ca-certs resource path and format changed
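#!/bin/bash
# vim: syntax=sh
#
# certbundle.run - regenerate the legacy single-file CA bundle ($cafile)
# from the per-certificate files in $cadir.
#
# Usage: certbundle.run [-f] [-v]
#   -f  rebuild even when the bundle is already newer than $cadir
#   -v  report on stderr each certificate skipped for lacking serverAuth trust
#
# Only files whose name looks like an OpenSSL hash link (8 hex digits, a dot,
# one digit) are candidates; anything else in $cadir is ignored.  Files in
# OpenSSL "TRUSTED CERTIFICATE" form are bundled only when their
# "# openssl-trust=" marker lists serverAuth; plain certificates are bundled
# unconditionally.  The bundle is written to "$cafile.new" and renamed into
# place, so readers never see a half-written file.

shopt -s nullglob

readonly cafile="/var/lib/ca-certificates/ca-bundle.pem"
readonly cadir="/etc/ssl/certs"

fresh=
verbose=
for arg in "$@"; do
	case "$arg" in
		-f) fresh=1 ;;
		-v) verbose=1 ;;
	esac
done

# Nothing to do when the bundle is newer than the directory and -f was not
# given (-nt is false when $cafile does not exist yet, so a first run proceeds).
if [ -z "$fresh" ] && [ "$cafile" -nt "$cadir" ]; then
	exit 0
fi

#######################################
# Decide whether a certificate file belongs in the bundle.
# Globals:   verbose (read)
# Arguments: $1 - path to the certificate file
# Outputs:   with -v, a "skipping" line on stderr for rejected files
# Returns:   0 to include the file, 1 to skip it
#######################################
include_cert() {
	local cert=$1 trust
	# Plain PEM certificates carry no trust marker and are always included.
	grep -q "BEGIN TRUSTED CERTIFICATE" "$cert" || return 0
	# only include certificates trusted for server auth
	trust=$(sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$cert")
	case "$trust" in
		*serverAuth*) return 0 ;;
	esac
	[ -z "$verbose" ] || echo "skipping $cert" >&2
	return 1
}

echo "creating $cafile ..."
# The header and every selected certificate go to the staging file; abort if
# it cannot be created rather than continuing and renaming nothing.
cat > "$cafile.new" <<EOF || exit 1
#
# automatically created by $0. Do not edit!
#
# Use of this file is deprecated and should only be used as last
# resort by applications that cannot parse the $cadir directory.
# You should avoid hardcoding any paths in applications anyways though.
# Use e.g.
# SSL_CTX_set_default_verify_paths() instead.
#
EOF

# Glob the directory instead of parsing find(1) output, and take the basename
# with parameter expansion instead of a fixed cut(1) field index.
for cert in "$cadir"/*; do
	fname=${cert##*/}
	[[ $fname =~ ^[0-9a-z]{8}\.[0-9]$ ]] || continue
	# Hash links normally point at regular files; skip anything else.
	[ -f "$cert" ] || continue
	include_cert "$cert" || continue
	openssl x509 -in "$cert"
done >> "$cafile.new"

mv -- "$cafile.new" "$cafile" || exit 1

chown root:system "$cafile"
chmod 664 "$cafile"
chsmack -a "System::Shared" "$cafile"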