|
1
|
#!/bin/bash
|
|
2
|
# $Id: getcrl.sh.in,v 1.2 2007/01/22 14:21:17 semik Exp $
|
|
3
|
|
|
4
|
PATH=/bin:/usr/bin
|
|
5
|
|
|
6
|
usage="usage: $0 [-s] URL
|
|
7
|
-s: Log the message to standard error, as well as the system log
|
|
8
|
"
|
|
9
|
|
|
10
|
###
|
|
11
|
# config
|
|
12
|
###
|
|
13
|
|
|
14
|
CRTDIR='/home/CERT/crt'
|
|
15
|
CRLDIR='/home/CERT/crt'
|
|
16
|
pri='notice'
|
|
17
|
|
|
18
|
logger='/usr/bin/logger'
|
|
19
|
cut='/bin/cut'
|
|
20
|
tr='/usr/bin/tr'
|
|
21
|
ldapsearch='/usr/bin/ldapsearch'
|
|
22
|
wget='/usr/bin/wget'
|
|
23
|
openssl='/usr/bin/openssl'
|
|
24
|
mktemp='/usr/bin/mktemp'
|
|
25
|
rm='/bin/rm'
|
|
26
|
cp='/bin/cp'
|
|
27
|
grep='/bin/grep'
|
|
28
|
date='/bin/date'
|
|
29
|
date_mode='linux'
|
|
30
|
expr='/usr/bin/expr'
|
|
31
|
ls='/bin/ls'
|
|
32
|
test='/usr/bin/test'
|
|
33
|
|
|
34
|
tag='getcrl'
|
|
35
|
DEBUG=0
|
|
36
|
|
|
37
|
## ERRSTAT values
|
|
38
|
eSUCCESS=0
|
|
39
|
eOPT=1
|
|
40
|
eLOCALENV=2
|
|
41
|
eGET=3
|
|
42
|
eREAD=4
|
|
43
|
eVERIFY=5
|
|
44
|
eWRITE=6
|
|
45
|
|
|
46
|
function msg() {
|
|
47
|
# if [ "$syslog" ]
|
|
48
|
# then
|
|
49
|
$logger $syslog_s -t "$tag[$$]" -p daemon.$pri "$*"
|
|
50
|
# else
|
|
51
|
# echo -e "$*" >&2
|
|
52
|
# fi
|
|
53
|
}
|
|
54
|
|
|
55
|
function dbg() {
|
|
56
|
local opri=$pri
|
|
57
|
if $test $DEBUG -gt 0
|
|
58
|
then
|
|
59
|
pri='debug'
|
|
60
|
msg "$*"
|
|
61
|
pri=$opri
|
|
62
|
fi
|
|
63
|
}
|
|
64
|
|
|
65
|
function die() {
|
|
66
|
local status="$1"
|
|
67
|
local opri=$pri
|
|
68
|
shift
|
|
69
|
pri='err'
|
|
70
|
msg "$*"
|
|
71
|
exit $status
|
|
72
|
}
|
|
73
|
|
|
74
|
function getlines() {
|
|
75
|
local l
|
|
76
|
local ret
|
|
77
|
|
|
78
|
while read l
|
|
79
|
do
|
|
80
|
ret="$ret\n$l"
|
|
81
|
done
|
|
82
|
eval "$1=\"$ret\""
|
|
83
|
}
|
|
84
|
|
|
85
|
function get_ldap_url() {
|
|
86
|
local rc
|
|
87
|
local base
|
|
88
|
local tmp
|
|
89
|
local url
|
|
90
|
local attrs
|
|
91
|
local attrlist
|
|
92
|
local tmpfile
|
|
93
|
|
|
94
|
if $test "x$ldapsearch" = "x"
|
|
95
|
then
|
|
96
|
die $eGET "LDAP URLs not supported. Re-configure the package"
|
|
97
|
fi
|
|
98
|
attrs=`echo "$1" | $cut -d? -f2`
|
|
99
|
attrlist=`echo "$attrs" | $tr ',' ' '`
|
|
100
|
tmp=`echo "$1" | $cut -d? -f1`
|
|
101
|
url=`echo "$tmp" | $cut -d/ -f-3`
|
|
102
|
base=`echo "$tmp" | $cut -d/ -f4`
|
|
103
|
|
|
104
|
OUT=`$ldapsearch -LLL -t -T $WDIR -x -H "$url" -b"$base" '(objectclass=*)' $attrlist 2>&1 >/dev/null`
|
|
105
|
rc=$?
