diff --git a/c_rehash.c b/c_rehash.c new file mode 100644 index 0000000..5575492 --- /dev/null +++ b/c_rehash.c @@ -0,0 +1,375 @@ +/* c_rehash.c - Create hash symlinks for certificates + * C implementation based on the original Perl and shell versions + * + * Copyright (c) 2013-2014 Timo Teräs + * All rights reserved. + * + * This software is licensed under the MIT License. + * Full license available at: http://opensource.org/licenses/MIT + */ + +#include +#include +#include +#include +#include +#include + +#include +#include +#include + +#define MAX_COLLISIONS 256 +#define countof(x) (sizeof(x) / sizeof(x[0])) + +#if 0 +#define DEBUG(args...) fprintf(stderr, args) +#else +#define DEBUG(args...) +#endif + +struct entry_info { + struct entry_info *next; + char *filename; + unsigned short old_id; + unsigned char need_symlink; + unsigned char digest[EVP_MAX_MD_SIZE]; +}; + +struct bucket_info { + struct bucket_info *next; + struct entry_info *first_entry, *last_entry; + unsigned int hash; + unsigned short type; + unsigned short num_needed; +}; + +enum Type { + TYPE_CERT = 0, + TYPE_CRL +}; + +static const char *symlink_extensions[] = { "", "r" }; +static const char *file_extensions[] = { "pem", "crt", "cer", "crl" }; + +static int evpmdsize; +static const EVP_MD *evpmd; + +static int do_hash_new = 1; +static int do_hash_old = 0; +static int do_remove_links = 1; +static int do_verbose = 0; + +static struct bucket_info *hash_table[257]; + +static void bit_set(unsigned char *set, unsigned bit) +{ + set[bit / 8] |= 1 << (bit % 8); +} + +static int bit_isset(unsigned char *set, unsigned bit) +{ + return set[bit / 8] & (1 << (bit % 8)); +} + +static void add_entry( + int type, unsigned int hash, + const char *filename, const unsigned char *digest, + int need_symlink, unsigned short old_id) +{ + struct bucket_info *bi; + struct entry_info *ei, *found = NULL; + unsigned int ndx = (type + hash) % countof(hash_table); + + for (bi = hash_table[ndx]; bi; bi = bi->next) + if (bi->type == type && bi->hash == hash) + break; + if (!bi) { + bi = calloc(1, sizeof(*bi)); + if (!bi) return; + bi->next = hash_table[ndx]; + bi->type = type; + bi->hash = hash; + hash_table[ndx] = bi; + } + + for (ei = bi->first_entry; ei; ei = ei->next) { + if (digest && memcmp(digest, ei->digest, evpmdsize) == 0) { + fprintf(stderr, + "WARNING: Skipping duplicate certificate in file %s\n", + filename); + return; + } + if (!strcmp(filename, ei->filename)) { + found = ei; + if (!digest) break; + } + } + ei = found; + if (!ei) { + if (bi->num_needed >= MAX_COLLISIONS) return; + ei = calloc(1, sizeof(*ei)); + if (!ei) return; + + ei->old_id = ~0; + ei->filename = strdup(filename); + if (bi->last_entry) bi->last_entry->next = ei; + if (!bi->first_entry) bi->first_entry = ei; + bi->last_entry = ei; + } + + if (old_id < ei->old_id) ei->old_id = old_id; + if (need_symlink && !ei->need_symlink) { + ei->need_symlink = 1; + bi->num_needed++; + memcpy(ei->digest, digest, evpmdsize); + } +} + +static int handle_symlink(const char *filename, const char *fullpath) +{ + static char xdigit[] = { + 0, 1, 2, 3, 4, 5, 6, 7, 8, 9,-1,-1,-1,-1,-1,-1, + -1,10,11,12,13,14,15,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1,-1, + -1,10,11,12,13,14,15 + }; + char linktarget[NAME_MAX], *endptr; + unsigned int hash = 0; + unsigned char ch; + int i, type, id; + ssize_t n; + + for (i = 0; i < 8; i++) { + ch = filename[i] - '0'; + if (ch >= countof(xdigit) || xdigit[ch] < 0) + return -1; + hash <<= 4; + hash += xdigit[ch]; + } + if (filename[i++] != '.') return -1; + for (type = countof(symlink_extensions) - 1; type > 0; type--) + if (strcasecmp(symlink_extensions[type], &filename[i]) == 0) + break; + i += strlen(symlink_extensions[type]); + + id = strtoul(&filename[i], &endptr, 10); + if (*endptr != 0) return -1; + + n = readlink(fullpath, linktarget, sizeof(linktarget)); + if (n >= sizeof(linktarget) || n < 0) return -1; + linktarget[n] = 0; + + DEBUG("Found existing symlink %s for %08x (%d), certname %s\n", + filename, hash, type, linktarget); + add_entry(type, hash, linktarget, NULL, 0, id); + return 0; +} + +static int handle_certificate(const char *filename, const char *fullpath) +{ + STACK_OF(X509_INFO) *inf; + X509_INFO *x; + BIO *b; + const char *ext; + unsigned char digest[EVP_MAX_MD_SIZE]; + X509_NAME *name = NULL; + int i, type, ret = -1; + + ext = strrchr(filename, '.'); + if (ext == NULL) return 0; + for (i = 0; i < countof(file_extensions); i++) { + if (strcasecmp(file_extensions[i], ext+1) == 0) + break; + } + if (i >= countof(file_extensions)) return -1; + + b = BIO_new_file(fullpath, "r"); + if (!b) return -1; + inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL); + BIO_free(b); + if (!inf) return -1; + + if (sk_X509_INFO_num(inf) == 1) { + x = sk_X509_INFO_value(inf, 0); + if (x->x509) { + type = TYPE_CERT; + name = X509_get_subject_name(x->x509); + X509_digest(x->x509, evpmd, digest, NULL); + } else if (x->crl) { + type = TYPE_CRL; + name = X509_CRL_get_issuer(x->crl); + X509_CRL_digest(x->crl, evpmd, digest, NULL); + } + if (name && do_hash_new) + add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0); + if (name && do_hash_old) + add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0); + } else { + fprintf(stderr, + "WARNING: %s does not contain exactly one certificate or CRL: skipping\n", + filename); + } + + sk_X509_INFO_pop_free(inf, X509_INFO_free); + + return ret; +} + +static int hash_dir(const char *dirname) +{ + struct bucket_info *bi, *nextbi; + struct entry_info *ei, *nextei; + struct dirent *de; + struct stat st; + unsigned char idmask[MAX_COLLISIONS / 8]; + int i, n, nextid, buflen, ret = -1; + const char *pathsep; + char *buf; + DIR *d; + + if (access(dirname, R_OK|W_OK|X_OK) != 0) { + fprintf(stderr, + "ERROR: Access denied '%s'\n", + dirname); + return -1; + } + + buflen = strlen(dirname); + pathsep = (buflen && dirname[buflen-1] == '/') ? "" : "/"; + buflen += NAME_MAX + 2; + buf = malloc(buflen); + if (buf == NULL) + goto err; + + if (do_verbose) printf("Doing %s\n", dirname); + d = opendir(dirname); + if (!d) goto err; + + while ((de = readdir(d)) != NULL) { + if (snprintf(buf, buflen, "%s%s%s", dirname, pathsep, de->d_name) >= buflen) + continue; + if (lstat(buf, &st) < 0) + continue; + if (S_ISLNK(st.st_mode) && handle_symlink(de->d_name, buf) == 0) + continue; + handle_certificate(de->d_name, buf); + } + closedir(d); + + for (i = 0; i < countof(hash_table); i++) { + for (bi = hash_table[i]; bi; bi = nextbi) { + nextbi = bi->next; + DEBUG("Type %d, hash %08x, num entries %d:\n", bi->type, bi->hash, bi->num_needed); + + nextid = 0; + memset(idmask, 0, (bi->num_needed+7)/8); + for (ei = bi->first_entry; ei; ei = ei->next) + if (ei->old_id < bi->num_needed) + bit_set(idmask, ei->old_id); + + for (ei = bi->first_entry; ei; ei = nextei) { + nextei = ei->next; + DEBUG("\t(old_id %d, need_symlink %d) Cert %s\n", + ei->old_id, ei->need_symlink, + ei->filename); + + if (ei->old_id < bi->num_needed) { + /* Link exists, and is used as-is */ + snprintf(buf, buflen, "%08x.