3 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
5 # Copyright 2018 Allan Jude <allanjude@freebsd.org>
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted providing that the following conditions
10 # 1. Redistributions of source code must retain the above copyright
11 # notice, this list of conditions and the following disclaimer.
12 # 2. Redistributions in binary form must reproduce the above copyright
13 # notice, this list of conditions and the following disclaimer in the
14 # documentation and/or other materials provided with the distribution.
16 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
18 # WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
20 # DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24 # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25 # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 # POSSIBILITY OF SUCH DAMAGE.
30 ############################################################ CONFIGURATION
33 : ${FILEPAT:="\.pem$|\.crt$|\.cer$|\.crl$"}
36 ############################################################ GLOBALS
43 ############################################################ FUNCTIONS
49 if hash=$( openssl x509 -noout -subject_hash -in "$1" ); then
54 ERRORS=$(( $ERRORS + 1 ))
61 local checkdir hash decimal
67 while [ -e "$checkdir/$hash.$decimal" ]; do
68 decimal=$((decimal + 1))
77 local blisthash certhash hash
80 hash=$( do_hash "$1" ) || return
81 certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )
82 for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
83 blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint )
84 if [ "$certhash" = "$blisthash" ]; then
85 echo "Skipping blacklisted certificate $1 ($blistfile)"
89 suffix=$(get_decimal "$CERTDESTDIR" "$hash")
90 [ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store"
92 install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix"
97 local hash srcfile filename
100 # If it exists as a file, we'll try that; otherwise, we'll scan
102 hash=$( do_hash "$1" ) || return
103 srcfile=$(realpath "$1")
104 suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
105 filename="$hash.$suffix"
106 elif [ -e "${CERTDESTDIR}/$1" ]; then
107 srcfile=$(realpath "${CERTDESTDIR}/$1")
108 hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
109 suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
110 filename="$hash.$suffix"
114 [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
115 [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
120 local CFUNC CSEARCH CPATH CFILE
128 for CPATH in "$@"; do
129 [ -d "$CPATH" ] || continue
130 echo "Scanning $CPATH for certificates..."
131 for CFILE in $(ls -1 "${CPATH}" | grep -Ee "${FILEPAT}"); do
132 [ -e "$CPATH/$CFILE" ] || continue
133 [ $VERBOSE -gt 0 ] && echo "Reading $CFILE"
134 "$CFUNC" "$CPATH/$CFILE"
145 for CFILE in *.[0-9]; do
146 if [ ! -s "$CFILE" ]; then
147 echo "Unable to read $CFILE" >&2
148 ERRORS=$(( $ERRORS + 1 ))
152 if [ $VERBOSE -eq 0 ]; then
153 subject=$( openssl x509 -noout -subject -nameopt multiline -in "$CFILE" |
154 sed -n '/commonName/s/.*= //p' )
157 subject=$( openssl x509 -noout -subject -in "$CFILE" )
158 printf "%s\t%s\n" "$CFILE" "$subject"
167 if [ $NOOP -eq 0 ]; then
168 if [ -e "$CERTDESTDIR" ]; then
169 find "$CERTDESTDIR" -type link -delete
171 mkdir -p "$CERTDESTDIR"
173 if [ -e "$BLACKLISTDESTDIR" ]; then
174 find "$BLACKLISTDESTDIR" -type link -delete
176 mkdir -p "$BLACKLISTDESTDIR"
180 do_scan create_blacklisted "$BLACKLISTPATH"
181 do_scan create_trusted_link "$TRUSTPATH"
186 echo "Listing Trusted Certificates:"
187 do_list "$CERTDESTDIR"
195 [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
196 for BFILE in "$@"; do
197 echo "Adding $BFILE to blacklist"
198 create_blacklisted "$BFILE"
204 local BFILE blisthash certhash hash
207 for BFILE in "$@"; do
208 if [ -s "$BFILE" ]; then
209 hash=$( do_hash "$BFILE" )
210 certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint )
211 for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
212 blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint )
213 if [ "$certhash" = "$blisthash" ]; then
214 echo "Removing $(basename "$BLISTEDFILE") from blacklist"
215 [ $NOOP -eq 0 ] && rm -f $BLISTEDFILE
218 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
219 echo "Removing $BFILE from blacklist"
220 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
222 echo "Cannot find $BFILE" >&2
223 ERRORS=$(( $ERRORS + 1 ))
230 echo "Listing Blacklisted Certificates:"
231 do_list "$BLACKLISTDESTDIR"
237 echo "Manage the TLS trusted certificates on the system"
238 echo " $SCRIPTNAME [-v] list"
239 echo " List trusted certificates"
240 echo " $SCRIPTNAME [-v] blacklisted"
241 echo " List blacklisted certificates"
242 echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
243 echo " Generate hash links for all certificates"
244 echo " $SCRIPTNAME [-nv] blacklist <file>"
245 echo " Add <file> to the list of blacklisted certificates"
246 echo " $SCRIPTNAME [-nv] unblacklist <file>"
247 echo " Remove <file> from the list of blacklisted certificates"
251 ############################################################ MAIN
253 while getopts D:M:nUv flag; do
255 D) DESTDIR=${OPTARG} ;;
256 M) METALOG=${OPTARG} ;;
259 v) VERBOSE=$(( $VERBOSE + 1 )) ;;
262 shift $(( $OPTIND - 1 ))
264 : ${METALOG:=${DESTDIR}/METALOG}
266 [ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"
267 : ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}/usr/local/share/certs:${DESTDIR}/usr/local/etc/ssl/certs}
268 : ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}/usr/local/etc/ssl/blacklisted}
269 : ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
270 : ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
272 [ $# -gt 0 ] || usage
275 rehash) cmd_rehash ;;
276 blacklist) cmd_blacklist "$@" ;;
277 unblacklist) cmd_unblacklist "$@" ;;
278 blacklisted) cmd_blacklisted ;;
279 *) usage # NOTREACHED
283 [ $ERRORS -gt 0 ] && echo "Encountered $ERRORS errors" >&2
286 ################################################################################
288 ################################################################################