trunk/openssl-c_rehash/openssl-c_rehash.sh

#!/bin/sh
#
# Ben Secrest <blsecres@gmail.com>
#
# sh c_rehash script, scan all files in a directory
# and add symbolic links to their hash values.
#
# based on the c_rehash perl script distributed with openssl
#
# LICENSE: See OpenSSL license
# ^^acceptable?^^
#
# see: http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/openssl/openssl-c_rehash.sh?view=log
#

# default certificate location
DIR=/etc/openssl

# for filetype bitfield
IS_CERT=$(( 1 << 0 ))
IS_CRL=$(( 1 << 1 ))


# check to see if a file is a certificate file or a CRL file
# arguments:
#       1. the filename to be scanned
# returns:
#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
#
check_file()
{
    local IS_TYPE=0

    # make IFS a newline so we can process grep output line by line
    local OLDIFS=${IFS}
    IFS=$( printf "\n" )

    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
    do
	if echo ${LINE} \
	    | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
	then
	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))

	    if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
	    then
	    	break
	    fi
	elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
	then
	    IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))

	    if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
	    then
	    	break
	    fi
	fi
    done

    # restore IFS
    IFS=${OLDIFS}

    return ${IS_TYPE}
}


#
# use openssl to fingerprint a file
#    arguments:
#	1. the filename to fingerprint
#	2. the method to use (x509, crl)
#    returns:
#	none
#    assumptions:
#	user will capture output from last stage of pipeline
#
fingerprint()
{
    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
}


#
# link_hash - create links to certificate files
#    arguments:
#       1. the filename to create a link for
#	2. the type of certificate being linked (x509, crl)
#    returns:
#	0 on success, 1 otherwise
#
link_hash()
{
    local FINGERPRINT=$( fingerprint ${1} ${2} )
    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
    local SUFFIX=0
    local LINKFILE=''
    local TAG=''

    if [ ${2} = "crl" ]
    then
    	TAG='r'
    fi

    LINKFILE=${HASH}.${TAG}${SUFFIX}

    while [ -f ${LINKFILE} ]
    do
	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
	then
	    echo "WARNING: Skipping duplicate file ${1}" >&2
	    return 1
	fi	

	SUFFIX=$(( ${SUFFIX} + 1 ))
	LINKFILE=${HASH}.${TAG}${SUFFIX}
    done

    echo "${1} => ${LINKFILE}"

    # assume any system with a POSIX shell will either support symlinks or
    # do something to handle this gracefully
    ln -s ${1} ${LINKFILE}

    return 0
}


# hash_dir create hash links in a given directory
hash_dir()
{
    echo "Doing ${1}"

    cd ${1}

    ls -1 * 2>/dev/null | while read FILE
    do
        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
	    	&& [ -h "${FILE}" ]
        then
            rm ${FILE}
        fi
    done

    ls -1 *.pem 2>/dev/null | while read FILE
    do
	check_file ${FILE}
        local FILE_TYPE=${?}
	local TYPE_STR=''

        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
        then
            TYPE_STR='x509'
        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
        then
            TYPE_STR='crl'
        else
            echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
	    continue
        fi

	link_hash ${FILE} ${TYPE_STR}
    done
}


# choose the name of an ssl application
if [ -n "${OPENSSL}" ]
then
    SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
else
    SSL_CMD=/usr/bin/openssl
    OPENSSL=${SSL_CMD}
    export OPENSSL
fi

# fix paths
PATH=${PATH}:${DIR}/bin
export PATH

# confirm existance/executability of ssl command
if ! [ -x ${SSL_CMD} ]
then
    echo "${0}: rehashing skipped ('openssl' program not available)" >&2
    exit 0
fi

# determine which directories to process
old_IFS=$IFS
if [ ${#} -gt 0 ]
then
    IFS=':'
    DIRLIST=${*}
elif [ -n "${SSL_CERT_DIR}" ]
then
    DIRLIST=$SSL_CERT_DIR
else
    DIRLIST=${DIR}/certs
fi

IFS=':'