%s%d", bi->hash, symlink_extensions[bi->type], ei->old_id); + if (do_verbose) printf("link %s -> %s\n", ei->filename, buf); + } else if (ei->need_symlink) { + /* New link needed (it may replace something) */ + while (bit_isset(idmask, nextid)) + nextid++; + + snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bi->hash, + symlink_extensions[bi->type], + nextid); + if (do_verbose) printf("link %s -> %s\n", ei->filename, &buf[n]); + unlink(buf); + symlink(ei->filename, buf); + } else if (do_remove_links) { + /* Link to be deleted */ + snprintf(buf, buflen, "%s%s%n%08x.%s%d", + dirname, pathsep, &n, bi->hash, + symlink_extensions[bi->type], + ei->old_id); + if (do_verbose) printf("unlink %s\n", &buf[n]); + unlink(buf); + } + free(ei->filename); + free(ei); + } + free(bi); + } + hash_table[i] = NULL; + } + + ret = 0; +err: + free(buf); + return ret; +} + +static void c_rehash_usage(void) +{ + printf("\ +usage: c_rehash \n\ +\n\ +-compat - create new- and old-style hashed links\n\ +-old - use old-style hashing for generating links\n\ +-h - display this help\n\ +-n - do not remove existing links\n\ +-v - be more verbose\n\ +\n"); +} + +int main(int argc, char **argv) +{ + const char *env, *opt; + int i, numargs, r = 0; + + evpmd = EVP_sha1(); + evpmdsize = EVP_MD_size(evpmd); + + numargs = argc; + for (i = 1; i < argc; i++) { + if (argv[i][0] != '-') continue; + if (strcmp(argv[i], "--") == 0) { argv[i] = 0; numargs--; break; } + opt = &argv[i][1]; + if (strcmp(opt, "compat") == 0) { + do_hash_new = do_hash_old = 1; + } else if (strcmp(opt, "old") == 0) { + do_hash_new = 0; + do_hash_old = 1; + } else if (strcmp(opt, "n") == 0) { + do_remove_links = 0; + } else if (strcmp(opt, "v") == 0) { + do_verbose++; + } else { + if (strcmp(opt, "h") != 0) + fprintf(stderr, "unknown option %s\n", argv[i]); + c_rehash_usage(); + return 1; + } + argv[i] = 0; + numargs--; + } + + if (numargs > 1) { + for (i = 1; i < argc; i++) + if (argv[i]) r |= hash_dir(argv[i]); + } else if ((env = getenv("SSL_CERT_DIR")) != NULL) { + char *e, *m; + m = strdup(env); + for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":")) + r |= hash_dir(e); + free(m); + } else { + r |= hash_dir("/etc/ssl/certs"); + } + + return r ? 2 : 0; +} diff --git a/certdata2pem.py b/certdata2pem.py new file mode 100644 index 0000000..f91422b --- /dev/null +++ b/certdata2pem.py @@ -0,0 +1,155 @@ +#!/usr/bin/python +# vim:set et sw=4: +# +# certdata2pem.py - splits certdata.txt into multiple files +# +# Copyright (C) 2009 Philipp Kern +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. + +import base64 +import os.path +import re +import sys +import textwrap +import io + +objects = [] + +# Dirty file parser. +in_data, in_multiline, in_obj = False, False, False +field, type, value, obj = None, None, None, dict() + +# Python 3 will not let us decode non-ascii characters if we +# have not specified an encoding, but Python 2's open does not +# have an option to set the encoding. Python 3's open is io.open +# and io.open has been backported to Python 2.6 and 2.7, so use io.open. +for line in io.open('certdata.txt', 'rt', encoding='utf8'): + # Ignore the file header. + if not in_data: + if line.startswith('BEGINDATA'): + in_data = True + continue + # Ignore comment lines. + if line.startswith('#'): + continue + # Empty lines are significant if we are inside an object. + if in_obj and len(line.strip()) == 0: + objects.append(obj) + obj = dict() + in_obj = False + continue + if len(line.strip()) == 0: + continue + if in_multiline: + if not line.startswith('END'): + if type == 'MULTILINE_OCTAL': + line = line.strip() + for i in re.finditer(r'\\([0-3][0-7][0-7])', line): + value.append(int(i.group(1), 8)) + else: + value += line + continue + obj[field] = value + in_multiline = False + continue + if line.startswith('CKA_CLASS'): + in_obj = True + line_parts = line.strip().split(' ', 2) + if len(line_parts) > 2: + field, type = line_parts[0:2] + value = ' '.join(line_parts[2:]) + elif len(line_parts) == 2: + field, type = line_parts + value = None + else: + raise NotImplementedError('line_parts < 2 not supported.') + if type == 'MULTILINE_OCTAL': + in_multiline = True + value = bytearray() + continue + obj[field] = value +if len(obj) > 0: + objects.append(obj) + +# Read blacklist. +blacklist = [] +if os.path.exists('blacklist.txt'): + for line in open('blacklist.txt', 'r'): + line = line.strip() + if line.startswith('#') or len(line) == 0: + continue + item = line.split('#', 1)[0].strip() + blacklist.append(item) + +# Build up trust database. +trust = dict() +for obj in objects: + if obj['CKA_CLASS'] != 'CKO_NSS_TRUST': + continue + if obj['CKA_LABEL'] in blacklist: + print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']) + elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR': + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR': + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED': + print('!'*74) + print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']) + print('!'*74) + else: + print("Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \ + (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], + obj['CKA_TRUST_EMAIL_PROTECTION'])) + +for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ + .replace(')', '=')\ + .replace(',', '_') + + # this is the only way to decode the way NSS stores multi-byte UTF-8 + # and we need an escaped string for checking existence of things + # otherwise we're dependant on the user's current locale. + if bytes != str: + # We're in python 3, convert the utf-8 string to a + # sequence of bytes that represents this utf-8 string + # then encode the byte-sequence as an escaped string that + # can be passed to open() and os.path.exists() + bname = bname.encode('utf-8').decode('unicode_escape').encode('latin-1') + else: + # Python 2 + # Convert the unicode string back to its original byte form + # (contents of files returned by io.open are returned as + # unicode strings) + # then to an escaped string that can be passed to open() + # and os.path.exists() + bname = bname.encode('utf-8').decode('string_escape') + + fname = bname + b'.crt' + if os.path.exists(fname): + print("Found duplicate certificate name %s, renaming." % bname) + fname = bname + b'_2.crt' + f = open(fname, 'w') + f.write("-----BEGIN CERTIFICATE-----\n") + encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8') + f.write("\n".join(textwrap.wrap(encoded, 64))) + f.write("\n-----END CERTIFICATE-----\n") + diff --git a/update-ca-certificates.8 b/update-ca-certificates.8 new file mode 100644 index 0000000..b149b1d --- /dev/null +++ b/update-ca-certificates.8 @@ -0,0 +1,73 @@ +.\" Hey, EMACS: -*- nroff -*- +.\" First parameter, NAME, should be all caps +.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection +.\" other parameters are allowed: see man(7), man(1) +.TH UPDATE-CA-CERTIFICATES 8 "20 April 2003" +.\" Please adjust this date whenever revising the manpage. +.