dtonhofer/split_ca_bundle.pl

## split_ca_bundle.pl
#!/usr/bin/perl

use strict;
use warnings;

# ===
# Gist:
#
# https://gist.github.com/dtonhofer/01018844971235b511d241b537c332ee
#
# Synopsis:
#
# split_ca_bundle.pl /etc/pki/tls/certs/ca-bundle.crt
# split_ca_bundle.pl /etc/pki/tls/certs/ca-bundle.crt
#
# The result of splitting the CA bundle goes to a new directory created in the
# current working directory, which then looks like this:
#
# explode_bundle_L15w/
#   'certificate.000 (ACCVRAIZ1)'
#   'certificate.001 (AC RAIZ FNMT-RCM)'
#   'certificate.002 (AC RAIZ FNMT-RCM SERVIDORES SEGUROS)'
#   'certificate.003 (ANF Secure Server Root CA)'
#   'certificate.004 (Actalis Authentication Root CA)'
#   'certificate.005 (AffirmTrust Commercial)'
#   'certificate.006 (AffirmTrust Networking)'
#   'certificate.007 (AffirmTrust Premium)'
#
# ===
# Description:
#
# Split "certificate bundles" like those found in /etc/pki/tls/certs into
# individual files and append the X509 cleartext description to each file.
#
# The file to split is given on the command line or piped via STDIN.
#
# Files are written to a newly created directory. This directory is created
# in the current working directory.
#
# Created files are named "certificate.XXX" or "trusted-certificate.XXX",
# with XX an index value. The issuer/subject name (which should be the same
# as these are self-signed certificates) is append to the name.
#
# This works for bundles of both trusted and non-trusted certificates.
#
# See http://tygerclan.net/?q=node/49 for another program of this kind,
# which sets the name of the split-off files in function of the subject
#
# 2024-06-18: De-badified bad code for calling openssl, too large
#             procedures made smaller, and lazy programming using
#             references replaced. Fixed problem with "/" in CN.
#
# -------
# Author:  David Tonhofer
# License: Public Domain
# -------

use File::Temp qw(tempdir);               # Perl core module
use File::Spec::Functions qw(catfile);    # Perl core module

sub extractCnBestEffort {
   my($rest) = @_;
   if ($rest =~ /\bCN\s*=\s*(.+?)\s*(,|$)/) {
      return $1
   }
   else {
      # Sometimes there is no CN, let's use the OU then
      if ($rest =~ /\bOU\s*=\s*(.+?)\s*(,|$)/) {
         return $1
      }
      else {
         # Sometimes there is no OU, let's use the C then
         # This is the case of Taiwan
         my $country = '?';
         my $org     = '?';
         if ($rest =~ /\bC\s*=\s*(.+?)\s*(,|$)/) {
            $country = $1
         }
         if ($rest =~ /\bO\s*=\s*(.+?)\s*(,|$)/) {
            $org = $1
         }
         return "$country $org"
      }
   }
}

sub analyzeLineOfFileWithCertText {
   my($line,$curIssuer,$curSubject,$fn_text) = @_;
   my $newIssuer  = $curIssuer;
   my $newSubject = $curSubject;
   my $rest; # "rest of the line"
   my $what; # select subject or issuer
   # We see things like: "Issuer: C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA2"
   #                      Issuer: C=CZ, O=První certifikační autorita, a.s., CN=I.CA Root CA/RSA, serialNumber=NTRCZ-26439395
   if ($line =~ /^\s+Issuer:\s+(.+)$/) {
      die "There are two 'Issuer' lines in $fn_text'\n" if $curIssuer;
      $rest = $1;
      $what = 'issuer';
   }
   elsif ($line =~ /^\s+Subject:\s+(.+)$/) {
      die "There are two 'Subject' lines in fn'\n" if $curSubject;
      $rest = $1;
      $what = 'subject';
   }
   if ($rest) {
      my $cnBestEffort = extractCnBestEffort($rest);
      if ($what eq 'subject') {
         $newSubject = $cnBestEffort;
      }
      else {
         $newIssuer  = $cnBestEffort;
      }
   }
   return [ $newIssuer, $newSubject ];
}

