3 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
5 # Copyright 2018 Allan Jude <allanjude@freebsd.org>
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted providing that the following conditions
10 # 1. Redistributions of source code must retain the above copyright
11 # notice, this list of conditions and the following disclaimer.
12 # 2. Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20 # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 # POSSIBILITY OF SUCH DAMAGE.
30 ############################################################ CONFIGURATION
33 : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
34 : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
35 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
36 : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
37 : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"}
40 ############################################################ GLOBALS
46 ############################################################ FUNCTIONS
52 if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then
57 ERRORS=$(( $ERRORS + 1 ))
66 hash=$( do_hash "$1" ) || return
67 if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then
68 echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)"
71 [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
72 [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0"
77 local hash srcfile filename
79 # If it exists as a file, we'll try that; otherwise, we'll scan
81 hash=$( do_hash "$1" ) || return
82 srcfile=$(realpath "$1")
84 elif [ -e "${CERTDESTDIR}/$1" ]; then
85 srcfile=$(realpath "${CERTDESTDIR}/$1")
90 [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
91 [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
96 local CFUNC CSEARCH CPATH CFILE
104 for CPATH in "$@"; do
105 [ -d "$CPATH" ] || continue
106 echo "Scanning $CPATH for certificates..."
108 for CFILE in $EXTENSIONS; do
109 [ -e "$CFILE" ] || continue
110 [ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
111 "$CFUNC" "$CPATH/$CFILE"
124 if [ ! -s "$CFILE" ]; then
125 echo "Unable to read $CFILE" >&2
126 ERRORS=$(( $ERRORS + 1 ))
130 if [ $VERBOSE -eq 0 ]; then
131 subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" |
132 sed -n '/commonName/s/.*= //p' )
135 subject=$( openssl x509 -noout -subject -in "$CFILE" )
136 printf "%s\t%s\n" "$CFILE" "$subject"
145 [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR"
146 [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR"
147 [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
149 do_scan create_blacklisted "$BLACKLISTPATH"
150 do_scan create_trusted_link "$TRUSTPATH"
155 echo "Listing Trusted Certificates:"
156 do_list "$CERTDESTDIR"
164 [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
165 for BFILE in "$@"; do
166 echo "Adding $BFILE to blacklist"
167 create_blacklisted "$BFILE"
176 for BFILE in "$@"; do
177 if [ -s "$BFILE" ]; then
178 hash=$( do_hash "$BFILE" )
179 echo "Removing $hash.0 from blacklist"
180 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0"
181 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
182 echo "Removing $BFILE from blacklist"
183 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
185 echo "Cannot find $BFILE" >&2
186 ERRORS=$(( $ERRORS + 1 ))
193 echo "Listing Blacklisted Certificates:"
194 do_list "$BLACKLISTDESTDIR"
200 echo "Manage the TLS trusted certificates on the system"
201 echo " $SCRIPTNAME [-v] list"
202 echo " List trusted certificates"
203 echo " $SCRIPTNAME [-v] blacklisted"
204 echo " List blacklisted certificates"
205 echo " $SCRIPTNAME [-nv] rehash"
206 echo " Generate hash links for all certificates"
207 echo " $SCRIPTNAME [-nv] blacklist <file>"
208 echo " Add <file> to the list of blacklisted certificates"
209 echo " $SCRIPTNAME [-nv] unblacklist <file>"
210 echo " Remove <file> from the list of blacklisted certificates"
214 ############################################################ MAIN
216 while getopts nv flag; do
219 v) VERBOSE=$(( $VERBOSE + 1 )) ;;
222 shift $(( $OPTIND - 1 ))
224 [ $# -gt 0 ] || usage
227 rehash) cmd_rehash ;;
228 blacklist) cmd_blacklist "$@" ;;
229 unblacklist) cmd_unblacklist "$@" ;;
230 blacklisted) cmd_blacklisted ;;
231 *) usage # NOTREACHED
235 [ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2
238 ################################################################################
240 ################################################################################