bin/make-cert, bin/fix-cert-chain: Hack certificate chains for compatiblity.
diff --git a/bin/fix-cert-chain b/bin/fix-cert-chain
new file mode 100755 (executable)
index 0000000..dc9a313
--- /dev/null
@@ -0,0 +1,41 @@
+#! /bin/sh -e
+
+bad_issuers="
+O = Digital Signature Trust Co., CN = DST Root CA X3
+"
+
+case $# in
+  1) certs=$1 ;;
+  *) echo >&2 "usage: $0 CERTLIST-FILE"; exit 2 ;;
+esac
+
+nl="
+"
+mode=skip all=
+while IFS= read -r line; do
+  case $line,$mode in
+    "-----BEGIN CERTIFICATE-----",skip)
+      mode=keep
+      buf="$line$nl"
+      ;;
+    "-----END CERTIFICATE-----",keep)
+      mode=skip
+      buf="$buf$line"
+      keep=t
+      case "$nl$nl$all$nl$nl" in
+       *"$nl$nl$buf$nl$nl"*) keep=nil ;;
+      esac
+      case $keep in
+       t)
+         issuer=$(echo "$buf" | openssl x509 -noout -issuer)
+         case $bad_issuers in $"$nl$issuer$nl"*) keep=nil ;; esac
+         ;;
+      esac
+      case $keep in t) all="${all:+$all$nl$nl}$buf" ;; esac
+      ;;
+    *,keep) buf="$buf$line$nl" ;;
+  esac
+done <"$certs"
+
+case $all in "") echo >&2 "$0: no certificates found"; exit 127 ;; esac
+echo "$all"
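Review bot: The bad-issuer filter on the `case $bad_issuers in $"$nl$issuer$nl"*)` line is unlikely to ever drop a certificate: the pattern is anchored at the start of `$bad_issuers` only, so only the first listed issuer could match, and the stray `$` before the opening quote is a bash locale-translation quote that a plain `/bin/sh` such as dash will most likely treat as a literal `$` at the head of the pattern, so nothing matches at all there. The intended line is presumably `case $bad_issuers in *"$nl$issuer$nl"*) keep=nil ;; esac`. Separately, on the OpenSSL builds I know, `openssl x509 -noout -issuer` prints an `issuer=` prefix and its name formatting differs between 1.0 and 1.1+, so the entry in `bad_issuers` will not equal the raw output; either strip the prefix first, `issuer=${issuer#issuer=}`, or pass an explicit `-nameopt` and write the table entry in that exact form. Since this script exists to remove a distrusted root for compatibility, a silently non-matching filter means the chain is emitted unchanged with no error, so a comment above `bad_issuers` stating the exact expected line format would help the next maintainer verify it.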