sub analyzeFileWithCertText {
   my($fn,$fn_text) = @_;
   my $issuer;
   my $subject;
   # Read back from $fn_text and for each line:
   # - append line to $fn
   # - find subjetc or issuer
   open(my $fh_app,'>>:encoding(UTF-8)',$fn) or die "Could not open file '$fn' for appending: $!";
   open(my $fh_read, '<:encoding(UTF-8)', $fn_text) || die "Could not open file '$fn_text' for reading: $!\n";
   while (my $line = <$fh_read>) {
      print $fh_app $line;
      my $ret = analyzeLineOfFileWithCertText($line,$issuer,$subject,$fn_text);
      $issuer  = $$ret[0];
      $subject = $$ret[1];
   }
   close($fh_read) or warn "Could not close file '$fn_text': $!\n";
   close($fh_app) or warn "Could not close file '$fn': $!";
   return [$issuer,$subject];
}

sub runOpensslForDecodingAndAppendToFile {
   my($fn) = @_;
   my $fn_text = $fn . '.txt';
   # See https://perldoc.perl.org/functions/system
   my @openssl = ('openssl','x509','-noout','-text','-in',$fn,'-out',$fn_text);
   my $retval = system(@openssl);
   if ($retval == -1) {
      print STDERR "Failed to execute 'openssl x509' command: $!\n";
   }
   elsif ($retval & 127) {
      my $sig = ($? & 127); # the lowest 7 bits
      my $cdw = ($? & 128) ? 'with' : 'without'; # the 8th bit
      print STDERR "'openssl x509' died with signal $sig, $cdw coredump\n";
   }
   elsif ($retval != 0) {
      my $bailout_code = $retval >> 8; # need to drop 8 bits
      print STDERR "'openssl x509' failed with code $bailout_code\n";
   }
   else {
      my $ret = analyzeFileWithCertText($fn,$fn_text);
      unlink($fn_text) or warn "Could not unlink $fn_text: $!";
      return $ret;
   }
}

# ---
# Create new file to accept certificate data
# ---

sub createCertFile {
   my($line,$count) = @_;
   $line =~ /^(-----BEGIN (TRUSTED )?CERTIFICATE-----)\s*$/ || die "Not-matching line '$line'\n";
   my $marker  = $1;
   my $trusted = $2;
   my $prefix  = "";
   $prefix = "trusted-" if ($trusted);
   my $xcount = sprintf("%03d",$count); #prefix count with 0s
   my $fn = "${prefix}certificate.$xcount";
   die "File '$fn' exists!" if (-e $fn);
   print STDERR "Certificate data goes to file '$fn'\n";
   open(my $fh, '>:encoding(UTF-8)', $fn) || die "Could not create file '$fn': $!\n";
   print $fh "$marker\n";
   return ($fn,$fh)
}

# ---
# Read the file with certificates in a single slurp (from STDIN or else from
# the file whose filename has been given on the command line)
# If a filename with a relative path is given on the cmdline, Perl will look
# for it in the current working directory and so may not find it.
# ---

# use Cwd qw(cwd);
# my $mycwd = cwd;
# print "Current working directory is ${mycwd}\n";

my @lines = <> or die "Could not 'slurp' input (file or STDIN): $!\n";

# ---
# Try to create a temporary directory to be filled with certificates;
# The directory is created in tmpdir(); use "DIR => $dir" as additional
# argument to change that.
# ---

# my $tgdir = tempdir("explode_bundle_XXXX", TMPDIR => 1);
my $tgdir = tempdir("explode_bundle_XXXX"); # explode in current directory

if (!$tgdir) {
   die "Could not create temporary directory: $!\n"
}
else {
   print STDERR "Created temporary directory '$tgdir' into which result will be written.\n"
}

chdir $tgdir || die "Could not change working directory to '$tgdir': $!\n";

# ---
# Read and split the slurped file-of-certificates using a simple state machine
# ---

my $state = "outside"; # reader state machine state
my $count = 0;         # index of the certificate file we create
my $fh;                # file handle of the certificate file we create
my $fn;                # file name of the certificate file we create
my $trusted;           # either undef or "TRUSTED" depend on type of certificate