\" +.\" Some roff macros, for reference: +.\" .nh disable hyphenation +.\" .hy enable hyphenation +.\" .ad l left justify +.\" .ad b justify to both left and right margins +.\" .nf disable filling +.\" .fi enable filling +.\" .br insert line break +.\" .sp insert n+1 empty lines +.\" for manpage-specific macros, see man(7) +.SH NAME +update-ca-certificates \- update /etc/ssl/certs and ca-certificates.crt +.SH SYNOPSIS +.B update-ca-certificates +.RI [ options ] +.SH DESCRIPTION +This manual page documents briefly the +.B update-ca-certificates +command. +.PP +\fBupdate-ca-certificates\fP is a program that updates the directory +/etc/ssl/certs to hold SSL certificates and generates ca-certificates.crt, +a concatenated single-file list of certificates. +.PP +It reads the file /etc/ca-certificates.conf. Each line gives a pathname of +a CA certificate under /usr/share/ca-certificates that should be trusted. +Lines that begin with "#" are comment lines and thus ignored. +Lines that begin with "!" are deselected, causing the deactivation of the CA +certificate in question. Certificates must have a .crt extension in order to +be included by update-ca-certificates. +.PP +Furthermore all certificates with a .crt extension found below +/usr/local/share/ca-certificates are also included as implicitly trusted. +.PP +Before terminating, \fBupdate-ca-certificates\fP invokes +\fBrun-parts\fP on /etc/ca-certificates/update.d. +.SH OPTIONS +A summary of options is included below. +.TP +.B \-h, \-\-help +Show summary of options. +.TP +.B \-v, \-\-verbose +Be verbose. Output \fBc_rehash\fP. +.TP +.B \-f, \-\-fresh +Fresh updates. Remove symlinks in /etc/ssl/certs directory. +.SH FILES +.TP +.I /etc/ca-certificates.conf +A configuration file. +.TP +.I /etc/ssl/certs/ca-certificates.crt +A single-file version of CA certificates. This holds +all CA certificates that you activated in /etc/ca-certificates.conf. +.TP +.I /usr/share/ca-certificates +Directory of CA certificates. +.TP +.I /usr/local/share/ca-certificates +Directory of local CA certificates (with .crt extension). +.SH SEE ALSO +.BR c_rehash (1) +.SH AUTHOR +This manual page was written by Fumitoshi UKAI , +for the Debian project (but may be used by others). diff --git a/update-ca.c b/update-ca.c new file mode 100644 index 0000000..10ebd02 --- /dev/null +++ b/update-ca.c @@ -0,0 +1,362 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + +#define CERTSDIR "/usr/share/ca-certificates/" +#define LOCALCERTSDIR "/usr/local/share/ca-certificates/" +#define ETCCERTSDIR "/etc/ssl/certs/" +#define RUNPARTSDIR "/etc/ca-certificates/update.d/" +#define CERTBUNDLE "ca-certificates.crt" +#define CERTSCONF "/etc/ca-certificates.conf" + +static const char *last_component(const char *path) +{ + const char *c = strrchr(path, '/'); + if (c) return c + 1; + return path; +} +static bool str_begins(const char* str, const char* prefix) +{ + return !strncmp(str, prefix, strlen(prefix)); +} + +struct hash_item { + struct hash_item *next; + char *key; + char *value; +}; + +struct hash { + struct hash_item *items[256]; +}; + +static unsigned int hash_string(const char *str) +{ + unsigned long h = 5381; + for (; *str; str++) + h = (h << 5) + h + *str; + return h; +} + +static void hash_init(struct hash *h) +{ + memset(h, 0, sizeof *h); +} + +static struct hash_item *hash_get(struct hash *h, const char *key) +{ + unsigned int bucket = hash_string(key) % ARRAY_SIZE(h->items); + struct hash_item *item; + + for (item = h->items[bucket]; item; item = item->next) + if (strcmp(item->key, key) == 0) + return item; + return NULL; +} + +static void hash_foreach(struct hash *h, void (*cb)(struct hash_item *)) +{ + struct hash_item *item; + int i; + + for (i = 0; i < ARRAY_SIZE(h->items); i++) { + for (item = h->items[i]; item; item = item->next) + cb(item); + } +} + +static bool hash_add(struct hash *h, const char *key, const char *value) +{ + unsigned int bucket = hash_string(key) % ARRAY_SIZE(h->items); + size_t keylen = strlen(key), valuelen = strlen(value); + struct hash_item *i; + + i = malloc(sizeof(struct hash_item) + keylen + 1 + valuelen + 1); + if (!i) + return false; + + i->key = (char*)(i+1); + strcpy(i->key, key); + i->value = i->key + keylen + 1; + strcpy(i->value, value); + + i->next = h->items[bucket]; + h->items[bucket] = i; + return true; +} + +static ssize_t +buffered_copyfd(int in_fd, int out_fd, ssize_t in_size) +{ + const size_t bufsize = 8192; + char *buf = NULL; + ssize_t r = 0, w = 0, copied = 0, n, m; + if ((buf = malloc(bufsize)) == NULL) + return -1; + + while (r < in_size && (n = read(in_fd, buf, bufsize))) { + if (n == -1) { + if (errno == EINTR) + continue; + break; + } + r = n; + w = 0; + while (w < r && (n = write(out_fd, buf + w, (r - w)))) { + if (n == -1) { + if (errno == EINTR) + continue; + break; + } + w += n; + } + copied += w; + } + free(buf); + return copied; +} + +static bool +copyfile(const char* source, int output) +{ + off_t bytes = 0; + struct stat fileinfo = {0}; + ssize_t result; + int in_fd; + + if ((in_fd = open(source, O_RDONLY)) == -1) + return false; + + if (fstat(in_fd, &fileinfo) < 0) { + close(in_fd); + return false; + } + + result = sendfile(output, in_fd, &bytes, fileinfo.st_size); + if ((result == -1) && (errno == EINVAL || errno == ENOSYS)) + result = buffered_copyfd(in_fd, output, fileinfo.st_size); + + close(in_fd); + return fileinfo.st_size == result; +} + +typedef void (*proc_path)(const char *fullpath, struct hash *, int); + +static void proc_localglobaldir(const char *fullpath, struct hash *h, int tmpfile_fd) +{ + const char *fname = last_component(fullpath); + size_t flen = strlen(fname); + char *s, *actual_file = NULL; + + /* Snip off the .crt suffix */ + if (flen > 4 && strcmp(&fname[flen-4], ".crt") == 0) + flen -= 4; + + if (asprintf(&actual_file, "%s%.*s%s", + "ca-cert-", + flen, fname, + ".pem") == -1) { + fprintf(stderr, "Cannot open path: %s\n", fullpath); + return; + } + + for (s = actual_file; *s; s++) { + switch(*s) { + case ',': + case ' ': + *s = '_'; + break; + case ')': + case '(': + *s = '='; + break; + default: + break; + } + } + + if (!hash_add(h, actual_file, fullpath)) + fprintf(stderr, "Warning! Cannot hash: %s\n", fullpath); + if (!copyfile(fullpath, tmpfile_fd)) + fprintf(stderr, "Warning! Cannot copy to bundle: %s\n", fullpath); + free(actual_file); +} + +static void proc_etccertsdir(const char* fullpath, struct hash* h, int tmpfile_fd) +{ + char linktarget[SYMLINK_MAX]; + ssize_t linklen; + + linklen = readlink(fullpath, linktarget, sizeof(linktarget)-1); + if (linklen < 0) + return; + linktarget[linklen] = 0; + + struct hash_item *item = hash_get(h, last_component(fullpath)); + if (!item) { + /* Symlink exists but is not wanted + * Delete it if it points to 'our' directory + */ + if (str_begins(linktarget, CERTSDIR) || str_begins(linktarget, LOCALCERTSDIR)) + unlink(fullpath); + } else if (strcmp(linktarget, item->value) != 0) { + /* Symlink exists