Merge pull request #80 from floatingatoll/cacerts_logic

Replace CACERTS env logic with --cafile parameter.
2024-11-04 15:03:41 +01:00 · 2015-09-18 09:35:06 -04:00 · 2015-09-18 09:35:06 -04:00 · 5e2b12d940
commit 5e2b12d940
parent b951fd5588 6adda69af5
1 changed files with 33 additions and 14 deletions
--- a/47
+++ b/47
@ -104,19 +104,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
    export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi

-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
-    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
-        if [[ -e "$f" ]]; then
-            CACERTS="$f"
-            break
-        fi
-    done
-fi
-if [[ ! -e "$CACERTS" ]]; then
-    CACERTS="$DIRNAMEPATH/ca-bundle.crt"
-fi
-
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -194,7 +181,6 @@ OUTPUTFORMAT="terminal"
 TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
-CAPATH=""
 SAVECRT=""
 TEST_CURVES="True"
 has_curves="False"
@ -1363,6 +1349,12 @@ do
            DELAY=$2
            shift 2
            ;;
+        --cafile)
+            CACERTS="$2"
+            shift 2
+            # We need to bypass autodetection if this is provided.
+            CACERTS_ARG_SET=1
+            ;;
        --capath)
            CAPATH="$2"
            shift 2
@ -1398,6 +1390,11 @@ do
    esac
 done

+if [[ -n $CAPATH && -n $CACERTS ]]; then
+    echo "Both directory and file with CA certificates specified" 1>&2
+    exit 1
+fi
+
 # echo parameters left: $@

 TEMPTARGET=$(sed -e 's/^.* //'<<<"${@}")
@ -1430,6 +1427,28 @@ if [[ $TEST_CURVES == "True" ]]; then
    fi
 fi

+if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
+    # find a list of trusted CAs on the local system, or use the provided list
+    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
+        if [[ -e "$f" ]]; then
+            CACERTS="$f"
+            break
+        fi
+    done
+    if [[ ! -e "$CACERTS" ]]; then
+        CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+    fi
+fi
+if ! [[ -e $CACERTS && -r $CACERTS ]]; then
+    echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
+    exit 1
+fi
+
+if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
+    echo "--capath $CAPATH is not a directory, aborting." 1>&2
+    exit 1
+fi
+
 if [[ $VERBOSE != 0 ]] ; then
    [[ -n "$CACERTS" ]] && echo "Using trust anchors from $CACERTS"
    echo "Loading $($OPENSSLBIN ciphers -v $CIPHERSUITE 2>/dev/null|grep Kx|wc -l) ciphersuites from $(echo -n $($OPENSSLBIN version 2>/dev/null))"