#!/bin/bash
#
# Copyright (C) 2013 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

#set -vx

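#######################################
# Regenerate the extracted trust bundles under /etc/pki/ca-trust/extracted
# from the p11-kit trust store.
# Globals:   CURRENT_SETUP (read, after prepare_setup), DEST (written)
# Arguments: $1 - "warn_if_disabled" to warn when the dynamic configuration
#                 is not enabled; any other value runs silently
# Outputs:   warnings on stderr, p11-kit diagnostics on stderr
# Returns:   0 if every extraction succeeded, otherwise the exit status of
#            the last p11-kit invocation that failed
#######################################
do_extract()
{
  local rc=0

  if [[ $1 = "warn_if_disabled" ]]; then
    prepare_setup
    if [[ $CURRENT_SETUP -ne 2 ]]; then
      warning "Warning: The dynamic CA configuration feature is in the disabled state"
    fi
  fi

  DEST=/etc/pki/ca-trust/extracted

  # Every extraction is attempted even when an earlier one failed, so one
  # broken output does not leave the remaining bundles stale. A failure is
  # recorded in rc rather than lost: previously only the status of the last
  # extract reached the caller's "exit $?", so a failed TLS bundle write
  # could still report success.

  # OpenSSL PEM bundle that includes trust flags
  # (BEGIN TRUSTED CERTIFICATE)
  /usr/bin/p11-kit extract --comment --format=openssl-bundle --filter=certificates --overwrite "$DEST/openssl/ca-bundle.trust.crt" || rc=$?
  /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/tls-ca-bundle.pem" || rc=$?
  /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose email "$DEST/pem/email-ca-bundle.pem" || rc=$?
  /usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" || rc=$?
  /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts" || rc=$?

  return "$rc"
}
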
# --- Locations of the legacy (static) bundle files and their backups ---
CAB_FILE=/etc/pki/tls/certs/ca-bundle.crt
CABT_FILE=/etc/pki/tls/certs/ca-bundle.trust.crt
JAB_FILE=/etc/pki/java/cacerts

INITIAL_BACKUP=/etc/pki/backup-traditional-original-config
RECENT_BACKUP=/etc/pki/backup-traditional-recent-config

# --- Per-architecture NSS module and p11-kit setup helper ---
LIBFILE_NSS_32=/usr/lib/nss/libnssckbi.so
LIBFILE_NSS_64=/usr/lib64/nss/libnssckbi.so
SETUPFILE_P11_32=/usr/lib/p11-kit/p11-kit-redhat-setup-trust
SETUPFILE_P11_64=/usr/lib64/p11-kit/p11-kit-redhat-setup-trust

# --- State discovered by prepare() / prepare_setup() ---
# 1 when the corresponding file exists
HAVE_NSS_32=0
HAVE_NSS_64=0
HAVE_P11_32=0
HAVE_P11_64=0
# 0 when NSS is installed for an architecture but the p11-kit setup helper is not
P11_32_CONSISTENT=1
P11_64_CONSISTENT=1
# 1 = legacy static files, 2 = all three paths are symlinks,
# 0 = mixed (or not yet checked)
CURRENT_SETUP=0
# 1 for the force-enable / force-disable commands
FORCE=0
# output and exit status of "rpm --verify" on the ca-certificates package
RPM_VFY_INFO=""
RPM_VFY_STATUS=0

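#######################################
# Print a diagnostic, prefixed with the program name, on stderr.
# Arguments: the message words; they are joined with single spaces
# Outputs:   one line on stderr (a multi-line argument is printed verbatim)
# Returns:   0
#######################################
warning()
{
  # printf rather than echo: the message is data and must never be parsed
  # as an echo option or have its backslashes interpreted.
  printf '%s\n' "update-ca-trust: $*" >&2
}
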
#######################################
# Classify the legacy bundle paths by whether they are symbolic links.
# Globals:   CAB_FILE, CABT_FILE, JAB_FILE (read)
#            CAB_LINK, CABT_LINK, CAJ_LINK (written: 0 = link, 1 = not a link)
#            CURRENT_SETUP (written: 1 = none of the three are links,
#            2 = all three are links; left untouched when they are mixed)
# Returns:   0
#######################################
prepare_setup()
{
  local link_count

  # 0 means "is a link", mirroring the exit status of test -L
  [[ -L $CAB_FILE ]];  CAB_LINK=$?
  [[ -L $CABT_FILE ]]; CABT_LINK=$?
  [[ -L $JAB_FILE ]];  CAJ_LINK=$?

  link_count=$(( (1 - CAB_LINK) + (1 - CABT_LINK) + (1 - CAJ_LINK) ))

  if (( link_count == 0 )); then
    CURRENT_SETUP=1
  elif (( link_count == 3 )); then
    CURRENT_SETUP=2
  fi
}

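#######################################
# Discover the installed NSS / p11-kit components and the state of the
# legacy bundle files.
# Globals:   LIBFILE_NSS_*, SETUPFILE_P11_* (read)
#            HAVE_NSS_*, HAVE_P11_* (set to 1 when the file exists)
#            P11_*_CONSISTENT (set to 0 when NSS is present for an
#            architecture but the p11-kit setup helper is missing)
#            CURRENT_SETUP (written via prepare_setup)
#            RPM_VFY_INFO, RPM_VFY_STATUS (written unless CURRENT_SETUP is 2)
# Returns:   0
#######################################
prepare()
{
  prepare_setup

  if [[ -e $LIBFILE_NSS_32 ]]; then
    HAVE_NSS_32=1
  fi

  if [[ -e $LIBFILE_NSS_64 ]]; then
    HAVE_NSS_64=1
  fi

  if [[ -e $SETUPFILE_P11_32 ]]; then
    HAVE_P11_32=1
  fi

  if [[ -e $SETUPFILE_P11_64 ]]; then
    HAVE_P11_64=1
  fi

  if [[ $HAVE_NSS_32 -eq 1 && $HAVE_P11_32 -eq 0 ]]; then
    P11_32_CONSISTENT=0
  fi

  if [[ $HAVE_NSS_64 -eq 1 && $HAVE_P11_64 -eq 0 ]]; then
    P11_64_CONSISTENT=0
  fi

  if [[ $CURRENT_SETUP -ne 2 ]]; then
    # rpm --verify exit status: 0 = every packaged file unchanged. The
    # captured output names the files that differ from the package; it only
    # covers files owned by the ca-certificates package, so presumably
    # additions made elsewhere are not detected by this check.
    RPM_VFY_INFO=$(rpm -q --verify --nomtime ca-certificates)
    RPM_VFY_STATUS=$?
  fi
}
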
#######################################
# Warn for each architecture where NSS is installed without p11-kit-trust.
# Globals:   P11_32_CONSISTENT, P11_64_CONSISTENT (read, set by prepare)
# Outputs:   warnings on stderr
# Returns:   0
#######################################
report_if_p11_inconsistent()
{
  if (( P11_32_CONSISTENT == 0 )); then
    warning "nss 32 bit is installed. You should install p11-kit-trust 32 bit."
  fi

  if (( P11_64_CONSISTENT == 0 )); then
    warning "nss 64 bit is installed. You should install p11-kit-trust 64 bit."
  fi
}

#######################################
# Warn when the dynamic setup is not enabled and the legacy bundle files
# differ from what the ca-certificates package shipped.
# Globals:   CURRENT_SETUP, RPM_VFY_STATUS, RPM_VFY_INFO (read, set by prepare)
# Outputs:   warnings on stderr, including the list of modified files
# Returns:   0
#######################################
report_if_not_enabled_and_bundles_modified()
{
  if [[ $CURRENT_SETUP -ne 2 && $RPM_VFY_STATUS -ne 0 ]]; then
    warning "Legacy CA bundle files aren't in the default state, they have been modified."
    warning "You should research the configuration changes that have been performed and add equivalent configuration after enabling the new dynamic configuration"
    warning "Below is a list of files that have been modified:"
    warning "$RPM_VFY_INFO"
  fi
}

#######################################
# Report the state of the legacy PEM/Java bundle paths and of the PKCS#11
# trust module selection.
# Globals:   CURRENT_SETUP and the P11_*_CONSISTENT flags (read, via prepare)
# Outputs:   status report on stdout, warnings on stderr
# Returns:   0
#######################################
do_check()
{
  prepare

  case "$CURRENT_SETUP" in
    1)
      echo "PEM/JAVA Status: DISABLED."
      echo " (Legacy setup with static files.)"
      ;;
    2)
      echo "PEM/JAVA Status: ENABLED."
      echo " (Legacy filenames are links to files produced by update-ca-trust.)"
      ;;
    0)
      echo "PEM/JAVA Status: INCONSISTENT."
      echo " (Some legacy files, some symbolic links.)"
      ;;
  esac

  report_if_p11_inconsistent

  echo "PKCS#11 module Status, see symbolic links reported below:"
  # intentionally unquoted: the glob lists every alternatives link variant
  ls -l /etc/alternatives/libnssckbi.so*
  echo " (link resolving to NSS: using legacy static list)"
  echo " (link resolving to p11-kit: using the new source configuration)"

  return 0
}

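#######################################
# Save the legacy bundle files before they are replaced by symbolic links.
# - We'll potentially create two backups. An "initial" and a "most recent".
# - The initial backup will be created, only, if it doesn't exist yet.
# - The initial backup will never be overwritten.
# - The most recent backup will be overwritten each time this script
#   is run to "enable" the new-style extracted system.
# - The most recent backup will be restored each time this script
#   is run to "disable" the new-style extracted system,
#   thereby switching back to the traditional system.
# Globals:   INITIAL_BACKUP, RECENT_BACKUP, CAB_FILE, CABT_FILE, JAB_FILE
#            (read); BACKUPDIR_TEST (written)
# Outputs:   mkdir/cp diagnostics on stderr
# Returns:   0 if both backups are complete, otherwise the status of the
#            last mkdir or cp that failed. Callers that go on to delete the
#            originals should check this.
#######################################
create_backup()
{
  local rc=0

  test -e "$INITIAL_BACKUP"
  BACKUPDIR_TEST=$?
  if [[ $BACKUPDIR_TEST -eq 1 ]]; then
    # Initial backup directory doesn't exist yet
    mkdir -p -- "$INITIAL_BACKUP" || rc=$?
    # --dereference: when a path is already a link, back up the file content
    cp --dereference --preserve --force -- \
      "$CAB_FILE" "$CABT_FILE" "$JAB_FILE" "$INITIAL_BACKUP" || rc=$?
  fi

  mkdir -p -- "$RECENT_BACKUP" || rc=$?
  cp --dereference --preserve --force -- \
    "$CAB_FILE" "$CABT_FILE" "$JAB_FILE" "$RECENT_BACKUP" || rc=$?

  return "$rc"
}
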
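#######################################
# Replace one live bundle path with its copy from the backup directory.
# Arguments: $1 - backup copy to restore from
#            $2 - live path (regular file or symlink) to replace
# Outputs:   a warning on stderr when the copy fails
# Returns:   0 on success, 1 when cp failed
#######################################
_ca_trust_restore_one()
{
  local src=$1 dst=$2

  # Remove the live path first: if it is a symlink, cp would otherwise write
  # through it into the extracted bundle it points to instead of replacing
  # the link with a regular file.
  rm -f -- "$dst"
  if ! cp --dereference --preserve --force -- "$src" "$dst"; then
    warning "failed to restore $dst from $src"
    return 1
  fi
  return 0
}

#######################################
# Put the legacy static bundle files back from the most recent backup.
# Globals:   RECENT_BACKUP, CAB_FILE, CABT_FILE, JAB_FILE (read)
#            BACKUPDIR_TEST (written)
# Outputs:   warnings on stderr
# Returns:   0 when all three files were restored, 1 when at least one copy
#            failed. Exits the script with status 1 when the backup
#            directory or one of its three files is missing.
#######################################
restore_backup()
{
  local rc=0 name

  test -d "$RECENT_BACKUP"
  BACKUPDIR_TEST=$?
  if [[ $BACKUPDIR_TEST -eq 1 ]]; then
    warning "recent backup dir doesn't exist, aborting"
    exit 1
  fi

  # Check all three copies before touching any live file, so an incomplete
  # backup cannot leave the system with some bundles removed.
  for name in ca-bundle.crt ca-bundle.trust.crt cacerts; do
    if [[ ! -e $RECENT_BACKUP/$name ]]; then
      warning "at least one backup file doesn't exist, aborting"
      exit 1
    fi
  done

  # Absolute paths instead of pushd/popd, so the result does not depend on
  # the working directory.
  _ca_trust_restore_one "$RECENT_BACKUP/ca-bundle.crt" "$CAB_FILE" || rc=1
  _ca_trust_restore_one "$RECENT_BACKUP/ca-bundle.trust.crt" "$CABT_FILE" || rc=1
  _ca_trust_restore_one "$RECENT_BACKUP/cacerts" "$JAB_FILE" || rc=1

  return "$rc"
}
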
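#######################################
# Replace the legacy bundle paths with symbolic links into the extracted
# trust directory.
# Globals:   CAB_FILE, CABT_FILE, JAB_FILE (read)
# Outputs:   ln diagnostics on stderr
# Returns:   0 when all three links were created, otherwise the status of
#            the last ln that failed
#######################################
create_links()
{
  # Must match DEST in do_extract, which produces the link targets.
  local extracted=/etc/pki/ca-trust/extracted
  local rc=0

  # ln -s refuses to replace an existing path, so clear the old files first.
  rm -f -- "$CAB_FILE" "$CABT_FILE" "$JAB_FILE"

  ln -s -- "$extracted/pem/tls-ca-bundle.pem" "$CAB_FILE" || rc=$?
  ln -s -- "$extracted/openssl/ca-bundle.trust.crt" "$CABT_FILE" || rc=$?
  ln -s -- "$extracted/java/cacerts" "$JAB_FILE" || rc=$?

  return "$rc"
}
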
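#######################################
# Run the per-architecture p11-kit setup helper(s) that are installed.
# Globals:   HAVE_P11_32, HAVE_P11_64, SETUPFILE_P11_32, SETUPFILE_P11_64
#            (read); ACTION (written: copy of $1)
# Arguments: $1 - action passed through to the helper ("enable"/"disable")
# Returns:   0 when every invoked helper succeeded, otherwise the status of
#            the last helper that failed (previously only the 64-bit helper's
#            status was visible, and only when it was the last one run)
#######################################
setup_p11()
{
  local rc=0
  ACTION=$1

  if [[ $HAVE_P11_32 -eq 1 ]]; then
    "$SETUPFILE_P11_32" "$ACTION" || rc=$?
  fi

  if [[ $HAVE_P11_64 -eq 1 ]]; then
    "$SETUPFILE_P11_64" "$ACTION" || rc=$?
  fi

  return "$rc"
}
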
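#######################################
# Switch the legacy bundle paths to links into the extracted trust
# directory and enable the p11-kit trust module.
# Globals:   FORCE, CURRENT_SETUP, P11_*_CONSISTENT, RPM_VFY_STATUS (read,
#            the latter three via prepare)
# Outputs:   warnings on stderr
# Returns:   0; exits with status 1 when a consistency check fails and FORCE
#            is 0, or when the backup of the legacy files is incomplete
#######################################
do_enable()
{
  local abort=0

  prepare

  if [[ $FORCE -eq 0 ]]; then
    report_if_p11_inconsistent
    report_if_not_enabled_and_bundles_modified

    if [[ $P11_32_CONSISTENT -eq 0 || $P11_64_CONSISTENT -eq 0 ]]; then
      warning "aborting, because the nss / p11-kit setup is inconsistent."
      exit 1
    fi
  fi

  if [[ $FORCE -eq 0 && $CURRENT_SETUP -eq 0 ]]; then
    warning "Aborting because of inconsistent PEM/JAVA setup."
    abort=1
  fi

  if [[ $FORCE -eq 0 && $RPM_VFY_STATUS -ne 0 ]]; then
    warning "Aborting because system uses modified legacy bundle files."
    abort=1
  fi

  if [[ $abort -eq 1 ]]; then
    warning "If you're certain, use force-enable"
    exit 1
  fi

  if [[ $CURRENT_SETUP -ne 2 ]]; then
    # only change files if PEM/JAVA files currently aren't (cleanly) enabled
    # create_links deletes the legacy files, so stop here when the backup
    # they would later be restored from did not fully succeed.
    if ! create_backup; then
      warning "Aborting because the backup of the legacy bundle files failed."
      exit 1
    fi
    create_links
  fi

  setup_p11 enable
  return 0
}
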
#######################################
# Switch back to the legacy static bundle files from the most recent backup
# and disable the p11-kit trust module.
# Globals:   FORCE, CURRENT_SETUP (read, the latter via prepare)
# Outputs:   warnings on stderr
# Returns:   0; exits with status 1 on an inconsistent setup unless FORCE
#            is 1 (restore_backup may exit on its own as well)
#######################################
do_disable()
{
  prepare

  if [[ $FORCE -eq 0 && $CURRENT_SETUP -eq 0 ]]; then
    warning "Aborting because of inconsistent setup. If you're certain, use force-disable"
    exit 1
  fi

  # Nothing to restore when the legacy static files are already (cleanly)
  # in place.
  [[ $CURRENT_SETUP -eq 1 ]] || restore_backup

  setup_p11 disable
  return 0
}

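# Command dispatch. Each subcommand's exit status becomes the script's
# exit status.
if [[ $# -eq 0 ]]; then
  # no parameters: regenerate the extracted bundles without any warning
  do_extract silent
  exit $?
fi

case "$1" in
  extract)
    do_extract warn_if_disabled
    ;;
  enable)
    do_enable
    ;;
  disable)
    do_disable
    ;;
  force-enable)
    FORCE=1
    do_enable
    ;;
  force-disable)
    FORCE=1
    do_disable
    ;;
  check)
    do_check
    ;;
  *)
    # An unknown subcommand is an error: report it on stderr and exit
    # non-zero so a typo in a calling script does not look like success
    # (previously the usage text went to stdout with exit status 0).
    echo "usage: $0 [extract | check | enable | disable | force-enable | force-disable ]" >&2
    exit 1
    ;;
esac
exit $?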