├── .gitignore ├── test ├── certs │ ├── bad │ │ ├── non-cert.txt │ │ ├── intermediate.pem │ │ └── leaf.pem │ ├── c4.pem │ ├── Baltimore CyberTrust Root.crt │ ├── c3.pem │ ├── c2.pem │ └── c1.pem ├── unrecognized-cmd.bats ├── check-negative-no-clear-src.bats ├── check-positive.bats ├── generate-local.bats ├── generate-clear.bats ├── generate-mix.bats ├── check-negative-no-var.bats ├── add-no-localsrc.bats ├── generate-with-distrusted.bats ├── check-negative-var-ro.bats ├── distrust-no-localsrc.bats ├── generate-internal-rehash.bats ├── copy-negative.bats ├── remove-positive.bats ├── test_lib.bash ├── distrust-add-clear.bats ├── add-remove-with-spaces.bats ├── add-remove.bats ├── generate-duplicates.bats └── add-negative.bats ├── how-to-make-a-release ├── Makefile ├── README.md ├── clrtrust-helper.c ├── man └── clrtrust.1.md ├── COPYING └── clrtrust.in /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | clrtrust-helper 3 | clrtrust 4 | man/ 5 | !man/*.md -------------------------------------------------------------------------------- /test/certs/bad/non-cert.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | Hi! I am a sophisticated non-certificate text. 3 | -------------------------------------------------------------------------------- /how-to-make-a-release: -------------------------------------------------------------------------------- 1 | 1) Tag new release version and push tag to github and use github ui to draft a new release 2 | -------------------------------------------------------------------------------- /test/unrecognized-cmd.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | } 10 | 11 | @test "handle unrecognized command" { 12 | run $CLRTRUST regenerate 13 | [ $status -ne 0 ] 14 | } 15 | 16 | teardown() { 17 | remove_fs 18 | } 19 | 20 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 21 | -------------------------------------------------------------------------------- /test/check-negative-no-clear-src.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | rm -r $CLR_CLEAR_TRUST_SRC 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "check fails when there's no Clear source" { 14 | run $CLRTRUST check 15 | [ $status -ne 0 ] 16 | [ -n "$output" ] 17 | } 18 | 19 | teardown() { 20 | remove_fs 21 | } 22 | 23 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 24 | -------------------------------------------------------------------------------- /test/check-positive.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "check on a correct environment" { 14 | $CLRTRUST check 15 | } 16 | 17 | @test "check when there's no local source" { 18 | rm -r $CLR_LOCAL_TRUST_SRC 19 | $CLRTRUST check 20 | } 21 | 22 | teardown() { 23 | remove_fs 24 | } 25 | 26 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 27 | -------------------------------------------------------------------------------- /test/generate-local.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-4].pem $CLR_LOCAL_TRUST_SRC/trusted 10 | } 11 | 12 | @test "generate store, all local" { 13 | $CLRTRUST generate 14 | cnt=$(ls $STORE/anchors | wc -l) 15 | [ $cnt -eq 9 ] 16 | cnt=$($CLRTRUST list | grep ^id | wc -l) 17 | [ $cnt -eq 4 ] 18 | [ -f $STORE/compat/ca-roots.keystore ] 19 | [ -f $STORE/compat/ca-roots.pem ] 20 | } 21 | 22 | teardown() { 23 | remove_fs 24 | } 25 | 26 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 27 | -------------------------------------------------------------------------------- /test/generate-clear.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-4].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | } 11 | 12 | @test "generate store, all provided by Clear Linux" { 13 | $CLRTRUST generate 14 | cnt=$(ls $STORE/anchors | wc -l) 15 | [ $cnt -eq 9 ] 16 | cnt=$($CLRTRUST list | grep ^id | wc -l) 17 | [ $cnt -eq 4 ] 18 | [ -f $STORE/compat/ca-roots.keystore ] 19 | [ -f $STORE/compat/ca-roots.pem ] 20 | } 21 | 22 | teardown() { 23 | remove_fs 24 | } 25 | 26 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 27 | -------------------------------------------------------------------------------- /test/generate-mix.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "generate store, source both Clear and local" { 14 | $CLRTRUST generate 15 | cnt=$(ls $STORE/anchors | wc -l) 16 | [ $cnt -eq 9 ] 17 | cnt=$($CLRTRUST list | grep ^id | wc -l) 18 | [ $cnt -eq 4 ] 19 | [ -f $STORE/compat/ca-roots.keystore ] 20 | [ -f $STORE/compat/ca-roots.pem ] 21 | } 22 | 23 | teardown() { 24 | remove_fs 25 | } 26 | 27 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 28 | -------------------------------------------------------------------------------- /test/check-negative-no-var.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | dir=$(dirname ${CLR_TRUST_STORE}) 12 | rm -r $dir 13 | } 14 | 15 | @test "check fails when there's no parent for trust store" { 16 | if [ -z "${USER}" ]; then 17 | skip "mock chroot environment. \$USER is not defined." 18 | fi 19 | run $CLRTRUST check 20 | [ $status -ne 0 ] 21 | [ -n "$output" ] 22 | } 23 | 24 | teardown() { 25 | remove_fs 26 | } 27 | 28 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 29 | -------------------------------------------------------------------------------- /test/add-no-localsrc.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | rm -rf $CLR_LOCAL_TRUST_SRC/trusted $CLR_LOCAL_TRUST_SRC/distrusted 10 | } 11 | 12 | @test "add cert when the local trust src is not there" { 13 | # add acceptable CA 14 | run $CLRTRUST add $CERTS/c1.pem 15 | [ $status -eq 0 ] 16 | run $CLRTRUST list 17 | [ $status -eq 0 ] 18 | cnt=$(echo "$output" | grep ^id | wc -l) 19 | [ $cnt -eq 1 ] 20 | [ -d $CLR_LOCAL_TRUST_SRC/trusted ] 21 | [ -d $CLR_LOCAL_TRUST_SRC/distrusted ] 22 | } 23 | 24 | teardown() { 25 | remove_fs 26 | } 27 | 28 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 29 | -------------------------------------------------------------------------------- /test/generate-with-distrusted.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | cp $CERTS/c2.pem $CLR_LOCAL_TRUST_SRC/distrusted 12 | } 13 | 14 | @test "generate store, source both Clear and local, local distrust" { 15 | $CLRTRUST generate 16 | cnt=$(ls $STORE/anchors | wc -l) 17 | [ ! -f $STORE/anchors/c2.pem ] 18 | [ $cnt -eq 7 ] 19 | cnt=$($CLRTRUST list | grep ^id | wc -l) 20 | [ $cnt -eq 3 ] 21 | } 22 | 23 | teardown() { 24 | remove_fs 25 | } 26 | 27 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 28 | -------------------------------------------------------------------------------- /test/check-negative-var-ro.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | chmod 400 $(dirname ${CLR_TRUST_STORE}) 12 | } 13 | 14 | @test "check fails when trust store cannot be written" { 15 | if [ -z "${USER}" ]; then 16 | skip "mock chroot environment. \$USER is not defined." 17 | fi 18 | run $CLRTRUST check 19 | [ $status -ne 0 ] 20 | [ -n "$output" ] 21 | } 22 | 23 | teardown() { 24 | chmod 755 $(dirname ${CLR_TRUST_STORE}) 25 | remove_fs 26 | } 27 | 28 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 29 | -------------------------------------------------------------------------------- /test/distrust-no-localsrc.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c1.pem $CLR_CLEAR_TRUST_SRC/trusted 10 | rm -rf $CLR_LOCAL_TRUST_SRC 11 | } 12 | 13 | @test "remove cert when local trust src is not there" { 14 | # add acceptable CA 15 | run $CLRTRUST remove $CERTS/c1.pem 16 | [ $status -eq 0 ] 17 | run $CLRTRUST list 18 | [ $status -eq 0 ] 19 | cnt=$(echo "$output" | grep ^id | wc -l) 20 | [ $cnt -eq 0 ] 21 | [ -d $CLR_LOCAL_TRUST_SRC/trusted ] 22 | [ -d $CLR_LOCAL_TRUST_SRC/distrusted ] 23 | } 24 | 25 | teardown() { 26 | remove_fs 27 | } 28 | 29 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 30 | -------------------------------------------------------------------------------- /test/generate-internal-rehash.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "generate store, using internal rehash" { 14 | $CLRTRUST -c generate 15 | cnt=$(ls $STORE/anchors | wc -l) 16 | [ $cnt -eq 9 ] 17 | cnt=$(find $STORE/anchors -type l | wc -l) 18 | [ $cnt -eq 5 ] 19 | cnt=$($CLRTRUST list | grep ^id | wc -l) 20 | [ $cnt -eq 4 ] 21 | [ -f $STORE/compat/ca-roots.keystore ] 22 | [ -f $STORE/compat/ca-roots.pem ] 23 | } 24 | 25 | teardown() { 26 | remove_fs 27 | } 28 | 29 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 30 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2020 Intel Corporation. 