authorMichael Shuler <michael@pbandjelly.org>2011-09-17 17:11:42 -0500
committerMichael Shuler <michael@pbandjelly.org>2011-09-17 17:17:13 -0500
commit778b0a8b2cd632c2ce204fe7e754886f0843a51c (patch)
tree6ea9768bf8aed503ec063291911f818816b565be /sbin/update-ca-certificates
parentc49c7706fe46d4a4abcb4c426e2d33f4b5e1924c (diff)
downloadca-certificates-778b0a8b2cd632c2ce204fe7e754886f0843a51c.tar.gz
Import Debian version 20090624debian/20090624
Diffstat (limited to 'sbin/update-ca-certificates')
-rwxr-xr-x[-rw-r--r--]sbin/update-ca-certificates130
1 files changed, 93 insertions, 37 deletions
diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates
index 46e4c10..728e909 100644..100755
--- a/sbin/update-ca-certificates
+++ b/sbin/update-ca-certificates
@@ -3,6 +3,7 @@
# update-ca-certificates
#
# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -37,8 +38,47 @@ done
CERTSCONF=/etc/ca-certificates.conf
CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
ETCCERTSDIR=/etc/ssl/certs
+
+cleanup() {
+ rm -f "$TEMPBUNDLE"
+ rm -f "$ADDED"
+ rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files. (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones. This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+ then
+ ln -sf "$CERT" "$PEM"
+ echo +$PEM >> "$ADDED"
+ fi
+ cat "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+ if test -L "$PEM"
+ then
+ rm -f "$PEM"
+ echo -$PEM >> "$REMOVED"
+ fi
+}
+
cd $ETCCERTSDIR
if [ "$fresh" = 1 ]; then
echo -n "Clearing symlinks in $ETCCERTSDIR..."
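Review bot: `TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"` now places the bundle temp file under $TMPDIR instead of in $ETCCERTSDIR as the replaced `mktemp "${CERTBUNDLE}.tmp.XXXXXX"` (run after `cd $ETCCERTSDIR`) did, so the `mv -f "$TEMPBUNDLE" "$CERTBUNDLE"` in the next hunk may cross a filesystem boundary and degrade to copy-then-unlink, letting readers of the bundle observe a truncated file instead of an atomic replacement. Creating the bundle next to its destination keeps the rename atomic, e.g. `TEMPBUNDLE="$(mktemp "${ETCCERTSDIR}/${CERTBUNDLE}.tmp.XXXXXX")"`, while ADDED and REMOVED can stay under `-t`. `trap cleanup 0` is also installed before the three variables are assigned and none of the mktemp calls is checked, so unless the script enables `set -e` outside this view a failed mktemp leaves TEMPBUNDLE empty and `add` then runs `cat "$CERT" >> ""`; a `|| exit 1` on each assignment would be cheap. In `add`, `echo +$PEM >> "$ADDED"` leaves the path unquoted, and since the next hunk feeds `add` with names from $LOCALCERTSDIR that may contain whitespace it should be `echo "+$PEM" >> "$ADDED"` (same for `echo -$PEM` in `remove`).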
@@ -54,49 +94,65 @@ if [ "$fresh" = 1 ]; then
done
echo "done."
fi
-echo -n "Updating certificates in $ETCCERTSDIR...."
-bundletmp=`mktemp "${CERTBUNDLE}.tmp.XXXXXX"`
-removed="$(sed -ne 's/^!//p' $CERTSCONF | while read crt
+echo -n "Updating certificates in $ETCCERTSDIR... "
+
+# Handle certificates that should be removed. This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
do
- if test "$crt" = ""; then continue; fi
- pem=$(basename "$crt" .crt).pem
- if test -e "$pem"; then
- rm -f "$pem"
- echo "-$ETCCERTSDIR/$pem"
- fi
-done)"
-
-added="$(sed -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
+ remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
do
- if test "$crt" = ""; then continue; fi
- if ! test -f "$CERTSDIR/$crt"; then continue; fi
- pem=$(basename "$crt" .crt).pem
- if ! test -e "$pem"; then echo "+$ETCCERTSDIR/$pem"; fi
- ln -sf "$CERTSDIR/$crt" "$pem"
- cat "$CERTSDIR/$crt" >> "$bundletmp"
-done)"
-chmod 0644 "$bundletmp"
-mv -f "$bundletmp" "$CERTBUNDLE"
-
-if [ -n "$added" ] || [ -n "$removed" ]; then
- # only run if set of files has changed
+ if ! test -f "$CERTSDIR/$crt"
+ then
+ echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+ continue
+ fi
+ add "$CERTSDIR/$crt"
+done
- if [ "$verbose" = 0 ]; then
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+ find -L "$LOCALCERTSDIR" -type f | while read crt
+ do
+ add "$crt"
+ done
+fi
+
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+ # only run if set of files has changed
+ if [ "$verbose" = 0 ]
+ then
c_rehash . > /dev/null 2>&1
else
c_rehash .
fi
- echo "done."
-
- HOOKSDIR=/etc/ca-certificates/update.d
- echo -n "Running hooks in $HOOKSDIR...."
- VERBOSE_ARG=
- [ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
- eval run-parts $VERB_ARG --test -- $HOOKSDIR | while read hook; do
- printf -- "${removed:+$removed\n}${added:+$added\n}" | eval $hook
- done
- echo "done."
-else
- echo "done."
fi
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+HOOKSDIR=/etc/ca-certificates/update.d
+echo -n "Running hooks in $HOOKSDIR...."
+VERBOSE_ARG=
+[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
+eval run-parts $VERB_ARG --test -- $HOOKSDIR | while read hook
+do
+ ( cat $ADDED
+ cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
+done
+echo "done."
+
+# vim:set et sw=2:
+
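Review bot: `eval run-parts $VERB_ARG --test -- $HOOKSDIR` still references VERB_ARG while the flag is assigned to VERBOSE_ARG two lines above, so `--verbose` never reaches run-parts; the line should read `run-parts $VERBOSE_ARG --test -- "$HOOKSDIR" | while read -r hook`, the `eval` adding nothing here. The `while read crt` loops after the two `sed` pipelines and after `find -L "$LOCALCERTSDIR" -type f` read names without `-r` and with the default IFS, so a backslash in a file name is interpreted and leading whitespace is stripped before the name reaches `add`; `while IFS= read -r crt` is the safe form, and the `find` loop is the one that sees administrator-chosen names. In the hook loop `$hook || echo E: $hook exited with code $?.` reports the pipeline's status as intended, but `$hook` should be quoted in both places and `cat $ADDED` / `cat $REMOVED` should quote their arguments for consistency with `wc -l < "$ADDED"` above.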