trunk/openssl-c_rehash/openssl-c_rehash.sh

#!/bin/sh
#
# Ben Secrest <blsecres@gmail.com>
#
# sh c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
#
# based on the c_rehash perl script distributed with openssl
#
# LICENSE: See OpenSSL license
# ^^acceptable?^^
#
# see: http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/openssl/openssl-c_rehash.sh?view=log
# Versioning goes like upstream-cvs-commit.internal version
#        cvs=1.6 internal=1 -> 1.6.1
#

# default certificate location
DIR=/etc/openssl

# for filetype bitfield
IS_CERT=$(( 1 << 0 ))
IS_CRL=$(( 1 << 1 ))


# check to see if a file is a certificate file or a CRL file
# arguments:
#       1. the filename to be scanned
# returns:
#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
#
check_file()
{
    local IS_TYPE=0

    # make IFS a newline so we can process grep output line by line
    local OLDIFS=${IFS}
    IFS=$( printf "\n" )

    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
    do
	if echo ${LINE} \
	    | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
	then
	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))

	    if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
	    then
	    	break
	    fi
	elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
	then
	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))

	    if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
	    then
	    	break
	    fi
	fi
    done

    # restore IFS
    IFS=${OLDIFS}

    return ${IS_TYPE}
}


#
# use openssl to fingerprint a file
#    arguments:
#	1. the filename to fingerprint
#	2. the method to use (x509, crl)
#    returns:
#	none
#    assumptions:
#	user will capture output from last stage of pipeline
#
fingerprint()
{
    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
}


#
# link_hash - create links to certificate files
#    arguments:
#       1. the filename to create a link for
#	2. the type of certificate being linked (x509, crl)
#    returns:
#	0 on success, 1 otherwise
#
link_hash()
{
    local FINGERPRINT=$( fingerprint ${1} ${2} )
    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
    local SUFFIX=0
    local LINKFILE=''
    local TAG=''

    if [ ${2} = "crl" ]
    then
    	TAG='r'
    fi

    LINKFILE=${HASH}.${TAG}${SUFFIX}

    while [ -f ${LINKFILE} ]
    do
	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
	then
	    echo "WARNING: Skipping duplicate file ${1}" >&2
	    return 1
	fi	

	SUFFIX=$(( ${SUFFIX} + 1 ))
	LINKFILE=${HASH}.${TAG}${SUFFIX}
    done

    echo "${1} => ${LINKFILE}"

    # assume any system with a POSIX shell will either support symlinks or
    # do something to handle this gracefully
    ln -s ${1} ${LINKFILE}

    return 0
}


# hash_dir create hash links in a given directory
hash_dir()
{
    echo "Doing ${1}"

    cd ${1}

    ls -1 * 2>/dev/null | while read FILE
    do
        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
	    	&& [ -h "${FILE}" ]
        then
            rm ${FILE}
        fi
    done

    ls -1 *.pem 2>/dev/null | while read FILE
    do
	check_file ${FILE}
        local FILE_TYPE=${?}
	local TYPE_STR=''

        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
        then
            TYPE_STR='x509'
        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
        then
            TYPE_STR='crl'
        else
            echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
	    continue
        fi

	link_hash ${FILE} ${TYPE_STR}
    done
}


# choose the name of an ssl application
if [ -n "${OPENSSL}" ]
then
    SSL_CMD=$(type -P ${OPENSSL})
else
    SSL_CMD=/usr/bin/openssl
    OPENSSL=${SSL_CMD}
    export OPENSSL
fi

# fix paths
PATH=${PATH}:${DIR}/bin
export PATH

# confirm existance/executability of ssl command
if ! [ -x ${SSL_CMD} ]
then
    echo "${0}: rehashing skipped ('openssl' program not available)" >&2
    exit 0
fi

# determine which directories to process
old_IFS=$IFS
if [ ${#} -gt 0 ]
then
    IFS=':'
    DIRLIST=${*}
elif [ -n "${SSL_CERT_DIR}" ]
then
    DIRLIST=$SSL_CERT_DIR
else
    DIRLIST=${DIR}/certs
fi

IFS=':'

