Revise CACERTS autodetection logic, ensure that CACERTS/CAPATH is readable/directory, add undocumented CAPATH env override.

This takes advantage of the new --cafile logic to avoid running CACERTS autodetection when a file is provided on the command line. It then ensures the readability of that file, whether provided or autodetected. This also adds an undocumented CAPATH environment variable alternative to --capath, to go along with the existing undocumented CACERTS environment variable alternative to --cafile, to provide legacy support for preexisting users.
2024-11-04 23:13:41 +01:00 · 2015-09-05 00:37:44 -07:00 · 2015-09-05 00:37:44 -07:00 · 6adda69af5
commit 6adda69af5
parent 5dc692566a
1 changed files with 15 additions and 6 deletions
--- a/21
+++ b/21
@ -54,7 +54,6 @@ if [[ -e $DIRNAMEPATH/openssl.cnf ]]; then
    export OPENSSL_CONF="$DIRNAMEPATH/openssl.cnf"
 fi

-CACERTS=""
 # RSA ciphers are put at the end to force Google servers to accept ECDSA ciphers
 # (probably a result of a workaround for the bug in Apple implementation of ECDSA)
 CIPHERSUITE="ALL:COMPLEMENTOFALL:+aRSA"
@ -132,7 +131,6 @@ OUTPUTFORMAT="terminal"
 TIMEOUT=30
 # place where to put the found intermediate CA certificates and where
 # trust anchors are stored
-CAPATH=""
 SAVECRT=""
 TEST_CURVES="False"
 has_curves="False"
@ -1304,6 +1302,8 @@ do
        --cafile)
            CACERTS="$2"
            shift 2
+            # We need to bypass autodetection if this is provided.
+            CACERTS_ARG_SET=1
            ;;
        --capath)
            CAPATH="$2"
@ -1377,17 +1377,26 @@ if [[ $TEST_CURVES == "True" ]]; then
    fi
 fi

-# find a list of trusted CAs on the local system, or use the provided list
-if [[ -z "$CACERTS" ]]; then
+if [[ -z $CACERTS ]] && ! [[ -n $CACERTS_ARG_SET ]]; then
+    # find a list of trusted CAs on the local system, or use the provided list
    for f in /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt; do
        if [[ -e "$f" ]]; then
            CACERTS="$f"
            break
        fi
    done
+    if [[ ! -e "$CACERTS" ]]; then
+        CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+    fi
 fi
-if [[ ! -e "$CACERTS" ]]; then
-    CACERTS="$DIRNAMEPATH/ca-bundle.crt"
+if ! [[ -e $CACERTS && -r $CACERTS ]]; then
+    echo "--cafile $CACERTS is not a readable file, aborting." 1>&2
+    exit 1
+fi
+
+if [[ -n $CAPATH ]] && ! [[ -d $CAPATH ]]; then
+    echo "--capath $CAPATH is not a directory, aborting." 1>&2
+    exit 1
 fi

 if [[ $VERBOSE != 0 ]] ; then