c_rehash.in 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179
  1. #!/usr/local/bin/perl
  2. # Perl c_rehash script, scan all files in a directory
  3. # and add symbolic links to their hash values.
  4. my $openssl;
  5. my $dir;
  6. if(defined $ENV{OPENSSL}) {
  7. $openssl = $ENV{OPENSSL};
  8. } else {
  9. $openssl = "openssl";
  10. $ENV{OPENSSL} = $openssl;
  11. }
  12. my $pwd;
  13. eval "require Cwd";
  14. if (defined(&Cwd::getcwd)) {
  15. $pwd=Cwd::getcwd();
  16. } else {
  17. $pwd=`pwd`; chomp($pwd);
  18. }
  19. my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
  20. $ENV{PATH} .= "$path_delim$dir/bin";
  21. if(! -x $openssl) {
  22. my $found = 0;
  23. foreach (split /$path_delim/, $ENV{PATH}) {
  24. if(-x "$_/$openssl") {
  25. $found = 1;
  26. $openssl = "$_/$openssl";
  27. last;
  28. }
  29. }
  30. if($found == 0) {
  31. print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
  32. exit 0;
  33. }
  34. }
  35. if(@ARGV) {
  36. @dirlist = @ARGV;
  37. } elsif($ENV{SSL_CERT_DIR}) {
  38. @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
  39. } else {
  40. $dirlist[0] = "$dir/certs";
  41. }
  42. if (-d $dirlist[0]) {
  43. chdir $dirlist[0];
  44. $openssl="$pwd/$openssl" if (!-x $openssl);
  45. chdir $pwd;
  46. }
  47. foreach (@dirlist) {
  48. if(-d $_ and -w $_) {
  49. hash_dir($_);
  50. }
  51. }
  52. sub hash_dir {
  53. my %hashlist;
  54. print "Doing $_[0]\n";
  55. chdir $_[0];
  56. opendir(DIR, ".");
  57. my @flist = readdir(DIR);
  58. # Delete any existing symbolic links
  59. foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
  60. if(-l $_) {
  61. unlink $_;
  62. }
  63. }
  64. closedir DIR;
  65. FILE: foreach $fname (grep {/\.pem$/} @flist) {
  66. # Check to see if certificates and/or CRLs present.
  67. my ($cert, $crl) = check_file($fname);
  68. if(!$cert && !$crl) {
  69. print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
  70. next;
  71. }
  72. link_hash_cert($fname) if($cert);
  73. link_hash_crl($fname) if($crl);
  74. }
  75. }
  76. sub check_file {
  77. my ($is_cert, $is_crl) = (0,0);
  78. my $fname = $_[0];
  79. open IN, $fname;
  80. while(<IN>) {
  81. if(/^-----BEGIN (.*)-----/) {
  82. my $hdr = $1;
  83. if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
  84. $is_cert = 1;
  85. last if($is_crl);
  86. } elsif($hdr eq "X509 CRL") {
  87. $is_crl = 1;
  88. last if($is_cert);
  89. }
  90. }
  91. }
  92. close IN;
  93. return ($is_cert, $is_crl);
  94. }
  95. # Link a certificate to its subject name hash value, each hash is of
  96. # the form <hash>.<n> where n is an integer. If the hash value already exists
  97. # then we need to up the value of n, unless its a duplicate in which
  98. # case we skip the link. We check for duplicates by comparing the
  99. # certificate fingerprints
  100. sub link_hash_cert {
  101. my $fname = $_[0];
  102. $fname =~ s/'/'\\''/g;
  103. my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`;
  104. chomp $hash;
  105. chomp $fprint;
  106. $fprint =~ s/^.*=//;
  107. $fprint =~ tr/://d;
  108. my $suffix = 0;
  109. # Search for an unused hash filename
  110. while(exists $hashlist{"$hash.$suffix"}) {
  111. # Hash matches: if fingerprint matches its a duplicate cert
  112. if($hashlist{"$hash.$suffix"} eq $fprint) {
  113. print STDERR "WARNING: Skipping duplicate certificate $fname\n";
  114. return;
  115. }
  116. $suffix++;
  117. }
  118. $hash .= ".$suffix";
  119. print "$fname => $hash\n";
  120. $symlink_exists=eval {symlink("",""); 1};
  121. if ($symlink_exists) {
  122. symlink $fname, $hash;
  123. } else {
  124. open IN,"<$fname" or die "can't open $fname for read";
  125. open OUT,">$hash" or die "can't open $hash for write";
  126. print OUT <IN>; # does the job for small text files
  127. close OUT;
  128. close IN;
  129. }
  130. $hashlist{$hash} = $fprint;
  131. }
  132. # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
  133. sub link_hash_crl {
  134. my $fname = $_[0];
  135. $fname =~ s/'/'\\''/g;
  136. my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
  137. chomp $hash;
  138. chomp $fprint;
  139. $fprint =~ s/^.*=//;
  140. $fprint =~ tr/://d;
  141. my $suffix = 0;
  142. # Search for an unused hash filename
  143. while(exists $hashlist{"$hash.r$suffix"}) {
  144. # Hash matches: if fingerprint matches its a duplicate cert
  145. if($hashlist{"$hash.r$suffix"} eq $fprint) {
  146. print STDERR "WARNING: Skipping duplicate CRL $fname\n";
  147. return;
  148. }
  149. $suffix++;
  150. }
  151. $hash .= ".r$suffix";
  152. print "$fname => $hash\n";
  153. $symlink_exists=eval {symlink("",""); 1};
  154. if ($symlink_exists) {
  155. symlink $fname, $hash;
  156. } else {
  157. system ("cp", $fname, $hash);
  158. }
  159. $hashlist{$hash} = $fprint;
  160. }