1
0
angie-conv-image/image-entry.d/77-openssl-ca-certs.envsh
2024-09-17 14:11:00 +03:00

131 lines
3.3 KiB
Bash
Executable File

#!/bin/sh
unset def_bundle def_bundle_fp
def_bundle='/etc/ssl/certs/ca-certificates.crt'
def_bundle_fp="${def_bundle}.fp"
while : ; do
if [ -n "${SSL_CERT_FILE:-}" ] ; then
log_always "NOT merging CA certificates (if any): SSL_CERT_FILE is already set (=${SSL_CERT_FILE})"
break
fi
[ -d "${target_root}/tls/ca" ] || break
unset w
w=$(mktemp -d) || break
find "${target_root}/tls/ca/" -follow -type f | sort -V > "$w/all.list"
[ -s "$w/all.list" ] || break
## entering processing section
touch "$w/processing"
unset orig_ca_file
while read -r orig_ca_file ; do
[ -n "${orig_ca_file}" ] || continue
openssl-cert-auto-pem.sh "${orig_ca_file}"
done < "$w/all.list" > "$w/all.pem"
unset orig_ca_file
[ -s "$w/all.pem" ] || break
openssl-cert-fingerprint.sh "$w/all.pem" | sort -uV > "$w/all.fp"
[ -s "$w/all.fp" ] || break
## leaving processing section
rm -f "$w/processing"
unset dev_root dev_bundle dev_bundle_fp
dev_root=$(env stat -c '%d' / )
dev_bundle=$(env stat -L -c '%d' "${def_bundle}")
dev_bundle_fp=$(env stat -L -c '%d' "${def_bundle_fp}")
unset def_bundle_bind_mount
def_bundle_bind_mount=1
while : ; do
[ "${dev_root}" = "${dev_bundle}" ] || break
[ "${dev_root}" = "${dev_bundle_fp}" ] || break
[ "${dev_bundle}" = "${dev_bundle_fp}" ] || break
def_bundle_bind_mount=0
break ; done
unset dev_root dev_bundle dev_bundle_fp
if [ "${def_bundle_bind_mount}" = 1 ] ; then
log_always "detected bind-mount inside ${def_bundle%/*}/"
log_always "this is merely misuse!"
openssl-cert-auto-pem.sh "${def_bundle}" > "$w/cacert.pem"
openssl-cert-fingerprint.sh "$w/cacert.pem" | sort -uV > "$w/cacert.fp"
else
ln -s "${def_bundle}" "$w/cacert.pem"
ln -s "${def_bundle_fp}" "$w/cacert.fp"
fi
unset with_def_bundle
with_def_bundle=0
while : ; do
[ -s "$w/cacert.pem" ] || break
[ -s "$w/cacert.fp" ] || break
with_def_bundle=1
break ; done
if [ "${with_def_bundle}" = 1 ] ; then
grep -Fxv -f "$w/cacert.fp" "$w/all.fp" > "$w/diff.fp"
[ -s "$w/diff.fp" ] || break
## entering processing section
touch "$w/processing"
grep -Fxn -f "$w/diff.fp" "$w/all.fp" | cut -d : -f 1 > "$w/diff.lineno"
[ -s "$w/diff.lineno" ] || break
## leaving processing section
rm -f "$w/processing"
else
: > "$w/diff.lineno"
fi
: > "${volume_root}/ca.pem"
if [ "${with_def_bundle}" = 1 ] ; then
cat < "$w/cacert.pem" > "${volume_root}/ca.pem"
else
log_always "NOT using ${def_bundle} - empty or missing"
fi
unset n
while read -r n ; do
[ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/all.off")
sed -ne "${off}p" "$w/all.pem" | openssl x509
done < "$w/diff.lineno" >> "${volume_root}/ca.pem"
unset n off
set -a
SSL_CERT_FILE="${volume_root}/ca.pem"
## merely a quirk
SSL_CERT_DIR="${empty_dir}"
set +a
break ; done
unset def_bundle_bind_mount with_def_bundle
[ -f "${volume_root}/ca.pem" ] || ln -s "${def_bundle}" "${volume_root}/ca.pem"
unset def_bundle def_bundle_fp
if [ -n "${w:-}" ] ; then
if [ -f "$w/processing" ] ; then
rm -f "$w/processing"
log_always "unable to merge CA certificates (see below for details):"
log_always "directory listing:"
env -C "$w" ls -lA >&2
log_always "directory listing (following symlinks):"
env -C "$w" ls -L -lA >&2
log_always "consider reading source code and contacting developers"
fi
rm -rf "$w"
fi
unset w