author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 17:11:11 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 17:11:11 +0000 |
commit | ba28aa09cebfba17fd16de2af6fedf7ecc76eea5 (patch) | |
tree | 44e2ff1493776a06e95c359c53a1cabca5d8a8d4 /utils/create_ca_hashes.sh | |
parent | Initial commit. (diff) | |
Adding upstream version 3.2~rc3+dfsg.upstream/3.2_rc3+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'utils/create_ca_hashes.sh')
-rwxr-xr-x | utils/create_ca_hashes.sh | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/utils/create_ca_hashes.sh b/utils/create_ca_hashes.sh
new file mode 100755
index 0000000..22737f5
--- /dev/null
+++ b/utils/create_ca_hashes.sh
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+#
+# vim:ts=5:sw=5:expandtab
+# we have a spaces softtab, that ensures readability with other editors too
+
+# This file generates the file etc/ca_hashes.txt from the (root)certificate
+# Bundles in etc (etc/*.pem)
+
+TEMPDIR="/tmp"
+
+# Check if we are in the right directory
+if [[ ! -e etc ]]; then
+ echo "Please run this script from the base directory of the testssl.sh project"
+ exit 99
+fi
+
+echo "Extracting private key hashes from CA bundles"
+echo -n > "$TEMPDIR/cahashes"
+for bundle_fname in etc/*.pem; do
+ if [[ ! -r $bundle_fname ]]; then
+ echo "\"$bundle_fname\" cannot be found / not readable"
+ exit 99
+ fi
+ bundle_name=$(echo -n $bundle_fname|sed s/^etc\\///|sed 's/\.pem$//')
+ echo "CA Bundle: $bundle_name"
+ # Split up the certificate bundle
+ awk -v n=-1 "BEGIN {start=1}
+ /-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
+ inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") }
+ /---END CERTIFICATE-----/{ inc=0 }" $bundle_fname
+ for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt; do
+ echo -n "."
+ hpkp_key_ca="$( ( openssl x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | openssl base64 -d |
+ openssl dgst -sha256 -binary | openssl enc -base64 ) 2>/dev/null )"
+ hpkp_name=$( openssl x509 -in "$cert_fname" -subject -noout 2>/dev/null | sed "s/^subject= //")
+ if [[ $(echo $hpkp_name|grep 'CN='|wc -l) -eq 1 ]]; then
+ hpkp_name=$(echo -n $hpkp_name|sed 's/^.*CN=//'|sed 's/\/.*$//')
+ fi
+ echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/cahashes"
+ done
+ echo
+done
+
+# Make a backup first
+cp etc/ca_hashes.txt etc/ca_hashes.txt.bak
+
+sort -u "$TEMPDIR/cahashes" > etc/ca_hashes.txt |
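Review bot: The script writes its intermediate results to fixed, predictable paths under the world-writable `TEMPDIR="/tmp"` — `$TEMPDIR/cahashes` has no per-run component at all, and the split certificates only carry `$$` — so `echo -n > "$TEMPDIR/cahashes"` will follow a pre-placed symlink or pick up a file another local user has seeded, and the tampered content ends up in etc/ca_hashes.txt, the pin list the main tool trusts. Replace the constant with a private directory and clean it up on every exit path: `TEMPDIR=$(mktemp -d) || exit 99` followed by `trap 'rm -rf -- "$TEMPDIR"' EXIT`; this also removes the `.crt` fragments the current version leaves behind in /tmp. While there, quote the expansions that are currently word-split — `$bundle_fname` as the awk input, the `$TEMPDIR/$bundle_name.*.$$.crt` glob, and `echo $hpkp_name` — since a bundle name or subject containing spaces or glob characters silently changes what is hashed. The `sed "s/^subject= //"` / `grep 'CN='` / `sed 's/\/.*$//'` chain appears to assume the older OpenSSL subject format (`subject= /C=..../CN=...`); if newer releases print `subject=C = ..., CN = ...`, the CN extraction would fall through and the full subject line would be written next to the hash — worth confirming against the OpenSSL version the project targets.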