[ca] / lib / func.sh

### -*-sh-*-

## Set up configuration.
ca_user=ca ca_group=ca ca_owner=root
if [ -f etc/config ]; then . etc/config; fi

runas_ca () {
  ## runas_ca
  ##
  ## Make sure we're running as the CA user.  I don't trust ASN.1 parsers
  ## to run as root against untrusted input -- especially OpenSSL's one.

  case $(id -un) in
    $ca_user) ;;
    *) exec sudo -u $ca_user "$0" "$@" ;;
  esac
}

linkserial () {
  ## linkserial CERT [SERIAL]
  ##
  ## Make a link for the certificate according to its serial number.

  cert=$1 suffix=$2
  serial=$(openssl x509 -serial -noout -in "$cert")
  serial=${serial##*=}
  t=index/byserial$suffix/$serial.pem
  if [ -L "$t" ]; then
    other=$(readlink "$t")
    echo "Duplicate serial numbers: ${other##*/}, ${cert##*/}"
    badness=1
    return
  fi
  lns "$cert" "$t"
}

linkhash () {
  ## linkhash CERT [SUFFIX]
  ##
  ## Make links for the certificate according to its hash.

  cert=$1 suffix=$2
  fpr=$(openssl x509 -fingerprint -noout -in "$cert")
  for opt in subject_hash subject_hash_old; do
    n=0
    hash=$(openssl x509 -$opt -noout -in "$cert")
    while t=index/byhash$suffix/$hash.$n; [ -L "$t" ]; do
      ofpr=$(openssl x509 -fingerprint -noout -in "$t")
      other=$(readlink "$t")
      case "${cert##*/}" in "${other##*/}") continue ;; esac
      case "$ofpr" in
	"$fpr")
	  echo "Duplicate certificates: ${other##*/}, ${cert##*/}"
	  badness=1
	  return
	  ;;
      esac
      n=$(expr $n + 1)
    done
    lns "$cert" "$t"
  done
}
Commit	Line	Data
b294f6b5 MW	1	### --sh--
b294f6b5 MW	2
ab54a4bc MW	3	## Set up configuration.
	4	ca_user=ca ca_group=ca ca_owner=root
	5	if [ -f etc/config ]; then . etc/config; fi
	6
b294f6b5 MW	7	runas_ca () {
	8	## runas_ca
	9	##
	10	## Make sure we're running as the CA user. I don't trust ASN.1 parsers
	11	## to run as root against untrusted input -- especially OpenSSL's one.
	12
	13	case $(id -un) in
ab54a4bc MW	14	$ca_user) ;;
ab54a4bc MW	15	*) exec sudo -u $ca_user "$0" "$@" ;;
b294f6b5 MW	16	esac
	17	}
	18
	19	linkserial () {
	20	## linkserial CERT [SERIAL]
	21	##
	22	## Make a link for the certificate according to its serial number.
	23
	24	cert=$1 suffix=$2
	25	serial=$(openssl x509 -serial -noout -in "$cert")
	26	serial=${serial##*=}
	27	t=index/byserial$suffix/$serial.pem
	28	if [ -L "$t" ]; then
	29	other=$(readlink "$t")
	30	echo "Duplicate serial numbers: ${other##/}, ${cert##/}"
	31	badness=1
	32	return
	33	fi
	34	lns "$cert" "$t"
	35	}
	36
	37	linkhash () {
	38	## linkhash CERT [SUFFIX]
	39	##
	40	## Make links for the certificate according to its hash.
	41
	42	cert=$1 suffix=$2
	43	fpr=$(openssl x509 -fingerprint -noout -in "$cert")
	44	for opt in subject_hash subject_hash_old; do
	45	n=0
	46	hash=$(openssl x509 -$opt -noout -in "$cert")
	47	while t=index/byhash$suffix/$hash.$n; [ -L "$t" ]; do
	48	ofpr=$(openssl x509 -fingerprint -noout -in "$t")
	49	other=$(readlink "$t")
	50	case "${cert##/}" in "${other##/}") continue ;; esac
	51	case "$ofpr" in
	52	"$fpr")
	53	echo "Duplicate certificates: ${other##/}, ${cert##/}"
	54	badness=1
	55	return
	56	;;
	57	esac
	58	n=$(expr $n + 1)
	59	done
	60	lns "$cert" "$t"
	61	done
	62	}