e42c2ba50a
Resolves: RHEL-54695 update-ca-trust: return warnings on a unsupported argument instead of error
138 lines
4.4 KiB
Bash
Executable File
138 lines
4.4 KiB
Bash
Executable File
#!/bin/sh
|
|
|
|
#set -vx
|
|
set -eu
|
|
|
|
# For backwards compatibility reasons, future versions of this script must
|
|
# support the syntax "update-ca-trust extract" trigger the generation of output
|
|
# files in $DEST.
|
|
|
|
DEST=/etc/pki/ca-trust/extracted
|
|
|
|
# Prevent p11-kit from reading user configuration files.
|
|
export P11_KIT_NO_USER_CONFIG=1
|
|
|
|
usage() {
|
|
fold -s -w 76 >&2 <<-EOF
|
|
Usage: $0 [extract] [-o DIR|--output=DIR]
|
|
|
|
Update the system trust store in $DEST.
|
|
|
|
COMMANDS
|
|
(absent/empty command): Same as the extract command without arguments.
|
|
|
|
extract: Instruct update-ca-trust to scan the source configuration in
|
|
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
|
|
updated versions of the consolidated configuration files stored below
|
|
the $DEST directory hierarchy.
|
|
|
|
EXTRACT OPTIONS
|
|
-o DIR, --output=DIR: Write the extracted trust store into the given
|
|
directory instead of updating $DEST.
|
|
EOF
|
|
}
|
|
|
|
extract() {
|
|
USER_DEST=
|
|
|
|
# can't use getopt here. ca-certificates can't depend on a lot
|
|
# of other libraries since openssl depends on ca-certificates
|
|
# just fail when we hand parse
|
|
|
|
while [ $# -ne 0 ]; do
|
|
case "$1" in
|
|
"-o"|"--output")
|
|
if [ $# -lt 2 ]; then
|
|
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
|
|
echo >&2
|
|
exit 1
|
|
fi
|
|
USER_DEST=$2
|
|
shift 2
|
|
continue
|
|
;;
|
|
"--")
|
|
shift
|
|
break
|
|
;;
|
|
*)
|
|
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [ -n "$USER_DEST" ]; then
|
|
DEST=$USER_DEST
|
|
# Attempt to create the directories if they do not exist
|
|
# yet (rhbz#2241240)
|
|
/usr/bin/mkdir -p \
|
|
"$DEST"/openssl \
|
|
"$DEST"/pem \
|
|
"$DEST"/java \
|
|
"$DEST"/edk2
|
|
fi
|
|
|
|
# OpenSSL PEM bundle that includes trust flags
|
|
# (BEGIN TRUSTED CERTIFICATE)
|
|
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
|
|
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
|
|
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
|
|
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
|
|
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
|
|
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
|
|
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
|
|
# by GnuTLS)
|
|
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
|
|
|
|
# p11-kit extract will have made this directory unwritable; when run with
|
|
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
|
|
# not be the case. See rhbz#2241240.
|
|
if [ -n "$USER_DEST" ]; then
|
|
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
|
|
fi
|
|
|
|
# Debian compatibility: their /etc/ssl/certs has this bundle
|
|
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
|
|
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
|
|
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
|
|
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
|
|
|
|
# Remove write permissions again
|
|
if [ -n "$USER_DEST" ]; then
|
|
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
|
|
fi
|
|
}
|
|
|
|
if [ $# -lt 1 ]; then
|
|
set -- extract
|
|
fi
|
|
|
|
case "$1" in
|
|
"extract")
|
|
shift
|
|
extract "$@"
|
|
;;
|
|
"--help")
|
|
usage
|
|
exit 0
|
|
;;
|
|
"-o"|"--output")
|
|
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
|
|
echo >&2
|
|
exit 1
|
|
;;
|
|
"enable")
|
|
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
|
|
echo >&2
|
|
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
|
|
extract
|
|
;;
|
|
*)
|
|
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
|
|
echo >&2
|
|
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
|
|
extract
|
|
;;
|
|
esac
|