077 +#} +# +#teardown() { +# ${RESTOREUMASK} +# unset RESTOREUMASK +# unset vercmd +# return $1 +#} [[ "${BASH_SOURCE[0]}" != "${0}" ]] || \ - [ $# -lt 1 ] \ + { [ $# -lt 1 ] \ && echo "usage: $0" \ "(homebundle|mutt|firefox|all)*" \ "[-nocrl] file-or-server [port=443]" \ - || ( setup - cert_import "$@" - teardown $? ) + || { setup; cert_import "$@"; teardown $?; }; }
diff --git a/scripts/firstrun/00-certs-common b/scripts/firstrun/00-certs-common
new file mode 100644
index 0000000..83d92d9
--- /dev/null
+++ b/scripts/firstrun/00-certs-common
@@ -0,0 +1,12 @@
+pushd ../certs >/dev/null
+
+# Fedora project authority
+# ./cert-import homebundle admin.fedoraproject.org # good to do first?
+./cert-import homebundle firefox https://admin.fedoraproject.org/ca/cacert.pem
+./cert-import homebundle -nocrl https://admin.fedoraproject.org/ca/crl.pem
+
+# CAcert.org ... should utilize cert_pick_url_selfsigned (not tested yet)
+# ./cert-import homebundle firefox https://www.cacert.org/certs/root.crt
+# ./cert-import homebundle -nocrl https://crl.cacert.org/revoke.crl
+
+popd >/dev/null |
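Review bot: `setup` and `teardown` are commented out in cert-import, yet the dispatch block at the end of the same hunk still runs `{ setup; cert_import "$@"; teardown $?; }`; unless cert-import sources cert-check (which defines both), `setup` is now an unknown command, so `set -u` and `umask 077` are no longer applied and the home bundle is written with the caller's umask. If the functions are indeed meant to come from cert-check, delete the commented block rather than keeping a stale copy — it already diverges from the live one (`unset vercmd` here, absent there). The new fan-out pipes the same stream into both `openssl x509` and `openssl crl`, so one of the two prints a parse error on every run; gating on the first line of the input, the way `guess_vercmd` does, would keep stderr meaningful.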
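Review bot: In the new `00-certs-common`, `pushd ../certs >/dev/null` is unchecked, so if the relative path does not resolve from the runner's working directory the two `./cert-import` calls execute in the wrong directory and the final `popd` fails too. The file has no shebang and mode 100644, so it appears to be sourced; `pushd ../certs >/dev/null || return 1` covers that case (`|| exit 1` if it is meant to be executed). The CAcert lines are parked as comments with a note that the self-signed path is untested; a `# TODO(<owner>): …` marker would make that easier to find later.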