# Certificates marked as "trusted" have "extended validation" fields, that is all.

for my $line (@lines) {
   chomp $line;
   if ($state eq "outside") {
      if ($line =~ /^(-----BEGIN (TRUSTED )?CERTIFICATE-----)\s*$/) {
         $trusted  = $2;
         ($fn,$fh) = createCertFile($line,$count);
         $state    = "inside";
         $count++
      }
      else {
         print STDERR "Skipping line '$line'\n"
      }
   }
   else {
      die unless $state eq "inside";
      if ($line =~ /^(-----END (TRUSTED )?CERTIFICATE-----)\s*$/) {
         my $marker       = $1;
         my $trustedCheck = $2;
         if (!((($trusted && $trustedCheck) || (!$trusted && !$trustedCheck)))) {
            die "Trusted flag difference detected\n"
         }
         $state = "outside";
         print $fh "$marker\n";
         print STDERR "Closing file '$fn'\n";
         close $fh or die "Could not close file '$fn': $!\n";
         my $ret = runOpensslForDecodingAndAppendToFile($fn);
         my $issuer  = $$ret[0];
         my $subject = $$ret[1];
         my $selfsigned = ($issuer eq $subject);
         my $fn_newname;
         if ($selfsigned) {
            $fn_newname = "$fn ($subject)" # can leave out the issuer
         }
         else {
            $fn_newname = "$fn ($issuer ---> $subject)"
         }
         # in some cases, the new filename can contain '/'
         $fn_newname =~ s/\//./g;
         rename($fn,$fn_newname) or warn "Could not rename '$fn' to '$fn_newname': $!\n";
      }
      else {
         # Write the line to the target file
         print $fh "$line\n"
      }
   }
}

if ($state eq "inside") {
   die "Last certificate was not properly terminated\n"
}

print STDERR "Done. Everything can be found in temporary directory '$tgdir'.\n";
	#!/usr/bin/perl

	use strict;
	use warnings;

	# ===
	# Gist:
	#
	# https://gist.github.com/dtonhofer/01018844971235b511d241b537c332ee
	#
	# Synopsis:
	#
	# split_ca_bundle.pl /etc/pki/tls/certs/ca-bundle.crt
	# split_ca_bundle.pl /etc/pki/tls/certs/ca-bundle.crt
	#
	# The result of splitting the CA bundle goes to a new directory created in the
	# current working directory, which then looks like this:
	#
	# explode_bundle_L15w/
	# 'certificate.000 (ACCVRAIZ1)'
	# 'certificate.001 (AC RAIZ FNMT-RCM)'
	# 'certificate.002 (AC RAIZ FNMT-RCM SERVIDORES SEGUROS)'
	# 'certificate.003 (ANF Secure Server Root CA)'
	# 'certificate.004 (Actalis Authentication Root CA)'
	# 'certificate.005 (AffirmTrust Commercial)'
	# 'certificate.006 (AffirmTrust Networking)'
	# 'certificate.007 (AffirmTrust Premium)'
	#
	# ===
	# Description:
	#
	# Split "certificate bundles" like those found in /etc/pki/tls/certs into
	# individual files and append the X509 cleartext description to each file.
	#
	# The file to split is given on the command line or piped via STDIN.
	#
	# Files are written to a newly created directory. This directory is created
	# in the current working directory.
	#
	# Created files are named "certificate.XXX" or "trusted-certificate.XXX",
	# with XX an index value. The issuer/subject name (which should be the same
	# as these are self-signed certificates) is append to the name.
	#
	# This works for bundles of both trusted and non-trusted certificates.
	#
	# See http://tygerclan.net/?q=node/49 for another program of this kind,
	# which sets the name of the split-off files in function of the subject
	#
	# 2024-06-18: De-badified bad code for calling openssl, too large
	# procedures made smaller, and lazy programming using
	# references replaced. Fixed problem with "/" in CN.
	#
	# -------
	# Author: David Tonhofer
	# License: Public Domain
	# -------

	use File::Temp qw(tempdir); # Perl core module
	use File::Spec::Functions qw(catfile); # Perl core module

