diff --git a/README.rst b/README.rst index 0409ca8d65e206634bb6b3aa75601f56497c83af..9336ee513e25b03fd5b6b6bf5cc28bd0c5deb9b5 100644 --- a/README.rst +++ b/README.rst @@ -76,9 +76,3 @@ Nimrod Adar, `contact me `_ or visit my `website `_. Patches are welcome via `git send-email `_. The repository is located at: https://www.shore.co.il/git/. - -TODO ----- - -- Actually name the CA certificates properly and without duplicate names. Right - now they're just numbered. diff --git a/files/update-ca-certificates b/files/update-ca-certificates index 77b72002be237a3193bfe7fa2e1ef719bab261c0..e105233cfc326189ce4b0931c00766d5d00d8a37 100755 --- a/files/update-ca-certificates +++ b/files/update-ca-certificates @@ -2,7 +2,7 @@ # Update the CA certificates store. # Assumptions: # - Running on OpenBSD. -# - /root/ca-certificates.crt exists. +# - /etc/ssl/cert.pem exists. # - /etc/ssl/certs/ exists. # - /usr/share/ca-certificates exists. # - /usr/local/share/ca-certificates exists. @@ -14,18 +14,21 @@ error () { exit 1 } -alias subject_hash='openssl x509 -noout -subject_hash -in' alias cert_list='find /usr/share/ca-certificates/ \ - /usr/local/share/ca-certificates/ -name *.crt' + /usr/local/share/ca-certificates/ -name \*.crt' + +clean_filename () { + perl -pe 's@ @_@g; s@http:@@g; s@/@@g; s@\n@@g' +} organizationalunit () { openssl x509 -noout -subject -in $1 -nameopt multiline | \ - awk -F'= ' '/organizationalUnitName/ {print $2}' + awk -F'= ' '/organizationalUnitName/ {print $2}' | clean_filename } commonname () { openssl x509 -noout -subject -in $1 -nameopt multiline | \ - awk -F'= ' '/commonName/ {print $2}' + awk -F'= ' '/commonName/ {print $2}' | clean_filename } subject () { 
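Review bot: In `organizationalunit` and `commonname` the certificate path is still passed unquoted (`openssl x509 -noout -subject -in $1 -nameopt multiline | \`), and the new `clean_filename` pipe can legitimately yield an empty string when the certificate carries no OU or CN, which the caller then turns into a file name; neither case is checked in this hunk. Quote the argument as `-in "$1"` in both functions, and since the `subject` helper that consumes these values starts on the hunk's last line and continues outside it, make sure it rejects an empty result before a path is built from it. `clean_filename` deleting `/` and newlines is the right property for keeping the result a single path component, but it does not make distinct subjects map to distinct names, so uniqueness still has to be enforced where the name is used; a one-line comment on `clean_filename` saying `# Reduce a subject field to a single safe path component (no spaces, slashes, newlines or http: prefix); result may be empty.` would document that contract.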
@@ -49,23 +52,22 @@ gen_upstream_certs() { local certificate awk '/-----BEGIN[A-Z0-9 ]*CERTIFICATE-----/ {n++} \ n > 0 {print > ("/usr/share/ca-certificates/cert" (1+n) ".crt")}' \ - /root/ca-certificates.crt - #for certificate in /usr/share/ca-certificates/cert* - #do - # [ -f "$certificate" ] || continue - # mv "$certificate" "$(subject $certificate).crt" - #done + /etc/ssl/cert.pem + for certificate in /usr/share/ca-certificates/cert* + do + [ -f "$certificate" ] || continue + mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt" + done } gen_certs_symlinks () { # Generate the symlinks by subject and hash in /etc/ssl/certs. - local certificate - for certificate in $(cert_list) + local cert + for cert in $(cert_list) do - [ -f "$certificate" ] || continue - ln -s "$certificate" "/etc/ssl/certs/$(basename $certificate .crt).pem" - ln -s "$certificate" "/etc/ssl/certs/$(subject_hash $certificate)" + ln -s "$cert" "/etc/ssl/certs/$(basename $cert | sed 's/crt$/pem/g')" done + openssl certhash /etc/ssl/certs } gen_concat_cert () { @@ -80,8 +82,8 @@ do [ -d $directory ] || error $directory doesn\'t exist. done -[ -r /root/ca-certificates.crt ] || \ - error Can\'t access /root/ca-certificates.crt. +[ -r /etc/ssl/cert.pem ] || \ + error Can\'t access /etc/ssl/cert.pem. clean_certs gen_upstream_certs diff --git a/tasks/main.yml b/tasks/main.yml index 9685fd6e68cd2f48750049b30b5cc6d4a3297508..45d0f0f2dc5e061439f0cad8211e076444399ab4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,7 +3,8 @@ - name: Assert assert: - that: ansible_os_family in [ 'OpenBSD', 'Debian' ] + that: + - (ansible_os_family == 'OpenBSD' and ansible_distribution_release | version_compare('5.7', '>=')) or ansible_os_family == 'Debian' - name: APT install when: ansible_pkg_mgr == 'apt' 
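Review bot: In `gen_upstream_certs`, `mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt"` silently overwrites any earlier split certificate whose subject reduces to the same cleaned name, so a duplicate-subject CA (the case the README TODO removed in this commit described) or an empty subject (`.crt`) drops a certificate from the store with no error, and the cert.pem versus split-file counts that the test compares drift apart. Test for an existing target before moving and fail through `error` instead; `subject` is defined outside this hunk, so I am assuming it prints one cleaned name per call. The same unchecked-failure shape exists in `gen_certs_symlinks`: `ln -s` fails when the same name occurs under both `/usr/share/ca-certificates/` and `/usr/local/share/ca-certificates/`, and `$(cert_list)` and `basename $cert` are unquoted, so a subject containing glob characters would be expanded by the shell before reaching `ln`.
```shell
  # … unchanged: awk split of /etc/ssl/cert.pem into cert*.crt …
  for certificate in /usr/share/ca-certificates/cert*
  do
    [ -f "$certificate" ] || continue
    target="/usr/share/ca-certificates/$(subject "$certificate").crt"
    # A second certificate with the same (cleaned) subject must not clobber the first.
    [ -e "$target" ] && error "$target already exists (duplicate subject)."
    mv "$certificate" "$target"
  done
```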
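Review bot: The new assert compares `ansible_distribution_release` with `5.7`, but on OpenBSD that fact holds the branch name (`release`, `current` or `stable`) as far as I recall, while the numeric version is in `ansible_distribution_version`, so the comparison is either vacuously true or a type error rather than the version floor intended; please verify the fact values on a target host. If that is right the condition should read `- (ansible_os_family == 'OpenBSD' and ansible_distribution_version | version_compare('5.7', '>=')) or ansible_os_family == 'Debian'`. A short comment above the assert saying why 5.7 is the floor (presumably the first release whose openssl provides `certhash`, which the update script now calls) would spare the next maintainer the archaeology.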
@@ -41,7 +42,7 @@ when: ansible_os_family == 'OpenBSD' get_url: url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem - dest: /root/ca-certificates.crt + dest: /etc/ssl/cert.pem owner: root group: wheel mode: 0o0644 diff --git a/tests/test_ca_store.py b/tests/test_ca_store.py index 95dcbbb02f4a2fd6b3d47cfbc7084d6ff43535de..7c00b7576f61b0eb73bad9428bbfb88443ead9e6 100644 --- a/tests/test_ca_store.py +++ b/tests/test_ca_store.py @@ -24,7 +24,7 @@ def test_key_directory(File): def test_concat_cert(File, Command): assert File('/etc/ssl/certs/ca-certificates.crt').is_file assert Command( - 'grep BEGIN /root/ca-certificates.crt | wc -l').stdout == Command( + 'grep BEGIN /etc/ssl/cert.pem | wc -l').stdout == Command( 'grep BEGIN /usr/share/ca-certificates/*.crt | wc -l').stdout
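Review bot: The host's trust store is now replaced from an unauthenticated source: `url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem` is plain HTTP and `dest: /etc/ssl/cert.pem` is the system CA bundle every TLS client on the box reads, so anyone on the network path can choose which CAs are trusted, and the update script then derives the whole split store from that file; the previous destination under /root at least left the shipped copy intact. Fetch over TLS and pin the content, e.g. `url: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem` with `validate_certs: yes` and a `checksum: sha256:<expected>` that is bumped deliberately on each refresh, and consider `backup: yes` so the shipped cert.pem can be restored. Also note that a `~checkout~` of src/ is the -current tree rather than the bundle matching the running release, so confirm that is the intended source.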