summaryrefslogtreecommitdiffstats
path: root/sbin/update-ca-certificates
diff options
context:
space:
mode:
Diffstat (limited to '')
-rwxr-xr-xsbin/update-ca-certificates216
-rw-r--r--sbin/update-ca-certificates.8100
2 files changed, 316 insertions, 0 deletions
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
new file mode 100755
index 0000000..5a0a1da
--- /dev/null
+++ b/sbin/update-ca-certificates
@@ -0,0 +1,216 @@
+#!/bin/sh -e
+#
+# update-ca-certificates
+#
+# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+verbose=0
+fresh=0
+default=0
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+HOOKSDIR=/etc/ca-certificates/update.d
+
+while [ $# -gt 0 ];
+do
+ case $1 in
+ --verbose|-v)
+ verbose=1;;
+ --fresh|-f)
+ fresh=1;;
+ --default|-d)
+ default=1
+ fresh=1;;
+ --certsconf)
+ shift
+ CERTSCONF="$1";;
+ --certsdir)
+ shift
+ CERTSDIR="$1";;
+ --localcertsdir)
+ shift
+ LOCALCERTSDIR="$1";;
+ --certbundle)
+ shift
+ CERTBUNDLE="$1";;
+ --etccertsdir)
+ shift
+ ETCCERTSDIR="$1";;
+ --hooksdir)
+ shift
+ HOOKSDIR="$1";;
+ --help|-h|*)
+ echo "$0: [--verbose] [--fresh]"
+ exit;;
+ esac
+ shift
+done
+
+if [ ! -s "$CERTSCONF" ]
+then
+ fresh=1
+fi
+
+cleanup() {
+ rm -f "$TEMPBUNDLE"
+ rm -f "$ADDED"
+ rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files. (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
+ADDED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones. This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+ -e 's/[()]/=/g' \
+ -e 's/,/_/g').pem"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+ then
+ ln -sf "$CERT" "$PEM"
+ echo "+$PEM" >> "$ADDED"
+ fi
+ # Add trailing newline to certificate, if it is missing (#635570)
+ sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+ if test -L "$PEM"
+ then
+ rm -f "$PEM"
+ echo "-$PEM" >> "$REMOVED"
+ fi
+}
+
+cd "$ETCCERTSDIR"
+if [ "$fresh" = 1 ]; then
+ echo "Clearing symlinks in $ETCCERTSDIR..."
+ find . -type l -print | while read -r symlink
+ do
+ case $(readlink "$symlink") in
+ $CERTSDIR*|$LOCALCERTSDIR*) rm -f "$symlink";;
+ esac
+ done
+ find . -type l -print | while read -r symlink
+ do
+ test -f "$symlink" || rm -f "$symlink"
+ done
+ echo "done."
+fi
+
+echo "Updating certificates in $ETCCERTSDIR..."
+
+# Add default certificate authorities if requested
+if [ "$default" = 1 ]; then
+ find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read -r crt
+ do
+ add "$crt"
+ done
+fi
+
+# Handle certificates that should be removed. This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read -r crt
+do
+ remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read -r crt
+do
+ if ! test -f "$CERTSDIR/$crt"
+ then
+ echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+ continue
+ fi
+ add "$CERTSDIR/$crt"
+done
+
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+ find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read -r crt
+ do
+ add "$crt"
+ done
+fi
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+ # only run if set of files has changed
+ # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
+ # from exiting with an error. See #895482, #895473.
+ find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan
+ do
+ rm -f "$orphan"
+ if [ "$verbose" = 1 ]; then
+ echo "Removed orphan symlink $orphan"
+ fi
+ done
+ if [ "$verbose" = 0 ]
+ then
+ openssl rehash . > /dev/null
+ else
+ openssl rehash -v .