	sub extractCnBestEffort {
	my($rest) = @_;
	if ($rest =~ /\bCN\s=\s(.+?)\s*(,\|$)/) {
	return $1
	}
	else {
	# Sometimes there is no CN, let's use the OU then
	if ($rest =~ /\bOU\s=\s(.+?)\s*(,\|$)/) {
	return $1
	}
	else {
	# Sometimes there is no OU, let's use the C then
	# This is the case of Taiwan
	my $country = '?';
	my $org = '?';
	if ($rest =~ /\bC\s=\s(.+?)\s*(,\|$)/) {
	$country = $1
	}
	if ($rest =~ /\bO\s=\s(.+?)\s*(,\|$)/) {
	$org = $1
	}
	return "$country $org"
	}
	}
	}

	sub analyzeLineOfFileWithCertText {
	my($line,$curIssuer,$curSubject,$fn_text) = @_;
	my $newIssuer = $curIssuer;
	my $newSubject = $curSubject;
	my $rest; # "rest of the line"
	my $what; # select subject or issuer
	# We see things like: "Issuer: C = PL, O = Krajowa Izba Rozliczeniowa S.A., CN = SZAFIR ROOT CA2"
	# Issuer: C=CZ, O=První certifikační autorita, a.s., CN=I.CA Root CA/RSA, serialNumber=NTRCZ-26439395
	if ($line =~ /^\s+Issuer:\s+(.+)$/) {
	die "There are two 'Issuer' lines in $fn_text'\n" if $curIssuer;
	$rest = $1;
	$what = 'issuer';
	}
	elsif ($line =~ /^\s+Subject:\s+(.+)$/) {
	die "There are two 'Subject' lines in fn'\n" if $curSubject;
	$rest = $1;
	$what = 'subject';
	}
	if ($rest) {
	my $cnBestEffort = extractCnBestEffort($rest);
	if ($what eq 'subject') {
	$newSubject = $cnBestEffort;
	}
	else {
	$newIssuer = $cnBestEffort;
	}
	}
	return [ $newIssuer, $newSubject ];
	}

	sub analyzeFileWithCertText {
	my($fn,$fn_text) = @_;
	my $issuer;
	my $subject;
	# Read back from $fn_text and for each line:
	# - append line to $fn
	# - find subjetc or issuer
	open(my $fh_app,'>>:encoding(UTF-8)',$fn) or die "Could not open file '$fn' for appending: $!";
	open(my $fh_read, '<:encoding(UTF-8)', $fn_text) \|\| die "Could not open file '$fn_text' for reading: $!\n";
	while (my $line = <$fh_read>) {
	print $fh_app $line;
	my $ret = analyzeLineOfFileWithCertText($line,$issuer,$subject,$fn_text);
	$issuer = $$ret[0];
	$subject = $$ret[1];
	}
	close($fh_read) or warn "Could not close file '$fn_text': $!\n";
	close($fh_app) or warn "Could not close file '$fn': $!";
	return [$issuer,$subject];
	}

	sub runOpensslForDecodingAndAppendToFile {
	my($fn) = @_;
	my $fn_text = $fn . '.txt';
	# See https://perldoc.perl.org/functions/system
	my @openssl = ('openssl','x509','-noout','-text','-in',$fn,'-out',$fn_text);
	my $retval = system(@openssl);
	if ($retval == -1) {
	print STDERR "Failed to execute 'openssl x509' command: $!\n";
	}
	elsif ($retval & 127) {
	my $sig = ($? & 127); # the lowest 7 bits
	my $cdw = ($? & 128) ? 'with' : 'without'; # the 8th bit
	print STDERR "'openssl x509' died with signal $sig, $cdw coredump\n";
	}
	elsif ($retval != 0) {
	my $bailout_code = $retval >> 8; # need to drop 8 bits
	print STDERR "'openssl x509' failed with code $bailout_code\n";
	}
	else {
	my $ret = analyzeFileWithCertText($fn,$fn_text);
	unlink($fn_text) or warn "Could not unlink $fn_text: $!";
	return $ret;
	}
	}

