ca-certificates/update-ca-trust
Frantisek Krenzelok 81a090f89a update-ca-trust: Support --output and non-root operation
Related: RHEL-44988

original issue - FC-986

Add the --output option to update-ca-trust so that trust stores can be
written to a different output directory. This is useful to prepare trust
store directories that can be used in containers.

Additionally, fix running update-ca-trust as non-root user
(specifically, without CAP_DAC_OVERRIDE) which was previously required
to create two symbolic links.

Quote all uses of $DEST since a user-specified path could contain
spaces.
2024-06-28 17:33:51 +02:00

127 lines
3.6 KiB
Bash

#!/bin/sh
#set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
usage() {
fold -s -w 76 >&2 <<-EOF
Usage: $0 [extract] [-o DIR|--output=DIR]
Update the system trust store in $DEST.
COMMANDS
(absent/empty command): Same as the extract command described below.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
if ! TEMP=$(getopt -o "ho:" --long "help,output:" -n "$0" -- "$@"); then
echo >&2 ""
usage
exit 1
fi
eval set -- "$TEMP"
unset TEMP
while true; do
case "$1" in
"-o"|"--output")
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
usage
exit 1
;;
esac
done
if [ $# -ne 0 ]; then
echo >&2 "Error: Unexpected positional arguments:" "$@"
echo >&2
usage
exit
fi
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
fi
# Attempt to create the directories if they do not exist yet (rhbz#2241240)
mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
chmod u+w "$DEST/pem/directory-hash"
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
chmod u-w "$DEST/pem/directory-hash"
}
if [ "$#" -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--"*|"-"*)
# First parameter seems to be an option, assume the command is 'extract'
extract "$@"
;;
*)
echo >&2 "Error: Unknown command: $1"
echo >&2
usage
exit 1
;;
esac