2 | 3 | LDLIBS := -lcrypto 4 | CFLAGS := -W -Wall -Werror -std=gnu9x 5 | 6 | BINDIR := /usr/bin 7 | LIBEXECDIR := /usr/libexec 8 | MANDIR := /usr/share/man 9 | 10 | .PHONY: build install check clean 11 | 12 | build: clrtrust-helper clrtrust man/clrtrust.1 13 | 14 | clrtrust-helper: clrtrust-helper.o 15 | 16 | clrtrust: clrtrust.in 17 | cat clrtrust.in | sed -e 's:LIBEXEC_CONFIG_VALUE:$(LIBEXECDIR):' > $@ 18 | chmod +x clrtrust 19 | 20 | man/%: man/%.md 21 | pandoc -s -f markdown -t man $< --output $@ 22 | 23 | install: 24 | install -D --mode=0755 clrtrust ${INSTALL_ROOT}${BINDIR}/clrtrust 25 | install -D --mode=0755 clrtrust-helper ${INSTALL_ROOT}${LIBEXECDIR}/clrtrust-helper 26 | install -D --mode=0644 man/clrtrust.1 ${INSTALL_ROOT}${MANDIR}/man1/clrtrust.1 27 | 28 | check: build 29 | bats -t test 30 | 31 | clean: 32 | rm -rf clrtrust-helper clrtrust-helper.o clrtrust man/clrtrust.1 33 | -------------------------------------------------------------------------------- /test/copy-negative.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | # copy bad certificate 10 | cp $CERTS/bad/non-cert.txt $CLR_LOCAL_TRUST_SRC/trusted 11 | # copy good certificate 12 | cp $CERTS/c1.pem $CLR_LOCAL_TRUST_SRC/trusted 13 | } 14 | 15 | @test "helper returns error code 2 if bad certificate found" { 16 | find $CLR_LOCAL_TRUST_SRC/trusted -type f | { 17 | run $CLRTRUST_HELPER -f 18 | echo $output 19 | # should return 2 20 | [ $status -eq 2 ] 21 | } 22 | } 23 | 24 | @test "generate returns error code 127 if bad certificate found" { 25 | run $CLRTRUST generate 26 | # should return 127 27 | echo "$output" | grep "is not a PEM-encoded X.509" 28 | [ $status -eq 127 ] 29 | } 30 | 31 | teardown() { 32 | remove_fs 33 | } 34 | 35 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 36 | -------------------------------------------------------------------------------- /test/remove-positive.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "distrust Clear-provided CAs" { 14 | run $CLRTRUST generate 15 | [ $status -eq 0 ] 16 | cnt=$(ls $STORE/anchors | wc -l) 17 | [ $cnt -eq 9 ] 18 | cnt=$($CLRTRUST list | grep ^id | wc -l) 19 | [ $cnt -eq 4 ] 20 | # removing a Clear-provided CA should "distrust" it, not remove 21 | [ -f $CLR_TRUST_STORE/anchors/c1.pem ] 22 | $CLRTRUST remove $CERTS/c1.pem 23 | [ -f $CLR_LOCAL_TRUST_SRC/distrusted/c1.pem ] 24 | [ ! -f $CLR_TRUST_STORE/anchors/c1.pem ] 25 | # removing a locally provided CA should wipe it out from the trust store 26 | [ -f $CLR_TRUST_STORE/anchors/c3.pem ] 27 | $CLRTRUST remove $CERTS/c3.pem 28 | [ ! -f $CLR_LOCAL_TRUST_SRC/trusted/c3.pem ] 29 | [ ! -f $CLR_TRUST_STORE/anchors/c3.pem ] 30 | } 31 | 32 | teardown() { 33 | remove_fs 34 | } 35 | 36 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 37 | -------------------------------------------------------------------------------- /test/test_lib.bash: -------------------------------------------------------------------------------- 1 | # Copyright 2017 Intel Corporation 2 | 3 | find_clrtrust() { 4 | if [ -x $BATS_TEST_DIRNAME/../clrtrust ]; then 5 | CLRTRUST=$(realpath $BATS_TEST_DIRNAME/../clrtrust) 6 | else 7 | return 1 8 | fi 9 | if [ -x $BATS_TEST_DIRNAME/../clrtrust-helper ]; then 10 | CLRTRUST_HELPER=$(realpath $BATS_TEST_DIRNAME/../clrtrust-helper) 11 | else 12 | return 1 13 | fi 14 | } 15 | 16 | setup_fs() { 17 | ROOT=$(mktemp -d) 18 | CERTS=$BATS_TEST_DIRNAME/certs 19 | mkdir -p $ROOT/etc/ca-certs/trusted 20 | mkdir -p $ROOT/etc/ca-certs/distrusted 21 | mkdir -p $ROOT/usr/share/ca-certs/trusted 22 | mkdir -p $ROOT/usr/share/ca-certs/distrusted 23 | mkdir -p $ROOT/var/cache/ca-certs 24 | CLR_TRUST_STORE=$ROOT/var/cache/ca-certs 25 | STORE=$CLR_TRUST_STORE 26 | CLR_LOCAL_TRUST_SRC=$ROOT/etc/ca-certs 27 | CLR_CLEAR_TRUST_SRC=$ROOT/usr/share/ca-certs 28 | export CLR_TRUST_STORE CLR_LOCAL_TRUST_SRC CLR_CLEAR_TRUST_SRC 29 | } 30 | 31 | remove_fs() { 32 | unset CLR_TRUST_STORE CLR_LOCAL_TRUST_SRC CLR_CLEAR_TRUST_SRC 33 | rm -rf $ROOT 34 | } 35 | 36 | # vim: ft=sh:sw=4:ts=4:et:tw=80:ai 37 | -------------------------------------------------------------------------------- /test/distrust-add-clear.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | } 12 | 13 | @test "distrust Clear-provided cert, add it back" { 14 | $CLRTRUST generate 15 | cnt=$(ls $STORE/anchors | wc -l) 16 | [ $cnt -eq 9 ] 17 | cnt=$($CLRTRUST list | grep ^id | wc -l) 18 | [ $cnt -eq 4 ] 19 | $CLRTRUST remove $CERTS/c1.pem 20 | cnt=$($CLRTRUST list | grep ^id | wc -l) 21 | [ $cnt -eq 3 ] 22 | [ -f $CLR_LOCAL_TRUST_SRC/distrusted/c1.pem ] 23 | [ -f $CLR_CLEAR_TRUST_SRC/trusted/c1.pem ] 24 | [ ! -f $CLR_LOCAL_TRUST_SRC/trusted/c1.pem ] 25 | $CLRTRUST add $CERTS/c1.pem 26 | cnt=$($CLRTRUST list | grep ^id | wc -l) 27 | find $CLR_LOCAL_TRUST_SRC 28 | [ $cnt -eq 4 ] 29 | [ ! -f $CLR_LOCAL_TRUST_SRC/distrusted/c1.pem ] 30 | [ -f $CLR_CLEAR_TRUST_SRC/trusted/c1.pem ] 31 | [ ! -f $CLR_LOCAL_TRUST_SRC/trusted/c1.pem ] 32 | } 33 | 34 | teardown() { 35 | remove_fs 36 | } 37 | 38 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 39 | -------------------------------------------------------------------------------- /test/certs/c4.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDfDCCAmSgAwIBAgIQGKy1av1pthU6Y2yv2vrEoTANBgkqhkiG9w0BAQUFADBY 3 | MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjExMC8GA1UEAxMo 4 | R2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNjEx 5 | MjcwMDAwMDBaFw0zNjA3MTYyMzU5NTlaMFgxCzAJBgNVBAYTAlVTMRYwFAYDVQQK 6 | Ew1HZW9UcnVzdCBJbmMuMTEwLwYDVQQDEyhHZW9UcnVzdCBQcmltYXJ5IENlcnRp 7 | ZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC 8 | AQEAvrgVe//UfH1nrYNke8hCUy3f9oQIIGHWAVlqnEQRr+92/ZV+zmEwu3qDXwK9 9 | AWbK7hWNb6EwnL2hhZ6UOvNWiAAxz9juapYC2e0DjPt1befquFUWBRaa9OBesYjA 10 | ZIVcFU2Ix7e64HXprQU9nceJSOC7KMgD4TCTZF5SwFlwIjVXiIrxlQqD17wxcwE0 11 | 7e9GceBrAqg1cmuXm2bgyxx5X9gaBGgeRwLmnWDiNpcB3841kt++Z8dtd1k7j53W 12 | kBWUvEI0EME5+bEnPn7WinXFsq+W06Lem+SYvn3h6YGttm/81w7a4DSwDRp35+MI 13 | mO9Y+pyEtzavwt+s0vQQBnBxNQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4G 14 | A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQULNVQQZcVi/CPNmFbSvtr2ZnJM5IwDQYJ 15 | KoZIhvcNAQEFBQADggEBAFpwfyzdtzRP9YZRqSa+S7iq8XEN3GHHoOo0Hnp3DwQ1 16 | 6CePbJC/kRYkRj5KTs4rFtULUh38H2eiAkUxT87z+gOneZ1TatnaYzr4gNfTmeGl 17 | 4b7UVXGYNTq+k+qurUKykG/g/CFNNWMziUnWm07Kx+dOCQD32sfvmWKZd7aVIl6K 18 | oKv0uHiYyjgZmclynnjNS6yvGaBzEi38wkG6gZHaFloxt/m0cYASSJlyc1pZU8Fj 19 | UjPtp8nSOQJw+uCxQmYpqptR7TBUIhRf2asdweSU8Pj1K/fqynhG1riR/aYNKxoU 20 | AT6A8EKglQdebc3MS6RFjasS6LPeWuWgfOgPIh1a6Vk= 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /test/certs/Baltimore CyberTrust Root.crt: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ 3 | RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD 4 | VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX 5 | DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y 6 | ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy 7 | VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr 8 | mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr 9 | IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK 10 | mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu 11 | XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy 12 | dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye 13 | jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1 14 | BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3 15 | DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92 16 | 9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx 17 | jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0 18 | Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz 19 | ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS 20 | R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp 21 | -----END CERTIFICATE----- 22 | -------------------------------------------------------------------------------- /test/add-remove-with-spaces.