Backport of CACert update scripts (https://www.qnapclub.eu/fr/qpkg/238) for manual use on Qnap QTS 4.3
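#!/bin/sh
# QPKG control script for CACert: start|stop|restart.
# "start" links the package into /opt and, when /etc/ssl/ca-bundle.crt does not
# exist yet, builds it from Mozilla's certdata.txt with make-ca.sh (same dir).
# "stop" prunes expired certs from the default CApath and removes the /opt link.
CONF=/etc/config/qpkg.conf
QPKG_NAME="CACert"
#QPKG_ROOT=`/sbin/getcfg $QPKG_NAME Install_Path -f ${CONF}`
QPKG_ROOT=$(cd "$(dirname "$0")" && pwd)
QPKG_NAME1="QPerl"
QPKG_ROOT1=$(/sbin/getcfg "$QPKG_NAME1" Install_Path -f "$CONF")
export QNAP_QPKG=$QPKG_NAME
export QPKG_ROOT QPKG_ROOT1
export PATH=$QPKG_ROOT1/bin:$PATH
# Exit status of the whole script; set to 1 when the bundle build fails so a
# caller can tell a partial /etc/ssl from a good one.
STATUS=0

# Create the <subject-hash>.0 symlinks that OpenSSL's CApath lookup needs for
# every *.pem in directory $1. Returns 1 on the first cert openssl cannot hash,
# instead of silently pointing a ".0" link at the wrong file.
link_by_hash() {
    for c in "$1"/*.pem; do
        hash=$(openssl x509 -noout -in "$c" -hash) || return 1
        ln -sf "$c" "$1/${hash}.0" || return 1
    done
    return 0
}

case "$1" in
start)
    ENABLED=TRUE #$(/sbin/getcfg $QPKG_NAME Enable -u -d FALSE -f $CONF)
    if [ "$ENABLED" != "TRUE" ]; then
        echo "$QPKG_NAME is disabled."
        exit 1
    fi
    /bin/ln -sf "$QPKG_ROOT" "/opt/$QPKG_NAME"
    #cd $QPKG_ROOT
    #/bin/ln -sf /opt/QPerl/bin/perl /usr/bin/perl
    if [ -f /etc/ssl/ca-bundle.crt ]; then
        echo "/etc/ssl/ca-bundle.crt exists"
    else
        #### fetch the certificates and convert them to the correct format
        # This download is plain HTTP with curl -k (no TLS verification is
        # possible before a CA bundle exists), so the trust anchors installed
        # below are unauthenticated. Compare the fetched certdata.txt against a
        # checksum obtained out of band before relying on the resulting bundle.
        # make-ca.sh is run as "sh -x ..." so the -e in its shebang is not
        # honoured here; the && chain below is what stops on the first failure.
        # /etc/ssl/certs is created before remove-expired-certs.sh prunes it, so
        # the prune runs against a real directory rather than a missing one.
        URL="http://anduin.linuxfromscratch.org/BLFS/other/certdata.txt"
        SSLDIR=/etc/ssl
        if rm -f certdata.txt &&
           curl -kLO "$URL" &&
           sh -x "${QPKG_ROOT}/make-ca.sh" &&
           install -d "${SSLDIR}/certs" &&
           "${QPKG_ROOT}/remove-expired-certs.sh" "${SSLDIR}/certs" &&
           cp -v certs/*.pem "${SSLDIR}/certs" &&
           link_by_hash "${SSLDIR}/certs" &&
           install BLFS-ca-bundle*.crt "${SSLDIR}/ca-bundle.crt" &&
           /bin/ln -sf ../ca-bundle.crt "${SSLDIR}/certs/ca-certificates.crt" &&
           /bin/ln -sf ../ca-bundle.crt "${SSLDIR}/certs/rootca.pem"
        then
            echo "$QPKG_NAME: installed ${SSLDIR}/ca-bundle.crt"
        else
            echo "$QPKG_NAME: building the CA bundle failed; ${SSLDIR} may be incomplete" >&2
            STATUS=1
        fi
        ####
        # Scratch output of make-ca.sh; may not exist if the chain failed early.
        rm -r certs BLFS-ca-bundle* 2>/dev/null || true
        unset URL SSLDIR
    fi
    ;;
stop)
    cd "$QPKG_ROOT" || exit 1
    ./remove-expired-certs.sh
    rm -rf "/opt/$QPKG_NAME"
    ;;
restart)
    "$0" stop
    "$0" start
    ;;
*)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
    ;;
esac
exit $STATUS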
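#!/bin/sh -e
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
#
# Output: certs/<subject-hash>.pem for every record in certdata.txt whose
# CKA_TRUST_SERVER_AUTH is not explicitly unknown/untrusted, plus
# BLFS-ca-bundle-<version>.crt concatenating them. Exits 1 when certdata.txt
# is missing, carries no CVS_ID revision, or no scratch directory can be made.
certdata="certdata.txt"
if [ ! -r "$certdata" ]; then
    echo "$certdata must be in the local directory"
    exit 1
fi
# Field 4 of the CVS_ID line split on '$' is "Revision: <n> ".
REVISION=$(grep CVS_ID "$certdata" | cut -f4 -d'$')
if [ -z "${REVISION}" ]; then
    echo "$certdata has no 'Revision' in CVS_ID"
    exit 1
fi
QPKG_ROOT=$(cd "$(dirname "$0")" && pwd)
VERSION=$(echo $REVISION | cut -f2 -d" ")
TEMPDIR=$(mktemp -d /tmp/cacert.XXXXXX) || { echo "cannot create a temp directory under /tmp"; exit 1; }
# Remove the scratch directory however the script ends (success, error, -e abort).
trap 'rm -r "${TEMPDIR}"' EXIT
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
CONVERTSCRIPT="${QPKG_ROOT}/make-cert.pl"
mkdir "${TEMPDIR}/certs"

# Convert one extracted certdata record ($1) to PEM in ./tempfile.crt via
# make-cert.pl (which reads ./tempfile.cer) and print its subject hash.
convert_record() {
    cp "$1" tempfile.cer
    perl "${CONVERTSCRIPT}" > tempfile.crt
    openssl x509 -noout -in tempfile.crt -hash
}

# Line numbers where each certificate record starts, and where each record's
# trust block ends.
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f1)
# Pair every start line with the first end line after it and dump that span
# to a temp file named after the start line.
for certbegin in ${CERTBEGINLIST}; do
    for certend in ${CERTENDLIST}; do
        if test "${certend}" -gt "${certbegin}"; then
            break
        fi
    done
    sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done
unset CERTBEGINLIST CERTENDLIST certbegin certend
mkdir -p certs
rm -f certs/* # Make sure the directory is clean
for tempfile in "${TEMPDIR}"/certs/*.tmp; do
    # Drop records whose server-auth trust is explicitly unknown or revoked.
    # The pipeline sits in an `if` so its non-matching (trusted) exit status
    # does not trip `sh -e` when this script is run directly.
    if grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | grep -E "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null; then
        keyhash=$(convert_record "${tempfile}")
        echo "Certificate ${keyhash} is not trusted! Removing..."
        rm -f tempfile.cer tempfile.crt "${tempfile}"
        continue
    fi
    # Trusted: name the PEM by subject hash so OpenSSL's CApath can find it.
    keyhash=$(convert_record "${tempfile}")
    if [ -z "${keyhash}" ]; then
        # Without a hash we would otherwise install the file as "certs/.pem".
        echo "Conversion of ${tempfile} failed! Skipping..." >&2
        rm -f tempfile.cer tempfile.crt "${tempfile}"
        continue
    fi
    mv tempfile.crt "certs/${keyhash}.pem"
    rm -f tempfile.cer "${tempfile}"
    echo "Created ${keyhash}.pem"
done
# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
    echo "Certificate 8f111d69 is not trusted! Removing..."
    rm -f certs/8f111d69.pem
fi
# Finally, generate the bundle; the EXIT trap cleans up ${TEMPDIR}.
cat certs/*.pem > "${BUNDLE}"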
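#!/usr/bin/perl
# Used to generate PEM encoded files from Mozilla certdata.txt.
# Run as ./make-cert.pl > certificate.crt
#
# Parts of this script courtesy of RedHat (mkcabundle.pl)
#
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
use strict;
use warnings;

# Decode one MULTILINE_OCTAL line such as "\060\202\004..." into raw bytes.
# Fragments are split on the backslash; the empty fragment before the first
# backslash and any trailing newline (or CR LF) are ignored.
# Returns a byte string (no character encoding applied).
sub octal_line_to_bytes {
    my ($line) = @_;
    $line =~ s/\s+\z//;
    my @octets = grep { length } split /\\/, $line;
    return pack 'C*', map { oct $_ } @octets;
}

# Read ./tempfile.cer and stream the DER bytes of each CKA_VALUE block through
# `openssl x509`, which writes the PEM (with -text and -fingerprint) to STDOUT.
# Dies if the input cannot be opened or if openssl fails on a block, so the
# caller never installs an empty or truncated certificate file.
sub main {
    my $certdata = './tempfile.cer';
    # Plain read of the file; the old `cat $certdata|` pipe is unnecessary.
    open my $in, '<', $certdata
        or die "could not open $certdata: $!";
    # Autoflush STDOUT so our separator lines stay ordered after openssl's output.
    $| = 1;
    my $out;    # pipe to openssl while inside a CKA_VALUE block, else undef
    while (my $line = <$in>) {
        if ($line =~ /^CKA_VALUE MULTILINE_OCTAL/) {
            # List-form open: the argument vector goes to openssl without a shell.
            open $out, '|-', 'openssl', 'x509', '-text', '-inform', 'DER', '-fingerprint'
                or die "could not pipe to openssl x509: $!";
        }
        elsif ($line =~ /^END/ && $out) {
            # close() waits for openssl; a non-zero exit means the DER was rejected.
            close $out
                or die "openssl x509 failed (exit status " . ($? >> 8) . ")";
            undef $out;
            print "\n\n";
        }
        elsif ($out) {
            print {$out} octal_line_to_bytes($line);
        }
    }
    close $in;
    # Input ended inside a CKA_VALUE block: still wait for openssl and check it.
    if ($out) {
        close $out
            or die "openssl x509 failed (exit status " . ($? >> 8) . ")";
    }
    return;
}

# Run as a script, but stay importable (modulino) so the decoder can be tested.
main() unless caller;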
#!/bin/sh
# Begin /usr/sbin/remove-expired-certs.sh
#
# Version 20120211
# Make sure the date is parsed correctly on all systems
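# Convert an openssl notAfter date ("Mon D HH:MM:SS YYYY GMT") into YYYYMMDD in
# the global $certdate. Returns 1 and clears $certdate when the day, year or
# month is not recognised, so a caller can skip the cert instead of comparing
# garbage against today's date.
mydate()
{
    # Word-split the date ourselves: field 1 month, 2 day, 4 year. This also
    # tolerates the double space openssl emits before single-digit days.
    set -- $1
    local M=$1
    local d=$2
    local y=$4
    local m
    certdate=""
    case $d in
        [0-9]) d="0${d}";;
        [0-9][0-9]) ;;
        *) return 1;;
    esac
    case $y in
        [0-9][0-9][0-9][0-9]) ;;
        *) return 1;;
    esac
    case $M in
        Jan) m="01";;
        Feb) m="02";;
        Mar) m="03";;
        Apr) m="04";;
        May) m="05";;
        Jun) m="06";;
        Jul) m="07";;
        Aug) m="08";;
        Sep) m="09";;
        Oct) m="10";;
        Nov) m="11";;
        Dec) m="12";;
        *) return 1;;
    esac
    certdate="${y}${m}${d}"
    return 0
}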
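OPENSSL=/usr/bin/openssl
DIR=/etc/ssl/certs
if [ $# -gt 0 ]; then
    DIR="$1"
fi
today=$( date +%Y%m%d )
# One find for both suffixes, consumed line by line so file names containing
# spaces are not split apart (names containing newlines would still break it).
find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) | while read -r cert; do
    # A file openssl cannot parse is skipped rather than passed to mydate as
    # an empty string; it is never deleted on the strength of a parse failure.
    if ! notafter=$( "$OPENSSL" x509 -enddate -in "${cert}" -noout 2>/dev/null ); then
        echo "${cert}: not a readable certificate, skipping" >&2
        continue
    fi
    # Strip the "notAfter=" prefix; mydate does its own word splitting.
    if ! mydate "${notafter#notAfter=}"; then
        echo "${cert}: unparsable expiry '${notafter}', skipping" >&2
        continue
    fi
    if [ "${certdate}" -lt "${today}" ]; then
        echo "${cert} expired on ${certdate}! Removing..."
        rm -f "${cert}"
    fi
done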