From 9ae6e105bb689faf004f60bb4f9f0ea56e3b8fde Mon Sep 17 00:00:00 2001 From: Otavio Salvador Date: Mon, 23 May 2016 17:45:25 -0300 Subject: openssl: Add Shell-Script based c_rehash utility The PLD Linux distribution has ported the c_rehash[1] utility from Perl to Shell-Script, allowing it to be shipped by default. 1. https://git.pld-linux.org/?p=packages/openssl.git;a=blob;f=openssl-c_rehash.sh;h=0ea22637ee6dbce845a9e2caf62540aaaf5d0761 The OpenSSL upstream intends[2] to convert the utility for C however did not yet finished the conversion. 2. https://rt.openssl.org/Ticket/Display.html?id=2324 This patch adds this script and thus removed the Perl requirement for it. (From OE-Core rev: cb6150f1a779e356f120d5e45c91fda75789970a) Signed-off-by: Otavio Salvador Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- .../openssl/openssl/openssl-c_rehash.sh | 210 +++++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh (limited to 'meta/recipes-connectivity/openssl/openssl') diff --git a/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh new file mode 100644 index 0000000000..0ea22637ee --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh @@ -0,0 +1,210 @@ +#!/bin/sh +# +# Ben Secrest +# +# sh c_rehash script, scan all files in a directory +# and add symbolic links to their hash values. +# +# based on the c_rehash perl script distributed with openssl +# +# LICENSE: See OpenSSL license +# ^^acceptable?^^ +# + +# default certificate location +DIR=/etc/openssl + +# for filetype bitfield +IS_CERT=$(( 1 << 0 )) +IS_CRL=$(( 1 << 1 )) + + +# check to see if a file is a certificate file or a CRL file +# arguments: +# 1. the filename to be scanned +# returns: +# bitfield of file type; uses ${IS_CERT} and ${IS_CRL} +# +check_file() +{ + local IS_TYPE=0 + + # make IFS a newline so we can process grep output line by line + local OLDIFS=${IFS} + IFS=$( printf "\n" ) + + # XXX: could be more efficient to have two 'grep -m' but is -m portable? + for LINE in $( grep '^-----BEGIN .*-----' ${1} ) + do + if echo ${LINE} \ + | grep -q -E '^-----BEGIN (X509 |TRUSTED )?CERTIFICATE-----' + then + IS_TYPE=$(( ${IS_TYPE} | ${IS_CERT} )) + + if [ $(( ${IS_TYPE} & ${IS_CRL} )) -ne 0 ] + then + break + fi + elif echo ${LINE} | grep -q '^-----BEGIN X509 CRL-----' + then + IS_TYPE=$(( ${IS_TYPE} | ${IS_CRL} )) + + if [ $(( ${IS_TYPE} & ${IS_CERT} )) -ne 0 ] + then + break + fi + fi + done + + # restore IFS + IFS=${OLDIFS} + + return ${IS_TYPE} +} + + +# +# use openssl to fingerprint a file +# arguments: +# 1. the filename to fingerprint +# 2. the method to use (x509, crl) +# returns: +# none +# assumptions: +# user will capture output from last stage of pipeline +# +fingerprint() +{ + ${SSL_CMD} ${2} -fingerprint -noout -in ${1} | sed 's/^.*=//' | tr -d ':' +} + + +# +# link_hash - create links to certificate files +# arguments: +# 1. the filename to create a link for +# 2. the type of certificate being linked (x509, crl) +# returns: +# 0 on success, 1 otherwise +# +link_hash() +{ + local FINGERPRINT=$( fingerprint ${1} ${2} ) + local HASH=$( ${SSL_CMD} ${2} -hash -noout -in ${1} ) + local SUFFIX=0 + local LINKFILE='' + local TAG='' + + if [ ${2} = "crl" ] + then + TAG='r' + fi + + LINKFILE=${HASH}.${TAG}${SUFFIX} + + while [ -f ${LINKFILE} ] + do + if [ ${FINGERPRINT} = $( fingerprint ${LINKFILE} ${2} ) ] + then + echo "WARNING: Skipping duplicate file ${1}" >&2 + return 1 + fi + + SUFFIX=$(( ${SUFFIX} + 1 )) + LINKFILE=${HASH}.${TAG}${SUFFIX} + done + + echo "${1} => ${LINKFILE}" + + # assume any system with a POSIX shell will either support symlinks or + # do something to handle this gracefully + ln -s ${1} ${LINKFILE} + + return 0 +} + + +# hash_dir create hash links in a given directory +hash_dir() +{ + echo "Doing ${1}" + + cd ${1} + + ls -1 * 2>/dev/null | while read FILE + do + if echo ${FILE} | grep -q -E '^[[:xdigit:]]{8}\.r?[[:digit:]]+$' \ + && [ -h "${FILE}" ] + then + rm ${FILE} + fi + done + + ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE + do + check_file ${FILE} + local FILE_TYPE=${?} + local TYPE_STR='' + + if [ $(( ${FILE_TYPE} & ${IS_CERT} )) -ne 0 ] + then + TYPE_STR='x509' + elif [ $(( ${FILE_TYPE} & ${IS_CRL} )) -ne 0 ] + then + TYPE_STR='crl' + else + echo "WARNING: ${FILE} does not contain a certificate or CRL: skipping" >&2 + continue + fi + + link_hash ${FILE} ${TYPE_STR} + done +} + + +# choose the name of an ssl application +if [ -n "${OPENSSL}" ] +then + SSL_CMD=$(which ${OPENSSL} 2>/dev/null) +else + SSL_CMD=/usr/bin/openssl + OPENSSL=${SSL_CMD} + export OPENSSL +fi + +# fix paths +PATH=${PATH}:${DIR}/bin +export PATH + +# confirm existance/executability of ssl command +if ! [ -x ${SSL_CMD} ] +then + echo "${0}: rehashing skipped ('openssl' program not available)" >&2 + exit 0 +fi + +# determine which directories to process +old_IFS=$IFS +if [ ${#} -gt 0 ] +then + IFS=':' + DIRLIST=${*} +elif [ -n "${SSL_CERT_DIR}" ] +then + DIRLIST=$SSL_CERT_DIR +else + DIRLIST=${DIR}/certs +fi + +IFS=':' + +# process directories +for CERT_DIR in ${DIRLIST} +do + if [ -d ${CERT_DIR} -a -w ${CERT_DIR} ] + then + IFS=$old_IFS + hash_dir ${CERT_DIR} + IFS=':' + fi +done -- cgit 1.2.3-korg