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c1.pem "$CLR_CLEAR_TRUST_SRC/trusted/COMODO RSA Certification Authority.pem" 10 | } 11 | 12 | @test "add, remove files with spaces in names" { 13 | $CLRTRUST generate 14 | cnt=$(ls $STORE/anchors | wc -l) 15 | [ $cnt -eq 3 ] # file and symlink 16 | run $CLRTRUST list 17 | [ $status -eq 0 ] 18 | cnt=$(echo "$output"| grep ^id | wc -l) 19 | [ $cnt -eq 1 ] 20 | # add file with spaces 21 | $CLRTRUST add $CERTS/'Baltimore CyberTrust Root.crt' 22 | run $CLRTRUST list 23 | cnt=$(echo "$output" | grep ^id | wc -l) 24 | [ $cnt -eq 2 ] 25 | $CLRTRUST add $CERTS/c2.pem 26 | run $CLRTRUST list 27 | cnt=$(echo "$output" | grep ^id | wc -l) 28 | [ $cnt -eq 3 ] 29 | $CLRTRUST remove $CERTS/'Baltimore CyberTrust Root.crt' $CERTS/c2.pem 30 | run $CLRTRUST list 31 | cnt=$(echo "$output" | grep ^id | wc -l) 32 | [ $cnt -eq 1 ] 33 | $CLRTRUST remove "$CLR_CLEAR_TRUST_SRC/trusted/COMODO RSA Certification Authority.pem" 34 | run $CLRTRUST list 35 | cnt=$(echo "$output" | grep ^id | wc -l) 36 | [ $cnt -eq 0 ] 37 | } 38 | 39 | teardown() { 40 | true 41 | #remove_fs 42 | } 43 | 44 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 45 | -------------------------------------------------------------------------------- /test/certs/c3.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIDnzCCAoegAwIBAgIBJjANBgkqhkiG9w0BAQUFADBxMQswCQYDVQQGEwJERTEc 3 | MBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxlU2Vj 4 | IFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290IENB 5 | IDIwHhcNOTkwNzA5MTIxMTAwWhcNMTkwNzA5MjM1OTAwWjBxMQswCQYDVQQGEwJE 6 | RTEcMBoGA1UEChMTRGV1dHNjaGUgVGVsZWtvbSBBRzEfMB0GA1UECxMWVC1UZWxl 7 | U2VjIFRydXN0IENlbnRlcjEjMCEGA1UEAxMaRGV1dHNjaGUgVGVsZWtvbSBSb290 8 | IENBIDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrC6M14IspFLEU 9 | ha88EOQ5bzVdSq7d6mGNlUn0b2SjGmBmpKlAIoTZ1KXleJMOaAGtuU1cOs7TuKhC 10 | QN/Po7qCWWqSG6wcmtoIKyUn+WkjR/Hg6yx6m/UTAtB+NHzCnjwAWav12gz1Mjwr 11 | rFDa1sPeg5TKqAyZMg4ISFZbavva4VhYAUlfckE8FQYBjl2tqriTtM2e66foai1S 12 | NNs671x1Udrb8zH57nGYMsRUFUQM+ZtV7a3fGAigo4aKSe5TBY8ZTNXeWHmb0moc 13 | QqvF1afPaA+W5OFhmHZhyJF81j4A4pFQh+GdCuatl9Idxjp9y7zaAzTVjlsB9WoH 14 | txa2bkp/AgMBAAGjQjBAMB0GA1UdDgQWBBQxw3kbuvVT1xfgiXotF2wKsyudMzAP 15 | BgNVHRMECDAGAQH/AgEFMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOC 16 | AQEAlGRZrTlk5ynrE/5aw4sTV8gEJPB0d8Bg42f76Ymmg7+Wgnxu1MM9756Abrsp 17 | tJh6sTtU6zkXR34ajgv8HzFZMQSyzhfzLMdiNlXiItiJVbSYSKpk+tYcNthEeFpa 18 | IzpXl/V6ME+un2pMSyuOoAPjPuCp1NJ70rOo4nI8rZ7/gFnkm0W09juwzTkZmDLl 19 | 6iFhkOQxIY40sfcvNUqFENrnijchvllj4PKFiDFT1FQUhXB59C4Gdyd1Lx+4ivn+ 20 | xbrYNuSD7Odlt79jWvNGr4GUN9RBjNYj1h7P9WgbRGOiWrqnNVmh5XAFmw4jV5mU 21 | Cm26OWMohpLzGITY+9HPBVZkVw== 22 | -----END CERTIFICATE----- 23 | -------------------------------------------------------------------------------- /test/add-remove.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | } 10 | 11 | @test "generate empty store, add certificate" { 12 | $CLRTRUST generate 13 | cnt=$(ls $STORE/anchors | wc -l) 14 | [ $cnt -eq 1 ] 15 | run $CLRTRUST list 16 | [ $status -eq 0 ] 17 | [ -z "$output" ] 18 | # add one CA 19 | $CLRTRUST add $CERTS/c1.pem 20 | [ $? -eq 0 ] 21 | run $CLRTRUST list 22 | cnt=$(echo "$output"| grep ^id | wc -l) 23 | [ $cnt -eq 1 ] 24 | # add another one 25 | $CLRTRUST add $CERTS/c2.pem 26 | run $CLRTRUST list 27 | cnt=$(echo "$output" | grep ^id | wc -l) 28 | [ $cnt -eq 2 ] 29 | # add duplicate 30 | $CLRTRUST add $CERTS/c1.pem 31 | # add two 32 | $CLRTRUST add $CERTS/c[3=4].pem 33 | run $CLRTRUST list 34 | cnt=$(echo "$output" | grep ^id | wc -l) 35 | [ $cnt -eq 4 ] 36 | # remove one 37 | $CLRTRUST remove $CERTS/c3.pem 38 | run $CLRTRUST list 39 | cnt=$(echo "$output" | grep ^id | wc -l) 40 | [ $cnt -eq 3 ] 41 | # remove two 42 | $CLRTRUST remove $CERTS/c1.pem $CERTS/c4.pem 43 | run $CLRTRUST list 44 | cnt=$(echo "$output" | grep ^id | wc -l) 45 | [ $cnt -eq 1 ] 46 | # remove last 47 | $CLRTRUST remove $CERTS/c2.pem 48 | run $CLRTRUST list 49 | [ -z "$output" ] 50 | } 51 | 52 | teardown() { 53 | remove_fs 54 | } 55 | 56 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 57 | -------------------------------------------------------------------------------- /test/generate-duplicates.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | cp $CERTS/c[1-2].pem $CLR_CLEAR_TRUST_SRC/trusted 10 | cp $CERTS/c[3-4].pem $CLR_LOCAL_TRUST_SRC/trusted 11 | # add duplicate 12 | cp $CERTS/c1.pem $CLR_LOCAL_TRUST_SRC/trusted/c1-local.pem 13 | cp $CERTS/c1.pem $CLR_LOCAL_TRUST_SRC/trusted/c100-new.pem 14 | cp $CERTS/c2.pem $CLR_LOCAL_TRUST_SRC/trusted/c2-local.pem 15 | } 16 | 17 | @test "generate store containing duplicates, multiple" { 18 | run $CLRTRUST generate 19 | [ $status -eq 0 ] 20 | cnt=$(ls $STORE/anchors | wc -l) 21 | [ $cnt -eq 9 ] 22 | cnt=$($CLRTRUST list | grep ^id | wc -l) 23 | [ $cnt -eq 4 ] 24 | } 25 | 26 | @test "generate store containing duplicates, single, many instances" { 27 | rm $CLR_LOCAL_TRUST_SRC/trusted/c2-local.pem 28 | run $CLRTRUST generate 29 | [ $status -eq 0 ] 30 | cnt=$(ls $STORE/anchors | wc -l) 31 | [ $cnt -eq 9 ] 32 | cnt=$($CLRTRUST list | grep ^id | wc -l) 33 | [ $cnt -eq 4 ] 34 | $CLRTRUST list 35 | } 36 | 37 | @test "generate store containing duplicates, single, one instance" { 38 | rm $CLR_LOCAL_TRUST_SRC/trusted/c100-new.pem 39 | run $CLRTRUST generate 40 | [ $status -eq 0 ] 41 | cnt=$(ls $STORE/anchors | wc -l) 42 | [ $cnt -eq 9 ] 43 | cnt=$($CLRTRUST list | grep ^id | wc -l) 44 | [ $cnt -eq 4 ] 45 | $CLRTRUST list 46 | } 47 | 48 | teardown() { 49 | remove_fs 50 | } 51 | 52 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 53 | -------------------------------------------------------------------------------- /test/certs/bad/intermediate.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEKDCCAxCgAwIBAgIQAQAhJYiw+lmnd+8Fe2Yn3zANBgkqhkiG9w0BAQsFADBC 3 | MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMS 4 | R2VvVHJ1c3QgR2xvYmFsIENBMB4XDTE3MDUyMjExMzIzN1oXDTE4MTIzMTIzNTk1 5 | OVowSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMT 6 | HEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwggEiMA0GCSqGSIb3DQEBAQUA 7 | A4IBDwAwggEKAoIBAQCcKgR3XNhQkToGo4Lg2FBIvIk/8RlwGohGfuCPxfGJziHu 8 | Wv5hDbcyRImgdAtTT1WkzoJile7rWV/G4QWAEsRelD+8W0g49FP3JOb7kekVxM/0 9 | Uw30SvyfVN59vqBrb4fA0FAfKDADQNoIc1Fsf/86PKc3Bo69SxEE630k3ub5/DFx 10 | +5TVYPMuSq9C0svqxGoassxT3RVLix/IGWEfzZ2oPmMrhDVpZYTIGcVGIvhTlb7j 11 | gEoQxirsupcgEcc5mRAEoPBhepUljE5SdeK27QjKFPzOImqzTs9GA5eXA37Asd57 12 | r0Uzz7o+cbfe9CUlwg01iZ2d+w4ReYkeN8WvjnJpAgMBAAGjggERMIIBDTAfBgNV 13 | HSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1 14 | dvWBtrtiGrpagS8wDgYDVR0PAQH/BAQDAgEGMC4GCCsGAQUFBwEBBCIwIDAeBggr 15 | BgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBIGA1UdEwEB/wQIMAYBAf8CAQAw 16 | NQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9i 17 | YWwuY3JsMCEGA1UdIAQaMBgwDAYKKwYBBAHWeQIFATAIBgZngQwBAgIwHQYDVR0l 18 | BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBCwUAA4IBAQDKSeWs 19 | 12Rkd1u+cfrP9B4jx5ppY1Rf60zWGSgjZGaOHMeHgGRfBIsmr5jfCnC8vBk97nsz 20 | qX+99AXUcLsFJnnqmseYuQcZZTTMPOk/xQH6bwx+23pwXEz+LQDwyr4tjrSogPsB 21 | E4jLnD/lu3fKOmc2887VJwJyQ6C9bgLxRwVxPgFZ6RGeGvOED4Cmong1L7bHon8X 22 | fOGLVq7uZ4hRJzBgpWJSwzfVO+qFKgE4h6LPcK2kesnE58rF2rwjMvL+GMJ74N87 23 | L9TQEOaWTPtEtyFkDbkAlDASJodYmDkFOA/MgkgMCkdm7r+0X8T/cKjhf4t5K7hl 24 | MqO5tzHpCvX2HzLc 25 | -----END CERTIFICATE----- 26 | -------------------------------------------------------------------------------- /test/certs/c2.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIEuTCCA6GgAwIBAgIQQBrEZCGzEyEDDrvkEhrFHTANBgkqhkiG9w0BAQsFADCB 3 | vTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL 4 | ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwOCBWZXJp 5 | U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MTgwNgYDVQQDEy9W 6 | ZXJpU2lnbiBVbml2ZXJzYWwgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAe 7 | Fw0wODA0MDIwMDAwMDBaFw0zNzEyMDEyMzU5NTlaMIG9MQswCQYDVQQGEwJVUzEX 8 | MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0 9 | IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA4IFZlcmlTaWduLCBJbmMuIC0gRm9y 10 | IGF1dGhvcml6ZWQgdXNlIG9ubHkxODA2BgNVBAMTL1ZlcmlTaWduIFVuaXZlcnNh 11 | bCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF 12 | AAOCAQ8AMIIBCgKCAQEAx2E3XrEBNNti1xWb/1hajCMj1mCOkdeQmIN65lgZOIzF 13 | 9uVkhbSicfvtvbnazU0AtMgtc6XHaXGVHzk8skQHnOgO+k1KxCHfKWGPMiJhgsWH 14 | H26MfF8WIFFE0XBPV+rjHOPMee5Y2A7Cs0WTwCznmhcrewA3ekEzeOEz4vMQGn+H 15 | LL729fdC4uW/h2KJXwBL38Xd5HVEMkE6HnFuacsLdUYI0crSK5XQz/u5QGtkjFdN 16 | /BMReYTtXlT2NJ8IAfMQJQYXStrxHXpma5hgZqTZ79IugvHw7wnqRMkVauIDbjPT 17 | rJ9VAMf2CGqUuV/c4DPxhGD5WycRtPwW8rtWaoAljQIDAQABo4GyMIGvMA8GA1Ud 18 | EwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMG0GCCsGAQUFBwEMBGEwX6FdoFsw 19 | WTBXMFUWCWltYWdlL2dpZjAhMB8wBwYFKw4DAhoEFI/l0xqGrI2Oa8PPgGrUSBgs 20 | exkuMCUWI2h0dHA6Ly9sb2dvLnZlcmlzaWduLmNvbS92c2xvZ28uZ2lmMB0GA1Ud 21 | DgQWBBS2d/ppSEefUxLVwuoHMnYH0ZcHGTANBgkqhkiG9w0BAQsFAAOCAQEASvj4 22 | sAPmLGd75JR3Y8xuTPl9Dg3cyLk1uXBPY/ok+myDjEedO2Pzmvl2MpWRsXe8rJq+ 23 | seQxIcaBlVZaDrHC1LGmWazxY8u4TB1ZkErvkBYoH1quEPuBUDgMbMzxPcP1Y+Oz 24 | 4yHJJDnp/RVmRvQbEdBNc6N9Rvk97ahfYtTxP/jgdFcrGJ2BtMQo2pSXpXDrrB2+ 25 | BxHw1dvd5Yzw1TKwg+ZX4o+/vqGqvz0dtdQ46tewXDpPaj+PwGZsY6rp2aQW9IHR 26 | lRQOfc2VNNnSj3BzgXucfr2YYdhFh5iQxeuGMMY1v/D/w1WIg0vvBZIGcfK4mJO3 27 | 7M2CYfE45k+XmCpajQ== 28 | -----END CERTIFICATE----- 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## DISCONTINUATION OF PROJECT. 