| Current Path : /usr/bin/ |
| Current File : //usr/bin/update-ca-trust |
#!/bin/bash
#
# Copyright (C) 2013 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#set -vx
do_extract()
{
if [[ $1 = "warn_if_disabled" ]]; then
prepare_setup
if [[ $CURRENT_SETUP -ne 2 ]]; then
warning "Warning: The dynamic CA configuration feature is in the disabled state"
fi
fi
DEST=/etc/pki/ca-trust/extracted
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --comment --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
}
HAVE_NSS_32=0
HAVE_NSS_64=0
HAVE_P11_32=0
HAVE_P11_64=0
P11_32_CONSISTENT=1
P11_64_CONSISTENT=1
CURRENT_SETUP=0
FORCE=0
RPM_VFY_INFO=""
RPM_VFY_STATUS=0
SETUPFILE_P11_32=/usr/lib/p11-kit/p11-kit-redhat-setup-trust
SETUPFILE_P11_64=/usr/lib64/p11-kit/p11-kit-redhat-setup-trust
LIBFILE_NSS_32=/usr/lib/nss/libnssckbi.so
LIBFILE_NSS_64=/usr/lib64/nss/libnssckbi.so
INITIAL_BACKUP=/etc/pki/backup-traditional-original-config
RECENT_BACKUP=/etc/pki/backup-traditional-recent-config
CAB_FILE=/etc/pki/tls/certs/ca-bundle.crt
CABT_FILE=/etc/pki/tls/certs/ca-bundle.trust.crt
JAB_FILE=/etc/pki/java/cacerts
warning()
{
echo "update-ca-trust: $@" >&2
}
prepare_setup()
{
# result of test -L filename # 0: yes, a link # 1: no, not a link
test -L $CAB_FILE
CAB_LINK=$?
test -L $CABT_FILE
CABT_LINK=$?
test -L $JAB_FILE
CAJ_LINK=$?
if [[ $CAB_LINK -eq 1 && $CABT_LINK -eq 1 && $CAJ_LINK -eq 1 ]]; then
#echo "current_setup=1 (no links)"
CURRENT_SETUP=1
fi
if [[ $CAB_LINK -eq 0 && $CABT_LINK -eq 0 && $CAJ_LINK -eq 0 ]]; then
#echo "current_setup=2 (all links)"
CURRENT_SETUP=2
fi
}
prepare()
{
prepare_setup
test -e $LIBFILE_NSS_32
if [[ $? -eq 0 ]]; then
#echo "have nss 32"
HAVE_NSS_32=1
fi
test -e $LIBFILE_NSS_64
if [[ $? -eq 0 ]]; then
#echo "have nss 64"
HAVE_NSS_64=1
fi
test -e $SETUPFILE_P11_32
if [[ $? -eq 0 ]]; then
#echo "have p11 32"
HAVE_P11_32=1
fi
test -e $SETUPFILE_P11_64
if [[ $? -eq 0 ]]; then
#echo "have p11 64"
HAVE_P11_64=1
fi
if [[ $HAVE_NSS_32 -eq 1 && $HAVE_P11_32 -eq 0 ]]; then
#echo "p11 32 not consistent"
P11_32_CONSISTENT=0
fi
if [[ $HAVE_NSS_64 -eq 1 && $HAVE_P11_64 -eq 0 ]]; then
#echo "p11 64 not consistent"
P11_64_CONSISTENT=0
fi
if [[ $CURRENT_SETUP -ne 2 ]]; then
# result of rpm --verify: # 0: unchanged
RPM_VFY_INFO=`rpm -q --verify --nomtime ca-certificates`
RPM_VFY_STATUS=$?
#echo "rpm status: $RPM_VFY_INFO"
fi
}
report_if_p11_inconsistent()
{
if [[ $P11_32_CONSISTENT -eq 0 ]]; then
warning "nss 32 bit is installed. You should install p11-kit-trust 32 bit."
fi
if [[ $P11_64_CONSISTENT -eq 0 ]]; then
warning "nss 64 bit is installed. You should install p11-kit-trust 64 bit."
fi
}
report_if_not_enabled_and_bundles_modified()
{
if [[ $CURRENT_SETUP -ne 2 ]]; then
if [[ $RPM_VFY_STATUS -ne 0 ]]; then
warning "Legacy CA bundle files aren't in the default state, they have been modified."
warning "You should research the configuration changes that have been performed and add equivalent configuration after enabling the new dynamic configuration"
warning "Below is a list of files that have been modified:"
warning "$RPM_VFY_INFO"
fi
fi
}
do_check()
{
prepare
if [[ $CURRENT_SETUP -eq 1 ]]; then
echo "PEM/JAVA Status: DISABLED."
echo " (Legacy setup with static files.)"
fi
if [[ $CURRENT_SETUP -eq 2 ]]; then
echo "PEM/JAVA Status: ENABLED."
echo " (Legacy filenames are links to files produced by update-ca-trust.)"
fi
if [[ $CURRENT_SETUP -eq 0 ]]; then
echo "PEM/JAVA Status: INCONSISTENT."
echo " (Some legacy files, some symbolic links.)"
