From ce1601263f27936a263e6eadffa3fa069075e20e Mon Sep 17 00:00:00 2001
From: Jan Pokorný
Date: Thu, 17 Oct 2013 22:33:32 +0200
Subject: Cert scripts: allow for self-signed chain, drop trust in CA_BUNDLE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also in the client script, add support for GitHub to be accessed via https.
Signed-off-by: Jan Pokorný
---
 scripts/certs/cert-check | 77 ++++++++++++++++++++++++++++++-----------------
 scripts/certs/cert-import | 11 +++----
 2 files changed, 55 insertions(+), 33 deletions(-)
(limited to 'scripts/certs')
diff --git a/scripts/certs/cert-check b/scripts/certs/cert-check
index 3404ec0..d4dbe5b 100755
--- a/scripts/certs/cert-check
+++ b/scripts/certs/cert-check
@@ -56,33 +56,56 @@ cert_pick_file() {
 [ -f "$1" ] && openssl ${cmd} -inform "${inform}" -in "$1"
 }
-# when CA cert is hosted on https server signed by this very CA
+# when CA cert(s) hosted on https server signed by this very CA
+# in case of cert chain, list them from root
+# TODO: check that the machine remains the same
 cert_pick_url_selfsigned() {
- [[ "$1" =~ https://.* ]] || return 1
- echo "Trying self-signed" >&2
- local ret=
- local start=${1##https://}
- local host=${start%%/*}
- local machine=${host%%:*}
- local port=${host#*:}
- [ "${port}" = "${machine}" ] && port=443
- local cont=${start#*/}
- local inform=$(guess_inform "${cont}")
- [ "$(guess_cmd "${cont}")" = "x509" ] || return $?
- ( echo -e "GET /${cont} /HTTP 1.0\n"; sleep 2 ) \
- | openssl s_client -connect "${machine}:${port}" -crlf 2>/dev/null \
- | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
- | ( local tmpfile=$(mktemp /tmp/.XXXXXX)
- cat >${tmpfile}
- openssl verify -CAfile \
- <(awk '/-BEGIN CERTIFICATE-/{if(++i > 2){print; exit;}}{if(i == 2){print;}}' ${tmpfile} \
- | cat "${CA_BUNDLE}" "${HOMEBUNDLE}" -) \
- <(awk '/-BEGIN CERTIFICATE-/{if(++i > 2){exit;}}{if(i == 1){print;}}' ${tmpfile}) >&2;
- ret=$?
- [ $ret -eq 0 ] \
- && openssl x509 -inform "${inform}" -in ${tmpfile}
- rm -- ${tmpfile}
- return $ret )
+ local outtmpfile=$(mktemp /tmp/.XXXXXX) i=1
+ for c in $*; do
+ [[ "$c" =~ https://.* ]] || return 1
+ echo "Trying self-signed $c $i" >&2
+ local ret=
+ local start=${c##https://}
+ local host=${start%%/*}
+ local machine=${host%%:*}
+ local port=${host#*:}
+ [ "${port}" = "${machine}" ] && port=443
+ local cont=${start#*/}
+ local inform=$(guess_inform "${cont}")
+ [ "$(guess_cmd "${cont}")" = "x509" ] || return $?
+ { echo -e "GET /${cont} HTTP/1.0\nHost: ${machine}\n"; sleep 2; } \
+ | openssl s_client -connect "${machine}:${port}" -crlf 2>/dev/null \
+ | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/{p;d};/^\r$/,/-BEGIN CERTIFICATE-/{/-BEGIN CERTIFICATE-/d;p}' \
+ | { local tmpfile=$(mktemp /tmp/.XXXXXX)
+ cat >${tmpfile}
+ # try converting DER to PEM and appending to the original file
+ awk '/-END CERTIFICATE-/{++i;next;}{if(i > 0){print;};}' ${tmpfile} \
+ | tail -n+2 \
+ | openssl x509 -inform DER -in /dev/stdin >${tmpfile}.1
+ cat ${tmpfile}.1 >> ${tmpfile}
+ rm ${tmpfile}.1
+ [ $i -eq 1 ] \
+ || openssl verify -CAfile \
+ <(cat "${HOMEBUNDLE}" "${outtmpfile}") \
+ <(awk '/-BEGIN CERTIFICATE-/{++i;}{if(i > 1){print;}}' ${tmpfile}) >&2
+ ret=$?
+ #echo "i: $i, ret: $ret; $outtmpfile, $tmpfile" >&2
+ [ $ret -eq 0 ] \
+ && openssl x509 -inform "${inform}" -in \
+ <(awk '/-BEGIN CERTIFICATE-/{++i;}{if(i > 1){print;}}' ${tmpfile}) >>${outtmpfile}
+ [ $i -eq $# ] \
+ && {
+ awk '/-END CERTIFICATE-/{print; exit;}{print;}' ${tmpfile} \
+ | openssl verify -CAfile \
+ <(cat "${HOMEBUNDLE}" "${outtmpfile}") \
+ /dev/stdin >&2 || { ret=$?; rm -- ${outtmpfile} ${tmpfile}; return $ret; }
+ }
+ rm -- ${tmpfile}
+ [ $ret -ne 0 ] && break; }
+ let i+=1
+ done
+ cat ${outtmpfile}
+ rm -- ${outtmpfile} ||:
 }
 cert_pick_url() {
@@ -135,7 +158,7 @@ cert_check() {
 crl) ${WGET} -O- '{}' | openssl crl -outform PEM;; \
 *) echo 'Sorry, URI {} not supported' >&2;; \
 esac" \
- | cat "${CA_BUNDLE}" "${HOMEBUNDLE}" - 2>/dev/null ) \
+ | cat "${HOMEBUNDLE}" - 2>/dev/null ) \
 $(echo "${vercmd}" | grep -q crl && echo '-in') ${tmpfile} >&2
 ret=$?
 [ $ret -eq 0 ] && cat ${tmpfile}
diff --git a/scripts/certs/cert-import b/scripts/certs/cert-import
index 46e2fe0..8a28609 100755
--- a/scripts/certs/cert-import
+++ b/scripts/certs/cert-import
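Review bot: A failed `openssl verify` never reaches the caller of `cert_pick_url_selfsigned`: `ret`, `break` and `return` inside the trailing `| { … }` group act on that pipeline stage's subshell, so the outer `for` keeps iterating and the function's exit status is that of the final `rm -- ${outtmpfile} ||:`, i.e. always 0. Ending the group with `exit $ret; } || { rm -f -- "${outtmpfile}"; return 1; }` instead of `[ $ret -ne 0 ] && break; }` propagates the stage status to the parent shell and stops the loop, and the same `||` catches the leaf-verification `return $ret` path. Two smaller points in the same hunk: `>${tmpfile}.1` opens a predictably named file next to the mktemp one in /tmp (the redirect follows a pre-planted symlink), so that name should itself come from `mktemp`; and `for c in $*` should be `for c in "$@"` so each URL stays one word. The first chain element (`[ $i -eq 1 ]`) is accepted with no verification and then joins the `-CAfile` material for every later check, so the whole result rests on that one unauthenticated TLS fetch; that is worth stating in the header comment next to the existing TODO, e.g. `# NOTE: the first (root) cert is trusted on first use; later certs are verified against it`.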
@@ -54,15 +54,14 @@ cert_import() {
 done
 [ $spec -eq 0 ] \
 && echo "run me without arguments to get usage help" && return
- [ "$1" = "-nocrl" ] && shift && crl=0
 (
- cert_pick "$@" | cert_check $crl \
- | tee >(openssl x509 \
+ #| tee >(openssl x509 \
+ #| tee >(openssl crl \
+ cert_pick_check "$@" \
 | tee >(cert_import_homebundle $homebundle) \
 | tee >(cert_import_firefox $firefox) \
- | tee >(cert_import_mutt $mutt)) \
- | tee >(openssl crl \
- | tee >(cert_import_homebundle $homebundle))
+ | tee >(cert_import_mutt $mutt) \
+ | tee >(cert_import_homebundle $homebundle)
 ) |& colorize 1
 }
-- cgit
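Review bot: The two `#| tee >(openssl x509 \` and `#| tee >(openssl crl \` lines are commented-out pipeline fragments left on the new side; they read like a continuation of the pipeline to anyone skimming `cert_import`, so either drop them or replace them with a one-line comment such as `# x509/crl selection now happens inside cert_pick_check`. With the old x509/crl split gone, `cert_import_firefox` and `cert_import_mutt` now receive everything `cert_pick_check` emits, where previously only the x509 branch fed them and CRLs went to the homebundle alone; if `cert_pick_check` can still emit CRLs, confirm those two importers tolerate them. The `-nocrl` handling is removed here, so any usage text earlier in `cert_import` that still documents it is now stale. `cert_import` starts before the hunk.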