mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-05 15:33:42 +01:00
105 lines
3.0 KiB
Bash
105 lines
3.0 KiB
Bash
|
#!/bin/bash
|
||
|
|
|
||
|
|
if [[ ${1,,} == "-h" ]] || [[ ${1,,} == "-help" ]] || \
|
||
|
|
[[ ${1,,} == "-help" ]] || [[ ${#} -lt 1 ]]; then
|
||
|
|
echo "Usage: ${0} certs_dir [target_dir]"
|
||
|
|
echo "Create an OpenSSL -CApath compatible dir with intermediate certificates"
|
||
|
|
echo "using a set of potentially untrusted intermediate CA certificates"
|
||
|
|
echo "and trusted, root CAs"
|
||
|
|
echo
|
||
|
|
echo " certs_dir - Directory containing untrusted certificates to test"
|
||
|
|
echo " one certificate per file, in PEM format"
|
||
|
|
echo " target_dir - where to create the -CApath directory,"
|
||
|
|
echo " \`ca_files' by default"
|
||
|
|
echo
|
||
|
|
echo "Script expects make_ca_trusted.sh in same directory as it is"
|
||
|
|
if [[ ${#} -lt 1 ]]; then
|
||
|
|
exit 1
|
||
|
|
else
|
||
|
|
exit 0
|
||
|
|
fi
|
||
|
|
fi
|
||
|
|
|
||
|
|
UNTRUSTED="$1"
|
||
|
|
DIR="${2:-ca_files}"
|
||
|
|
|
||
|
|
# search for make_ca_trusted.sh
|
||
|
|
MAKE_CA_TRUSTED="$(dirname $0)/make_ca_trusted.sh"
|
||
|
|
if [ ! -x $MAKE_CA_TRUSTED ]; then
|
||
|
|
echo "$MAKE_CA_TRUSTED not executable or missing" >&2
|
||
|
|
fi
|
||
|
|
|
||
|
|
# search for openssl
|
||
|
|
for f in "$(dirname $0)/openssl" \
|
||
|
|
"$(dirname $0)/../openssl" \
|
||
|
|
"$(which openssl 2>/dev/null)"; do
|
||
|
|
if [ -x "$f" ]; then
|
||
|
|
OPENSSL="$f"
|
||
|
|
break
|
||
|
|
fi
|
||
|
|
done
|
||
|
|
if [ ! -x "$OPENSSL" ]; then
|
||
|
|
echo "openssl not found!" >&2
|
||
|
|
return 1
|
||
|
|
fi
|
||
|
|
|
||
|
|
# create a directory with initial trust anchors
|
||
|
|
"${MAKE_CA_TRUSTED}" "${DIR}"
|
||
|
|
|
||
|
|
pushd "${DIR}" >/dev/null
|
||
|
|
|
||
|
|
# find CA certificates in untrusted certs directory
|
||
|
|
unset CA_FILES
|
||
|
|
declare -a CA_FILES
|
||
|
|
CA_FILES=()
|
||
|
|
for file in "${UNTRUSTED}"/*; do
|
||
|
|
if ${OPENSSL} x509 -in "$file" -noout -text 2>/dev/null | \
|
||
|
|
grep -q 'CA:TRUE'; then
|
||
|
|
CA_FILES+=("$file")
|
||
|
|
fi
|
||
|
|
done
|
||
|
|
echo "CA's found: ${#CA_FILES[@]}"
|
||
|
|
|
||
|
|
files_added=0
|
||
|
|
# check which CA files are actually trusted, add them to the directory
|
||
|
|
cont="True"
|
||
|
|
while [[ $cont == "True" ]]; do
|
||
|
|
cont="False"
|
||
|
|
for file_id in "${!CA_FILES[@]}"; do
|
||
|
|
file="${CA_FILES[$file_id]}"
|
||
|
|
# making an "untrusted" file and using it to verify certificates
|
||
|
|
# ends up taking much more time (6m vs 2m for 2500 certs)
|
||
|
|
if ${OPENSSL} verify -CApath . -trusted_first\
|
||
|
|
"$file" 2>/dev/null | grep -q ': OK$'; then
|
||
|
|
|
||
|
|
unset CA_FILES[$file_id]
|
||
|
|
|
||
|
|
c_sha256hash=($(${OPENSSL} x509 -in "$file" -outform DER 2>/dev/null | \
|
||
|
|
${OPENSSL} dgst -sha256 -r 2>/dev/null))
|
||
|
|
if [ -e "${c_sha256hash}.pem" ]; then
|
||
|
|
continue
|
||
|
|
fi
|
||
|
|
|
||
|
|
cp "$file" "${c_sha256hash}.pem"
|
||
|
|
files_added=$((files_added+1))
|
||
|
|
cont="True"
|
||
|
|
|
||
|
|
c_hash=$(${OPENSSL} x509 -in "$file" -noout -hash 2>/dev/null)
|
||
|
|
|
||
|
|
for ((i=0; i<=100; i++)); do
|
||
|
|
if [[ ${c_hash}.$i -ef ${c_sha256hash}.pem ]]; then
|
||
|
|
# already linked, skip
|
||
|
|
break
|
||
|
|
fi
|
||
|
|
if [[ ! -e ${c_hash}.$i ]]; then
|
||
|
|
ln -s "${c_sha256hash}.pem" "${c_hash}.$i"
|
||
|
|
break
|
||
|
|
fi
|
||
|
|
done
|
||
|
|
fi
|
||
|
|
done
|
||
|
|
done
|
||
|
|
echo "CAs added: $files_added"
|
||
|
|
|
||
|
|
popd >/dev/null
|