2010-04-01 16:21:18 +00:00
|
|
|
#!/bin/bash
|
|
|
|
|
# vim: syntax=sh
|
|
|
|
|
|
2010-04-14 13:44:12 +00:00
|
|
|
shopt -s nullglob
|
|
|
|
|
|
2010-04-29 22:45:27 +00:00
|
|
|
cafile="/var/lib/ca-certificates/ca-bundle.pem"
|
2010-04-01 16:21:18 +00:00
|
|
|
cadir="/etc/ssl/certs"
|
|
|
|
|
|
|
|
|
|
for i in "$@"; do
|
|
|
|
|
if [ "$i" = "-f" ]; then
|
|
|
|
|
fresh=1
|
|
|
|
|
elif [ "$i" = "-v" ]; then
|
|
|
|
|
verbose=1
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [ -z "$fresh" -a "$cafile" -nt "$cadir" ]; then
|
|
|
|
|
exit 0
|
|
|
|
|
fi
|
|
|
|
|
echo "creating $cafile ..."
|
|
|
|
|
cat > "$cafile.new" <<EOF
|
|
|
|
|
#
|
|
|
|
|
# automatically created by $0. Do not edit!
|
2012-05-04 11:55:34 +00:00
|
|
|
#
|
2010-04-01 16:21:18 +00:00
|
|
|
# Use of this file is deprecated and should only be used as last
|
|
|
|
|
# resort by applications that cannot parse the $cadir directory.
|
2012-05-04 11:55:34 +00:00
|
|
|
# You should avoid hardcoding any paths in applications anyways though.
|
|
|
|
|
# Use e.g.
|
|
|
|
|
# SSL_CTX_set_default_verify_paths() instead.
|
2010-04-01 16:21:18 +00:00
|
|
|
#
|
|
|
|
|
EOF
|
|
|
|
|
for i in "$cadir"/*.pem; do
|
|
|
|
|
# only include certificates trusted for server auth
|
|
|
|
|
if grep -q "BEGIN TRUSTED CERTIFICATE" "$i"; then
|
|
|
|
|
trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
|
|
|
|
|
case "$trust" in
|
|
|
|
|
*serverAuth*) ;;
|
|
|
|
|
*) [ -z "$verbose" ] || echo "skipping $i" >&2; continue ;;
|
|
|
|
|
esac
|
|
|
|
|
fi
|
|
|
|
|
openssl x509 -in "$i"
|
|
|
|
|
done >> "$cafile.new"
|
|
|
|
|
mv "$cafile.new" "$cafile"
|