2 | 3 | This project will no longer be maintained by Intel. 4 | 5 | Intel will not provide or guarantee development of or support for this project, including but not limited to, maintenance, bug fixes, new releases or updates. Patches to this project are no longer accepted by Intel. If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the community, please create your own fork of the project. 6 | 7 | Contact: webadmin@linux.intel.com 8 | # clrtrust: management tool for certificate trust store 9 | 10 | 11 | The `clrtrust` tool provides a frontend for centralized trust store management. 12 | It allows for adding (trusting) and removing (distrusting) certificate 13 | authorities (CAs). It also provides maintenance commands for viewing and 14 | re-generating the trust store. 15 | 16 | See [`man clrtrust`](man/clrtrust.1.md) for usage information and examples. 17 | 18 | ## `clrtrust` in Clear Linux OS 19 | 20 | Clear Linux\* OS uses `clrtrust` to implement a centralized TLS Trust Store for 21 | all its software packages which use Transport Layer Security. The trust store 22 | contains a set of trusted Root Certificate Authorities (CAs) which the 23 | operating system should trust. 24 | 25 | Clear Linux\* provides a complete and comprehensible list of well-known CAs out 26 | of the box. It is not necessary to take an action to be able to, for example, 27 | connect to https://clearlinux.org or https://google.com using TLS-enabled 28 | software, such as `curl` or `firefox`. 29 | 30 | ## License 31 | 32 | clrtrust is provided under terms of the GPL, version 2.0. See 33 | [`COPYING`](COPYING) for details. 34 | 35 | Copyright © 2020 Intel Corporation 36 | 37 | 38 | ## Reporting issues 39 | 40 | Help us improve the quality! Report issues at: 41 | https://github.com/clearlinux/clrtrust/issues 42 | 43 | -------------------------------------------------------------------------------- /test/add-negative.bats: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bats 2 | # Copyright 2017 Intel Corporation 3 | 4 | load test_lib 5 | 6 | setup() { 7 | find_clrtrust 8 | setup_fs 9 | } 10 | 11 | @test "generate empty store, fail to add certificates" { 12 | $CLRTRUST generate 13 | cnt=$(ls $STORE/anchors | wc -l) 14 | ls $STORE/anchors 15 | [ $cnt -eq 1 ] 16 | run $CLRTRUST list 17 | [ $status -eq 0 ] 18 | [ -z "$output" ] 19 | # try adding intermediate CA 20 | run $CLRTRUST add $CERTS/bad/intermediate.pem 21 | [ $status -eq 255 ] 22 | run $CLRTRUST list 23 | [ $status -eq 0 ] 24 | [ -z "$output" ] 25 | # try adding leaf certificate 26 | run $CLRTRUST add $CERTS/bad/leaf.pem 27 | [ $status -eq 255 ] 28 | run $CLRTRUST list 29 | [ $status -eq 0 ] 30 | [ -z "$output" ] 31 | # try adding non-certificate 32 | run $CLRTRUST add $CERTS/bad/non-cert.txt 33 | [ $status -eq 255 ] 34 | run $CLRTRUST list 35 | [ $status -eq 0 ] 36 | [ -z "$output" ] 37 | # add acceptable CA 38 | run $CLRTRUST add $CERTS/c1.pem 39 | [ $status -eq 0 ] 40 | run $CLRTRUST list 41 | [ $status -eq 0 ] 42 | cnt=$(echo "$output" | grep ^id | wc -l) 43 | [ $cnt -eq 1 ] 44 | # try removing non-certificate 45 | run $CLRTRUST remove $CERTS/bad/non-cert.txt 46 | [ $status -eq 255 ] 47 | run $CLRTRUST list 48 | cnt=$(echo "$output" | grep ^id | wc -l) 49 | [ $cnt -eq 1 ] 50 | # leaf can be forced 51 | $CLRTRUST add --force $CERTS/bad/leaf.pem 52 | run $CLRTRUST list 53 | [ $status -eq 0 ] 54 | cnt=$(echo "$output" | grep ^id | wc -l) 55 | [ $cnt -eq 2 ] 56 | # intermediate can be forced 57 | $CLRTRUST add -f $CERTS/bad/intermediate.pem 58 | run $CLRTRUST list 59 | [ $status -eq 0 ] 60 | cnt=$(echo "$output" | grep ^id | wc -l) 61 | [ $cnt -eq 3 ] 62 | } 63 | 64 | teardown() { 65 | remove_fs 66 | } 67 | 68 | # vim: ft=sh:sw=4:ts=4:et:tw=80:si:noai:nocin 69 | -------------------------------------------------------------------------------- /test/certs/c1.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIF2DCCA8CgAwIBAgIQTKr5yttjb+Af907YWwOGnTANBgkqhkiG9w0BAQwFADCB 3 | hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G 4 | A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV 5 | BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTAwMTE5 6 | MDAwMDAwWhcNMzgwMTE4MjM1OTU5WjCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT 7 | EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR 8 | Q09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNh 9 | dGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCR 10 | 6FSS0gpWsawNJN3Fz0RndJkrN6N9I3AAcbxT38T6KhKPS38QVr2fcHK3YX/JSw8X 11 | pz3jsARh7v8Rl8f0hj4K+j5c+ZPmNHrZFGvnnLOFoIJ6dq9xkNfs/Q36nGz637CC 12 | 9BR++b7Epi9Pf5l/tfxnQ3K9DADWietrLNPtj5gcFKt+5eNu/Nio5JIk2kNrYrhV 13 | /erBvGy2i/MOjZrkm2xpmfh4SDBF1a3hDTxFYPwyllEnvGfDyi62a+pGx8cgoLEf 14 | Zd5ICLqkTqnyg0Y3hOvozIFIQ2dOciqbXL1MGyiKXCJ7tKuY2e7gUYPDCUZObT6Z 15 | +pUX2nwzV0E8jVHtC7ZcryxjGt9XyD+86V3Em69FmeKjWiS0uqlWPc9vqv9JWL7w 16 | qP/0uK3pN/u6uPQLOvnoQ0IeidiEyxPx2bvhiWC4jChWrBQdnArncevPDt09qZah 17 | SL0896+1DSJMwBGB7FY79tOi4lu3sgQiUpWAk2nojkxl8ZEDLXB0AuqLZxUpaVIC 18 | u9ffUGpVRr+goyhhf3DQw6KqLCGqR84onAZFdr+CGCe01a60y1Dma/RMhnEw6abf 19 | Fobg2P9A3fvQQoh/ozM6LlweQRGBY84YcWsr7KaKtzFcOmpH4MN5WdYgGq/yapiq 20 | crxXStJLnbsQ/LBMQeXtHT1eKJ2czL+zUdqnR+WEUwIDAQABo0IwQDAdBgNVHQ4E 21 | FgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB 22 | /wQFMAMBAf8wDQYJKoZIhvcNAQEMBQADggIBAArx1UaEt65Ru2yyTUEUAJNMnMvl 23 | wFTPoCWOAvn9sKIN9SCYPBMtrFaisNZ+EZLpLrqeLppysb0ZRGxhNaKatBYSaVqM 24 | 4dc+pBroLwP0rmEdEBsqpIt6xf4FpuHA1sj+nq6PK7o9mfjYcwlYRm6mnPTXJ9OV 25 | 2jeDchzTc+CiR5kDOF3VSXkAKRzH7JsgHAckaVd4sjn8OoSgtZx8jb8uk2Intzna 26 | FxiuvTwJaP+EmzzV1gsD41eeFPfR60/IvYcjt7ZJQ3mFXLrrkguhxuhoqEwWsRqZ 27 | CuhTLJK7oQkYdQxlqHvLI7cawiiFwxv/0Cti76R7CZGYZ4wUAc1oBmpjIXUDgIiK 28 | boHGhfKppC3n9KUkEEeDys30jXlYsQab5xoq2Z0B15R97QNKyvDb6KkBPvVWmcke 29 | jkk9u+UJueBPSZI9FoJAzMxZxuY67RIuaTxslbH9qh17f4a+Hg4yRvv7E491f0yL 30 | S0Zj/gA0QHDBw7mh3aZw4gSzQbzpgJHqZJx64SIDqZxubw5lT2yHh17zbqD5daWb 31 | QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl 32 | 0MC2Hb46TpSi125sC8KKfPog88Tk5c0NqMuRkrF8hey1FGlmDoLnzc7ILaZRfyHB 33 | NVOFBkpdn627G190 34 | -----END CERTIFICATE----- 35 | -------------------------------------------------------------------------------- /test/certs/bad/leaf.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN CERTIFICATE----- 2 | MIIHijCCBnKgAwIBAgIIDMX/nn+QGyIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE 3 | BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl 4 | cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MDkyNjAwWhcNMTcwOTIwMDkyNjAw 5 | WjBmMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN 6 | TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEVMBMGA1UEAwwMKi5n 7 | b29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEylnJ/rP3GRw3qVvX 8 | jk3dm/WF1shJtWlWtlegn783KLh6ahtHfM1KOv+lPe5SIK9yJsJk1jFYVzvN5prD 9 | pQTDd6OCBSIwggUeMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjALBgNV 10 | HQ8EBAMCB4AwggPhBgNVHREEggPYMIID1IIMKi5nb29nbGUuY29tgg0qLmFuZHJv 11 | aWQuY29tghYqLmFwcGVuZ2luZS5nb29nbGUuY29tghIqLmNsb3VkLmdvb2dsZS5j 12 | b22CFCouZGI4MzM5NTMuZ29vZ2xlLmNuggYqLmcuY2+CDiouZ2NwLmd2dDIuY29t 13 | ghYqLmdvb2dsZS1hbmFseXRpY3MuY29tggsqLmdvb2dsZS5jYYILKi5nb29nbGUu 14 | Y2yCDiouZ29vZ2xlLmNvLmlugg4qLmdvb2dsZS5jby5qcIIOKi5nb29nbGUuY28u 15 | dWuCDyouZ29vZ2xlLmNvbS5hcoIPKi5nb29nbGUuY29tLmF1gg8qLmdvb2dsZS5j 16 | b20uYnKCDyouZ29vZ2xlLmNvbS5jb4IPKi5nb29nbGUuY29tLm14gg8qLmdvb2ds 17 | ZS5jb20udHKCDyouZ29vZ2xlLmNvbS52boILKi5nb29nbGUuZGWCCyouZ29vZ2xl 18 | LmVzggsqLmdvb2dsZS5mcoILKi5nb29nbGUuaHWCCyouZ29vZ2xlLml0ggsqLmdv 19 | b2dsZS5ubIILKi5nb29nbGUucGyCCyouZ29vZ2xlLnB0ghIqLmdvb2dsZWFkYXBp 