|
|
106
|
if $test $rc -ne 0
|
|
107
|
then
|
|
108
|
$test -n "$OUT" && msg "$OUT"
|
|
109
|
ERRSTAT=$eGET
|
|
110
|
return $rc
|
|
111
|
fi
|
|
112
|
# || die 1 "ldapsearch $1: $?"
|
|
113
|
|
|
114
|
tmpfile=`($ls $WDIR | $grep ^ldapsearch)` 2>&1
|
|
115
|
# || die 1 "ldapsearch $1: no crl fetched"
|
|
116
|
rc=$?
|
|
117
|
if $test $rc -ne 0
|
|
118
|
then
|
|
119
|
$test -n "$tmpfile" && msg "$tmpfile"
|
|
120
|
ERRSTAT=$eGET
|
|
121
|
return $rc
|
|
122
|
fi
|
|
123
|
echo "$WDIR/$tmpfile"
|
|
124
|
return $rc
|
|
125
|
# openssl crl -inform DER -in "$WDIR/$tmpfile" -out $WDIR/crl.pem || exit 1
|
|
126
|
}
|
|
127
|
|
|
128
|
function get_wget_url() {
|
|
129
|
local rc
|
|
130
|
|
|
131
|
OUT=`$wget -q -O $WDIR/crl "$1"`
|
|
132
|
rc=$?
|
|
133
|
if $test $rc -ne 0
|
|
134
|
then
|
|
135
|
$test -n "$OUT" && msg "$OUT"
|
|
136
|
ERRSTAT=$eGET
|
|
137
|
fi
|
|
138
|
echo "$WDIR/crl"
|
|
139
|
return $rc
|
|
140
|
}
|
|
141
|
|
|
142
|
function get_url() {
|
|
143
|
local rc
|
|
144
|
local crlfile
|
|
145
|
|
|
146
|
if echo "$1" | $grep ^ldap: >/dev/null
|
|
147
|
then
|
|
148
|
crlfile=`get_ldap_url "$1"`
|
|
149
|
rc=$?
|
|
150
|
else
|
|
151
|
crlfile=`get_wget_url "$1"`
|
|
152
|
rc=$?
|
|
153
|
fi
|
|
154
|
if $test $rc -ne 0 -o -z "$crlfile"
|
|
155
|
then
|
|
156
|
ERRSTAT=$eGET
|
|
157
|
return 1
|
|
158
|
fi
|
|
159
|
if $grep -e '-----BEGIN .*CRL' $crlfile >/dev/null
|
|
160
|
then
|
|
161
|
OUT=`$openssl crl -in $crlfile -out $WDIR/crl.pem 2>&1`
|
|
162
|
rc=$?
|
|
163
|
else
|
|
164
|
OUT=`$openssl crl -inform DER -in $crlfile -out $WDIR/crl.pem 2>&1`
|
|
165
|
rc=$?
