scripts to create CApath directories with roots or intermediaries

In case the user has a set of certificates *and* intermediaries,
it is necessary to prime both the `ca_trusted` directory and the
`ca_files` directories with respectively all root CA's and
all CA's (root or intermediate)

top1m/make_ca_files.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+
+if [[ ${1,,} == "-h" ]] || [[ ${1,,} == "-help" ]] || \
+    [[ ${1,,} == "-help" ]] || [[ ${#} -lt 1 ]]; then
+    echo "Usage: ${0} certs_dir [target_dir]"
+    echo "Create an OpenSSL -CApath compatible dir with intermediate certificates"
+    echo "using a set of potentially untrusted intermediate CA certificates"
+    echo "and trusted, root CAs"
+    echo
+    echo " certs_dir    - Directory containing untrusted certificates to test"
+    echo "                one certificate per file, in PEM format"
+    echo " target_dir   - where to create the -CApath directory,"
+    echo "                \`ca_files' by default"
+    echo
+    echo "Script expects make_ca_trusted.sh in same directory as it is"
+    if [[ ${#} -lt 1 ]]; then
+        exit 1
+    else
+        exit 0
+    fi
+fi
+
+UNTRUSTED="$1"
+DIR="${2:-ca_files}"
+
+# search for make_ca_trusted.sh
+MAKE_CA_TRUSTED="$(dirname $0)/make_ca_trusted.sh"
+if [ ! -x $MAKE_CA_TRUSTED ]; then
+    echo "$MAKE_CA_TRUSTED not executable or missing" >&2
+fi
+
+# search for openssl
+for f in "$(dirname $0)/openssl" \
+         "$(dirname $0)/../openssl" \
+         "$(which openssl 2>/dev/null)"; do
+    if [ -x "$f" ]; then
+        OPENSSL="$f"
+        break
+    fi
+done
+if [ ! -x "$OPENSSL" ]; then
+    echo "openssl not found!" >&2
+    return 1
+fi
+
+# create a directory with initial trust anchors
+"${MAKE_CA_TRUSTED}" "${DIR}"
+
+pushd "${DIR}" >/dev/null
+
+# find CA certificates in untrusted certs directory
+unset CA_FILES
+declare -a CA_FILES
+CA_FILES=()
+for file in "${UNTRUSTED}"/*; do
+    if ${OPENSSL} x509 -in "$file" -noout -text 2>/dev/null | \
+            grep -q 'CA:TRUE'; then
+        CA_FILES+=("$file")
+    fi
+done
+echo "CA's found: ${#CA_FILES[@]}"
+
+files_added=0
+# check which CA files are actually trusted, add them to the directory
+cont="True"
+while [[ $cont == "True" ]]; do
+    cont="False"
+    for file_id in "${!CA_FILES[@]}"; do
+        file="${CA_FILES[$file_id]}"
+        # making an "untrusted" file and using it to verify certificates
+        # ends up taking much more time (6m vs 2m for 2500 certs)
+        if ${OPENSSL} verify -CApath . -trusted_first\
+                "$file" 2>/dev/null | grep -q ': OK$'; then
+
+            unset CA_FILES[$file_id]
+
+            c_sha256hash=($(${OPENSSL} x509 -in "$file" -outform DER 2>/dev/null | \
+                ${OPENSSL} dgst -sha256 -r 2>/dev/null))
+            if [ -e "${c_sha256hash}.pem" ]; then
+                continue
+            fi
+
+            cp "$file" "${c_sha256hash}.pem"
+            files_added=$((files_added+1))
+            cont="True"
+
+            c_hash=$(${OPENSSL} x509 -in "$file" -noout -hash 2>/dev/null)
+
+            for ((i=0; i<=100; i++)); do
+                if [[ ${c_hash}.$i -ef ${c_sha256hash}.pem ]]; then
+                    # already linked, skip
+                    break
+                fi
+                if [[ ! -e ${c_hash}.$i ]]; then
+                    ln -s "${c_sha256hash}.pem" "${c_hash}.$i"
+                    break
+                fi
+            done
+        fi
+    done
+done
+echo "CAs added: $files_added"
+
+popd >/dev/null

top1m/make_ca_trusted.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+
+if [[ ${1,,} == "-h" ]] || [[ ${1,,} == "-help" ]] || \
+    [[ ${1,,} == "--help" ]]; then
+    echo "Usage: $0 [dir_name]"
+    echo "Convert the system default trust store into an OpenSSL -CApath"
+    echo "compatible dir"
+    echo
+    echo "dir_name - name of the directory in which the certificates will be"
+    echo "           placed, \`ca_trusted' by default"
+    exit 0
+fi
+
+DIR="${1:-ca_trusted}"
+
+# sanity check the target directory
+if [[ -e $DIR ]] && [[ ! -d $DIR ]]; then
+    echo "$DIR must either not exist or be a directory!" >&2
+    exit 1
+fi
+
+# prepare directory
+if [[ ! -e $DIR ]]; then
+    mkdir "$DIR"
+    if [ $? -ne 0 ]; then
+        echo "mkdir failed, check your privileges" >&2
+        return 1
+    fi
+fi
+
+pushd "$DIR" >/dev/null
+
+# search for trust anchors
+for f in "${CACERTS}" \
+         /etc/pki/tls/certs/ca-bundle.crt \
+         /etc/ssl/certs/ca-certificates.crt \
+         "$(dirname $0)/../ca-bundle.crt" \
+         "$(dirname $0)/../../ca-bundle.crt"; do
+    if [ -e "$f" ]; then
+        CACERTS="$f"
+        break
+    fi
+done
+if [ ! -e "$CACERTS" ]; then
+    echo "No CA trust root store found" >&2
+    return 1
+fi
+
+# search for openssl
+for f in "$(dirname $0)/../openssl" \
+         "$(dirname $0)/../../openssl" \
+         "$(which openssl 2>/dev/null)"; do
+    if [ -x "$f" ]; then
+        OPENSSL="$f"
+        break
+    fi
+done
+if [ ! -x "$OPENSSL" ]; then
+    echo "openssl not found!" >&2
+    return 1
+fi
+
+# split the file with all CA certs into single certs
+awk '
+  split_after == 1 {n++;split_after=0}
+  /-----END CERTIFICATE-----/ {split_after=1}
+  {print > ".tmp.cert" n ".pem"}' < "$CACERTS"
+
+# rename the files to their sha256 hashes
+for file in .tmp.cert*.pem; do
+    f_hash=($(${OPENSSL} x509 -in "${file}" -outform der 2>/dev/null | \
+              ${OPENSSL} dgst -r -sha256 2>/dev/null))
+    f_name="${f_hash[0]}.pem"
+    mv ${file} ${f_name}
+done
+
+# create links that make the directory into -CApath compatible dir
+for file in *.pem; do
+    h=$(${OPENSSL} x509 -in "$file" -noout -hash 2>/dev/null)
+    for ((num=0; num<=100; num++)); do
+        if [[ ${h}.${num} -ef ${file} ]]; then
+            # file already linked, skip
+            break
+        fi
+        if [[ ! -e ${h}.${num} ]]; then
+            ln -s "${file}" "${h}.${num}"
+            break
+        fi
+    done
+done
+
+popd >/dev/null