but points wrong */ + unlink(fullpath); + if (symlink(item->value, fullpath) < 0) + fprintf(stderr, "Warning! Cannot update symlink %s -> %s\n", item->value, fullpath); + item->value = 0; + } else { + /* Symlink exists and is ok */ + item->value = 0; + } +} + +static bool read_global_ca_list(const char* file, struct hash* d, int tmpfile_fd) +{ + FILE * fp = fopen(file, "r"); + if (fp == NULL) + return false; + + char * line = NULL; + size_t len = 0; + ssize_t read; + + while ((read = getline(&line, &len, fp)) != -1) { + /* getline returns number of bytes in buffer, and buffer + * contains delimeter if it was found */ + if (read > 0 && line[read-1] == '\n') + line[read-1] = 0; + if (str_begins(line, "#") || str_begins(line, "!")) + continue; + + char* fullpath = 0; + if (asprintf(&fullpath,"%s%s", CERTSDIR, line) != -1) { + proc_localglobaldir(fullpath, d, tmpfile_fd); + free(fullpath); + } + } + + fclose(fp); + free(line); + return true; +} + +typedef enum { + FILE_LINK, + FILE_REGULAR +} filetype; + +static bool is_filetype(const char* path, filetype file_check) +{ + struct stat statbuf; + + if (lstat(path, &statbuf) < 0) + return false; + switch(file_check) { + case FILE_LINK: return S_ISLNK(statbuf.st_mode); + case FILE_REGULAR: return S_ISREG(statbuf.st_mode); + default: break; + } + + return false; +} + +static bool dir_readfiles(struct hash* d, const char* path, + filetype allowed_file_type, + proc_path path_processor, + int tmpfile_fd) +{ + DIR *dp = opendir(path); + if (!dp) + return false; + + struct dirent *dirp; + while ((dirp = readdir(dp)) != NULL) { + if (str_begins(dirp->d_name, ".")) + continue; + + char* fullpath = 0; + if (asprintf(&fullpath, "%s%s", path, dirp->d_name) != -1) { + if (is_filetype(fullpath, allowed_file_type)) + path_processor(fullpath, d, tmpfile_fd); + + free(fullpath); + } + } + + return closedir(dp) == 0; +} + +static void update_ca_symlink(struct hash_item *item) +{ + if (!item->value) + return; + + char* newpath = 0; + bool build_str = asprintf(&newpath, "%s%s", ETCCERTSDIR, item->key); + if (!build_str || symlink(item->value, newpath) == -1) + fprintf(stderr, "Warning! Cannot symlink %s -> %s\n", + item->value, newpath); + free(newpath); +} + +int main(int a, char **v) +{ + struct hash _calinks, *calinks = &_calinks; + + const char* bundle = "bundleXXXXXX"; + char* tmpfile = 0; + if (asprintf(&tmpfile, "%s%s", ETCCERTSDIR, bundle) == -1) + return 1; + + int fd = mkstemp(tmpfile); + if (fd == -1) { + fprintf(stderr, "Failed to open temporary file %s for ca bundle\n", tmpfile); + return 1; + } + fchmod(fd, 0644); + + hash_init(calinks); + + /* Handle global CA certs from config file */ + read_global_ca_list(CERTSCONF, calinks, fd); + + /* Handle local CA certificates */ + dir_readfiles(calinks, LOCALCERTSDIR, FILE_REGULAR, &proc_localglobaldir, fd); + + /* Update etc cert dir for additions and deletions*/ + dir_readfiles(calinks, ETCCERTSDIR, FILE_LINK, &proc_etccertsdir, fd); + hash_foreach(calinks, update_ca_symlink); + + /* Update hashes and the bundle */ + if (fd != -1) { + close(fd); + char* newcertname = 0; + if (asprintf(&newcertname, "%s%s", ETCCERTSDIR, CERTBUNDLE) != -1) { + rename(tmpfile, newcertname); + free(newcertname); + } + } + + free(tmpfile); + + /* Execute run-parts */ + static const char *run_parts_args[] = { "run-parts", RUNPARTSDIR, 0 }; + execve("/usr/bin/run-parts", run_parts_args, NULL); + execve("/bin/run-parts", run_parts_args, NULL); + perror("run-parts"); + + return 1; +}