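#!/usr/bin/env bash
#
# Download the zip with the SAT root certificates from:
# http://omawww.sat.gob.mx/informacion_fiscal/factura_electronica/Paginas/certificado_sello_digital.aspx
#
# NOTE: that link is plain HTTP. Confirm the fingerprints of the downloaded
# certificates out of band before treating the generated directory as a trust store.
# Every *.cer / *.crt in the current directory becomes a trust anchor, so run this
# only inside the directory extracted from Cert_Prod.zip.
#
# To use the script, place it in the root of the directory extracted from Cert_Prod.zip.
#
# Run with:
# bash ./create-hashes.sh <TARGET-DIR>
#
# or
#
# chmod +x ./create-hashes.sh && ./create-hashes.sh <TARGET-DIR>
#
# Where <TARGET-DIR> is the new directory (the script creates it) that will hold the
# PEM files together with symbolic links named after the subject hash of each
# certificate; it can be used with the -CApath option of `openssl verify`.
##
# For example, to verify a personal certificate once <TARGET-DIR> has been generated:
#
# openssl x509 -inform der -outform pem -in <PERSONAL-CERTIFICATE> | openssl verify -CApath <TARGET-DIR>
#
# It should print "stdin: OK" if everything went well.
#
# To see the chain use `-show_chain`
#
# openssl x509 -inform der -outform pem -in <PERSONAL-CERTIFICATE> | openssl verify -CApath <TARGET-DIR> -show_chain
#
# The certificate being verified has to be in PEM, which is why it is passed on stdin;
# the SAT usually delivers them DER-encoded.
#
################## NOTE #######################
## One certificate appears to be duplicated in the bundle: the hash "dea989e0"
## belongs to both ARC4_IES.pem and ARC2_IES.pem. OpenSSL's -CApath lookup tries
## <hash>.0, <hash>.1, ... in turn, so a colliding hash is given the next free
## suffix here instead of making ln fail.
#####################################################################################
set -euo pipefail
shopt -s nullglob   # with no *.cer/*.crt present the loop body never runs

die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $# -eq 1 ]] || die "usage: ${0##*/} <TARGET-DIR>"
TARGET=$1
readonly TARGET

#######################################
# Decide whether a certificate file is PEM or DER by asking openssl to parse it.
# (Checking `file -b` for the literal "data" misclassifies DER on versions of
# file(1) that recognise certificates, which would then copy DER bytes into a
# .pem file that -CApath cannot load.)
# Arguments: $1 - certificate path
# Outputs:   "pem" or "der" on stdout
# Returns:   1 if openssl accepts the file in neither encoding
#######################################
detect_encoding() {
  local cert=$1
  if openssl x509 -inform pem -noout -in "$cert" >/dev/null 2>&1; then
    printf 'pem\n'
  elif openssl x509 -inform der -noout -in "$cert" >/dev/null 2>&1; then
    printf 'der\n'
  else
    return 1
  fi
}

#######################################
# Return the first unused <hash>.N link name inside TARGET, which is the
# naming scheme -CApath expects for certificates sharing a subject hash.
# Globals:   TARGET (read)
# Arguments: $1 - subject hash from `openssl x509 -hash`
# Outputs:   link file name (no directory component) on stdout
#######################################
next_hash_link() {
  local hash=$1 n=0
  # -L catches a dangling symlink that -e would report as absent.
  while [[ -e "$TARGET/${hash}.${n}" || -L "$TARGET/${hash}.${n}" ]]; do
    n=$((n + 1))
  done
  printf '%s.%d\n' "$hash" "$n"
}

printf "Generating directory of trusted certificates (use with '-CApath') at %s\n" "$TARGET"
mkdir -- "$TARGET" || die "cannot create $TARGET"

for CA_cert in *.cer *.crt; do
  encode=$(detect_encoding "$CA_cert") || die "$CA_cert: not a PEM or DER certificate"
  cert_hash=$(openssl x509 -inform "$encode" -noout -hash -in "$CA_cert")
  # Strip only the last extension so "a.b.cer" and "a.c.cer" do not collapse to "a.pem".
  new_ca_filename="${CA_cert%.*}.pem"
  if [[ "$encode" == pem ]]; then
    cp -- "$CA_cert" "$TARGET/$new_ca_filename"
  else
    openssl x509 -inform der -outform pem -in "$CA_cert" -out "$TARGET/$new_ca_filename"
  fi
  link_name=$(next_hash_link "$cert_hash")
  printf 'Making symlink %s/%s -> %s\n' "$TARGET" "$link_name" "$new_ca_filename"
  # A relative link target resolves against the link's own directory, so no pushd/popd.
  ln -s -- "$new_ca_filename" "$TARGET/$link_name"
done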