2
0
mirror of https://github.com/mozilla/cipherscan.git synced 2024-11-25 15:33:41 +01:00
cipherscan/top1m/make_ca_files.sh

105 lines
3.0 KiB
Bash
Raw Normal View History

#!/usr/bin/env bash
if [[ ${1,,} == "-h" ]] || [[ ${1,,} == "-help" ]] || \
[[ ${1,,} == "-help" ]] || [[ ${#} -lt 1 ]]; then
echo "Usage: ${0} certs_dir [target_dir]"
echo "Create an OpenSSL -CApath compatible dir with intermediate certificates"
echo "using a set of potentially untrusted intermediate CA certificates"
echo "and trusted, root CAs"
echo
echo " certs_dir - Directory containing untrusted certificates to test"
echo " one certificate per file, in PEM format"
echo " target_dir - where to create the -CApath directory,"
echo " \`ca_files' by default"
echo
echo "Script expects make_ca_trusted.sh in same directory as it is"
if [[ ${#} -lt 1 ]]; then
exit 1
else
exit 0
fi
fi
UNTRUSTED="$1"
DIR="${2:-ca_files}"
# search for make_ca_trusted.sh
MAKE_CA_TRUSTED="$(dirname $0)/make_ca_trusted.sh"
if [ ! -x $MAKE_CA_TRUSTED ]; then
echo "$MAKE_CA_TRUSTED not executable or missing" >&2
fi
# search for openssl
for f in "$(dirname $0)/openssl" \
"$(dirname $0)/../openssl" \
"$(which openssl 2>/dev/null)"; do
if [ -x "$f" ]; then
OPENSSL="$f"
break
fi
done
if [ ! -x "$OPENSSL" ]; then
echo "openssl not found!" >&2
return 1
fi
# create a directory with initial trust anchors
"${MAKE_CA_TRUSTED}" "${DIR}"
pushd "${DIR}" >/dev/null
# find CA certificates in untrusted certs directory
unset CA_FILES
declare -a CA_FILES
CA_FILES=()
for file in "${UNTRUSTED}"/*; do
if ${OPENSSL} x509 -in "$file" -noout -text 2>/dev/null | \
grep -q 'CA:TRUE'; then
CA_FILES+=("$file")
fi
done
echo "CA's found: ${#CA_FILES[@]}"
files_added=0
# check which CA files are actually trusted, add them to the directory
cont="True"
while [[ $cont == "True" ]]; do
cont="False"
for file_id in "${!CA_FILES[@]}"; do
file="${CA_FILES[$file_id]}"
# making an "untrusted" file and using it to verify certificates
# ends up taking much more time (6m vs 2m for 2500 certs)
if ${OPENSSL} verify -CApath . -trusted_first\
"$file" 2>/dev/null | grep -q ': OK$'; then
unset CA_FILES[$file_id]
c_sha256hash=($(${OPENSSL} x509 -in "$file" -outform DER 2>/dev/null | \
${OPENSSL} dgst -sha256 -r 2>/dev/null))
if [ -e "${c_sha256hash}.pem" ]; then
continue
fi
cp "$file" "${c_sha256hash}.pem"
files_added=$((files_added+1))
cont="True"
c_hash=$(${OPENSSL} x509 -in "$file" -noout -hash 2>/dev/null)
for ((i=0; i<=100; i++)); do
if [[ ${c_hash}.$i -ef ${c_sha256hash}.pem ]]; then
# already linked, skip
break
fi
if [[ ! -e ${c_hash}.$i ]]; then
ln -s "${c_sha256hash}.pem" "${c_hash}.$i"
break
fi
done
fi
done
done
echo "CAs added: $files_added"
popd >/dev/null