	# ---
	# Create new file to accept certificate data
	# ---

	sub createCertFile {
	my($line,$count) = @_;
	$line =~ /^(-----BEGIN (TRUSTED )?CERTIFICATE-----)\s*$/ \|\| die "Not-matching line '$line'\n";
	my $marker = $1;
	my $trusted = $2;
	my $prefix = "";
	$prefix = "trusted-" if ($trusted);
	my $xcount = sprintf("%03d",$count); #prefix count with 0s
	my $fn = "${prefix}certificate.$xcount";
	die "File '$fn' exists!" if (-e $fn);
	print STDERR "Certificate data goes to file '$fn'\n";
	open(my $fh, '>:encoding(UTF-8)', $fn) \|\| die "Could not create file '$fn': $!\n";
	print $fh "$marker\n";
	return ($fn,$fh)
	}

	# ---
	# Read the file with certificates in a single slurp (from STDIN or else from
	# the file whose filename has been given on the command line)
	# If a filename with a relative path is given on the cmdline, Perl will look
	# for it in the current working directory and so may not find it.
	# ---

	# use Cwd qw(cwd);
	# my $mycwd = cwd;
	# print "Current working directory is ${mycwd}\n";

	my @lines = <> or die "Could not 'slurp' input (file or STDIN): $!\n";

	# ---
	# Try to create a temporary directory to be filled with certificates;
	# The directory is created in tmpdir(); use "DIR => $dir" as additional
	# argument to change that.
	# ---

	# my $tgdir = tempdir("explode_bundle_XXXX", TMPDIR => 1);
	my $tgdir = tempdir("explode_bundle_XXXX"); # explode in current directory

	if (!$tgdir) {
	die "Could not create temporary directory: $!\n"
	}
	else {
	print STDERR "Created temporary directory '$tgdir' into which result will be written.\n"
	}

	chdir $tgdir \|\| die "Could not change working directory to '$tgdir': $!\n";

	# ---
	# Read and split the slurped file-of-certificates using a simple state machine
	# ---

	my $state = "outside"; # reader state machine state
	my $count = 0; # index of the certificate file we create
	my $fh; # file handle of the certificate file we create
	my $fn; # file name of the certificate file we create
	my $trusted; # either undef or "TRUSTED" depend on type of certificate

	# Certificates marked as "trusted" have "extended validation" fields, that is all.

	for my $line (@lines) {
	chomp $line;
	if ($state eq "outside") {
	if ($line =~ /^(-----BEGIN (TRUSTED )?CERTIFICATE-----)\s*$/) {
	$trusted = $2;
	($fn,$fh) = createCertFile($line,$count);
	$state = "inside";
	$count++
	}
	else {
	print STDERR "Skipping line '$line'\n"
	}
	}
	else {
	die unless $state eq "inside";
	if ($line =~ /^(-----END (TRUSTED )?CERTIFICATE-----)\s*$/) {
	my $marker = $1;
	my $trustedCheck = $2;
	if (!((($trusted && $trustedCheck) \|\| (!$trusted && !$trustedCheck)))) {
	die "Trusted flag difference detected\n"
	}
	$state = "outside";
	print $fh "$marker\n";
	print STDERR "Closing file '$fn'\n";
	close $fh or die "Could not close file '$fn': $!\n";
	my $ret = runOpensslForDecodingAndAppendToFile($fn);
	my $issuer = $$ret[0];
	my $subject = $$ret[1];
	my $selfsigned = ($issuer eq $subject);
	my $fn_newname;
	if ($selfsigned) {
	$fn_newname = "$fn ($subject)" # can leave out the issuer
	}
	else {
	$fn_newname = "$fn ($issuer ---> $subject)"
	}
	# in some cases, the new filename can contain '/'
	$fn_newname =~ s/\//./g;
	rename($fn,$fn_newname) or warn "Could not rename '$fn' to '$fn_newname': $!\n";
	}
	else {
	# Write the line to the target file
	print $fh "$line\n"
	}
	}
	}

	if ($state eq "inside") {
	die "Last certificate was not properly terminated\n"
	}

	print STDERR "Done. Everything can be found in temporary directory '$tgdir'.\n";