# process directories
for CERT_DIR in ${DIRLIST}
do
    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
    then
        IFS=$old_IFS
        hash_dir ${CERT_DIR}
        IFS=':'
    fi
done
1	#!/bin/sh
2	#
3	# Ben Secrest <blsecres@gmail.com>
4	#
5	# sh c_rehash script, scan all files in a directory
6	# and add symbolic links to their hash values.
7	#
8	# based on the c_rehash perl script distributed with openssl
9	#
10	# LICENSE: See OpenSSL license
11	# ^^acceptable?^^
12	#
13	# see: http://cvs.pld-linux.org/cgi-bin/viewvc.cgi/cvs/packages/openssl/openssl-c_rehash.sh?view=log
14	#
15
16	# default certificate location
17	DIR=/etc/openssl
18
19	# for filetype bitfield
20	IS_CERT=$(( 1 << 0 ))
21	IS_CRL=$(( 1 << 1 ))
22
23
24	# check to see if a file is a certificate file or a CRL file
25	# arguments:
26	# 1. the filename to be scanned
27	# returns:
28	# bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
29	#
30	check_file()
31	{
32	local IS_TYPE=0
33
34	# make IFS a newline so we can process grep output line by line
35	local OLDIFS=${IFS}
36	IFS=$( printf "\n" )
37
38	# XXX: could be more efficient to have two 'grep -m' but is -m portable?
39	for LINE in $( grep '^-----BEGIN .*-----' ${1} )
40	do
41	if echo ${LINE} \
42	\| grep -q -E '^-----BEGIN (X509 \|TRUSTED )?CERTIFICATE-----'
43	then
44	IS_TYPE=$(( ${IS_TYPE} \| ${IS_CERT} ))
45
46	if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
47	then
48	break
49	fi
50	elif echo ${LINE} \| grep -q '^-----BEGIN X509 CRL-----'
51	then
52	IS_TYPE=$(( ${IS_TYPE} \| ${IS_CRL} ))
53
54	if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
55	then
56	break
57	fi
58	fi
59	done
60
61	# restore IFS
62	IFS=${OLDIFS}
63
64	return ${IS_TYPE}
65	}
66
67
68	#
69	# use openssl to fingerprint a file
70	# arguments:
71	# 1. the filename to fingerprint
72	# 2. the method to use (x509, crl)
73	# returns:
74	# none
75	# assumptions:
76	# user will capture output from last stage of pipeline
77	#
78	fingerprint()
79	{
80	${SSL_CMD} ${2} -fingerprint -noout -in ${1} \| sed 's/^.*=//' \| tr -d ':'
81	}
82
83
84	#
85	# link_hash - create links to certificate files
86	# arguments:
87	# 1. the filename to create a link for
88	# 2. the type of certificate being linked (x509, crl)
89	# returns:
90	# 0 on success, 1 otherwise
91	#
92	link_hash()
93	{
94	local FINGERPRINT=$( fingerprint ${1} ${2} )
95	local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
96	local SUFFIX=0
97	local LINKFILE=''
98	local TAG=''
99
100	if [ ${2} = "crl" ]
101	then
102	TAG='r'
103	fi
104
105	LINKFILE=${HASH}.${TAG}${SUFFIX}
106
107	while [ -f ${LINKFILE} ]
108	do
109	if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
110	then
111	echo "WARNING: Skipping duplicate file ${1}" >&2
112	return 1
113	fi
114
115	SUFFIX=$(( ${SUFFIX} + 1 ))
116	LINKFILE=${HASH}.${TAG}${SUFFIX}
117	done
118
119	echo "${1} => ${LINKFILE}"
120
121	# assume any system with a POSIX shell will either support symlinks or
122	# do something to handle this gracefully
123	ln -s ${1} ${LINKFILE}
124
125	return 0
126	}
127
128
129	# hash_dir create hash links in a given directory
130	hash_dir()
131	{
132	echo "Doing ${1}"
133
134	cd ${1}
135
136	ls -1 * 2>/dev/null \| while read FILE
137	do
138	if echo ${FILE} \| grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
139	&& [ -h "${FILE}" ]
140	then
141	rm ${FILE}
142	fi
143	done
144
145	ls -1 *.pem 2>/dev/null \| while read FILE
146	do
147	check_file ${FILE}
148	local FILE_TYPE=${?}
149	local TYPE_STR=''
150
151	if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
152	then
153	TYPE_STR='x509'
154	elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
155	then
156	TYPE_STR='crl'
157	else
158	echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
159	continue
160	fi
161
162	link_hash ${FILE} ${TYPE_STR}
163	done
164	}
165
166
167	# choose the name of an ssl application
168	if [ -n "${OPENSSL}" ]
169	then
170	SSL_CMD=$(which ${OPENSSL} 2>/dev/null)
171	else
172	SSL_CMD=/usr/bin/openssl
173	OPENSSL=${SSL_CMD}
174	export OPENSSL
175	fi
176
177	# fix paths
178	PATH=${PATH}:${DIR}/bin
179	export PATH
180
181	# confirm existance/executability of ssl command
182	if ! [ -x ${SSL_CMD} ]
183	then
184	echo "${0}: rehashing skipped ('openssl' program not available)" >&2
185	exit 0
186	fi
187
188	# determine which directories to process
189	old_IFS=$IFS
190	if [ ${#} -gt 0 ]
191	then
192	IFS=':'
193	DIRLIST=${*}
194	elif [ -n "${SSL_CERT_DIR}" ]
195	then
196	DIRLIST=$SSL_CERT_DIR
197	else
198	DIRLIST=${DIR}/certs
199	fi
200
201	IFS=':'
202
203	# process directories
204	for CERT_DIR in ${DIRLIST}
205	do
206	if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
207	then
208	IFS=$old_IFS
209	hash_dir ${CERT_DIR}
210	IFS=':'
211	fi
212	done