rootfs/usr/sbin/update-ca-certificates

#!/bin/sh -e
#
# update-ca-certificates
#
# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
# USA.
#

verbose=0
fresh=0
default=0
CERTSCONF=$SYSROOT/etc/ca-certificates.conf
CERTSDIR=$SYSROOT/usr/share/ca-certificates
LOCALCERTSDIR=$SYSROOT/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
ETCCERTSDIR=$SYSROOT/etc/ssl/certs
FSROOT=../../../ # to get from $ETCCERTSDIR to the root of the file system
HOOKSDIR=$SYSROOT/etc/ca-certificates/update.d

while [ $# -gt 0 ];
do
  case $1 in
    --verbose|-v)
      verbose=1;;
    --fresh|-f)
      fresh=1;;
    --default|-d)
      default=1
      fresh=1;;
    --certsconf)
      shift
      CERTSCONF="$1";;
    --certsdir)
      shift
      CERTSDIR="$1";;
    --localcertsdir)
      shift
      LOCALCERTSDIR="$1";;
    --certbundle)
      shift
      CERTBUNDLE="$1";;
    --etccertsdir)
      shift
      ETCCERTSDIR="$1";;
    --hooksdir)
      shift
      HOOKSDIR="$1";;
    --help|-h|*)
      echo "$0: [--verbose] [--fresh]"
      exit;;
  esac
  shift
done

if [ -z "$SYSROOT" ]; then
  local_which () {
    if [ $# -lt 1 ]; then
      return 1
    fi

    (
      IFS=:
      for entry in $PATH; do
        if [ -x "$entry/$1" ]; then
          echo "$entry/$1"
          exit 0
        fi
      done
      exit 1
    )
  }

  case "$0" in
    */*)
      sbindir=$(cd ${0%/*} && pwd)
      ;;
    *)
      sbindir=$(cd $(dirname $(local_which $0)) && pwd)
      ;;
  esac
  prefix=${sbindir%/*}
  SYSROOT=${prefix%/*}
  if [ ! -d "$SYSROOT/usr/share/ca-certificates" ]; then
    SYSROOT=
  fi
fi

if [ ! -s "$CERTSCONF" ]
then
  fresh=1
fi

cleanup() {
  rm -f "$TEMPBUNDLE"
  rm -f "$ADDED"
  rm -f "$REMOVED"
}
trap cleanup 0

# Helper files.  (Some of them are not simple arrays because we spawn
# subshells later on.)
TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"

# Adds a certificate to the list of trusted ones.  This includes a symlink
# in /etc/ssl/certs to the certificate file and its inclusion into the
# bundle.
add() {
  CERT="$1"
  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
                                                  -e 's/[()]/=/g' \
                                                  -e 's/,/_/g').pem"
  DST="$(echo ${CERT} | sed -e "s|^$SYSROOT||" -e "s|^/|$FSROOT|" )"
  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "${DST}" ]
  then
    ln -sf "${DST}" "$PEM"
    echo "+$PEM" >> "$ADDED"
  fi
  # Add trailing newline to certificate, if it is missing (#635570)
  sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
}

remove() {
  CERT="$1"
  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
  if test -L "$PEM"
  then
    rm -f "$PEM"
    echo "-$PEM" >> "$REMOVED"
  fi
}

cd "$ETCCERTSDIR"
if [ "$fresh" = 1 ]; then
  echo "Clearing symlinks in $ETCCERTSDIR..."
  find . -type l -print | while read symlink
  do
    case $(readlink "$symlink") in
      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
    esac
  done
  find . -type l -print | while read symlink
  do
    test -f "$symlink" || rm -f "$symlink"
  done
  echo "done."
fi

echo "Updating certificates in $ETCCERTSDIR..."

# Add default certificate authorities if requested
if [ "$default" = 1 ]; then
  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
  do
    add "$crt"
  done
fi

# Handle certificates that should be removed.  This is an explicit act
# by prefixing lines in the configuration files with exclamation marks (!).
sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
do
  remove "$CERTSDIR/$crt"
done

sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
do
  if ! test -f "$CERTSDIR/$crt"
  then
    echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
    continue
  fi
  add "$CERTSDIR/$crt"
done

# Now process certificate authorities installed by the local system
# administrator.
if [ -d "$LOCALCERTSDIR" ]
then
  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
  do
    add "$crt"
  done
fi

ADDED_CNT=$(wc -l < "$ADDED")
REMOVED_CNT=$(wc -l < "$REMOVED")

if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
then
  # only run if set of files has changed
  # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl rehash`
  # from exiting with an error. See #895482, #895473.
  find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
  do
    rm -f "$orphan"
    if [ "$verbose" = 1 ]; then
      echo "Removed orphan symlink $orphan"
    fi
  done
  if [ "$verbose" = 0 ]
  then
    openssl rehash . > /dev/null
  else
    openssl rehash -v .
  fi
fi

# chmod and mv only if TEMPBUNDLE exists or install may fail, #996005
if [ -f "$TEMPBUNDLE" ]
then
  chmod 0644 "$TEMPBUNDLE"
  mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
  # Restore proper SELinux label after moving the file
  [ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
fi

echo "$ADDED_CNT added, $REMOVED_CNT removed; done."

if [ -d "$HOOKSDIR" ]
then

  echo "Running hooks in $HOOKSDIR..."
  eval run-parts --test "$HOOKSDIR" | while read hook
  do
    ( cat "$ADDED"
      cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
  done
  echo "done."

fi

# vim:set et sw=2: