From a10cf202dcdb00b17c87f7a776db2ac618d20225 Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Wed, 3 Aug 2016 20:42:16 +0300
Subject: [PATCH] - Use /etc/ssl/cert.pem instead of /root/ca-certificates.crt in OpenBSD. It's the CA bundle from LibreSSL and is in the base OS. The update is already from the same upstream. - Better parsing and cleaning of certificate name, therefore the cerificates under /usr/share/ca-certificates are more properly names (not just numbered) in OpenBSD. - Use openssl certhash in OpenBSD instead of reimplementing the logic. Only available in 5.7 or later, added assertion for that. - Updated TODO list, tests accordingly.
---
 README.rst | 6 ------
 files/update-ca-certificates | 38 +++++++++++++++++++-----------------
 tasks/main.yml | 5 +++--
 tests/test_ca_store.py | 2 +-
 4 files changed, 24 insertions(+), 27 deletions(-)
diff --git a/README.rst b/README.rst
index 0409ca8..9336ee5 100644
--- a/README.rst
+++ b/README.rst
@@ -76,9 +76,3 @@ Nimrod Adar, `contact me `_ or visit my `website `_. Patches are welcome via `git send-email `_. The repository is located at: https://www.shore.co.il/git/.
-
-TODO
-----
-
-- Actually name the CA certificates properly and without duplicate names. Right
- now they're just numbered.
diff --git a/files/update-ca-certificates b/files/update-ca-certificates
index 77b7200..e105233 100755
--- a/files/update-ca-certificates
+++ b/files/update-ca-certificates
@@ -2,7 +2,7 @@
 # Update the CA certificates store.
 # Assumptions:
 # - Running on OpenBSD.
-# - /root/ca-certificates.crt exists.
+# - /etc/ssl/cert.pem exists.
 # - /etc/ssl/certs/ exists.
 # - /usr/share/ca-certificates exists.
 # - /usr/local/share/ca-certificates exists.
@@ -14,18 +14,21 @@ error () {
 exit 1
 }
-alias subject_hash='openssl x509 -noout -subject_hash -in'
 alias cert_list='find /usr/share/ca-certificates/ \
- /usr/local/share/ca-certificates/ -name *.crt'
+ /usr/local/share/ca-certificates/ -name \*.crt'
+
+clean_filename () {
+ perl -pe 's@ @_@g; s@http:@@g; s@/@@g; s@\n@@g'
+}
 organizationalunit () {
 openssl x509 -noout -subject -in $1 -nameopt multiline | \
- awk -F'= ' '/organizationalUnitName/ {print $2}'
+ awk -F'= ' '/organizationalUnitName/ {print $2}' | clean_filename
 }
 commonname () {
 openssl x509 -noout -subject -in $1 -nameopt multiline | \
- awk -F'= ' '/commonName/ {print $2}'
+ awk -F'= ' '/commonName/ {print $2}' | clean_filename
 }
 subject () {
@@ -49,23 +52,22 @@ gen_upstream_certs() {
 local certificate
 awk '/-----BEGIN[A-Z0-9 ]*CERTIFICATE-----/ {n++} \
 n > 0 {print > ("/usr/share/ca-certificates/cert" (1+n) ".crt")}' \
- /root/ca-certificates.crt
- #for certificate in /usr/share/ca-certificates/cert*
- #do
- # [ -f "$certificate" ] || continue
- # mv "$certificate" "$(subject $certificate).crt"
- #done
+ /etc/ssl/cert.pem
+ for certificate in /usr/share/ca-certificates/cert*
+ do
+ [ -f "$certificate" ] || continue
+ mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt"
+ done
 }
 gen_certs_symlinks () {
 # Generate the symlinks by subject and hash in /etc/ssl/certs.
- local certificate
- for certificate in $(cert_list)
+ local cert
+ for cert in $(cert_list)
 do
- [ -f "$certificate" ] || continue
- ln -s "$certificate" "/etc/ssl/certs/$(basename $certificate .crt).pem"
- ln -s "$certificate" "/etc/ssl/certs/$(subject_hash $certificate)"
+ ln -s "$cert" "/etc/ssl/certs/$(basename $cert | sed 's/crt$/pem/g')"
 done
+ openssl certhash /etc/ssl/certs
 }
 gen_concat_cert () {
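Review bot: `clean_filename` strips only spaces, `http:`, `/` and newlines, yet its output becomes a filename under /usr/share/ca-certificates (and, via `basename`, an unquoted word in gen_certs_symlinks), so every other character of a CA subject — parentheses, commas, quotes, `&`, and the `\xNN` escapes that `-nameopt multiline` emits for non-ASCII bytes, I believe — passes straight into the path. A whitelist is the safer shape for a sanitizer: `perl -pe 's@http:@@g; s@\n@@g; s@[^A-Za-z0-9._-]@_@g'`. `subject`, which presumably joins these two helpers into the final name, is declared on the hunk's last line and its body lies outside the hunk.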
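Review bot: `mv "$certificate" "/usr/share/ca-certificates/$(subject $certificate).crt"` overwrites silently when two certificates reduce to the same sanitized subject (or to an empty one, which yields `.crt`), so a trust anchor can vanish from the store without any error — the TODO this commit deletes promised names "without duplicate names", but nothing in the loop enforces uniqueness (subject's body is outside this hunk). Compute the target first and refuse to clobber: `target="/usr/share/ca-certificates/$(subject "$certificate").crt"`, `[ -e "$target" ] && error "Duplicate certificate name: $target"`, `mv "$certificate" "$target"`. The same concern applies to the rewritten `ln -s` in gen_certs_symlinks: a basename present in both /usr/share and /usr/local/share makes the second link fail with "File exists" and, with no `set -e` visible, the script carries on.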
@@ -80,8 +82,8 @@ do
 [ -d $directory ] || error $directory doesn\'t exist.
 done
-[ -r /root/ca-certificates.crt ] || \
- error Can\'t access /root/ca-certificates.crt.
+[ -r /etc/ssl/cert.pem ] || \
+ error Can\'t access /etc/ssl/cert.pem.
 clean_certs
 gen_upstream_certs
diff --git a/tasks/main.yml b/tasks/main.yml
index 9685fd6..45d0f0f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,7 +3,8 @@
 - name: Assert
 assert:
- that: ansible_os_family in [ 'OpenBSD', 'Debian' ]
+ that:
+ - (ansible_os_family == 'OpenBSD' and ansible_distribution_release | version_compare('5.7', '>=')) or ansible_os_family == 'Debian'
 - name: APT install
 when: ansible_pkg_mgr == 'apt'
@@ -41,7 +42,7 @@
 when: ansible_os_family == 'OpenBSD'
 get_url:
 url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
- dest: /root/ca-certificates.crt
+ dest: /etc/ssl/cert.pem
 owner: root
 group: wheel
 mode: 0o0644
diff --git a/tests/test_ca_store.py b/tests/test_ca_store.py
index 95dcbbb..7c00b75 100644
--- a/tests/test_ca_store.py
+++ b/tests/test_ca_store.py
@@ -24,7 +24,7 @@ def test_key_directory(File):
 def test_concat_cert(File, Command):
 assert File('/etc/ssl/certs/ca-certificates.crt').is_file
 assert Command(
- 'grep BEGIN /root/ca-certificates.crt | wc -l').stdout == Command(
+ 'grep BEGIN /etc/ssl/cert.pem | wc -l').stdout == Command(
 'grep BEGIN /usr/share/ca-certificates/*.crt | wc -l').stdout
-- GitLab
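Review bot: `[ -r /etc/ssl/cert.pem ]` accepts an empty file, and since the role now downloads this file (tasks/main.yml), a truncated or failed fetch would pass the check and — if `clean_certs`, called two lines later with its body outside the hunk, wipes the store as its name suggests — leave the host with no trust anchors at all. Checking for content costs one test: `[ -r /etc/ssl/cert.pem ] && [ -s /etc/ssl/cert.pem ] || error Can\'t read or empty /etc/ssl/cert.pem.`.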
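Review bot: The new OpenBSD guard compares `ansible_distribution_release`, which on OpenBSD I believe Ansible fills from the kern.version tag (`release`, `stable`, `current`) rather than the version number, so `version_compare('5.7', '>=')` would be comparing a word with '5.7' and either always pass or raise instead of rejecting pre-certhash hosts. The numeric release is `ansible_distribution_version`; the condition should read `(ansible_os_family == 'OpenBSD' and ansible_distribution_version | version_compare('5.7', '>=')) or ansible_os_family == 'Debian'`. Worth confirming with `ansible -m setup` on a 5.x box before merging.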
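Review bot: The bundle this role turns into the system trust store — and which, with `dest: /etc/ssl/cert.pem`, now overwrites the file LibreSSL itself consults on the base OS — is fetched over plaintext `http://` with no integrity check, so anyone on the network path can slip a CA into every TLS validation on the host. At minimum fetch it over TLS and pin it: `url: https://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem` together with `checksum: sha256:<digest of the reviewed bundle>`, refreshing the digest when the bundle is deliberately updated. Overwriting a base-system file may also collide with sysmerge/upgrades; given the commit message says the base file comes from the same upstream, downloading to a role-owned path and leaving /etc/ssl/cert.pem alone would avoid both problems.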
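Review bot: The assertion only checks that the two BEGIN counts agree, so an empty or truncated `/etc/ssl/cert.pem` (e.g. a failed download) makes both sides `0` and the test passes while the host has no CA store. Add a floor as well: `assert int(Command('grep BEGIN /etc/ssl/cert.pem | wc -l').stdout) > 0`. As far as the hunk shows, test_concat_cert ends on its last line.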