|
|
166
|
fi
|
|
167
|
if $test $rc -ne 0
|
|
168
|
then
|
|
169
|
$test -n "$OUT" && msg "$OUT"
|
|
170
|
ERRSTAT=$eGET
|
|
171
|
fi
|
|
172
|
return $rc
|
|
173
|
}
|
|
174
|
|
|
175
|
function str2num() {
|
|
176
|
$expr "$1" + 0
|
|
177
|
}
|
|
178
|
|
|
179
|
function date2iso() {
|
|
180
|
local rc
|
|
181
|
|
|
182
|
# Linux: date +%Y%m%d%H%M%S -d "$1"
|
|
183
|
# BSD: date -j -f '%b %d %T %Y %Z' '+%Y%m%d%H%M%S' '$1'
|
|
184
|
|
|
185
|
case $date_mode in
|
|
186
|
bsd)
|
|
187
|
OUT=`$date -j -f '%b %d %T %Y %Z' '+%Y%m%d%H%M%S' "$1"`;
|
|
188
|
;;
|
|
189
|
linux)
|
|
190
|
OUT=`date +%Y%m%d%H%M%S -d "$1"`;
|
|
191
|
;;
|
|
192
|
esac
|
|
193
|
|
|
194
|
rc=$?
|
|
195
|
if $test $rc -ne 0
|
|
196
|
then
|
|
197
|
$test -n "$OUT" && msg "$OUT"
|
|
198
|
else
|
|
199
|
echo "$OUT"
|
|
200
|
fi
|
|
201
|
return $rc
|
|
202
|
}
|
|
203
|
|
|
204
|
function date2iso_old() {
|
|
205
|
local MON
|
|
206
|
local day
|
|
207
|
local yr
|
|
208
|
local hr
|
|
209
|
local min
|
|
210
|
local sec
|
|
211
|
local MONTHS
|
|
212
|
local -a MONTHS
|
|
213
|
MONTHS=("Jan" "Feb" "Mar" "Apr" "May" "Jun" "Jul" "Aug" "Sep" "Oct" "Nov" "Dec")
|
|
214
|
local mon
|
|
215
|
|
|
216
|
MON=`echo "$1" | $cut -d' ' -f1`
|
|
217
|
day=`echo "$1" | $cut -b5-6`
|
|
218
|
hr=`echo "$1" | $cut -b8-9`
|
|
219
|
min=`echo "$1" | $cut -b11-12`
|
|
220
|
sec=`echo "$1" | $cut -b14-15`
|
|
221
|
yr=`echo "$1" | $cut -b17-20`
|
|
222
|
# fix the month
|
|
223
|
|
|
224
|
mon=0
|
|
225
|
while $test $mon -lt 12
|
|
226
|
do
|
|
227
|
if eval "$test \"$MON\" = \"${MONTHS[$mon]}\""
|
|
228
|
then
|
|
229
|
break
|
|
230
|
fi
|
|
231
|
mon=`expr $mon + 1`
|
|
232
|
done
|
|
233
|
mon=`expr $mon + 1`
|
|
234
|
|
|
235
|
mon=`str2num $mon`
|
|
236
|
day=`str2num $day`
|
|
237
|
hr=`str2num $hr`
|
|
238
|
min=`str2num $min`
|
|
239
|
sec=`str2num $sec`
|
|
240
|
yr=`str2num $yr`
|
|
241
|
printf "%.4d%.2d%.2d%.2d%.2d%.2d" $yr $mon $day $hr $min $sec
|
|
242
|
}
|
|
243
|
|
|
244
|
# function crl_fix_ldap() {
|
|
245
|
# local attr
|
|
246
|
# attr=`echo $url | cut -d? -f2`
|
|
247
|
# val=`cat $WDIR/crl | grep -vi ^dn: | sed -e "/$attr/I s/[ \t]*$attr\(;binary\)\?: //I;"`
|
|
248
|
# echo "$val" | openssl crl -inform DER
|
|
249
|
# }
|
|
250
|
|
|
251
|
### Start the work
|
|
252
|
###
|
|
253
|
# PHASE 1 - getting the commands
|
|
254
|
###
|
|
255
|
syslog_s="-s" # let's talk to stderr initially
|
|
256
|
ERRSTAT=$eOPT # error exit status for the first phase
|
|
257
|
|
|
258
|
# get params
|
|
259
|
TEMP=`getopt s $*`
|
|
260
|
if $test $? -ne 0
|
|
261
|
then
|
|
262
|
die $ERRSTAT "$usage
|
|
263
|
Terminating..."