+ fi
+fi
+
+# chmod and mv only if TEMPBUNDLE exists or install may fail, #996005
+if [ -f "$TEMPBUNDLE" ]
+then
+ chmod 0644 "$TEMPBUNDLE"
+ mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+ # Restore proper SELinux label after moving the file
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
+fi
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+if [ -d "$HOOKSDIR" ]
+then
+
+ echo "Running hooks in $HOOKSDIR..."
+ VERBOSE_ARG=
+ [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
+ eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook
+ do
+ ( cat "$ADDED"
+ cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
+ done
+ echo "done."
+
+fi
+
+# vim:set et sw=2:
diff --git a/sbin/update-ca-certificates.8 b/sbin/update-ca-certificates.8
new file mode 100644
index 0000000..6b11566
--- /dev/null
+++ b/sbin/update-ca-certificates.8
@@ -0,0 +1,100 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH UPDATE-CA-CERTIFICATES 8 "20 April 2003"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp <n> insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt
+.SH SYNOPSIS
+.B update-ca-certificates
+.RI [ options ]
+.SH DESCRIPTION
+This manual page documents briefly the
+.B update-ca-certificates
+command.
+.PP
+\fBupdate-ca-certificates\fP is a program that manages the collection of
+TLS certificates for the local machine and generates ca-certificates.crt.
+ca-certificates.crt is a single-file of concatenated certificates.
+The collection of individual certificates is stored at /etc/ssl/certs.
+.PP
+The program reads the configuration file /etc/ca-certificates.conf. Each line
+gives a pathname of a CA certificate under /usr/share/ca-certificates that
+should be trusted. Lines that begin with "#" are comment lines and thus ignored.
+Lines that begin with "!" are deselected, causing the deactivation of the CA
+certificate in question.
+.PP
+Certificates must be in PEM format and have a .crt extension in order to be
+included by update-ca-certificates. Furthermore, all certificates with a .crt
+extension found below /usr/local/share/ca-certificates are also included and
+implicitly trusted.
+.PP
+To add one or more certificates to the machine, copy the certificates in PEM
+format with the *.crt extension to /usr/local/share/ca-certificates. There
+should be one certificate per file, and not multiple certificates in a single
+file. Then run update-ca-certificates to merge the new certificates into the
+existing machine store at /etc/ssl/certs.
+.PP
+Before terminating, \fBupdate-ca-certificates\fP invokes
+\fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with
+a list of certificates: those added are prefixed with a +, those removed are
+prefixed with a -.
+.SH OPTIONS
+A summary of options is included below.
+.TP
+.B \-h, \-\-help
+Show summary of options.
+.TP
+.B \-v, \-\-verbose
+Be verbose. Output \fBopenssl rehash\fP.
+.TP
+.B \-f, \-\-fresh
+Fresh updates. Remove symlinks in /etc/ssl/certs directory.
+.TP
+.B \-\-certsconf
+Change the configuration file. By default, the file
+/etc/ca-certificates.conf is used.
+.TP
+.B \-\-certsdir
+Change the certificate directory. By default, the directory
+/usr/share/ca-certificates is used.
+.TP
+.B \-\-localcertsdir
+Change the local certificate directory. By default, the directory
+/usr/local/share/ca-certificates is used.
+.TP
+.B \-\-etccertsdir
+Change the /etc certificate directory. By default, the directory
+/etc/ssl/certs is used.
+.TP
+.SH FILES
+.TP
+.I /etc/ca-certificates.conf
+A configuration file.
+.TP
+.I /etc/ssl/certs/ca-certificates.crt
+A single-file version of CA certificates. This holds all CA certificates
+that were activated in /etc/ca-certificates.conf.
+.TP
+.I /usr/share/ca-certificates
+Directory of CA certificates provided by the distribution.
+.TP
+.I /usr/local/share/ca-certificates
+Directory of local CA certificates, with .crt extension, provided by the user.
+.SH SEE ALSO
+.BR openssl (1)
+.SH AUTHOR
+This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
+for the Debian project (but may be used by others).