bin/c_rehash

   1 #!/bin/perl
   2
   3
   4 # Perl c_rehash script, scan all files in a directory
   5 # and add symbolic links to their hash values.
   6
   7 my $openssl;
   8
   9 my $dir = "/usr/ssl";
  10
  11 if(defined $ENV{OPENSSL}) {
  12         $openssl = $ENV{OPENSSL};
  13 } else {
  14         $openssl = "openssl";
  15         $ENV{OPENSSL} = $openssl;
  16 }
  17
  18 $ENV{PATH} .= ":$dir/bin";
  19
  20 if(! -f $openssl) {
  21         my $found = 0;
  22         foreach (split /:/, $ENV{PATH}) {
  23                 if(-f "$_/$openssl") {
  24                         $found = 1;
  25                         last;
  26                 }
  27         }
  28         if($found == 0) {
  29                 print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
  30                 exit 0;
  31         }
  32 }
  33
  34 if(@ARGV) {
  35         @dirlist = @ARGV;
  36 } elsif($ENV{SSL_CERT_DIR}) {
  37         @dirlist = split /:/, $ENV{SSL_CERT_DIR};
  38 } else {
  39         $dirlist[0] = "$dir/certs";
  40 }
  41
  42
  43 foreach (@dirlist) {
  44         if(-d $_ and -w $_) {
  45                 hash_dir($_);
  46         }
  47 }
  48
  49 sub hash_dir {
  50         my %hashlist;
  51         print "Doing $_[0]\n";
  52         chdir $_[0];
  53         opendir(DIR, ".");
  54         my @flist = readdir(DIR);
  55         # Delete any existing symbolic links
  56         foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
  57                 if(-l $_) {
  58                         unlink $_;
  59                 }
  60         }
  61         closedir DIR;
  62         FILE: foreach $fname (grep {/\.pem$/} @flist) {
  63                 # Check to see if certificates and/or CRLs present.
  64                 my ($cert, $crl) = check_file($fname);
  65                 if(!$cert && !$crl) {
  66                         print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
  67                         next;
  68                 }
  69                 link_hash_cert($fname) if($cert);
  70                 link_hash_crl($fname) if($crl);
  71         }
  72 }
  73
  74 sub check_file {
  75         my ($is_cert, $is_crl) = (0,0);
  76         my $fname = $_[0];
  77         open IN, $fname;
  78         while(<IN>) {
  79                 if(/^-----BEGIN (.*)-----/) {
  80                         my $hdr = $1;
  81                         if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
  82                                 $is_cert = 1;
  83                                 last if($is_crl);
  84                         } elsif($hdr eq "X509 CRL") {
  85                                 $is_crl = 1;
  86                                 last if($is_cert);
  87                         }
  88                 }
  89         }
  90         close IN;
  91         return ($is_cert, $is_crl);
  92 }
  93
  94
  95 # Link a certificate to its subject name hash value, each hash is of
  96 # the form <hash>.<n> where n is an integer. If the hash value already exists
  97 # then we need to up the value of n, unless its a duplicate in which
  98 # case we skip the link. We check for duplicates by comparing the
  99 # certificate fingerprints
 100
 101 sub link_hash_cert {
 102                 my $fname = $_[0];
 103                 my ($hash, $fprint) = `$openssl x509 -hash -fingerprint -noout -in $fname`;
 104                 chomp $hash;
 105                 chomp $fprint;
 106                 $fprint =~ s/^.*=//;
 107                 $fprint =~ tr/://d;
 108                 my $suffix = 0;
 109                 # Search for an unused hash filename
 110                 while(exists $hashlist{"$hash.$suffix"}) {
 111                         # Hash matches: if fingerprint matches its a duplicate cert
 112                         if($hashlist{"$hash.$suffix"} eq $fprint) {
 113                                 print STDERR "WARNING: Skipping duplicate certificate $fname\n";
 114                                 return;
 115                         }
 116                         $suffix++;
 117                 }
 118                 $hash .= ".$suffix";
 119                 print "$fname => $hash\n";
 120                 $symlink_exists=eval {symlink("",""); 1};
 121                 if ($symlink_exists) {
 122                         symlink $fname, $hash;
 123                 } else {
 124                         system ("cp", $fname, $hash);
 125                 }
 126                 $hashlist{$hash} = $fprint;
 127 }
 128
 129 # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
 130
 131 sub link_hash_crl {
 132                 my $fname = $_[0];
 133                 my ($hash, $fprint) = `$openssl crl -hash -fingerprint -noout -in $fname`;
 134                 chomp $hash;
 135                 chomp $fprint;
 136                 $fprint =~ s/^.*=//;
 137                 $fprint =~ tr/://d;
 138                 my $suffix = 0;
 139                 # Search for an unused hash filename
 140                 while(exists $hashlist{"$hash.r$suffix"}) {
 141                         # Hash matches: if fingerprint matches its a duplicate cert
 142                         if($hashlist{"$hash.r$suffix"} eq $fprint) {
 143                                 print STDERR "WARNING: Skipping duplicate CRL $fname\n";
 144                                 return;
 145                         }
 146                         $suffix++;
 147                 }
 148                 $hash .= ".r$suffix";
 149                 print "$fname => $hash\n";
 150                 $symlink_exists=eval {symlink("",""); 1};
 151                 if ($symlink_exists) {
 152                         symlink $fname, $hash;
 153                 } else {
 154                         system ("cp", $fname, $hash);
 155                 }
 156                 $hashlist{$hash} = $fprint;
 157 }
 158