1 #!/bin/sh
2 #
3 # Ben Secrest <blsecres@gmail.com>
4 #
5 # sh c_rehash script, scan all files in a directory
6 # and add symbolic links to their hash values.
7 #
8 # based on the c_rehash perl script distributed with openssl
9 #
10 # LICENSE: See OpenSSL license
11 # ^^acceptable?^^
12 #
13
# Base OpenSSL directory: ${DIR}/certs is the fallback certificate
# directory and ${DIR}/bin is appended to PATH later in the script.
DIR='/etc/openssl'

# Bit flags combined into the file-type value returned by check_file.
IS_CERT=1    # bit 0: file holds at least one certificate
IS_CRL=2     # bit 1: file holds at least one CRL
20
21
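# check_file - check whether a file is a certificate file or a CRL file
# arguments:
#   1. the filename to be scanned
# returns:
#   bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
#   (0 when neither PEM marker is found or the file cannot be read)
#
check_file()
{
    local IS_TYPE=0
    local LINE=''

    # Read the file line by line instead of word-splitting grep output.
    # The earlier IFS=$( printf "\n" ) left IFS empty (command substitution
    # strips the trailing newline), so the loop body ran once over the whole
    # grep output and a CRL that followed a certificate was never recorded.
    # Feeding the file through a redirection also means a name containing
    # spaces, glob characters or a leading '-' is never split or parsed as
    # an option.
    while IFS= read -r LINE || [ -n "${LINE}" ]
    do
        case "${LINE}" in
            '-----BEGIN CERTIFICATE-----'* \
            | '-----BEGIN X509 CERTIFICATE-----'* \
            | '-----BEGIN TRUSTED CERTIFICATE-----'*)
                IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
                ;;
            '-----BEGIN X509 CRL-----'*)
                IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
                ;;
        esac

        # both kinds have been seen; the rest of the file adds nothing
        if [ "${IS_TYPE}" -eq $(( ${IS_CERT} | ${IS_CRL} )) ]
        then
            break
        fi
    done < "${1}"

    return ${IS_TYPE}
}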
64
65
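#
# fingerprint - use openssl to fingerprint a file
# arguments:
#   1. the filename to fingerprint
#   2. the method to use (x509, crl)
# returns:
#   exit status of the last pipeline stage (tr); a failure of the openssl
#   stage shows up only as empty output
# output:
#   the fingerprint on stdout, with everything up to the last '=' and all
#   ':' separators removed
# assumptions:
#   user will capture output from last stage of pipeline
#
fingerprint()
{
    # Every expansion is quoted so that a file name with whitespace or glob
    # characters reaches openssl as a single -in argument.
    "${SSL_CMD}" "${2}" -fingerprint -noout -in "${1}" \
        | sed 's/^.*=//' \
        | tr -d ':'
}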
80
81
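#
# link_hash - create links to certificate files
# arguments:
#   1. the filename to create a link for
#   2. the type of certificate being linked (x509, crl)
# returns:
#   0 on success, 1 otherwise (duplicate file, openssl produced no usable
#   hash or fingerprint, or the link could not be created)
# notes:
#   the link is created in the current directory as <hash>.<n> for
#   certificates and <hash>.r<n> for CRLs, with <n> the first free suffix
#
link_hash()
{
    local FINGERPRINT=''
    local HASH=''
    local SUFFIX=0
    local LINKFILE=''
    local TAG=''

    # Assignment is kept apart from 'local' so an openssl failure is not
    # masked by the always-successful 'local' builtin.
    HASH=$( "${SSL_CMD}" "${2}" -hash -noout -in "${1}" ) || HASH=''

    # The hash becomes a file name, so refuse anything that is empty or not
    # purely hexadecimal instead of creating a link such as ".0".
    case "${HASH}" in
        '' | *[!0-9a-fA-F]*)
            echo "WARNING: Could not hash ${1}: skipping" >&2
            return 1
            ;;
    esac

    FINGERPRINT=$( fingerprint "${1}" "${2}" )
    if [ -z "${FINGERPRINT}" ]
    then
        # an empty fingerprint would compare equal to any other failure
        echo "WARNING: Could not fingerprint ${1}: skipping" >&2
        return 1
    fi

    if [ "${2}" = "crl" ]
    then
        TAG='r'
    fi

    LINKFILE=${HASH}.${TAG}${SUFFIX}

    # walk the suffixes until a free slot is found; an existing entry with
    # the same fingerprint means this file is a duplicate
    while [ -f "${LINKFILE}" ]
    do
        if [ "${FINGERPRINT}" = "$( fingerprint "${LINKFILE}" "${2}" )" ]
        then
            echo "WARNING: Skipping duplicate file ${1}" >&2
            return 1
        fi

        SUFFIX=$(( ${SUFFIX} + 1 ))
        LINKFILE=${HASH}.${TAG}${SUFFIX}
    done

    echo "${1} => ${LINKFILE}"

    # assume any system with a POSIX shell will either support symlinks or
    # do something to handle this gracefully; '--' keeps a file name that
    # starts with '-' from being read as an option
    ln -s -- "${1}" "${LINKFILE}" || return 1

    return 0
}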
125
126
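#
# hash_dir - create hash links in a given directory
# arguments:
#   1. the directory to process
# returns:
#   1 if the directory cannot be entered, otherwise the status of the last
#   command run while linking
# notes:
#   existing hash symlinks (8 hex digits, '.', optional 'r', digits) are
#   removed first, then every *.pem *.cer *.crt *.crl entry is classified
#   with check_file and linked with link_hash
#
hash_dir()
{
    local FILE=''
    local FILE_TYPE=0
    local TYPE_STR=''

    echo "Doing ${1}"

    # Work in a subshell so the caller's working directory is untouched and
    # later relative directories still resolve from the original location.
    (
        # Stop if the directory cannot be entered: carrying on would remove
        # hash-named symlinks from whatever directory we happen to be in.
        cd -- "${1}" || exit 1

        # Glob instead of parsing 'ls' output, so names with whitespace or a
        # leading '-' are handled as-is and subdirectory contents are not
        # mixed into the list.
        for FILE in *
        do
            # only symlinks are ever removed; regular files are left alone
            [ -h "${FILE}" ] || continue

            if printf '%s\n' "${FILE}" \
                | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$'
            then
                rm -f -- "${FILE}"
            fi
        done

        for FILE in *.pem *.cer *.crt *.crl
        do
            # a pattern with no match stays literal; skip it
            [ -e "${FILE}" ] || [ -h "${FILE}" ] || continue

            check_file "${FILE}"
            FILE_TYPE=${?}
            TYPE_STR=''

            if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
            then
                TYPE_STR='x509'
            elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
            then
                TYPE_STR='crl'
            else
                echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2
                continue
            fi

            link_hash "${FILE}" "${TYPE_STR}"
        done
    )
}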
163
164
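# choose the name of an ssl application
# NOTE(review): OPENSSL and SSL_CERT_DIR are taken from the environment and
# decide which binary is executed and which directories are rewritten; run
# with a sanitized environment when this script is invoked with privileges.
if [ -n "${OPENSSL}" ]
then
    # command -v is the POSIX lookup; 'which' is an optional external tool
    SSL_CMD=$( command -v "${OPENSSL}" 2>/dev/null )
else
    SSL_CMD=/usr/bin/openssl
    OPENSSL=${SSL_CMD}
    export OPENSSL
fi

# fix paths
PATH=${PATH}:${DIR}/bin
export PATH

# confirm existence/executability of ssl command
# The quotes matter: with an empty SSL_CMD an unquoted test collapses to
# '[ -x ]', which is true, and the script would carry on without openssl.
if ! [ -x "${SSL_CMD}" ]
then
    echo "${0}: rehashing skipped ('openssl' program not available)" >&2
    exit 0
fi

# determine which directories to process
old_IFS=$IFS
if [ ${#} -gt 0 ]
then
    # join all arguments with ':' so they share one code path with
    # SSL_CERT_DIR, which is already a ':'-separated list
    IFS=':'
    DIRLIST="${*}"
elif [ -n "${SSL_CERT_DIR}" ]
then
    DIRLIST=$SSL_CERT_DIR
else
    DIRLIST=${DIR}/certs
fi

IFS=':'

# process directories
# ${DIRLIST} is left unquoted on purpose so it splits on ':'; globbing is
# switched off while the list is expanded so a directory name containing
# '*' or '?' is not expanded into other paths.
set -f
for CERT_DIR in ${DIRLIST}
do
    # the word list is already expanded; hash_dir needs globbing back on
    set +f

    if [ -d "${CERT_DIR}" ] && [ -w "${CERT_DIR}" ]
    then
        IFS=$old_IFS
        hash_dir "${CERT_DIR}"
        IFS=':'
    fi
done
set +f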