- shell version of c_rehash perl script (Author: Ben Secrest <blsecres@gmail.com>)

Changed files:
    openssl-c_rehash.sh -> 1.1

diff --git a/openssl-c_rehash.sh b/openssl-c_rehash.sh
new file mode 100644 (file)
index 0000000..1069eea
--- /dev/null
+++ b/openssl-c_rehash.sh
@@ -0,0 +1,218 @@
+#!/bin/sh
+#
+# Ben Secrest <blsecres@gmail.com>
+#
+# sh c_rehash script, scan all files in a directory
+# and add symbolic links to their hash values.
+#
+# based on the c_rehash perl script distributed with openssl
+#
+# LICENSE: See OpenSSL license
+# ^^acceptable?^^
+#
+
+# default certificate location
+DIR=/etc/openssl
+
+# for filetype bitfield
+IS_CERT=$(( 1 << 0 ))
+IS_CRL=$(( 1 << 1 ))
+
+
+# check to see if a file is a certificate file or a CRL file
+# arguments:
+#       1. the filename to be scanned
+# returns:
+#       bitfield of file type; uses ${IS_CERT} and ${IS_CRL}
+#
+check_file()
+{
+    local IS_TYPE=0
+
+    # make IFS a newline so we can process grep output line by line
+    local OLDIFS=${IFS}
+    IFS=$( printf "\n" )
+
+    # XXX: could be more efficient to have two 'grep -m' but is -m portable?
+    for LINE in $( grep '^-----BEGIN .*-----' ${1} )
+    do
+       if echo ${LINE} \
+           | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----'
+       then
+           IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} ))
+
+           if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ]
+           then
+               break
+           fi
+       elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----'
+       then
+           IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} ))
+
+           if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ]
+           then
+               break
+           fi
+       fi
+    done
+
+    # restore IFS
+    IFS=${OLDIFS}
+
+    return ${IS_TYPE}
+}
+
+
+#
+# use openssl to fingerprint a file
+#    arguments:
+#      1. the filename to fingerprint
+#      2. the method to use (x509, crl)
+#    returns:
+#      none
+#    assumptions:
+#      user will capture output from last stage of pipeline
+#
+fingerprint()
+{
+    ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':'
+}
+
+
+#
+# link_hash - create links to certificate files
+#    arguments:
+#       1. the filename to create a link for
+#      2. the type of certificate being linked (x509, crl)
+#    returns:
+#      0 on success, 1 otherwise
+#
+link_hash()
+{
+    local FINGERPRINT=$( fingerprint ${1} ${2} )
+    local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} )
+    local SUFFIX=0
+    local LINKFILE=''
+    local TAG=''
+
+    if [ ${2} = "crl" ]
+    then
+       TAG='r'
+    fi
+
+    LINKFILE=${HASH}.${TAG}${SUFFIX}
+
+    while [ -f ${LINKFILE} ]
+    do
+       if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ]
+       then
+           printf "WARNING: Skipping duplicate file ${1}\n" >&2
+           return 1
+       fi      
+
+       SUFFIX=$(( ${SUFFIX} + 1 ))
+       LINKFILE=${HASH}.${TAG}${SUFFIX}
+    done
+
+    printf "${1} => ${LINKFILE}\n"
+
+    # assume any system with a POSIX shell will either support symlinks or
+    # do something to handle this gracefully
+    ln -s ${1} ${LINKFILE}
+
+    return 0
+}
+
+
+# hash_dir create hash links in a given directory
+hash_dir()
+{
+    printf "Doing ${1}\n"
+
+    cd ${1}
+
+    for FILE in *
+    do
+       # no files in directory at all, no point in continuing
+       if ! [ -f ${FILE} ]
+       then
+           return 1
+       fi
+
+        if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \
+               && [ -h "${FILE}" ]
+        then
+            rm ${FILE}
+        fi
+    done
+
+    for FILE in *.pem
+    do
+       # no pem files so FILE gets set to the unexpanded *.pem
+       if ! [ -f ${FILE} ]
+       then
+           break
+       fi
+
+       check_file ${FILE}
+        local FILE_TYPE=${?}
+       local TYPE_STR=''
+
+        if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ]
+        then
+            TYPE_STR='x509'
+        elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ]
+        then
+            TYPE_STR='crl'
+        else
+            printf "WARNING: ${FILE} does not contain a certificate or CRL: skipping\n" >&2
+           continue
+        fi
+
+       link_hash ${FILE} ${TYPE_STR}
+    done
+}
+
+
+# choose the name of an ssl application
+if [ -n "${OPENSSL}" ]
+then
+    SSL_CMD=${OPENSSL}
+else
+    SSL_CMD=openssl
+    OPENSSL=${SSL_CMD}
+    export ${OPENSSL}
+fi
+
+# fix paths
+PATH=${PATH}:${DIR}/bin
+export PATH
+
+# confirm existance/executability of ssl command
+if ! [ -x $( which ${SSL_CMD} ) ]
+then
+    printf "${0}: rehashing skipped ('openssl' program not available)\n" >&2
+    exit 0
+fi
+
+# determine which directories to process
+# XXX: can't handle directories with spaces in names
+# XXX: ...use \n as dir separator and manipulate IFS?
+if [ ${#} -gt 0 ]
+then
+    DIRLIST=${*}
+elif [ -n "${SSL_CERT_DIR}" ]
+then
+    DIRLIST=$( echo ${SSL_CERT_DIR} | tr ':' ' ' )
+else
+    DIRLIST=${DIR}/certs
+fi
+
+# process directories
+for CERT_DIR in ${DIRLIST}
+do
+    if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ]
+    then
+        hash_dir ${CERT_DIR}
+    fi
+done