Commit a10cf202 authored by nimrod's avatar nimrod

- Use /etc/ssl/cert.pem instead of /root/ca-certificates.crt in OpenBSD. It's

  the CA bundle from LibreSSL and is in the base OS. The update is already from
the same upstream.
- Better parsing and cleaning of the certificate name, therefore the certificates
  under /usr/share/ca-certificates are more properly named (not just numbered)
in OpenBSD.
- Use openssl certhash in OpenBSD instead of reimplementing the logic. Only
  available in 5.7 or later, added assertion for that.
- Updated TODO list, tests accordingly.
parent 7150f959
...@@ -76,9 +76,3 @@ Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website ...@@ -76,9 +76,3 @@ Nimrod Adar, `contact me <nimrod@shore.co.il>`_ or visit my `website
<https://www.shore.co.il/>`_. Patches are welcome via `git send-email <https://www.shore.co.il/>`_. Patches are welcome via `git send-email
<http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located <http://git-scm.com/book/en/v2/Git-Commands-Email>`_. The repository is located
at: https://www.shore.co.il/git/. at: https://www.shore.co.il/git/.
TODO
----
- Actually name the CA certificates properly and without duplicate names. Right
now they're just numbered.
...@@ -2,7 +2,7 @@ ...@@ -2,7 +2,7 @@
# Update the CA certificates store. # Update the CA certificates store.
# Assumptions: # Assumptions:
# - Running on OpenBSD. # - Running on OpenBSD.
# - /root/ca-certificates.crt exists. # - /etc/ssl/cert.pem exists.
# - /etc/ssl/certs/ exists. # - /etc/ssl/certs/ exists.
# - /usr/share/ca-certificates exists. # - /usr/share/ca-certificates exists.
# - /usr/local/share/ca-certificates exists. # - /usr/local/share/ca-certificates exists.
...@@ -14,18 +14,21 @@ error () { ...@@ -14,18 +14,21 @@ error () {
exit 1 exit 1
} }
alias subject_hash='openssl x509 -noout -subject_hash -in'
alias cert_list='find /usr/share/ca-certificates/ \ alias cert_list='find /usr/share/ca-certificates/ \
/usr/local/share/ca-certificates/ -name *.crt' /usr/local/share/ca-certificates/ -name \*.crt'
clean_filename () {
perl -pe 's@ @_@g; s@http:@@g; s@/@@g; s@\n@@g'
}
organizationalunit () { organizationalunit () {
openssl x509 -noout -subject -in $1 -nameopt multiline | \ openssl x509 -noout -subject -in $1 -nameopt multiline | \
awk -F'= ' '/organizationalUnitName/ {print $2}' awk -F'= ' '/organizationalUnitName/ {print $2}' | clean_filename
} }
commonname () { commonname () {
openssl x509 -noout -subject -in $1 -nameopt multiline | \ openssl x509 -noout -subject -in $1 -nameopt multiline | \
awk -F'= ' '/commonName/ {print $2}' awk -F'= ' '/commonName/ {print $2}' | clean_filename
} }
subject () { subject () {
...@@ -49,23 +52,22 @@ gen_upstream_certs() { ...@@ -49,23 +52,22 @@ gen_upstream_certs() {
local certificate local certificate
awk '/-----BEGIN[A-Z0-9 ]*CERTIFICATE-----/ {n++} \ awk '/-----BEGIN[A-Z0-9 ]*CERTIFICATE-----/ {n++} \
n > 0 {print > ("/usr/share/ca-certificates/cert" (1+n) ".crt")}' \ n > 0 {print > ("/usr/share/ca-certificates/cert" (1+n) ".crt")}' \
/root/ca-certificates.crt /etc/ssl/cert.pem
#for certificate in /usr/share/ca-certificates/cert* for certificate in /usr/share/ca-certificates/cert*
#do do
# [ -f "$certificate" ] || continue [ -f "$certificate" ] || continue
# mv "$certificate" "$(subject $certificate).crt" mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt"
#done done
} }
gen_certs_symlinks () { gen_certs_symlinks () {
# Generate the symlinks by subject and hash in /etc/ssl/certs. # Generate the symlinks by subject and hash in /etc/ssl/certs.
local certificate local cert
for certificate in $(cert_list) for cert in $(cert_list)
do do
[ -f "$certificate" ] || continue ln -s "$cert" "/etc/ssl/certs/$(basename $cert | sed 's/crt$/pem/g')"
ln -s "$certificate" "/etc/ssl/certs/$(basename $certificate .crt).pem"
ln -s "$certificate" "/etc/ssl/certs/$(subject_hash $certificate)"
done done
openssl certhash /etc/ssl/certs
} }
gen_concat_cert () { gen_concat_cert () {
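Review bot: The rename in gen_upstream_certs, `mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt"`, overwrites silently when two upstream certificates reduce to the same cleaned subject, so a CA is dropped from the store with no message; `mv -n` or an explicit `[ -e "$target" ] && error "duplicate name $target"` before the move would make the collision visible instead of leaving it to the BEGIN-count test to notice. The `$certificate` inside the command substitution is unquoted, and an empty result from subject would yield the file name `.crt`; both are cheap to guard with quotes and a `[ -n "$name" ]` check. In gen_certs_symlinks the `[ -f "$cert" ] || continue` guard was dropped while `for cert in $(cert_list)` still word-splits the find output, so a path containing whitespace would be split into fragments that `ln -s` turns into dangling links. The body of subject starts outside the hunk, so what it returns for certificates lacking a commonName cannot be checked here.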
...@@ -80,8 +82,8 @@ do ...@@ -80,8 +82,8 @@ do
[ -d $directory ] || error $directory doesn\'t exist. [ -d $directory ] || error $directory doesn\'t exist.
done done
[ -r /root/ca-certificates.crt ] || \ [ -r /etc/ssl/cert.pem ] || \
error Can\'t access /root/ca-certificates.crt. error Can\'t access /etc/ssl/cert.pem.
clean_certs clean_certs
gen_upstream_certs gen_upstream_certs
...@@ -3,7 +3,8 @@ ...@@ -3,7 +3,8 @@
- name: Assert - name: Assert
assert: assert:
that: ansible_os_family in [ 'OpenBSD', 'Debian' ] that:
- (ansible_os_family == 'OpenBSD' and ansible_distribution_release | version_compare('5.7', '>=')) or ansible_os_family == 'Debian'
- name: APT install - name: APT install
when: ansible_pkg_mgr == 'apt' when: ansible_pkg_mgr == 'apt'
...@@ -41,7 +42,7 @@ ...@@ -41,7 +42,7 @@
when: ansible_os_family == 'OpenBSD' when: ansible_os_family == 'OpenBSD'
get_url: get_url:
url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
dest: /root/ca-certificates.crt dest: /etc/ssl/cert.pem
owner: root owner: root
group: wheel group: wheel
mode: 0o0644 mode: 0o0644
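Review bot: This task still downloads the bundle over plain `http://` and now writes it to `/etc/ssl/cert.pem`, the LibreSSL trust store of the base OS, so any tampering with the response on the way in ends up as a trusted CA on the host; the unchanged `url:` line is where it applies. Pin the download with get_url's `checksum:` parameter (`checksum: sha256:<EXPECTED_SHA256_PLACEHOLDER>`) and use https if the upstream offers it, and set `backup: yes` so the OS-shipped file can be restored. Since the commit description says the file already comes from the same upstream, it may also be worth making this task conditional rather than overwriting an OS-managed file on every run. The task's `- name:` line is outside the hunk.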
...@@ -24,7 +24,7 @@ def test_key_directory(File): ...@@ -24,7 +24,7 @@ def test_key_directory(File):
def test_concat_cert(File, Command): def test_concat_cert(File, Command):
assert File('/etc/ssl/certs/ca-certificates.crt').is_file assert File('/etc/ssl/certs/ca-certificates.crt').is_file
assert Command( assert Command(
'grep BEGIN /root/ca-certificates.crt | wc -l').stdout == Command( 'grep BEGIN /etc/ssl/cert.pem | wc -l').stdout == Command(
'grep BEGIN /usr/share/ca-certificates/*.crt | wc -l').stdout 'grep BEGIN /usr/share/ca-certificates/*.crt | wc -l').stdout