fi
report_if_p11_inconsistent
echo "PKCS#11 module Status, see symbolic links reported below:"
ls -l /etc/alternatives/libnssckbi.so*
echo " (link resolving to NSS: using legacy static list)"
echo " (link resolving to p11-kit: using the new source configuration)"
return 0
}
create_backup()
{
# - We'll potentially create two backups. An "initial" and a "most recent".
# - The initial backup will be created, only, if it doesn't exist yet.
# - The initial backup will never be overwritten.
# - The most recent backup will be overwritten each time this script
# is run to "enable" the new-style extracted system.
# - The most recent backup will be restored each time this script
# is run to "disable" the new-style extracted system,
# thereby switching back to the traditional system.
test -e $INITIAL_BACKUP
BACKUPDIR_TEST=$?
if [[ $BACKUPDIR_TEST -eq 1 ]]; then
# Initial backup directory doesn't exist yet
mkdir -p $INITIAL_BACKUP
cp --dereference --preserve --force \
$CAB_FILE $CABT_FILE $JAB_FILE $INITIAL_BACKUP
fi
mkdir -p $RECENT_BACKUP
cp --dereference --preserve --force \
$CAB_FILE $CABT_FILE $JAB_FILE $RECENT_BACKUP
}
restore_backup()
{
test -d $RECENT_BACKUP
BACKUPDIR_TEST=$?
if [[ $BACKUPDIR_TEST -eq 1 ]]; then
warning "recent backup dir doesn't exist, aborting"
exit 1
fi
pushd $RECENT_BACKUP >/dev/null
test -e ca-bundle.crt
T1=$?
test -e ca-bundle.trust.crt
T2=$?
test -e cacerts
T3=$?
if [[ $T1 -eq 1 || $T2 -eq 1 || $T3 -eq 1 ]]; then
warning "at least one backup file doesn't exist, aborting"
exit 1
fi
rm -f $CAB_FILE
cp --dereference --preserve --force ca-bundle.crt $CAB_FILE
rm -f $CABT_FILE
cp --dereference --preserve --force ca-bundle.trust.crt $CABT_FILE
rm -f $JAB_FILE
cp --dereference --preserve --force cacerts $JAB_FILE
popd >/dev/null
}
create_links()
{
rm -f $CAB_FILE
rm -f $CABT_FILE
rm -f $JAB_FILE
ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem $CAB_FILE
ln -s /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt $CABT_FILE
ln -s /etc/pki/ca-trust/extracted/java/cacerts $JAB_FILE
}
setup_p11()
{
ACTION=$1
if [[ $HAVE_P11_32 -eq 1 ]]; then
$SETUPFILE_P11_32 $ACTION
fi
if [[ $HAVE_P11_64 -eq 1 ]]; then
$SETUPFILE_P11_64 $ACTION
fi
}
do_enable()
{
prepare
if [[ $FORCE -eq 0 ]]; then
report_if_p11_inconsistent
report_if_not_enabled_and_bundles_modified
if [[ $P11_32_CONSISTENT -eq 0 || $P11_64_CONSISTENT -eq 0 ]]; then
warning "aborting, because the nss / p11-kit setup is inconsistent."
exit 1
fi
fi
ABORT=0
if [[ $FORCE -eq 0 && $CURRENT_SETUP -eq 0 ]]; then
warning "Aborting because of inconsistent PEM/JAVA setup."
ABORT=1
fi
if [[ $FORCE -eq 0 && $RPM_VFY_STATUS -ne 0 ]]; then
warning "Aborting because system uses modified legacy bundle files."
ABORT=1
fi
if [[ $ABORT -eq 1 ]]; then
warning "If you're certain, use force-enable"
exit 1
fi
if [[ $CURRENT_SETUP -ne 2 ]]; then
# only change files if PEM/JAVA files currently aren't (cleanly) enabled
create_backup
create_links
fi
setup_p11 enable
return 0
}
do_disable()
{
prepare
if [[ $FORCE -eq 0 && $CURRENT_SETUP -eq 0 ]]; then
warning "Aborting because of inconsistent setup. If you're certain, use force-disable"
exit 1
fi
if [[ $CURRENT_SETUP -ne 1 ]]; then
# only change files if PEM/JAVA files currently aren't (cleanly) disabled
restore_backup
fi
setup_p11 disable
return 0
}
if [[ $# -eq 0 ]]; then
# no parameters
do_extract silent
exit $?
fi
if [[ "$1" = "extract" ]]; then
do_extract warn_if_disabled
exit $?
fi
if [[ "$1" = "enable" ]]; then
do_enable
exit $?
fi
if [[ "$1" = "disable" ]]; then
do_disable
exit $?
fi
if [[ "$1" = "force-enable" ]]; then
FORCE=1
do_enable
exit $?
fi
if [[ "$1" = "force-disable" ]]; then
FORCE=1
do_disable
exit $?
fi
if [[ "$1" = "check" ]]; then
do_check
exit $?
fi
echo "usage: $0 [extract | check | enable | disable | force-enable | force-disable ]"
Copyright 2K16 - 2K18 Indonesian Hacker Rulez
;?>)