usr.sbin/certctl/certctl.sh

   1 #!/bin/sh
   2 #-
   3 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
   4 #
   5 # Copyright 2018 Allan Jude <allanjude@freebsd.org>
   6 #
   7 # Redistribution and use in source and binary forms, with or without
   8 # modification, are permitted providing that the following conditions
   9 # are met:
  10 # 1. Redistributions of source code must retain the above copyright
  11 #    notice, this list of conditions and the following disclaimer.
  12 # 2. Redistributions in binary form must reproduce the above copyright
  13 #    notice, this list of conditions and the following disclaimer in the
  14 #    documentation and/or other materials provided with the distribution.
  15 #
  16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
  17 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  19 # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
  20 # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  24 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
  25 # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  26 # POSSIBILITY OF SUCH DAMAGE.
  27 #
  28 # $FreeBSD$
  29
  30 ############################################################ CONFIGURATION
  31
  32 : ${DESTDIR:=}
  33 : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
  34 : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
  35 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
  36 : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
  37 : ${EXTENSIONS:="*.pem *.crt *.cer *.crl *.0"}
  38 : ${VERBOSE:=0}
  39
  40 ############################################################ GLOBALS
  41
  42 SCRIPTNAME="${0##*/}"
  43 ERRORS=0
  44 NOOP=0
  45
  46 ############################################################ FUNCTIONS
  47
  48 do_hash()
  49 {
  50         local hash
  51
  52         if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then
  53                 echo "$hash"
  54                 return 0
  55         else
  56                 echo "Error: $1" >&2
  57                 ERRORS=$(( $ERRORS + 1 ))
  58                 return 1
  59         fi
  60 }
  61
  62 create_trusted_link()
  63 {
  64         local hash
  65
  66         hash=$( do_hash "$1" ) || return
  67         if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then
  68                 echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)"
  69                 return 1
  70         fi
  71         [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
  72         [ $NOOP -eq 0 ] && ln -fs $(realpath "$1") "$CERTDESTDIR/$hash.0"
  73 }
  74
  75 create_blacklisted()
  76 {
  77         local hash srcfile filename
  78
  79         # If it exists as a file, we'll try that; otherwise, we'll scan
  80         if [ -e "$1" ]; then
  81                 hash=$( do_hash "$1" ) || return
  82                 srcfile=$(realpath "$1")
  83                 filename="$hash.0"
  84         elif [ -e "${CERTDESTDIR}/$1" ];  then
  85                 srcfile=$(realpath "${CERTDESTDIR}/$1")
  86                 filename="$1"
  87         else
  88                 return
  89         fi
  90         [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
  91         [ $NOOP -eq 0 ] && ln -fs "$srcfile" "$BLACKLISTDESTDIR/$filename"
  92 }
  93
  94 do_scan()
  95 {
  96         local CFUNC CSEARCH CPATH CFILE
  97         local oldIFS="$IFS"
  98         CFUNC="$1"
  99         CSEARCH="$2"
 100
 101         IFS=:
 102         set -- $CSEARCH
 103         IFS="$oldIFS"
 104         for CPATH in "$@"; do
 105                 [ -d "$CPATH" ] || continue
 106                 echo "Scanning $CPATH for certificates..."
 107                 cd "$CPATH"
 108                 for CFILE in $EXTENSIONS; do
 109                         [ -e "$CFILE" ] || continue
 110                         [ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
 111                         "$CFUNC" "$CPATH/$CFILE"
 112                 done
 113                 cd -
 114         done
 115 }
 116
 117 do_list()
 118 {
 119         local CFILE subject
 120
 121         if [ -e "$1" ]; then
 122                 cd "$1"
 123                 for CFILE in *.0; do
 124                         if [ ! -s "$CFILE" ]; then
 125                                 echo "Unable to read $CFILE" >&2
 126                                 ERRORS=$(( $ERRORS + 1 ))
 127                                 continue
 128                         fi
 129                         subject=
 130                         if [ $VERBOSE -eq 0 ]; then
 131                                 subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" |
 132                                     sed -n '/commonName/s/.*= //p' )
 133                         fi
 134                         [ "$subject" ] ||
 135                             subject=$( openssl x509 -noout -subject -in "$CFILE" )
 136                         printf "%s\t%s\n" "$CFILE" "$subject"
 137                 done
 138                 cd -
 139         fi
 140 }
 141
 142 cmd_rehash()
 143 {
 144
 145         [ $NOOP -eq 0 ] && rm -rf "$CERTDESTDIR"
 146         [ $NOOP -eq 0 ] && mkdir -p "$CERTDESTDIR"
 147         [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
 148
 149         do_scan create_blacklisted "$BLACKLISTPATH"
 150         do_scan create_trusted_link "$TRUSTPATH"
 151 }
 152
 153 cmd_list()
 154 {
 155         echo "Listing Trusted Certificates:"
 156         do_list "$CERTDESTDIR"
 157 }
 158
 159 cmd_blacklist()
 160 {
 161         local BPATH
 162
 163         shift # verb
 164         [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
 165         for BFILE in "$@"; do
 166                 echo "Adding $BFILE to blacklist"
 167                 create_blacklisted "$BFILE"
 168         done
 169 }
 170
 171 cmd_unblacklist()
 172 {
 173         local BFILE hash
 174
 175         shift # verb
 176         for BFILE in "$@"; do
 177                 if [ -s "$BFILE" ]; then
 178                         hash=$( do_hash "$BFILE" )
 179                         echo "Removing $hash.0 from blacklist"
 180                         [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0"
 181                 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
 182                         echo "Removing $BFILE from blacklist"
 183                         [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
 184                 else
 185                         echo "Cannot find $BFILE" >&2
 186                         ERRORS=$(( $ERRORS + 1 ))
 187                 fi
 188         done
 189 }
 190
 191 cmd_blacklisted()
 192 {
 193         echo "Listing Blacklisted Certificates:"
 194         do_list "$BLACKLISTDESTDIR"
 195 }
 196
 197 usage()
 198 {
 199         exec >&2
 200         echo "Manage the TLS trusted certificates on the system"
 201         echo "  $SCRIPTNAME [-v] list"
 202         echo "          List trusted certificates"
 203         echo "  $SCRIPTNAME [-v] blacklisted"
 204         echo "          List blacklisted certificates"
 205         echo "  $SCRIPTNAME [-nv] rehash"
 206         echo "          Generate hash links for all certificates"
 207         echo "  $SCRIPTNAME [-nv] blacklist <file>"
 208         echo "          Add <file> to the list of blacklisted certificates"
 209         echo "  $SCRIPTNAME [-nv] unblacklist <file>"
 210         echo "          Remove <file> from the list of blacklisted certificates"
 211         exit 64
 212 }
 213
 214 ############################################################ MAIN
 215
 216 while getopts nv flag; do
 217         case "$flag" in
 218         n) NOOP=1 ;;
 219         v) VERBOSE=$(( $VERBOSE + 1 )) ;;
 220         esac
 221 done
 222 shift $(( $OPTIND - 1 ))
 223
 224 [ $# -gt 0 ] || usage
 225 case "$1" in
 226 list)           cmd_list ;;
 227 rehash)         cmd_rehash ;;
 228 blacklist)      cmd_blacklist "$@" ;;
 229 unblacklist)    cmd_unblacklist "$@" ;;
 230 blacklisted)    cmd_blacklisted ;;
 231 *)              usage # NOTREACHED
 232 esac
 233
 234 retval=$?
 235 [ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2
 236 exit $retval
 237
 238 ################################################################################
 239 # END
 240 ################################################################################