# process directories
for CERT_DIR in ${DIRLIST}
do
    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
    then
        IFS=$old_IFS
        hash_dir ${CERT_DIR}
        IFS=':'
    fi
done
1	#!/bin/sh
2	#
3	# Ben Secrest <blsecres@gmail.com>
4	#
5	# sh c_rehash script, scan all files in a directory
6	# and add symbolic links to their hash values.
7	#
8	# based on the c_rehash perl script distributed with openssl
9	#
10	# LICENSE: See OpenSSL license
11	# ^^acceptable?^^
12	#
13	# see: http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/openssl/openssl-c_rehash.sh?view=log
14	# Versioning goes like upstream-cvs-commit.internal version
15	# cvs=1.6 internal=1 -> 1.6.1
16	#
17
18	# default certificate location
19	DIR=/etc/openssl
20
21	# for filetype bitfield
22	IS_CERT=$(( 1 << 0 ))
23	IS_CRL=$(( 1 << 1 ))
24
25
26	# check to see if a file is a certificate file or a CRL file
27	# arguments:
28	# 1. the filename to be scanned
29	# returns:
30	# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
31	#
32	check_file()
33	{
34	local IS_TYPE=0
35
36	# make IFS a newline so we can process grep output line by line
37	local OLDIFS=${IFS}
38	IFS=$( printf "\n" )
39
40	# XXX: could be more efficient to have two 'grep -m' but is -m portable?
41	for LINE in $( grep '^-----BEGIN .*-----' ${1} )
42	do
43	if echo ${LINE} \
44	\| grep -q -E '^-----BEGIN (X509 \|TRUSTED )?CERTIFICATE-----'
45	then
46	IS_TYPE=$(( ${IS_TYPE} \| ${IS_CERT} ))
47
48	if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
49	then
50	break
51	fi
52	elif echo ${LINE} \| grep -q '^-----BEGIN X509 CRL-----'
53	then
54	IS_TYPE=$(( ${IS_TYPE} \| ${IS_CRL} ))
55
56	if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
57	then
58	break
59	fi
60	fi
61	done
62
63	# restore IFS
64	IFS=${OLDIFS}
65
66	return ${IS_TYPE}
67	}
68
69
70	#
71	# use openssl to fingerprint a file
72	# arguments:
73	# 1. the filename to fingerprint
74	# 2. the method to use (x509, crl)
75	# returns:
76	# none
77	# assumptions:
78	# user will capture output from last stage of pipeline
79	#
80	fingerprint()
81	{
82	${SSL_CMD} ${2} -fingerprint -noout -in ${1} \| sed 's/^.*=//' \| tr -d ':'
83	}
84
85
86	#
87	# link_hash - create links to certificate files
88	# arguments:
89	# 1. the filename to create a link for
90	# 2. the type of certificate being linked (x509, crl)
91	# returns:
92	# 0 on success, 1 otherwise
93	#
94	link_hash()
95	{
96	local FINGERPRINT=$( fingerprint ${1} ${2} )
97	local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
98	local SUFFIX=0
99	local LINKFILE=''
100	local TAG=''
101
102	if [ ${2} = "crl" ]
103	then
104	TAG='r'
105	fi
106
107	LINKFILE=${HASH}.${TAG}${SUFFIX}
108
109	while [ -f ${LINKFILE} ]
110	do
111	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
112	then
113	echo "WARNING: Skipping duplicate file ${1}" >&2
114	return 1
115	fi
116
117	SUFFIX=$(( ${SUFFIX} + 1 ))
118	LINKFILE=${HASH}.${TAG}${SUFFIX}
119	done
120
121	echo "${1} => ${LINKFILE}"
122
123	# assume any system with a POSIX shell will either support symlinks or
124	# do something to handle this gracefully
125	ln -s ${1} ${LINKFILE}
126
127	return 0
128	}
129
130
131	# hash_dir create hash links in a given directory
132	hash_dir()
133	{
134	echo "Doing ${1}"
135
136	cd ${1}
137
138	ls -1 * 2>/dev/null \| while read FILE
139	do
140	if echo ${FILE} \| grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
141	&& [ -h "${FILE}" ]
142	then
143	rm ${FILE}
144	fi
145	done
146
147	ls -1 *.pem 2>/dev/null \| while read FILE
148	do
149	check_file ${FILE}
150	local FILE_TYPE=${?}
151	local TYPE_STR=''
152
153	if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
154	then
155	TYPE_STR='x509'
156	elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
157	then
158	TYPE_STR='crl'
159	else
160	echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
161	continue
162	fi
163
164	link_hash ${FILE} ${TYPE_STR}
165	done
166	}
167
168
169	# choose the name of an ssl application
170	if [ -n "${OPENSSL}" ]
171	then
172	SSL_CMD=$(type -P ${OPENSSL})
173	else
174	SSL_CMD=/usr/bin/openssl
175	OPENSSL=${SSL_CMD}
176	export OPENSSL
177	fi
178
179	# fix paths
180	PATH=${PATH}:${DIR}/bin
181	export PATH
182
183	# confirm existance/executability of ssl command
184	if ! [ -x ${SSL_CMD} ]
185	then
186	echo "${0}: rehashing skipped ('openssl' program not available)" >&2
187	exit 0
188	fi
189
190	# determine which directories to process
191	old_IFS=$IFS
192	if [ ${#} -gt 0 ]
193	then
194	IFS=':'
195	DIRLIST=${*}
196	elif [ -n "${SSL_CERT_DIR}" ]
197	then
198	DIRLIST=$SSL_CERT_DIR
199	else
200	DIRLIST=${DIR}/certs
201	fi
202
203	IFS=':'
204
205	# process directories
206	for CERT_DIR in ${DIRLIST}
207	do
208	if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
209	then
210	IFS=$old_IFS
211	hash_dir ${CERT_DIR}
212	IFS=':'
213	fi
214	done