diff options
Diffstat (limited to '')
-rwxr-xr-x | sbin/update-ca-certificates | 216 | ||||
-rw-r--r-- | sbin/update-ca-certificates.8 | 100 |
2 files changed, 316 insertions, 0 deletions
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates new file mode 100755 index 0000000..5a0a1da --- /dev/null +++ b/sbin/update-ca-certificates @@ -0,0 +1,216 @@ +#!/bin/sh -e +# +# update-ca-certificates +# +# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp> +# Copyright (c) 2009 Philipp Kern <pkern@debian.org> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301, +# USA. +# + +verbose=0 +fresh=0 +default=0 +CERTSCONF=/etc/ca-certificates.conf +CERTSDIR=/usr/share/ca-certificates +LOCALCERTSDIR=/usr/local/share/ca-certificates +CERTBUNDLE=ca-certificates.crt +ETCCERTSDIR=/etc/ssl/certs +HOOKSDIR=/etc/ca-certificates/update.d + +while [ $# -gt 0 ]; +do + case $1 in + --verbose|-v) + verbose=1;; + --fresh|-f) + fresh=1;; + --default|-d) + default=1 + fresh=1;; + --certsconf) + shift + CERTSCONF="$1";; + --certsdir) + shift + CERTSDIR="$1";; + --localcertsdir) + shift + LOCALCERTSDIR="$1";; + --certbundle) + shift + CERTBUNDLE="$1";; + --etccertsdir) + shift + ETCCERTSDIR="$1";; + --hooksdir) + shift + HOOKSDIR="$1";; + --help|-h|*) + echo "$0: [--verbose] [--fresh]" + exit;; + esac + shift +done + +if [ ! -s "$CERTSCONF" ] +then + fresh=1 +fi + +cleanup() { + rm -f "$TEMPBUNDLE" + rm -f "$ADDED" + rm -f "$REMOVED" +} +trap cleanup 0 + +# Helper files. (Some of them are not simple arrays because we spawn +# subshells later on.) +TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new" +ADDED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")" +REMOVED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")" + +# Adds a certificate to the list of trusted ones. This includes a symlink +# in /etc/ssl/certs to the certificate file and its inclusion into the +# bundle. +add() { + CERT="$1" + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ + -e 's/[()]/=/g' \ + -e 's/,/_/g').pem" + if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] + then + ln -sf "$CERT" "$PEM" + echo "+$PEM" >> "$ADDED" + fi + # Add trailing newline to certificate, if it is missing (#635570) + sed -e '$a\' "$CERT" >> "$TEMPBUNDLE" +} + +remove() { + CERT="$1" + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem" + if test -L "$PEM" + then + rm -f "$PEM" + echo "-$PEM" >> "$REMOVED" + fi +} + +cd "$ETCCERTSDIR" +if [ "$fresh" = 1 ]; then + echo "Clearing symlinks in $ETCCERTSDIR..." + find . -type l -print | while read -r symlink + do + case $(readlink "$symlink") in + $CERTSDIR*|$LOCALCERTSDIR*) rm -f "$symlink";; + esac + done + find . -type l -print | while read -r symlink + do + test -f "$symlink" || rm -f "$symlink" + done + echo "done." +fi + +echo "Updating certificates in $ETCCERTSDIR..." + +# Add default certificate authorities if requested +if [ "$default" = 1 ]; then + find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read -r crt + do + add "$crt" + done +fi + +# Handle certificates that should be removed. This is an explicit act +# by prefixing lines in the configuration files with exclamation marks (!). +sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read -r crt +do + remove "$CERTSDIR/$crt" +done + +sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read -r crt +do + if ! test -f "$CERTSDIR/$crt" + then + echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2 + continue + fi + add "$CERTSDIR/$crt" +done + +# Now process certificate authorities installed by the local system +# administrator. +if [ -d "$LOCALCERTSDIR" ] +then + find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read -r crt + do + add "$crt" + done +fi + +ADDED_CNT=$(wc -l < "$ADDED") +REMOVED_CNT=$(wc -l < "$REMOVED") + +if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ] +then + # only run if set of files has changed + # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash` + # from exiting with an error. See #895482, #895473. + find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan + do + rm -f "$orphan" + if [ "$verbose" = 1 ]; then + echo "Removed orphan symlink $orphan" + fi + done + if [ "$verbose" = 0 ] + then + openssl rehash . > /dev/null + else + openssl rehash -v . + fi +fi + +# chmod and mv only if TEMPBUNDLE exists or install may fail, #996005 +if [ -f "$TEMPBUNDLE" ] +then + chmod 0644 "$TEMPBUNDLE" + mv -f "$TEMPBUNDLE" "$CERTBUNDLE" + # Restore proper SELinux label after moving the file + [ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1 +fi + +echo "$ADDED_CNT added, $REMOVED_CNT removed; done." + +if [ -d "$HOOKSDIR" ] +then + + echo "Running hooks in $HOOKSDIR..." + VERBOSE_ARG= + [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose" + eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook + do + ( cat "$ADDED" + cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?." + done + echo "done." + +fi + +# vim:set et sw=2: diff --git a/sbin/update-ca-certificates.8 b/sbin/update-ca-certificates.8 new file mode 100644 index 0000000..6b11566 --- /dev/null +++ b/sbin/update-ca-certificates.8 @@ -0,0 +1,100 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH UPDATE-CA-CERTIFICATES 8 "20 April 2003" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp <n> insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt +.SH SYNOPSIS +.B update-ca-certificates +.RI [ options ] +.SH DESCRIPTION +This manual page documents briefly the +.B update-ca-certificates +command. +.PP +\fBupdate-ca-certificates\fP is a program that manages the collection of +TLS certificates for the local machine and generates ca-certificates.crt. +ca-certificates.crt is a single-file of concatenated certificates. +The collection of individual certificates is stored at /etc/ssl/certs. +.PP +The program reads the configuration file /etc/ca-certificates.conf. Each line +gives a pathname of a CA certificate under /usr/share/ca-certificates that +should be trusted. Lines that begin with "#" are comment lines and thus ignored. +Lines that begin with "!" are deselected, causing the deactivation of the CA +certificate in question. +.PP +Certificates must be in PEM format and have a .crt extension in order to be +included by update-ca-certificates. Furthermore, all certificates with a .crt +extension found below /usr/local/share/ca-certificates are also included and +implicitly trusted. +.PP +To add one or more certificates to the machine, copy the certificates in PEM +format with the *.crt extension to /usr/local/share/ca-certificates. There +should be one certificate per file, and not multiple certificates in a single +file. Then run update-ca-certificates to merge the new certificates into the +existing machine store at /etc/ssl/certs. +.PP +Before terminating, \fBupdate-ca-certificates\fP invokes +\fBrun-parts\fP on /etc/ca-certificates/update.d and calls each hook with +a list of certificates: those added are prefixed with a +, those removed are +prefixed with a -. +.SH OPTIONS +A summary of options is included below. +.TP +.B \-h, \-\-help +Show summary of options. +.TP +.B \-v, \-\-verbose +Be verbose. Output \fBopenssl rehash\fP. +.TP +.B \-f, \-\-fresh +Fresh updates. Remove symlinks in /etc/ssl/certs directory. +.TP +.B \-\-certsconf +Change the configuration file. By default, the file +/etc/ca-certificates.conf is used. +.TP +.B \-\-certsdir +Change the certificate directory. By default, the directory +/usr/share/ca-certificates is used. +.TP +.B \-\-localcertsdir +Change the local certificate directory. By default, the directory +/usr/local/share/ca-certificates is used. +.TP +.B \-\-etccertsdir +Change the /etc certificate directory. By default, the directory +/etc/ssl/certs is used. +.TP +.SH FILES +.TP +.I /etc/ca-certificates.conf +A configuration file. +.TP +.I /etc/ssl/certs/ca-certificates.crt +A single-file version of CA certificates. This holds all CA certificates +that were activated in /etc/ca-certificates.conf. +.TP +.I /usr/share/ca-certificates +Directory of CA certificates provided by the distribution. +.TP +.I /usr/local/share/ca-certificates +Directory of local CA certificates, with .crt extension, provided by the user. +.SH SEE ALSO +.BR openssl (1) +.SH AUTHOR +This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>, +for the Debian project (but may be used by others). |