|
|
264
|
fi
|
|
265
|
eval set -- "$TEMP"
|
|
266
|
while true
|
|
267
|
do
|
|
268
|
case "$1" in
|
|
269
|
-s) OPT_s='-s'; shift;;
|
|
270
|
--) shift; break;;
|
|
271
|
*) die $ERRSTAT "Internal error";;
|
|
272
|
esac
|
|
273
|
done
|
|
274
|
|
|
275
|
# The last arg is the URL
|
|
276
|
url="$1"
|
|
277
|
$test -n "$url" || die $ERRSTAT "$usage"
|
|
278
|
syslog_s="$OPT_s" # go for user choice of logging
|
|
279
|
|
|
280
|
msg "Starting with $url"
|
|
281
|
|
|
282
|
WDIR=`$mktemp -dt getcrl.XXXXXX` || exit 1
|
|
283
|
trap "$rm -rf $WDIR" EXIT
|
|
284
|
|
|
285
|
ERRSTAT=$eGET
|
|
286
|
get_url "$url" || die $ERRSTAT "Error downloading the CRL. Exiting."
|
|
287
|
|
|
288
|
### get the hash
|
|
289
|
ERRSTAT=$eREAD
|
|
290
|
HASH=`$openssl crl -out /dev/null -hash -in $WDIR/crl.pem 2>&1`
|
|
291
|
if $test $? -ne 0
|
|
292
|
then
|
|
293
|
$test -n "$HASH" && msg "$HASH"
|
|
294
|
die $ERRSTAT "Error getting CRL hash. Exiting."
|
|
295
|
fi
|
|
296
|
dbg $HASH
|
|
297
|
|
|
298
|
### verify the CRL
|
|
299
|
ERRSTAT=$eVERIFY
|
|
300
|
OUT=`$openssl crl -out /dev/null -CApath $CRTDIR -in $WDIR/crl.pem 2>&1`
|
|
301
|
if $test $? -ne 0
|
|
302
|
then
|
|
303
|
$test -n "$OUT" && msg "$OUT";
|
|
304
|
die $ERRSTAT "CRL verification error. Exiting."
|
|
305
|
fi
|
|
306
|
|
|
307
|
### get the new update
|
|
308
|
ERRSTAT=$eREAD
|
|
309
|
nupdatestr=`$openssl crl -lastupdate -out /dev/null -in $WDIR/crl.pem | $cut -d= -f2` || die $ERRSTAT "Error reading lastupdate from new CRL"
|
|
310
|
|
|
311
|
nupdate=`date2iso "$nupdatestr"`
|
|
312
|
|
|
313
|
### find the old crl
|
|
314
|
ERRSTAT=$eWRITE
|
|
315
|
if $test ! -e $CRLDIR/$HASH.r0
|
|
316
|
then
|
|
317
|
oupdate='00000000000000'
|
|
318
|
else
|
|
319
|
oupdatestr=`$openssl crl -lastupdate -out /dev/null -in $CRLDIR/$HASH.r0 | $cut -d= -f2` || die $eREAD "Error reading lastupdate from old CRL. Exiting."
|
|
320
|
### get the old update
|
|
321
|
oupdate=`date2iso "$oupdatestr"`
|
|
322
|
fi
|
|
323
|
|
|
324
|
### are we younger?
|
|
325
|
if $test $nupdate -gt $oupdate
|
|
326
|
then
|
|
327
|
msg "New CRL is younger than the installed one."
|
|
328
|
OUT=`$cp $WDIR/crl.pem $CRLDIR/$HASH.r0 2>&1`
|
|
329
|
if $test $? -ne 0
|
|
330
|
then
|
|
331
|
die $cWRITE "CRL installation error. Exiting"
|
|
332
|
fi
|
|
333
|
else
|
|
334
|
msg "New CRL is not younger than the installed one. Skipping."
|
|
335
|
fi
|
|
336
|
die $eSUCCESS "Task completed."
|