20 | cy5jb22CDyouZ29vZ2xlYXBpcy5jboIUKi5nb29nbGVjb21tZXJjZS5jb22CESou 21 | Z29vZ2xldmlkZW8uY29tggwqLmdzdGF0aWMuY26CDSouZ3N0YXRpYy5jb22CCiou 22 | Z3Z0MS5jb22CCiouZ3Z0Mi5jb22CFCoubWV0cmljLmdzdGF0aWMuY29tggwqLnVy 23 | Y2hpbi5jb22CECoudXJsLmdvb2dsZS5jb22CFioueW91dHViZS1ub2Nvb2tpZS5j 24 | b22CDSoueW91dHViZS5jb22CFioueW91dHViZWVkdWNhdGlvbi5jb22CByoueXQu 25 | YmWCCyoueXRpbWcuY29tghphbmRyb2lkLmNsaWVudHMuZ29vZ2xlLmNvbYILYW5k 26 | cm9pZC5jb22CG2RldmVsb3Blci5hbmRyb2lkLmdvb2dsZS5jboIcZGV2ZWxvcGVy 27 | cy5hbmRyb2lkLmdvb2dsZS5jboIEZy5jb4IGZ29vLmdsghRnb29nbGUtYW5hbHl0 28 | aWNzLmNvbYIKZ29vZ2xlLmNvbYISZ29vZ2xlY29tbWVyY2UuY29tghhzb3VyY2Uu 29 | YW5kcm9pZC5nb29nbGUuY26CCnVyY2hpbi5jb22CCnd3dy5nb28uZ2yCCHlvdXR1 30 | LmJlggt5b3V0dWJlLmNvbYIUeW91dHViZWVkdWNhdGlvbi5jb22CBXl0LmJlMGgG 31 | CCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29t 32 | L0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5j 33 | b20vb2NzcDAdBgNVHQ4EFgQUIi7ZOGnk9oZTsZQ3CyNds6fV3KQwDAYDVR0TAQH/ 34 | BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAhBgNVHSAEGjAY 35 | MAwGCisGAQQB1nkCBQEwCAYGZ4EMAQICMDAGA1UdHwQpMCcwJaAjoCGGH2h0dHA6 36 | Ly9wa2kuZ29vZ2xlLmNvbS9HSUFHMi5jcmwwDQYJKoZIhvcNAQELBQADggEBAHgS 37 | 6+KbN/Rez65HJHshhXuXZQOteE8KmZHWgjeiucZLrcrjimev6cAYQ25Eu8ToXYvT 38 | 7ia/pdGD0AEr2As2NyQee/vScKoN30a/Vq35gZrtIDGFAT2uBfLjsBozGdbBVGTa 39 | UwB3MK/xlNL7WOQeuR4cdBS2nbKC7ttz8Y3+sWcB1yIDRzbV7SbxFyJnSjfQiMVk 40 | i1NcHcR96y5gVWsKeTKauhnp6msXao+952ejXnvYr0+ucsLjCk7Ce4/MBTpIG1A5 41 | UC69UwPxkNp0lIjyYp5n0DFq0bc4uLjREwU61rRgg80spMrjS2pvFw3gG9aVqJ0B 42 | sbsxvSh8edXPtsYkc1k= 43 | -----END CERTIFICATE----- 44 | -------------------------------------------------------------------------------- /clrtrust-helper.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright © 2018 Intel Corporation. 3 | * 4 | * See COPYING for terms. 5 | */ 6 | 7 | /* This is a helper application which is meant to be used with clrtrust, the 8 | * Clear Linux Trust Store management tool. It is created for performance 9 | * reasons, to process certificates in bulk as opposed to running openssl for 10 | * each certificate file. 11 | * 12 | * It reads the list of files, one filename per line, from the standard input 13 | * and produces output in form of: \t. 14 | * 15 | * Two modes are supported. If '-f' switch is specified on the command line, for 16 | * each file a SHA-1 fingerprint is calculated. If '-s' is specified, then 17 | * subject hash is produced. 18 | */ 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | 27 | /* process return codes */ 28 | #define CTH_EOK 0 /* success. */ 29 | #define CTH_EERR 1 /* incorrect invocation, cannot start. */ 30 | #define CTH_EINV 2 /* invalid input, cannot produce result. */ 31 | 32 | typedef enum { 33 | MODE_FINGER = 1, /* output fingerprint */ 34 | MODE_HASH, /* output subject hash */ 35 | MODE_INVALID = 100 36 | } runmode_t; 37 | 38 | void print_help() { 39 | char *help = "clrtrust-helper [-f|-s]\n" 40 | "Helper utility for clrtrust. Reads the list of files from" 41 | " stdin, one per line, and produces either fingerprint or" 42 | " subject hash for each file on stdout in form:\n" 43 | " \n"; 44 | puts(help); 45 | } 46 | 47 | int main(int argc, char **argv) { 48 | 49 | runmode_t runmode = MODE_INVALID; /* global switch: whether to produce fingerprint 50 | or subject hash. */ 51 | 52 | BIO *inbio = NULL; 53 | 54 | /* fingerprint-related variables */ 55 | const EVP_MD *finger_type = NULL; 56 | unsigned int finger_sz; 57 | unsigned char finger[EVP_MAX_MD_SIZE]; 58 | 59 | /* subjecthash-related variables */ 60 | unsigned long subject_hash; 61 | 62 | unsigned int i; 63 | int c; 64 | 65 | char *fname = NULL; 66 | size_t sz = 0; 67 | 68 | /* return code */ 69 | int ret = CTH_EOK; 70 | 71 | while ((c = getopt(argc, argv, "fs")) != -1) { 72 | switch (c) { 73 | case 'f': 74 | if (runmode == MODE_INVALID) { 75 | runmode = MODE_FINGER; 76 | } else { 77 | print_help(); 78 | return CTH_EERR; 79 | } 80 | break; 81 | case 's': 82 | if (runmode == MODE_INVALID) { 83 | runmode = MODE_HASH; 84 | } else { 85 | print_help(); 86 | return CTH_EERR; 87 | } 88 | break; 89 | default: 90 | printf("Unrecognized option -%c.\n", c); 91 | print_help(); 92 | return CTH_EERR; 93 | } 94 | } 95 | 96 | if (runmode == MODE_INVALID) { 97 | print_help(); 98 | return CTH_EERR; 99 | } 100 | 101 | OpenSSL_add_all_algorithms(); 102 | 103 | finger_type = EVP_sha1(); 104 | 105 | inbio = BIO_new(BIO_s_file()); 106 | 107 | while (getline(&fname, &sz, stdin) != -1) { 108 | int fname_len = strlen(fname); 109 | int err = 1; 110 | FILE *fp = NULL; 111 | X509 *cert = NULL; 112 | 113 | if (fname_len < 1) continue; 114 | if (fname[fname_len-1] == '\n') { 115 | fname[fname_len-1] = '\0'; 116 | } 117 | 118 | if (!(fp = fopen(fname, "r"))) { 119 | goto wrap_up; 120 | } 121 | 122 | if (!BIO_set_fp(inbio, fp, BIO_NOCLOSE)) { 123 | goto wrap_up; 124 | } 125 | 126 | if (!(cert = PEM_read_bio_X509(inbio, NULL, 0, NULL))) { 127 | goto wrap_up; 128 | } 129 | 130 | switch (runmode) { 131 | case MODE_FINGER: 132 | if (!X509_digest(cert, finger_type, finger, &finger_sz)) { 133 | goto wrap_up; 134 | } 135 | printf("%s\t", fname); 136 | for (i=0; i < finger_sz; i++) { 137 | printf("%02X", finger[i]); 138 | if (i < finger_sz-1) printf(":"); 139 | } 140 | putc('\n', stdout); 141 | err = 0; 142 | break; 143 | case MODE_HASH: 144 | subject_hash = X509_subject_name_hash(cert); 145 | printf("%s\t%08lx\n", fname, subject_hash); 146 | err = 0; 147 | break; 148 | default: 149 | return CTH_EERR; 150 | } 151 | 152 | wrap_up: 153 | if (fp) fclose(fp); 154 | if (cert) X509_free(cert); 155 | if (err) { 156 | printf("%s\tERROR\n", fname); 157 | ret = CTH_EINV; 158 | } 159 | } 160 | 161 | if (fname) free(fname); 162 | 163 | return ret; 164 | } 165 | -------------------------------------------------------------------------------- /man/clrtrust.1.md: -------------------------------------------------------------------------------- 1 | ## SYNOPSIS 2 | 3 | **clrtrust** is a tool for generating and managing a centralized trusted 4 | certificate store. 5 | 6 | `clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] [options]` 7 | 8 | ## DESCRIPTION 9 | 10 | A trust store contains a set of X.509 certificates which the operating system 11 | and applications should consider trustworthy. 12 | 13 | The `clrtrust` tool provides a frontend for centralized trust store management. 14 | It allows for adding (trusting) and removing (distrusting) certificate 15 | authorities (CAs). It also provides maintenance commands for viewing and 16 | re-generating the trust store. 17 | 18 | Certificates can be provided by the operating system for out-of-box 19 | functionality. Certificates can also be provided and modified by privileged 20 | users. 21 | 22 | It is up to each application to make use of the trust store generated by 23 | `clrtrust`. 24 | 25 | ## OPTIONS 26 | 27 | ``` 28 | Usage: clrtrust [-v|--verbose] [-h|--help] [-c|--internal-rehash] [options] 29 | 30 | -v | --verbose Shows more details about execution 31 | -c | --internal-rehash Forces use of internal implementation of c_rehash 32 | -h | --help Prints this message 33 | 34 | Commands 35 | generate generates the trust store 36 | list list CAs 37 | add add trust to a CA 38 | remove remove trust to a CA 39 | restore restore trust to previously removed CA 40 | check sanity/consistency check of the trust store 41 | 42 | clrtrust --help to get help on specific command. 43 | ``` 44 | 45 | **Commands that modify the trust store require root privileges.** 46 | 47 | - `clrtrust generate [-f|--force]` 48 | 49 | The `generate` command has no arguments and generates a unified trust store 50 | composed of system-provided and user-provided certificates, if any. The 51 | optional `--force` parameter will forcibly generate the trust store, even if 52 | it results in an empty store. See the FILES section for paths used for trust 53 | store generation. 54 | 55 | 56 | - `clrtrust list` 57 | 58 | The `list` command has no arguments and outputs a list of trusted certificates 59 | with the following fields: 60 | 61 | `id` uniquely identifies the certificate. It can be used as input to other 62 | `clrtrust` commands such as `remove` or `restore`. 63 | 64 | `File` contains the file path of the certificate in the trust store. 