tools/c_rehash.in

   1 #!/usr/local/bin/perl
   2
   3
   4 # Perl c_rehash script, scan all files in a directory
   5 # and add symbolic links to their hash values.
   6
   7 my $openssl;
   8
   9 my $dir;
  10 my $prefix;
  11
  12 if(defined $ENV{OPENSSL}) {
  13         $openssl = $ENV{OPENSSL};
  14 } else {
  15         $openssl = "openssl";
  16         $ENV{OPENSSL} = $openssl;
  17 }
  18
  19 $ENV{PATH} .= ":$dir/bin";
  20
  21 if(! -x $openssl) {
  22         my $found = 0;
  23         foreach (split /:/, $ENV{PATH}) {
  24                 if(-x "$_/$openssl") {
  25                         $found = 1;
  26                         last;
  27                 }
  28         }
  29         if($found == 0) {
  30                 print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
  31                 exit 0;
  32         }
  33 }
  34
  35 if(@ARGV) {
  36         @dirlist = @ARGV;
  37 } elsif($ENV{SSL_CERT_DIR}) {
  38         @dirlist = split /:/, $ENV{SSL_CERT_DIR};
  39 } else {
  40         $dirlist[0] = "$dir/certs";
  41 }
  42
  43
  44 foreach (@dirlist) {
  45         if(-d $_ and -w $_) {
  46                 hash_dir($_);
  47         }
  48 }
  49
  50 sub hash_dir {
  51         my %hashlist;
  52         print "Doing $_[0]\n";
  53         chdir $_[0];
  54         opendir(DIR, ".");
  55         my @flist = readdir(DIR);
  56         # Delete any existing symbolic links
  57         foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
  58                 if(-l $_) {
  59                         unlink $_;
  60                 }
  61         }
  62         closedir DIR;
  63         FILE: foreach $fname (grep {/\.pem$/} @flist) {
  64                 # Check to see if certificates and/or CRLs present.
  65                 my ($cert, $crl) = check_file($fname);
  66                 if(!$cert && !$crl) {
  67                         print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
  68                         next;
  69                 }
  70                 link_hash_cert($fname) if($cert);
  71                 link_hash_crl($fname) if($crl);
  72         }
  73 }
  74
  75 sub check_file {
  76         my ($is_cert, $is_crl) = (0,0);
  77         my $fname = $_[0];
  78         open IN, $fname;
  79         while(<IN>) {
  80                 if(/^-----BEGIN (.*)-----/) {
  81                         my $hdr = $1;
  82                         if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
  83                                 $is_cert = 1;
  84                                 last if($is_crl);
  85                         } elsif($hdr eq "X509 CRL") {
  86                                 $is_crl = 1;
  87                                 last if($is_cert);
  88                         }
  89                 }
  90         }
  91         close IN;
  92         return ($is_cert, $is_crl);
  93 }
  94
  95
  96 # Link a certificate to its subject name hash value, each hash is of
  97 # the form <hash>.<n> where n is an integer. If the hash value already exists
  98 # then we need to up the value of n, unless its a duplicate in which
  99 # case we skip the link. We check for duplicates by comparing the
 100 # certificate fingerprints
 101
 102 sub link_hash_cert {
 103                 my $fname = $_[0];
 104                 $fname =~ s/'/'\\''/g;
 105                 my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
 106                 chomp $hash;
 107                 chomp $fprint;
 108                 $fprint =~ s/^.*=//;
 109                 $fprint =~ tr/://d;
 110                 my $suffix = 0;
 111                 # Search for an unused hash filename
 112                 while(exists $hashlist{"$hash.$suffix"}) {
 113                         # Hash matches: if fingerprint matches its a duplicate cert
 114                         if($hashlist{"$hash.$suffix"} eq $fprint) {
 115                                 print STDERR "WARNING: Skipping duplicate certificate $fname\n";
 116                                 return;
 117                         }
 118                         $suffix++;
 119                 }
 120                 $hash .= ".$suffix";
 121                 print "$fname => $hash\n";
 122                 $symlink_exists=eval {symlink("",""); 1};
 123                 if ($symlink_exists) {
 124                         symlink $fname, $hash;
 125                 } else {
 126                         system ("cp", $fname, $hash);
 127                 }
 128                 $hashlist{$hash} = $fprint;
 129 }
 130
 131 # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
 132
 133 sub link_hash_crl {
 134                 my $fname = $_[0];
 135                 $fname =~ s/'/'\\''/g;
 136                 my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
 137                 chomp $hash;
 138                 chomp $fprint;
 139                 $fprint =~ s/^.*=//;
 140                 $fprint =~ tr/://d;
 141                 my $suffix = 0;
 142                 # Search for an unused hash filename
 143                 while(exists $hashlist{"$hash.r$suffix"}) {
 144                         # Hash matches: if fingerprint matches its a duplicate cert
 145                         if($hashlist{"$hash.r$suffix"} eq $fprint) {
 146                                 print STDERR "WARNING: Skipping duplicate CRL $fname\n";
 147                                 return;
 148                         }
 149                         $suffix++;
 150                 }
 151                 $hash .= ".r$suffix";
 152                 print "$fname => $hash\n";
 153                 $symlink_exists=eval {symlink("",""); 1};
 154                 if ($symlink_exists) {
 155                         symlink $fname, $hash;
 156                 } else {
 157                         system ("cp", $fname, $hash);
 158                 }
 159                 $hashlist{$hash} = $fprint;
 160 }
 161