#!/bin/ksh
# 2016-12-02 (c) Olaf Bohlen <olbohlen@eenfach.de>
# this is a SMF service method to update root certificate copies
# for curl, openssl, etc.
# CDDL HEADER START
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.illumos.org/license/CDDL.
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# CDDL HEADER END
# include SMF
. /lib/svc/share/smf_include.sh
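# our variables
typeset tmpcabundle
typeset cabundle
typeset cert
typeset hashval
typeset subject
typeset capath
typeset osslcerts

#######################################
# Link one PEM certificate into the OpenSSL hash directory.
# Mirrors what c_rehash does: the link is named <subject-hash>.<n> with the
# first free n, so two certificates sharing a subject hash are both linked
# instead of the second one being silently dropped. A slot that already
# points at this very certificate (a re-run) is reused, not duplicated.
# Arguments: $1 - certificate file (absolute path), $2 - subject hash
# Globals:   osslcerts (read)
# Returns:   0 when a link to $1 exists afterwards, non-zero otherwise
#######################################
function link_cert {
  typeset target=$1
  typeset hash=$2
  typeset n=0
  typeset link

  # subshell so the cd does not disturb the caller's working directory
  (
    cd "${osslcerts}" || exit 1
    link="${hash}.${n}"
    # -h catches dangling links too: they still occupy the name for ln -s
    while [ -h "${link}" ] || [ -e "${link}" ]; do
      # -ef follows the link, so this is "slot already points at target"
      if [ "${link}" -ef "${target}" ]; then
        exit 0
      fi
      n=$((n + 1))
      link="${hash}.${n}"
    done
    ln -s "${target}" "${link}"
  )
}

if [ -n "${SMF_FMRI}" ]; then
  # make /etc/certs/CA configurable by SMF
  capath=$(svcprop -p config/capath "${SMF_FMRI}")
  # get the cabundle file name by SMF
  cabundle=$(svcprop -p config/cabundle "${SMF_FMRI}")
  # get a openssl cert dir by SMF
  osslcerts=$(svcprop -p config/opensslcerts "${SMF_FMRI}")
fi

# defaults for anything SMF did not provide (property absent or empty)
: "${capath:=/etc/certs/CA}"
: "${cabundle:=/etc/certs/ca-certificates.crt}"
: "${osslcerts:=/etc/openssl/certs}"

# a bad path is a configuration error: report it as such to SMF so the
# service goes to maintenance instead of being restarted; fall back to 1
# when smf_include.sh did not define the code
if ! [ -d "${capath}" ]; then
  printf "E: %s is not a directory!\n" "${capath}" >&2
  exit "${SMF_EXIT_ERR_CONFIG:-1}"
fi
if ! [ -d "${osslcerts}" ]; then
  printf "E: %s is not a directory!\n" "${osslcerts}" >&2
  exit "${SMF_EXIT_ERR_CONFIG:-1}"
fi

# regenerate when capath is newer than the openssl dir (creating links
# below bumps the openssl dir's mtime, which is what makes this false on
# the next run) or when the bundle is missing altogether
if [ "${capath}" -nt "${osslcerts}" ] || ! [ -f "${cabundle}" ]; then
  # generate a temporary new cabundle file; an unchecked mktemp would
  # leave tmpcabundle empty and every redirect below would fail
  tmpcabundle=$(mktemp) || {
    printf "E: cannot create temporary file\n" >&2
    exit "${SMF_EXIT_ERR_FATAL:-1}"
  }
  # remove the temporary bundle on every exit path (success, error, signal)
  trap 'rm -f -- "${tmpcabundle}"' EXIT

  cat >"${tmpcabundle}" <<EOF
## OpenIndiana CA Root Certificate Bundle
##
## DO NOT EDIT THIS FILE - INSTEAD RUN svcadm refresh svc:/system/ca-certificates:default
##
## This is a bundled version of all root certificates in your OpenIndiana Installation.
## If you need to add new certificates, copy the cert in PEM format to /etc/certs/CA and
## run
##
## svcadm refresh svc:/system/ca-certificates:default
##
## This will create a new version of this file including all certificates
##
## this file was created at $(date +"%Y-%m-%d %H:%M:%S") local time.
##
EOF

  cd "${capath}" || exit "${SMF_EXIT_ERR_FATAL:-1}"
  for cert in *.pem; do
    # an unmatched glob stays literal in ksh; skip it rather than handing
    # the pattern itself to openssl
    [ -f "${cert}" ] || continue
    # a file that is not a parseable certificate yields an empty hash,
    # which would otherwise create a link literally named ".0" and put
    # garbage into the bundle; warn and skip it
    hashval=$(openssl x509 -noout -hash -in "${cert}") || hashval=
    if [ -z "${hashval}" ]; then
      printf "W: skipping %s/%s: not a readable X.509 certificate\n" \
        "${capath}" "${cert}" >&2
      continue
    fi
    subject=$(openssl x509 -noout -subject -in "${cert}")
    # update for openssl; best effort as before, but say so when it fails
    link_cert "${capath}/${cert}" "${hashval}" ||
      printf "W: could not link %s/%s into %s\n" \
        "${capath}" "${cert}" "${osslcerts}" >&2
    printf "%s\n======================================================================\n" "${subject}" >>"${tmpcabundle}"
    cat -- "${cert}" >>"${tmpcabundle}"
    echo >>"${tmpcabundle}"
  done

  # now overwrite the real cabundle; copying with cat (not mv) keeps the
  # existing file's mode and owner -- mktemp's 0600 would not be readable
  # by the tools that consume the bundle
  cat -- "${tmpcabundle}" >"${cabundle}" || exit "${SMF_EXIT_ERR_FATAL:-1}"
fi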