65 | 66 | `Authority` shows the name of the organization that issued the certificate. 67 | This field is extracted from the certificate file. 68 | 69 | `Expires` shows the expiration date of the certificate. This field is 70 | extracted from the certificate file. 71 | 72 | 73 | 74 | - `clrtust add [ ...] [-f|--force]` 75 | 76 | The `add` command takes one or more certificates as required argument(s). The 77 | certificate is identified by a file path. The certificate file(s) must be 78 | PEM-encoded with only one certificate per file. The optional `--force` 79 | parameter will forcibly add the certificate to the trust store, even if it is 80 | not a root CA. 81 | 82 | Adding a root CA to the trust store allows applications using the trust store 83 | to trust the root CA certificate, trust certificate chains issued by the 84 | authority, verify the authenticity of peer's certificate, and establish a 85 | connection. 86 | 87 | 88 | 89 | - `clrtrust remove [ ...]` 90 | 91 | The `remove` command takes one or more certificates as required argument(s). 92 | The certificate is identified by a file path or `id`. The argument can be an 93 | `id` of the certificate (see the `list` command) or the file path of the 94 | certificate. 95 | 96 | Removing a root CA from the trust store distrusts the certificate for 97 | applications using the trust store. Certificate chains issued by the 98 | authority will no longer be trusted, authenticity of the peer's certificate 99 | will no longer be verified, and a connection will not be established. 100 | 101 | 102 | 103 | - `clrtrust check` 104 | 105 | The `check` command has no arguments and validate the consistency of a 106 | previously generated unified trust store. 107 | 108 | 109 | ## EXAMPLES 110 | 111 | ### View the list of trusted CAs 112 | 113 | `clrtrust list` 114 | 115 | The command above outputs a list of trusted certificates in the format below: 116 | 117 | ``` 118 | id: FA:B7:EE:36:97:26:62:FB:2D:B0:2A:F6:BF:03:FD:E8:7C:4B:2F:9B 119 | File: /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt 120 | Authority: /C=RO/O=certSIGN/OU=certSIGN ROOT CA 121 | Expires: Jul 4 17:20:04 2031 GMT 122 | ``` 123 | 124 | The certificate can be further inspected using the `openssl x509` command. For 125 | example: 126 | 127 | ``` 128 | openssl x509 -in /var/cache/ca-certs/anchors/certSIGN_ROOT_CA.crt -noout -text 129 | ``` 130 | 131 | ### Add (trust) a root CA 132 | 133 | `clrtrust add ~/PrivateCA.pem` 134 | 135 | The command above will add a root CA certificate located in the 136 | `~/PrivateCA.pem` file. If the certificate file is not in the PEM format, use 137 | `openssl x509` command to convert to PEM first. For example: 138 | 139 | ``` 140 | openssl x509 -in PrivateCA.cer -inform der -out PrivateCA.pem -outform pem 141 | ``` 142 | 143 | ### Remove (distrust) a root CA 144 | 145 | `clrtrust remove ~/PrivateCA.pem` 146 | 147 | The command above will remove a root CA certificate located in the 148 | `~/PrivateCA.pem` file from the trust store and distrust it. 149 | 150 | 151 | ## FILES 152 | 153 | */var/cache/ca-certs* 154 | 155 | Generated directory of certificates and verification keys. Do not modify 156 | contents outside of `clrtrust`. 157 | 158 | */usr/share/ca-certs/* 159 | 160 | Operating-system provided certificates and keys. Do not modify contents 161 | outside of `clrtrust`. 162 | 163 | */etc/ca-certs/* 164 | 165 | Generated directory of user-supplied certificates and verification keys. Do 166 | not modify contents outside of `clrtrust`. 167 | 168 | ## BUGS 169 | 170 | See GitHub Issues: 171 | 172 | 173 | ## SEE ALSO 174 | 175 | **openssl(1)** 176 | -------------------------------------------------------------------------------- /COPYING: -------------------------------------------------------------------------------- 1 | This program is free software: you can redistribute it and/or modify 2 | it under the terms of the GNU General Public License as published by 3 | the Free Software Foundation, version 2 or later of the License. 4 | 5 | This program is distributed in the hope that it will be useful, 6 | but WITHOUT ANY WARRANTY; without even the implied warranty of 7 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 8 | GNU General Public License for more details. 9 | 10 | You should have received a copy of the GNU General Public License 11 | along with this program. If not, see . 12 | 13 | 14 | 15 | GNU GENERAL PUBLIC LICENSE 16 | Version 2, June 1991 17 | 18 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 19 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 20 | Everyone is permitted to copy and distribute verbatim copies 21 | of this license document, but changing it is not allowed. 22 | 23 | Preamble 24 | 25 | The licenses for most software are designed to take away your 26 | freedom to share and change it. By contrast, the GNU General Public 27 | License is intended to guarantee your freedom to share and change free 28 | software--to make sure the software is free for all its users. This 29 | General Public License applies to most of the Free Software 30 | Foundation's software and to any other program whose authors commit to 31 | using it. (Some other Free Software Foundation software is covered by 32 | the GNU Lesser General Public License instead.) You can apply it to 33 | your programs, too. 34 | 35 | When we speak of free software, we are referring to freedom, not 36 | price. Our General Public Licenses are designed to make sure that you 37 | have the freedom to distribute copies of free software (and charge for 38 | this service if you wish), that you receive source code or can get it 39 | if you want it, that you can change the software or use pieces of it 40 | in new free programs; and that you know you can do these things. 41 | 42 | To protect your rights, we need to make restrictions that forbid 43 | anyone to deny you these rights or to ask you to surrender the rights. 44 | These restrictions translate to certain responsibilities for you if you 45 | distribute copies of the software, or if you modify it. 46 | 47 | For example, if you distribute copies of such a program, whether 48 | gratis or for a fee, you must give the recipients all the rights that 49 | you have. You must make sure that they, too, receive or can get the 50 | source code. And you must show them these terms so they know their 51 | rights. 52 | 53 | We protect your rights with two steps: (1) copyright the software, and 54 | (2) offer you this license which gives you legal permission to copy, 55 | distribute and/or modify the software. 56 | 57 | Also, for each author's protection and ours, we want to make certain 58 | that everyone understands that there is no warranty for this free 59 | software. If the software is modified by someone else and passed on, we 60 | want its recipients to know that what they have is not the original, so 61 | that any problems introduced by others will not reflect on the original 62 | authors' reputations. 63 | 64 | Finally, any free program is threatened constantly by software 65 | patents. We wish to avoid the danger that redistributors of a free 66 | program will individually obtain patent licenses, in effect making the 67 | program proprietary. To prevent this, we have made it clear that any 68 | patent must be licensed for everyone's free use or not licensed at all. 69 | 70 | The precise terms and conditions for copying, distribution and 71 | modification follow. 72 | 73 | GNU GENERAL PUBLIC LICENSE 74 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 75 | 76 | 0. This License applies to any program or other work which contains 77 | a notice placed by the copyright holder saying it may be distributed 78 | under the terms of this General Public License. The "Program", below, 79 | refers to any such program or work, and a "work based on the Program" 80 | means either the Program or any derivative work under copyright law: 81 | that is to say, a work containing the Program or a portion of it, 82 | either verbatim or with modifications and/or translated into another 83 | language. (Hereinafter, translation is included without limitation in 84 | the term "modification".) Each licensee is addressed as "you". 