1 | ### -*-sh-*- |
2 | ||
## Set up configuration.
##
## Defaults for the CA's identity: $ca_user is the unprivileged account the
## certificate parsers run as (see `runas_ca'); $ca_group and $ca_owner are
## not used in this file and are presumably consumed by callers.  An
## optional `etc/config', relative to the current directory, may override
## any of them.
##
## SECURITY: `etc/config' is executed as shell code by whoever invoked the
## script -- this happens at load time, before `runas_ca' has had a chance
## to drop privileges -- so it must be owned by and writable only by the
## privileged owner of the CA tree, never by $ca_user.
ca_user=ca
ca_group=ca
ca_owner=root
if test -f etc/config; then
  . etc/config
fi
6 | ||
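runas_ca () {
  ## runas_ca
  ##
  ## Make sure we're running as the CA user.  I don't trust ASN.1 parsers
  ## to run as root against untrusted input -- especially OpenSSL's one.
  ##
  ## If the current user is already $ca_user this is a no-op.  Otherwise the
  ## running script ($0, with its original arguments) is re-executed under
  ## `sudo -u $ca_user' and this function never returns.  $0 is used exactly
  ## as invoked, so a relative path only works because sudo keeps the
  ## working directory by default; sudo will also typically reset the
  ## environment, so don't rely on caller-set environment surviving.

  ## Refuse to guess when $ca_user is empty: with the old unquoted
  ## expansion, `sudo -u $ca_user "$0"' would silently have become
  ## `sudo -u "$0"' and tried to run as a user named after the script.
  if [ -z "$ca_user" ]; then
    echo >&2 "$0: ca_user is not set; refusing to run"
    exit 1
  fi

  case $(id -un) in
    "$ca_user") ;;
    *) exec sudo -u "$ca_user" "$0" "$@" ;;
  esac
}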
18 | ||
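linkserial () {
  ## linkserial CERT [SUFFIX]
  ##
  ## Make a link for the certificate according to its serial number.
  ##
  ## The link is `index/byserial$SUFFIX/SERIAL.pem', where SERIAL is the hex
  ## serial reported by `openssl x509 -serial'.  If a link for that serial
  ## already exists, the clash is reported on stdout, `badness' is set to 1
  ## and the existing link is left alone.  The same happens if the serial
  ## can't be read or isn't plain hex, so a damaged or hostile certificate
  ## is never indexed under an empty or surprising filename.  Variables are
  ## deliberately not `local' (this is portable sh); `badness' is the
  ## caller's error flag and is only ever set, never cleared, here.

  cert=$1 suffix=$2
  if ! serial=$(openssl x509 -serial -noout -in "$cert"); then
    echo "Can't read serial number: ${cert##*/}"
    badness=1
    return
  fi
  serial=${serial##*=}

  ## The serial becomes a path component.  Insist on the hex digits that
  ## `openssl x509 -serial' prints for a well-formed certificate; an empty
  ## or non-hex value (e.g. a negative serial, which a conforming CA never
  ## issues) is treated as a bad certificate rather than used as a name.
  case "$serial" in
    '' | *[!0-9A-Fa-f]*)
      echo "Bad serial number \`$serial': ${cert##*/}"
      badness=1
      return
      ;;
  esac

  t=index/byserial$suffix/$serial.pem
  if [ -L "$t" ]; then
    other=$(readlink "$t")
    echo "Duplicate serial numbers: ${other##*/}, ${cert##*/}"
    badness=1
    return
  fi
  lns "$cert" "$t"
}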
36 | ||
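linkhash () {
  ## linkhash CERT [SUFFIX]
  ##
  ## Make links for the certificate according to its hash.
  ##
  ## For each of the current (`subject_hash') and legacy (`subject_hash_old')
  ## subject-name hashes, link CERT as `index/byhash$SUFFIX/HASH.N', where N
  ## is the first free slot (0, 1, ...).  While walking the occupied slots:
  ##
  ##   * a slot that already points at CERT (same basename) means this hash
  ##     type is done, so we move straight on to the next one;
  ##   * a slot holding a different file with the same fingerprint is a
  ##     duplicate certificate: report it on stdout, set `badness=1' and
  ##     return without linking anything further.
  ##
  ## Failure to read the fingerprint or a hash from CERT is likewise
  ## reported and flagged in `badness' rather than indexing the certificate
  ## under an empty name.  Variables are not `local' (portable sh);
  ## `badness' is the caller's error flag and is only ever set here.

  cert=$1 suffix=$2
  if ! fpr=$(openssl x509 -fingerprint -noout -in "$cert"); then
    echo "Can't read fingerprint: ${cert##*/}"
    badness=1
    return
  fi

  for opt in subject_hash subject_hash_old; do
    if ! hash=$(openssl x509 "-$opt" -noout -in "$cert"); then
      echo "Can't read $opt: ${cert##*/}"
      badness=1
      return
    fi

    ## The hash is used as a filename component.  OpenSSL prints it as plain
    ## hex, so anything else is treated as a bad certificate, not a name.
    case "$hash" in
      '' | *[!0-9A-Fa-f]*)
        echo "Bad $opt \`$hash': ${cert##*/}"
        badness=1
        return
        ;;
    esac

    n=0
    while t=index/byhash$suffix/$hash.$n; [ -L "$t" ]; do
      other=$(readlink "$t")

      ## Already linked in this slot: skip to the next hash type.  This must
      ## be `continue 2' -- a plain `continue' would re-examine the same slot
      ## without bumping $n and never terminate.
      case "${cert##*/}" in "${other##*/}") continue 2 ;; esac

      ## A dangling or unreadable slot leaves $ofpr empty and is stepped
      ## over like any other non-matching entry.
      ofpr=$(openssl x509 -fingerprint -noout -in "$t")
      case "$ofpr" in
        "$fpr")
          echo "Duplicate certificates: ${other##*/}, ${cert##*/}"
          badness=1
          return
          ;;
      esac
      n=$((n + 1))
    done
    lns "$cert" "$t"
  done
}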