c_rehash.in 3.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
  1. #!/usr/local/bin/perl
  2. # Perl c_rehash script, scan all files in a directory
  3. # and add symbolic links to their hash values.
  4. my $openssl;
  5. my $dir;
  6. if(defined $ENV{OPENSSL}) {
  7. $openssl = $ENV{OPENSSL};
  8. } else {
  9. $openssl = "openssl";
  10. $ENV{OPENSSL} = $openssl;
  11. }
  12. $ENV{PATH} .= ":$dir/bin";
  13. if(! -x $openssl) {
  14. my $found = 0;
  15. foreach (split /:/, $ENV{PATH}) {
  16. if(-x "$_/$openssl") {
  17. $found = 1;
  18. last;
  19. }
  20. }
  21. if($found == 0) {
  22. print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
  23. exit 0;
  24. }
  25. }
  26. if(@ARGV) {
  27. @dirlist = @ARGV;
  28. } elsif($ENV{SSL_CERT_DIR}) {
  29. @dirlist = split /:/, $ENV{SSL_CERT_DIR};
  30. } else {
  31. $dirlist[0] = "$dir/certs";
  32. }
  33. foreach (@dirlist) {
  34. if(-d $_ and -w $_) {
  35. hash_dir($_);
  36. }
  37. }
  38. sub hash_dir {
  39. my %hashlist;
  40. print "Doing $_[0]\n";
  41. chdir $_[0];
  42. opendir(DIR, ".");
  43. my @flist = readdir(DIR);
  44. # Delete any existing symbolic links
  45. foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
  46. if(-l $_) {
  47. unlink $_;
  48. }
  49. }
  50. closedir DIR;
  51. FILE: foreach $fname (grep {/\.pem$/} @flist) {
  52. # Check to see if certificates and/or CRLs present.
  53. my ($cert, $crl) = check_file($fname);
  54. if(!$cert && !$crl) {
  55. print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
  56. next;
  57. }
  58. link_hash_cert($fname) if($cert);
  59. link_hash_crl($fname) if($crl);
  60. }
  61. }
  62. sub check_file {
  63. my ($is_cert, $is_crl) = (0,0);
  64. my $fname = $_[0];
  65. open IN, $fname;
  66. while(<IN>) {
  67. if(/^-----BEGIN (.*)-----/) {
  68. my $hdr = $1;
  69. if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
  70. $is_cert = 1;
  71. last if($is_crl);
  72. } elsif($hdr eq "X509 CRL") {
  73. $is_crl = 1;
  74. last if($is_cert);
  75. }
  76. }
  77. }
  78. close IN;
  79. return ($is_cert, $is_crl);
  80. }
  81. # Link a certificate to its subject name hash value, each hash is of
  82. # the form <hash>.<n> where n is an integer. If the hash value already exists
  83. # then we need to up the value of n, unless its a duplicate in which
  84. # case we skip the link. We check for duplicates by comparing the
  85. # certificate fingerprints
  86. sub link_hash_cert {
  87. my $fname = $_[0];
  88. $fname =~ s/'/'\\''/g;
  89. my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in '$fname'`;
  90. chomp $hash;
  91. chomp $fprint;
  92. $fprint =~ s/^.*=//;
  93. $fprint =~ tr/://d;
  94. my $suffix = 0;
  95. # Search for an unused hash filename
  96. while(exists $hashlist{"$hash.$suffix"}) {
  97. # Hash matches: if fingerprint matches its a duplicate cert
  98. if($hashlist{"$hash.$suffix"} eq $fprint) {
  99. print STDERR "WARNING: Skipping duplicate certificate $fname\n";
  100. return;
  101. }
  102. $suffix++;
  103. }
  104. $hash .= ".$suffix";
  105. print "$fname => $hash\n";
  106. $symlink_exists=eval {symlink("",""); 1};
  107. if ($symlink_exists) {
  108. symlink $fname, $hash;
  109. } else {
  110. system ("cp", $fname, $hash);
  111. }
  112. $hashlist{$hash} = $fprint;
  113. }
  114. # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
  115. sub link_hash_crl {
  116. my $fname = $_[0];
  117. $fname =~ s/'/'\\''/g;
  118. my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
  119. chomp $hash;
  120. chomp $fprint;
  121. $fprint =~ s/^.*=//;
  122. $fprint =~ tr/://d;
  123. my $suffix = 0;
  124. # Search for an unused hash filename
  125. while(exists $hashlist{"$hash.r$suffix"}) {
  126. # Hash matches: if fingerprint matches its a duplicate cert
  127. if($hashlist{"$hash.r$suffix"} eq $fprint) {
  128. print STDERR "WARNING: Skipping duplicate CRL $fname\n";
  129. return;
  130. }
  131. $suffix++;
  132. }
  133. $hash .= ".r$suffix";
  134. print "$fname => $hash\n";
  135. $symlink_exists=eval {symlink("",""); 1};
  136. if ($symlink_exists) {
  137. symlink $fname, $hash;
  138. } else {
  139. system ("cp", $fname, $hash);
  140. }
  141. $hashlist{$hash} = $fprint;
  142. }