85 | 86 | Activities other than copying, distribution and modification are not 87 | covered by this License; they are outside its scope. The act of 88 | running the Program is not restricted, and the output from the Program 89 | is covered only if its contents constitute a work based on the 90 | Program (independent of having been made by running the Program). 91 | Whether that is true depends on what the Program does. 92 | 93 | 1. You may copy and distribute verbatim copies of the Program's 94 | source code as you receive it, in any medium, provided that you 95 | conspicuously and appropriately publish on each copy an appropriate 96 | copyright notice and disclaimer of warranty; keep intact all the 97 | notices that refer to this License and to the absence of any warranty; 98 | and give any other recipients of the Program a copy of this License 99 | along with the Program. 100 | 101 | You may charge a fee for the physical act of transferring a copy, and 102 | you may at your option offer warranty protection in exchange for a fee. 103 | 104 | 2. You may modify your copy or copies of the Program or any portion 105 | of it, thus forming a work based on the Program, and copy and 106 | distribute such modifications or work under the terms of Section 1 107 | above, provided that you also meet all of these conditions: 108 | 109 | a) You must cause the modified files to carry prominent notices 110 | stating that you changed the files and the date of any change. 111 | 112 | b) You must cause any work that you distribute or publish, that in 113 | whole or in part contains or is derived from the Program or any 114 | part thereof, to be licensed as a whole at no charge to all third 115 | parties under the terms of this License. 116 | 117 | c) If the modified program normally reads commands interactively 118 | when run, you must cause it, when started running for such 119 | interactive use in the most ordinary way, to print or display an 120 | announcement including an appropriate copyright notice and a 121 | notice that there is no warranty (or else, saying that you provide 122 | a warranty) and that users may redistribute the program under 123 | these conditions, and telling the user how to view a copy of this 124 | License. (Exception: if the Program itself is interactive but 125 | does not normally print such an announcement, your work based on 126 | the Program is not required to print an announcement.) 127 | 128 | These requirements apply to the modified work as a whole. If 129 | identifiable sections of that work are not derived from the Program, 130 | and can be reasonably considered independent and separate works in 131 | themselves, then this License, and its terms, do not apply to those 132 | sections when you distribute them as separate works. But when you 133 | distribute the same sections as part of a whole which is a work based 134 | on the Program, the distribution of the whole must be on the terms of 135 | this License, whose permissions for other licensees extend to the 136 | entire whole, and thus to each and every part regardless of who wrote it. 137 | 138 | Thus, it is not the intent of this section to claim rights or contest 139 | your rights to work written entirely by you; rather, the intent is to 140 | exercise the right to control the distribution of derivative or 141 | collective works based on the Program. 142 | 143 | In addition, mere aggregation of another work not based on the Program 144 | with the Program (or with a work based on the Program) on a volume of 145 | a storage or distribution medium does not bring the other work under 146 | the scope of this License. 147 | 148 | 3. You may copy and distribute the Program (or a work based on it, 149 | under Section 2) in object code or executable form under the terms of 150 | Sections 1 and 2 above provided that you also do one of the following: 151 | 152 | a) Accompany it with the complete corresponding machine-readable 153 | source code, which must be distributed under the terms of Sections 154 | 1 and 2 above on a medium customarily used for software interchange; or, 155 | 156 | b) Accompany it with a written offer, valid for at least three 157 | years, to give any third party, for a charge no more than your 158 | cost of physically performing source distribution, a complete 159 | machine-readable copy of the corresponding source code, to be 160 | distributed under the terms of Sections 1 and 2 above on a medium 161 | customarily used for software interchange; or, 162 | 163 | c) Accompany it with the information you received as to the offer 164 | to distribute corresponding source code. (This alternative is 165 | allowed only for noncommercial distribution and only if you 166 | received the program in object code or executable form with such 167 | an offer, in accord with Subsection b above.) 168 | 169 | The source code for a work means the preferred form of the work for 170 | making modifications to it. For an executable work, complete source 171 | code means all the source code for all modules it contains, plus any 172 | associated interface definition files, plus the scripts used to 173 | control compilation and installation of the executable. However, as a 174 | special exception, the source code distributed need not include 175 | anything that is normally distributed (in either source or binary 176 | form) with the major components (compiler, kernel, and so on) of the 177 | operating system on which the executable runs, unless that component 178 | itself accompanies the executable. 179 | 180 | If distribution of executable or object code is made by offering 181 | access to copy from a designated place, then offering equivalent 182 | access to copy the source code from the same place counts as 183 | distribution of the source code, even though third parties are not 184 | compelled to copy the source along with the object code. 185 | 186 | 4. You may not copy, modify, sublicense, or distribute the Program 187 | except as expressly provided under this License. Any attempt 188 | otherwise to copy, modify, sublicense or distribute the Program is 189 | void, and will automatically terminate your rights under this License. 190 | However, parties who have received copies, or rights, from you under 191 | this License will not have their licenses terminated so long as such 192 | parties remain in full compliance. 193 | 194 | 5. You are not required to accept this License, since you have not 195 | signed it. However, nothing else grants you permission to modify or 196 | distribute the Program or its derivative works. These actions are 197 | prohibited by law if you do not accept this License. Therefore, by 198 | modifying or distributing the Program (or any work based on the 199 | Program), you indicate your acceptance of this License to do so, and 200 | all its terms and conditions for copying, distributing or modifying 201 | the Program or works based on it. 202 | 203 | 6. Each time you redistribute the Program (or any work based on the 204 | Program), the recipient automatically receives a license from the 205 | original licensor to copy, distribute or modify the Program subject to 206 | these terms and conditions. You may not impose any further 207 | restrictions on the recipients' exercise of the rights granted herein. 208 | You are not responsible for enforcing compliance by third parties to 209 | this License. 210 | 211 | 7. If, as a consequence of a court judgment or allegation of patent 212 | infringement or for any other reason (not limited to patent issues), 213 | conditions are imposed on you (whether by court order, agreement or 214 | otherwise) that contradict the conditions of this License, they do not 215 | excuse you from the conditions of this License. If you cannot 216 | distribute so as to satisfy simultaneously your obligations under this 217 | License and any other pertinent obligations, then as a consequence you 218 | may not distribute the Program at all. For example, if a patent 219 | license would not permit royalty-free redistribution of the Program by 220 | all those who receive copies directly or indirectly through you, then 221 | the only way you could satisfy both it and this License would be to 222 | refrain entirely from distribution of the Program. 223 | 224 | If any portion of this section is held invalid or unenforceable under 225 | any particular circumstance, the balance of the section is intended to 226 | apply and the section as a whole is intended to apply in other 227 | circumstances. 