krd/angie-conv-image
1
0
Fork 0
Code
main
angie-conv-image/image-entry.d/77-openssl-ca-certs.envsh
Konstantin Demin 91ec2a4c86
treewide: rework certificate handling 
also:
- reorder some blocks in dockerfiles
- provide sane requirements.txt
2024-09-20 02:39:40 +03:00

134 lines
3.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/sh
unset def_bundle def_bundle_fp
def_bundle='/etc/ssl/certs/ca-certificates.crt'
def_bundle_fp="${def_bundle}.fp"
while : ; do
if [ -n "${SSL_CERT_FILE:-}" ] ; then
log_always "NOT merging CA certificates (if any): SSL_CERT_FILE is already set (=${SSL_CERT_FILE})"
break
fi
[ -d "${target_root}/tls/ca" ] || break
unset w
w=$(mktemp -d) || break
find "${target_root}/tls/ca/" -follow -type f | sort -V > "$w/all.list"
[ -s "$w/all.list" ] || break
## entering processing section
touch "$w/processing"
unset orig_ca_file
while read -r orig_ca_file ; do
[ -n "${orig_ca_file}" ] || continue
openssl-cert-auto-pem.sh "${orig_ca_file}"
done < "$w/all.list" > "$w/all.pem"
unset orig_ca_file
[ -s "$w/all.pem" ] || break
openssl-cert-auto-pem.sh "$w/all.pem" "$w/new.pem" "$w/new.fp" "$w/new.off"
[ -s "$w/new.pem" ] || break
[ -s "$w/new.fp" ] || break
[ -s "$w/new.off" ] || break
rm -f "$w/all.pem"
## leaving processing section
rm -f "$w/processing"
unset def_bundle_bind_mount
def_bundle_bind_mount=1
while : ; do
unset devno_root devno_bundle devno_bundle_fp
devno_root=$(env stat -c '%d' / )
[ -f "${def_bundle}" ] || break
devno_bundle=$(env stat -L -c '%d' "${def_bundle}")
[ "${devno_root}" = "${devno_bundle}" ] || break
[ -f "${def_bundle_fp}" ] || break
devno_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}")
[ "${devno_root}" = "${devno_bundle_fp}" ] || break
def_bundle_bind_mount=0
break ; done
unset devno_root devno_bundle devno_bundle_fp
if [ "${def_bundle_bind_mount}" = 1 ] ; then
log_always "detected bind-mount inside ${def_bundle%/*}/"
log_always "this is merely misuse!"
if [ -s "${def_bundle}" ] ; then
openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
fi
else
ln -s "${def_bundle}" "$w/cacert.pem"
ln -s "${def_bundle_fp}" "$w/cacert.fp"
fi
unset with_def_bundle
with_def_bundle=0
while : ; do
[ -s "$w/cacert.pem" ] || break
[ -s "$w/cacert.fp" ] || break
with_def_bundle=1
break ; done
if [ "${with_def_bundle}" = 1 ] ; then
grep -Fxnv -f "$w/cacert.fp" "$w/new.fp" | cut -d : -f 1 > "$w/diff.ln"
[ -s "$w/diff.ln" ] || break
else
: > "$w/diff.ln"
fi
: > "${volume_root}/ca.pem"
if [ "${with_def_bundle}" = 1 ] ; then
cat < "$w/cacert.pem" > "${volume_root}/ca.pem"
else
log_always "NOT using ${def_bundle} - empty or missing"
fi
unset n
while read -r n ; do
[ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/new.off")
[ -n "${off}" ] || continue
sed -ne "${off}p" "$w/new.pem"
done < "$w/diff.ln" >> "${volume_root}/ca.pem"
unset n off
set -a
SSL_CERT_FILE="${volume_root}/ca.pem"
## merely a quirk
SSL_CERT_DIR="${empty_dir}"
set +a
break ; done
unset def_bundle_fp def_bundle_bind_mount with_def_bundle
while ! [ -f "${volume_root}/ca.pem" ] ; do
[ -s "${def_bundle}" ] || break
ln -s "${def_bundle}" "${volume_root}/ca.pem"
break ; done
unset def_bundle
[ -f "${volume_root}/ca.pem" ] || : > "${volume_root}/ca.pem"
if [ -n "${w:-}" ] ; then
if [ -f "$w/processing" ] ; then
rm -f "$w/processing"
log_always "unable to merge CA certificates (see below for details):"
log_always "directory listing:"
env -C "$w" ls -lA >&2
log_always "directory listing (following symlinks):"
env -C "$w" ls -L -lA >&2
log_always "consider reading source code and contacting developers"
fi
rm -rf "$w"
fi
unset w
View Git Blame Copy Permalink