
#!/bin/bash
#
# Copyright (C) 2013 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

#set -vx

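do_extract()
{
	# Regenerate the extracted trust bundles under /etc/pki/ca-trust/extracted
	# from the p11-kit trust sources.
	#
	# $1 - "warn_if_disabled" prints a warning when the legacy bundle files
	#      are not all symlinks into the extracted tree (CURRENT_SETUP != 2);
	#      any other value (the dispatcher passes "silent") skips that check.
	#
	# Returns 0 only if every p11-kit extract run succeeded, non-zero if any
	# of them failed. Each extraction is checked individually so that a
	# failure writing one bundle (e.g. tls-ca-bundle.pem) is not masked by a
	# later successful run and left in place as a stale file while the
	# script reports success.
	if [[ "$1" = "warn_if_disabled" ]]; then
		prepare_setup
		if [[ $CURRENT_SETUP -ne 2 ]]; then
			warning "Warning: The dynamic CA configuration feature is in the disabled state"
		fi
	fi

	DEST=/etc/pki/ca-trust/extracted

	local status=0

	# OpenSSL PEM bundle that includes trust flags
	# (BEGIN TRUSTED CERTIFICATE)
	/usr/bin/p11-kit extract --comment --format=openssl-bundle --filter=certificates --overwrite "$DEST/openssl/ca-bundle.trust.crt" || status=1
	# Plain PEM bundles of CA anchors, one per trust purpose.
	/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" || status=1
	/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose email "$DEST/pem/email-ca-bundle.pem" || status=1
	/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" || status=1
	# Java keystore of server-auth anchors (--comment is not used for this format).
	/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" || status=1

	if [[ $status -ne 0 ]]; then
		warning "at least one p11-kit extract step failed; bundles under $DEST may be stale"
	fi
	return $status
}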

# ---- Fixed paths ----------------------------------------------------------

# Per-architecture p11-kit setup helpers and NSS builtin-roots modules whose
# presence prepare() probes.
SETUPFILE_P11_32=/usr/lib/p11-kit/p11-kit-redhat-setup-trust
SETUPFILE_P11_64=/usr/lib64/p11-kit/p11-kit-redhat-setup-trust
LIBFILE_NSS_32=/usr/lib/nss/libnssckbi.so
LIBFILE_NSS_64=/usr/lib64/nss/libnssckbi.so

# Backup directories written by create_backup() and read by restore_backup().
INITIAL_BACKUP=/etc/pki/backup-traditional-original-config
RECENT_BACKUP=/etc/pki/backup-traditional-recent-config

# The legacy bundle file names (the "PEM/JAVA" files reported by do_check).
CAB_FILE=/etc/pki/tls/certs/ca-bundle.crt
CABT_FILE=/etc/pki/tls/certs/ca-bundle.trust.crt
JAB_FILE=/etc/pki/java/cacerts

# ---- Global state (filled in by prepare() / prepare_setup()) -----------------

# Which NSS modules and p11-kit setup helpers exist, per architecture.
HAVE_NSS_32=0
HAVE_NSS_64=0
HAVE_P11_32=0
HAVE_P11_64=0
# Cleared to 0 when NSS for an architecture is present without its p11-kit
# setup helper; do_enable refuses to proceed on that unless forced.
P11_32_CONSISTENT=1
P11_64_CONSISTENT=1

# State of the legacy bundle files:
#   0 = inconsistent (mix of regular files and symlinks)
#   1 = disabled (all regular files)
#   2 = enabled (all symlinks into the extracted tree)
CURRENT_SETUP=0
# Set to 1 by force-enable / force-disable to bypass the sanity checks.
FORCE=0

# Output and exit status of `rpm -q --verify --nomtime ca-certificates`.
RPM_VFY_INFO=""
RPM_VFY_STATUS=0

warning()
{
	# Emit a diagnostic on stderr, prefixed with the script name so it can
	# be told apart from the output of the tools this script drives.
	local msg="$*"
	printf 'update-ca-trust: %s\n' "$msg" >&2
}

prepare_setup()
{
	# Classify the legacy bundle files and record the result in CURRENT_SETUP:
	#   1 when none of the three is a symlink (traditional static files),
	#   2 when all three are symlinks (dynamic setup enabled),
	#   left untouched (0 by default) for any mix of the two.
	# CAB_LINK / CABT_LINK / CAJ_LINK hold the per-file result, 0 meaning
	# "is a symlink" (the exit-status convention of test -L).
	CAB_LINK=1
	CABT_LINK=1
	CAJ_LINK=1
	[[ -L "$CAB_FILE" ]] && CAB_LINK=0
	[[ -L "$CABT_FILE" ]] && CABT_LINK=0
	[[ -L "$JAB_FILE" ]] && CAJ_LINK=0

	# 3 non-links sum to 3, 3 links sum to 0; anything else is inconsistent.
	local link_total=$(( CAB_LINK + CABT_LINK + CAJ_LINK ))
	case $link_total in
		3) CURRENT_SETUP=1 ;;
		0) CURRENT_SETUP=2 ;;
	esac
}

prepare()
{
	# Gather the facts that check/enable/disable decide on: the legacy bundle
	# state (via prepare_setup), which NSS modules and p11-kit setup helpers
	# are installed per architecture, whether those two agree, and - unless
	# the dynamic setup is already enabled - whether rpm considers the
	# packaged legacy bundle files modified.
	prepare_setup

	[[ -e "$LIBFILE_NSS_32" ]] && HAVE_NSS_32=1
	[[ -e "$LIBFILE_NSS_64" ]] && HAVE_NSS_64=1
	[[ -e "$SETUPFILE_P11_32" ]] && HAVE_P11_32=1
	[[ -e "$SETUPFILE_P11_64" ]] && HAVE_P11_64=1

	# NSS present without the matching p11-kit setup helper is flagged as
	# inconsistent; do_enable refuses to proceed on it unless forced.
	[[ $HAVE_NSS_32 -eq 1 && $HAVE_P11_32 -eq 0 ]] && P11_32_CONSISTENT=0
	[[ $HAVE_NSS_64 -eq 1 && $HAVE_P11_64 -eq 0 ]] && P11_64_CONSISTENT=0

	# rpm --verify exits 0 when the packaged files are unchanged; --nomtime
	# ignores timestamp-only differences. Only meaningful while the legacy
	# names are still real files rather than our symlinks.
	if [[ $CURRENT_SETUP -ne 2 ]]; then
		RPM_VFY_INFO=$(rpm -q --verify --nomtime ca-certificates)
		RPM_VFY_STATUS=$?
	fi
}

report_if_p11_inconsistent()
{
	# Warn, per architecture, when prepare() found NSS installed without the
	# matching p11-kit-trust setup helper (P11_<arch>_CONSISTENT == 0).
	local arch flag
	for arch in 32 64; do
		flag="P11_${arch}_CONSISTENT"
		if [[ ${!flag} -eq 0 ]]; then
			warning "nss $arch bit is installed. You should install p11-kit-trust $arch bit."
		fi
	done
}

report_if_not_enabled_and_bundles_modified()
{
	# While the dynamic setup is not (cleanly) enabled, tell the admin when
	# rpm reports the packaged legacy bundle files as modified and list them,
	# so the local changes can be re-applied in the new configuration.
	[[ $CURRENT_SETUP -ne 2 && $RPM_VFY_STATUS -ne 0 ]] || return 0

	warning "Legacy CA bundle files aren't in the default state, they have been modified."
	warning "You should research the configuration changes that have been performed and add equivalent configuration after enabling the new dynamic configuration"
	warning "Below is a list of files that have been modified:"
	warning "$RPM_VFY_INFO"
}

do_check()
{
	# Report the current trust configuration on stdout: whether the legacy
	# PEM/Java bundle names are static files (DISABLED), symlinks into the
	# extracted tree (ENABLED) or a mix (INCONSISTENT), then the NSS/p11-kit
	# consistency warnings and the libnssckbi.so alternatives links.
	# Always returns 0; the state is conveyed by the text, not the status.
	prepare

	case $CURRENT_SETUP in
		1)
			echo "PEM/JAVA Status: DISABLED."
			echo "   (Legacy setup with static files.)"
			;;
		2)
			echo "PEM/JAVA Status: ENABLED."
			echo "    (Legacy filenames are links to files produced by update-ca-trust.)"
			;;
		0)
			echo "PEM/JAVA Status: INCONSISTENT."
			echo "   (Some legacy files, some symbolic links.)"
			;;
	esac

	report_if_p11_inconsistent

	# The alternatives link decides which PKCS#11 module NSS consumers load.
	echo "PKCS#11 module Status, see symbolic links reported below:"
	ls -l /etc/alternatives/libnssckbi.so*
	echo "    (link resolving to NSS: using legacy static list)"
	echo "    (link resolving to p11-kit: using the new source configuration)"

	return 0
}

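create_backup()
{
	# Save copies of the legacy bundle files before create_links() replaces
	# them with symlinks.
	# - Two backups are kept: an "initial" one and a "most recent" one.
	# - The initial backup is created only if it doesn't exist yet and is
	#   never overwritten.
	# - The most recent backup is overwritten each time this script is run
	#   to "enable" the new-style extracted system.
	# - The most recent backup is what restore_backup() puts back when this
	#   script is run to "disable" the new-style extracted system, thereby
	#   switching back to the traditional system.
	#
	# --dereference copies file content even if a legacy name is already a
	# symlink; --preserve keeps mode, ownership and timestamps.
	#
	# Exits 1 (after a warning) if a backup directory cannot be created or a
	# copy fails: the caller is about to delete the originals, and going on
	# without a complete backup would leave no way back to the old setup.
	local opts=(--dereference --preserve --force)

	if [[ ! -e "$INITIAL_BACKUP" ]]; then
		# Initial backup directory doesn't exist yet
		if ! mkdir -p -- "$INITIAL_BACKUP" ||
		   ! cp "${opts[@]}" -- "$CAB_FILE" "$CABT_FILE" "$JAB_FILE" "$INITIAL_BACKUP"; then
			warning "failed to create the initial backup in $INITIAL_BACKUP, aborting"
			exit 1
		fi
	fi

	if ! mkdir -p -- "$RECENT_BACKUP" ||
	   ! cp "${opts[@]}" -- "$CAB_FILE" "$CABT_FILE" "$JAB_FILE" "$RECENT_BACKUP"; then
		warning "failed to create the recent backup in $RECENT_BACKUP, aborting"
		exit 1
	fi
}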

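restore_backup()
{
	# Put the legacy bundle files back from the "most recent" backup written
	# by create_backup(), turning the names back into regular files.
	#
	# Exits 1 (after a warning) when the backup directory or any of the three
	# backup files is missing, and when a copy fails: the live file has
	# already been removed by then, so reporting success would leave the
	# system without that trust bundle.
	#
	# All paths are absolute rather than cd'ing into the backup directory,
	# so a failed directory change can never make the copies pick up
	# same-named files from the current working directory.
	if [[ ! -d "$RECENT_BACKUP" ]]; then
		warning "recent backup dir doesn't exist, aborting"
		exit 1
	fi

	local name
	for name in ca-bundle.crt ca-bundle.trust.crt cacerts; do
		if [[ ! -e "$RECENT_BACKUP/$name" ]]; then
			warning "at least one backup file doesn't exist, aborting"
			exit 1
		fi
	done

	local opts=(--dereference --preserve --force)
	local failed=0

	rm -f -- "$CAB_FILE"
	cp "${opts[@]}" -- "$RECENT_BACKUP/ca-bundle.crt" "$CAB_FILE" || failed=1

	rm -f -- "$CABT_FILE"
	cp "${opts[@]}" -- "$RECENT_BACKUP/ca-bundle.trust.crt" "$CABT_FILE" || failed=1

	rm -f -- "$JAB_FILE"
	cp "${opts[@]}" -- "$RECENT_BACKUP/cacerts" "$JAB_FILE" || failed=1

	if [[ $failed -ne 0 ]]; then
		warning "failed to restore at least one legacy bundle file from $RECENT_BACKUP, aborting"
		exit 1
	fi
}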

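create_links()
{
	# Replace the legacy bundle files with symlinks into the extracted tree
	# maintained by do_extract(), so the legacy names follow the dynamic
	# configuration. The targets match the files do_extract() writes.
	#
	# Exits 1 (after a warning) if a link cannot be created: the old file has
	# already been removed by then, and continuing silently would leave the
	# system without that trust bundle while the script reports success.
	local extracted=/etc/pki/ca-trust/extracted
	local failed=0

	rm -f -- "$CAB_FILE"
	ln -s -- "$extracted/pem/tls-ca-bundle.pem" "$CAB_FILE" || failed=1

	rm -f -- "$CABT_FILE"
	ln -s -- "$extracted/openssl/ca-bundle.trust.crt" "$CABT_FILE" || failed=1

	rm -f -- "$JAB_FILE"
	ln -s -- "$extracted/java/cacerts" "$JAB_FILE" || failed=1

	if [[ $failed -ne 0 ]]; then
		warning "failed to create at least one legacy bundle symlink, aborting"
		exit 1
	fi
}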

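setup_p11()
{
	# Run the per-architecture p11-kit-redhat-setup-trust helper(s) that
	# prepare() found, passing the requested action through unchanged.
	#
	# $1 - action for the helpers ("enable" or "disable" from the callers).
	#
	# Returns 0 when every helper that was run succeeded (also when no helper
	# is installed, since there is nothing to do) and 1 if any helper failed.
	# The per-helper status is checked explicitly so the result does not
	# depend on which helper happened to run last.
	ACTION=$1
	local failed=0

	if [[ $HAVE_P11_32 -eq 1 ]]; then
		"$SETUPFILE_P11_32" "$ACTION" || failed=1
	fi

	if [[ $HAVE_P11_64 -eq 1 ]]; then
		"$SETUPFILE_P11_64" "$ACTION" || failed=1
	fi

	return $failed
}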

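do_enable()
{
	# Switch the legacy PEM/Java bundle names over to symlinks into the
	# extracted tree and enable the p11-kit trust source for NSS.
	#
	# Unless FORCE is set, refuses (exit 1, after explaining) when:
	#   - NSS is installed for an architecture without its p11-kit-trust
	#     setup helper (P11_*_CONSISTENT == 0);
	#   - the legacy files are a mix of regular files and symlinks
	#     (CURRENT_SETUP == 0);
	#   - rpm reports the packaged legacy bundle files as modified
	#     (RPM_VFY_STATUS != 0), since those local changes would otherwise
	#     be silently dropped.
	#
	# The backup step is checked before any file is replaced: if the backup
	# cannot be written the originals stay untouched and the script exits 1,
	# instead of deleting the only copy of the bundles. A failed link step
	# exits 1 as well so the problem is not hidden behind a zero status.
	prepare

	if [[ $FORCE -eq 0 ]]; then
		report_if_p11_inconsistent
		report_if_not_enabled_and_bundles_modified

		if [[ $P11_32_CONSISTENT -eq 0 || $P11_64_CONSISTENT -eq 0 ]]; then
			warning "aborting, because the nss / p11-kit setup is inconsistent."
			exit 1
		fi

		local abort=0
		if [[ $CURRENT_SETUP -eq 0 ]]; then
			warning "Aborting because of inconsistent PEM/JAVA setup."
			abort=1
		fi
		if [[ $RPM_VFY_STATUS -ne 0 ]]; then
			warning "Aborting because system uses modified legacy bundle files."
			abort=1
		fi
		if [[ $abort -eq 1 ]]; then
			warning "If you're certain, use force-enable"
			exit 1
		fi
	fi

	if [[ $CURRENT_SETUP -ne 2 ]]; then
		# only change files if PEM/JAVA files currently aren't (cleanly) enabled
		if ! create_backup; then
			warning "backup of the legacy bundle files failed, aborting before any file is replaced"
			exit 1
		fi
		if ! create_links; then
			warning "creating the legacy bundle symlinks failed, aborting"
			exit 1
		fi
	fi

	# The helpers' exit status is not propagated; the result is 0 once the
	# legacy files have been switched over.
	setup_p11 enable
	return 0
}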

do_disable()
{
	# Switch back to the traditional setup: restore the legacy bundle files
	# from the most recent backup (unless they are already plain files) and
	# disable the p11-kit trust source for NSS.
	#
	# Without FORCE, a mixed state (CURRENT_SETUP == 0) is refused with
	# exit 1; force-disable skips that check.
	prepare

	if [[ $FORCE -eq 0 && $CURRENT_SETUP -eq 0 ]]; then
		warning "Aborting because of inconsistent setup. If you're certain, use force-disable"
		exit 1
	fi

	# Nothing to restore when the PEM/JAVA files are already (cleanly) disabled.
	[[ $CURRENT_SETUP -eq 1 ]] || restore_backup

	setup_p11 disable
	return 0
}

# ---- Command dispatch ---------------------------------------------------
# No argument runs the extraction silently; every named command maps to one
# do_* function and the script exits with that function's status. The
# force-* variants set FORCE=1 so do_enable / do_disable skip their
# consistency checks. Anything else prints the usage line.
if [[ $# -eq 0 ]]; then
  # no parameters
  do_extract silent
  exit $?
fi

case "$1" in
  extract)
    do_extract warn_if_disabled
    exit $?
    ;;
  enable)
    do_enable
    exit $?
    ;;
  disable)
    do_disable
    exit $?
    ;;
  force-enable)
    FORCE=1
    do_enable
    exit $?
    ;;
  force-disable)
    FORCE=1
    do_disable
    exit $?
    ;;
  check)
    do_check
    exit $?
    ;;
esac

echo "usage: $0 [extract | check | enable | disable | force-enable | force-disable ]"
