blob: 22737f516ad6216e170d83e7d78504e9a20a2904 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
#!/usr/bin/env bash
#
# vim:ts=5:sw=5:expandtab
# we have a spaces softtab, that ensures readability with other editors too
# This file generates the file etc/ca_hashes.txt from the (root)certificate
# Bundles in etc (etc/*.pem)
TEMPDIR="/tmp"
# Check if we are in the right directory
if [[ ! -e etc ]]; then
echo "Please run this script from the base directory of the testssl.sh project"
exit 99
fi
echo "Extracting private key hashes from CA bundles"
echo -n > "$TEMPDIR/cahashes"
for bundle_fname in etc/*.pem; do
if [[ ! -r $bundle_fname ]]; then
echo "\"$bundle_fname\" cannot be found / not readable"
exit 99
fi
bundle_name=$(echo -n $bundle_fname|sed s/^etc\\///|sed 's/\.pem$//')
echo "CA Bundle: $bundle_name"
# Split up the certificate bundle
awk -v n=-1 "BEGIN {start=1}
/-----BEGIN CERTIFICATE-----/{ if (start) {inc=1; n++} }
inc { print >> (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") ; close (\"$TEMPDIR/$bundle_name.\" n \".$$.crt\") }
/---END CERTIFICATE-----/{ inc=0 }" $bundle_fname
for cert_fname in $TEMPDIR/$bundle_name.*.$$.crt; do
echo -n "."
hpkp_key_ca="$( ( openssl x509 -in "$cert_fname" -pubkey -noout | grep -v PUBLIC | openssl base64 -d |
openssl dgst -sha256 -binary | openssl enc -base64 ) 2>/dev/null )"
hpkp_name=$( openssl x509 -in "$cert_fname" -subject -noout 2>/dev/null | sed "s/^subject= //")
if [[ $(echo $hpkp_name|grep 'CN='|wc -l) -eq 1 ]]; then
hpkp_name=$(echo -n $hpkp_name|sed 's/^.*CN=//'|sed 's/\/.*$//')
fi
echo "$hpkp_key_ca $hpkp_name" >> "$TEMPDIR/cahashes"
done
echo
done
# Make a backup first
cp etc/ca_hashes.txt etc/ca_hashes.txt.bak
sort -u "$TEMPDIR/cahashes" > etc/ca_hashes.txt
|
