@tashian
Last active October 10, 2023 20:03
Using a TPM EKcert as input, recursively fetch the TPM CA certificate chain
```bash
#!/bin/bash
# Using a TPM EKcert filename as input, this script recursively fetches TPM CA certificates.
# It depends on the EKcert having an AIA (Authority Information Access) Issuer URI field.
# This field is not required and may not be present.
# If available, the CA certificates will be saved into the current directory.
#
# To use this script, you will need the following programs:
#   jq   - https://jqlang.github.io/jq/
#   step - https://smallstep.com/docs/step-cli/installation/
#   curl

# Download a certificate from a URL, then recurse into its own AIA issuer URLs.
download_certificate() {
    local url="$1"
    local filename="${url##*/}"

    # A certificate we already hold ends the walk; this also stops an endless
    # loop if a certificate's AIA issuer URL points back at a file we have.
    if [ -e "$filename" ]; then
        echo "Already have $filename, skipping"
        return
    fi

    echo "Downloading certificate from $url..."
    # -f makes curl fail on HTTP errors instead of saving an error page as the certificate.
    if curl -fsSLO "$url"; then
        echo "Certificate downloaded: $filename"
        extract_urls "$filename"
    else
        echo "Failed to download certificate from $url"
    fi
}

# Extract the AIA issuer URLs from a certificate file (PEM or DER) and fetch each one.
# A root CA certificate normally carries no AIA extension, so the recursion ends there.
extract_urls() {
    local cert_file="$1"
    local urls
    urls=$(step certificate inspect "$cert_file" --format json \
        | jq -r '.extensions.authority_info_access.issuer_urls[]?')

    if [ -n "$urls" ]; then
        while read -r url; do
            download_certificate "$url"
        done <<< "$urls"
    else
        echo "No URLs found in certificate: $cert_file"
    fi
}

main() {
    if [ $# -ne 1 ]; then
        echo "Usage: $0 <input_certificate>" >&2
        exit 1
    fi

    local input_certificate="$1"
    if [ ! -f "$input_certificate" ]; then
        echo "Input certificate not found: $input_certificate" >&2
        exit 1
    fi

    extract_urls "$input_certificate"
}

main "$@"
```
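The script above relies on `step` and `jq` to find the AIA `caIssuers` URIs and on the root certificate having no AIA extension to stop the recursion. The following added example (my own code, not part of the gist) shows where that field lives in the DER encoding and how a loop-safe chain walk terminates, using only the Python standard library. The certificates it parses are constructed inline as structurally valid but unsigned placeholders, and the `pki.example.test` URLs are made up; `fetch` stands in for the `curl` call.

```python
"""Added example: locate AIA caIssuers URIs in DER and walk a chain through them."""
from typing import Callable, List, Tuple

OID_AIA = "1.3.6.1.5.5.7.1.1"          # id-pe-authorityInfoAccess
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers (48.1 would be OCSP)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_children(value: bytes):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def aia_issuer_urls(cert_der: bytes) -> List[str]:
    """Return the caIssuers URIs of a DER certificate, or [] if the AIA extension is absent."""
    _, cert, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # tbsCertificate ::= SEQUENCE
    urls: List[str] = []
    for tag, body in iter_children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        _, extensions, _ = read_tlv(body, 0)        # SEQUENCE OF Extension
        for _, ext in iter_children(extensions):
            fields = list(iter_children(ext))       # extnID, [critical], extnValue
            if decode_oid(fields[0][1]) != OID_AIA:
                continue
            _, aia, _ = read_tlv(fields[-1][1], 0)  # OCTET STRING holds SEQUENCE OF AccessDescription
            for _, desc in iter_children(aia):
                method, location = list(iter_children(desc))
                # [6] uniformResourceIdentifier is context tag 6 primitive = 0x86
                if decode_oid(method[1]) == OID_CA_ISSUERS and location[0] == 0x86:
                    urls.append(location[1].decode("ascii"))
    return urls


def walk_chain(leaf_der: bytes, fetch: Callable[[str], bytes], max_depth: int = 10) -> List[str]:
    """Follow caIssuers links upward; return URLs in fetch order. Never refetches a URL."""
    seen: List[str] = []
    frontier = [leaf_der]
    while frontier and len(seen) < max_depth:
        for url in aia_issuer_urls(frontier.pop()):
            if url not in seen:                     # loop guard for self-referential AIA
                seen.append(url)
                frontier.append(fetch(url))
    return seen


# --- constructed fixtures (placeholder certificates, not real EK certs) ---------
def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return bytes(out)


def fake_cert(issuer_urls: List[str]) -> bytes:
    """Structurally valid, unsigned certificate; name/key/signature fields are empty placeholders."""
    descs = b"".join(tlv(0x30, tlv(0x06, encode_oid(OID_CA_ISSUERS)) + tlv(0x86, u.encode("ascii")))
                     for u in issuer_urls)
    ext = tlv(0x30, tlv(0x06, encode_oid(OID_AIA)) + tlv(0x04, tlv(0x30, descs)))
    exts = tlv(0xA3, tlv(0x30, ext)) if issuer_urls else b""   # root: no AIA at all
    empty = tlv(0x30, b"")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + empty * 5 + exts)
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))


def demo_walk() -> List[str]:
    """Leaf -> intermediate -> root through a dict standing in for curl."""
    root = fake_cert([])
    inter = fake_cert(["http://pki.example.test/root.der"])
    leaf = fake_cert(["http://pki.example.test/intermediate.der"])
    store = {"http://pki.example.test/intermediate.der": inter,
             "http://pki.example.test/root.der": root}
    return walk_chain(leaf, store.__getitem__)


if __name__ == "__main__":
    print(demo_walk())
```

Two behaviours worth noting: a certificate without the extension yields an empty list, which is the normal end of the walk at the root, and a certificate whose `caIssuers` URI resolves to something already seen is not fetched again, so a malformed or self-referential chain still terminates. Neither function checks signatures; once the files are on disk, `step certificate verify` or `openssl verify` is the step that actually establishes the EK certificate chains to the vendor root.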