c_rehash.in 4.1 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180
  1. #!/usr/local/bin/perl
  2. # Perl c_rehash script, scan all files in a directory
  3. # and add symbolic links to their hash values.
  4. my $openssl;
  5. my $dir;
  6. my $prefix;
  7. if(defined $ENV{OPENSSL}) {
  8. $openssl = $ENV{OPENSSL};
  9. } else {
  10. $openssl = "openssl";
  11. $ENV{OPENSSL} = $openssl;
  12. }
  13. my $pwd;
  14. eval "require Cwd";
  15. if (defined(&Cwd::getcwd)) {
  16. $pwd=Cwd::getcwd();
  17. } else {
  18. $pwd=`pwd`; chomp($pwd);
  19. }
  20. my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
  21. $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path
  22. if(! -x $openssl) {
  23. my $found = 0;
  24. foreach (split /$path_delim/, $ENV{PATH}) {
  25. if(-x "$_/$openssl") {
  26. $found = 1;
  27. $openssl = "$_/$openssl";
  28. last;
  29. }
  30. }
  31. if($found == 0) {
  32. print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
  33. exit 0;
  34. }
  35. }
  36. if(@ARGV) {
  37. @dirlist = @ARGV;
  38. } elsif($ENV{SSL_CERT_DIR}) {
  39. @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
  40. } else {
  41. $dirlist[0] = "$dir/certs";
  42. }
  43. if (-d $dirlist[0]) {
  44. chdir $dirlist[0];
  45. $openssl="$pwd/$openssl" if (!-x $openssl);
  46. chdir $pwd;
  47. }
  48. foreach (@dirlist) {
  49. if(-d $_ and -w $_) {
  50. hash_dir($_);
  51. }
  52. }
  53. sub hash_dir {
  54. my %hashlist;
  55. print "Doing $_[0]\n";
  56. chdir $_[0];
  57. opendir(DIR, ".");
  58. my @flist = readdir(DIR);
  59. # Delete any existing symbolic links
  60. foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
  61. if(-l $_) {
  62. unlink $_;
  63. }
  64. }
  65. closedir DIR;
  66. FILE: foreach $fname (grep {/\.pem$/} @flist) {
  67. # Check to see if certificates and/or CRLs present.
  68. my ($cert, $crl) = check_file($fname);
  69. if(!$cert && !$crl) {
  70. print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
  71. next;
  72. }
  73. link_hash_cert($fname) if($cert);
  74. link_hash_crl($fname) if($crl);
  75. }
  76. }
  77. sub check_file {
  78. my ($is_cert, $is_crl) = (0,0);
  79. my $fname = $_[0];
  80. open IN, $fname;
  81. while(<IN>) {
  82. if(/^-----BEGIN (.*)-----/) {
  83. my $hdr = $1;
  84. if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
  85. $is_cert = 1;
  86. last if($is_crl);
  87. } elsif($hdr eq "X509 CRL") {
  88. $is_crl = 1;
  89. last if($is_cert);
  90. }
  91. }
  92. }
  93. close IN;
  94. return ($is_cert, $is_crl);
  95. }
  96. # Link a certificate to its subject name hash value, each hash is of
  97. # the form <hash>.<n> where n is an integer. If the hash value already exists
  98. # then we need to up the value of n, unless its a duplicate in which
  99. # case we skip the link. We check for duplicates by comparing the
  100. # certificate fingerprints
  101. sub link_hash_cert {
  102. my $fname = $_[0];
  103. $fname =~ s/'/'\\''/g;
  104. my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`;
  105. chomp $hash;
  106. chomp $fprint;
  107. $fprint =~ s/^.*=//;
  108. $fprint =~ tr/://d;
  109. my $suffix = 0;
  110. # Search for an unused hash filename
  111. while(exists $hashlist{"$hash.$suffix"}) {
  112. # Hash matches: if fingerprint matches its a duplicate cert
  113. if($hashlist{"$hash.$suffix"} eq $fprint) {
  114. print STDERR "WARNING: Skipping duplicate certificate $fname\n";
  115. return;
  116. }
  117. $suffix++;
  118. }
  119. $hash .= ".$suffix";
  120. print "$fname => $hash\n";
  121. $symlink_exists=eval {symlink("",""); 1};
  122. if ($symlink_exists) {
  123. symlink $fname, $hash;
  124. } else {
  125. open IN,"<$fname" or die "can't open $fname for read";
  126. open OUT,">$hash" or die "can't open $hash for write";
  127. print OUT <IN>; # does the job for small text files
  128. close OUT;
  129. close IN;
  130. }
  131. $hashlist{$hash} = $fprint;
  132. }
  133. # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
  134. sub link_hash_crl {
  135. my $fname = $_[0];
  136. $fname =~ s/'/'\\''/g;
  137. my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
  138. chomp $hash;
  139. chomp $fprint;
  140. $fprint =~ s/^.*=//;
  141. $fprint =~ tr/://d;
  142. my $suffix = 0;
  143. # Search for an unused hash filename
  144. while(exists $hashlist{"$hash.r$suffix"}) {
  145. # Hash matches: if fingerprint matches its a duplicate cert
  146. if($hashlist{"$hash.r$suffix"} eq $fprint) {
  147. print STDERR "WARNING: Skipping duplicate CRL $fname\n";
  148. return;
  149. }
  150. $suffix++;
  151. }
  152. $hash .= ".r$suffix";
  153. print "$fname => $hash\n";
  154. $symlink_exists=eval {symlink("",""); 1};
  155. if ($symlink_exists) {
  156. symlink $fname, $hash;
  157. } else {
  158. system ("cp", $fname, $hash);
  159. }
  160. $hashlist{$hash} = $fprint;
  161. }