228 | 229 | It is not the purpose of this section to induce you to infringe any 230 | patents or other property right claims or to contest validity of any 231 | such claims; this section has the sole purpose of protecting the 232 | integrity of the free software distribution system, which is 233 | implemented by public license practices. Many people have made 234 | generous contributions to the wide range of software distributed 235 | through that system in reliance on consistent application of that 236 | system; it is up to the author/donor to decide if he or she is willing 237 | to distribute software through any other system and a licensee cannot 238 | impose that choice. 239 | 240 | This section is intended to make thoroughly clear what is believed to 241 | be a consequence of the rest of this License. 242 | 243 | 8. If the distribution and/or use of the Program is restricted in 244 | certain countries either by patents or by copyrighted interfaces, the 245 | original copyright holder who places the Program under this License 246 | may add an explicit geographical distribution limitation excluding 247 | those countries, so that distribution is permitted only in or among 248 | countries not thus excluded. In such case, this License incorporates 249 | the limitation as if written in the body of this License. 250 | 251 | 9. The Free Software Foundation may publish revised and/or new versions 252 | of the General Public License from time to time. Such new versions will 253 | be similar in spirit to the present version, but may differ in detail to 254 | address new problems or concerns. 255 | 256 | Each version is given a distinguishing version number. If the Program 257 | specifies a version number of this License which applies to it and "any 258 | later version", you have the option of following the terms and conditions 259 | either of that version or of any later version published by the Free 260 | Software Foundation. If the Program does not specify a version number of 261 | this License, you may choose any version ever published by the Free Software 262 | Foundation. 263 | 264 | 10. If you wish to incorporate parts of the Program into other free 265 | programs whose distribution conditions are different, write to the author 266 | to ask for permission. For software which is copyrighted by the Free 267 | Software Foundation, write to the Free Software Foundation; we sometimes 268 | make exceptions for this. Our decision will be guided by the two goals 269 | of preserving the free status of all derivatives of our free software and 270 | of promoting the sharing and reuse of software generally. 271 | 272 | NO WARRANTY 273 | 274 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 275 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 276 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 277 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 278 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 279 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 280 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 281 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 282 | REPAIR OR CORRECTION. 283 | 284 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 285 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 286 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 287 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 288 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 289 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 290 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 291 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 292 | POSSIBILITY OF SUCH DAMAGES. 293 | 294 | END OF TERMS AND CONDITIONS 295 | 296 | How to Apply These Terms to Your New Programs 297 | 298 | If you develop a new program, and you want it to be of the greatest 299 | possible use to the public, the best way to achieve this is to make it 300 | free software which everyone can redistribute and change under these terms. 301 | 302 | To do so, attach the following notices to the program. It is safest 303 | to attach them to the start of each source file to most effectively 304 | convey the exclusion of warranty; and each file should have at least 305 | the "copyright" line and a pointer to where the full notice is found. 306 | 307 | 308 | Copyright (C) 309 | 310 | This program is free software; you can redistribute it and/or modify 311 | it under the terms of the GNU General Public License as published by 312 | the Free Software Foundation; either version 2 of the License, or 313 | (at your option) any later version. 314 | 315 | This program is distributed in the hope that it will be useful, 316 | but WITHOUT ANY WARRANTY; without even the implied warranty of 317 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 318 | GNU General Public License for more details. 319 | 320 | You should have received a copy of the GNU General Public License along 321 | with this program; if not, write to the Free Software Foundation, Inc., 322 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 323 | 324 | Also add information on how to contact you by electronic and paper mail. 325 | 326 | If the program is interactive, make it output a short notice like this 327 | when it starts in an interactive mode: 328 | 329 | Gnomovision version 69, Copyright (C) year name of author 330 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 331 | This is free software, and you are welcome to redistribute it 332 | under certain conditions; type `show c' for details. 333 | 334 | The hypothetical commands `show w' and `show c' should show the appropriate 335 | parts of the General Public License. Of course, the commands you use may 336 | be called something other than `show w' and `show c'; they could even be 337 | mouse-clicks or menu items--whatever suits your program. 338 | 339 | You should also get your employer (if you work as a programmer) or your 340 | school, if any, to sign a "copyright disclaimer" for the program, if 341 | necessary. Here is a sample; alter the names: 342 | 343 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 344 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 345 | 346 | , 1 April 1989 347 | Ty Coon, President of Vice 348 | 349 | This General Public License does not permit incorporating your program into 350 | proprietary programs. If your program is a subroutine library, you may 351 | consider it more useful to permit linking proprietary applications with the 352 | library. If this is what you want to do, use the GNU Lesser General 353 | Public License instead of this License. 354 | -------------------------------------------------------------------------------- /clrtrust.in: -------------------------------------------------------------------------------- 1 | #!/usr/bin/bash 2 | # Copyright 2017 Intel Corporation 3 | # See COPYING for the terms. 4 | 5 | ##### HEALTH CHECKS 6 | 7 | is_root() { 8 | if [ $UID -ne 0 ]; then 9 | 1>&2 echo "Must be root to execute the command." 10 | return 1 11 | fi 12 | return 0 13 | } 14 | 15 | has_openssl() { 16 | if ! command -v openssl >/dev/null 2>&1; then 17 | 1>&2 echo "openssl is required, but not found." 18 | return 1 19 | fi 20 | # make sure openssl can handle a valid root CA (here-doc below) 21 | cat </dev/null 2>&1; then 49 | 1>&2 echo "p11-kit is required, but not found." 50 | return 1 51 | fi 52 | return 0 53 | } 54 | 55 | # checks if the location to write is the default trust store. extra caution is 56 | # needed when re-writing the system-wide store (e.g. serialization, privilege 57 | # checks and so on). 58 | is_system_store() { 59 | [ "$CLR_TRUST_STORE" = "$CLR_TRUST_STORE_DFLT" ] 60 | } 61 | 62 | detect_c_rehash() { 63 | if [ -z "$INTERNAL_C_REHASH" ] && command -v c_rehash >/dev/null 2>&1; then 64 | # use c_rehash 65 | C_REHASH_CMD=c_rehash 66 | else 67 | test -n "$VERBOSE" && echo "Using internal rehash" 68 | C_REHASH_CMD=c_rehash_internal 69 | fi 70 | return 0 71 | } 72 | 73 | sig_ignore() { 74 | : 75 | } 76 | 77 | lock() { 78 | local lock_path 79 | local ret 80 | # lock should be on the same block device so that we could ln to it 81 | lock_path=$(mktemp "${CLR_TRUST_LOCK_FILE}.XXXXXX") 82 | ret=$? 83 | if [ $ret -ne 0 ]; then 84 | return $ret 85 | fi 86 | ln "$lock_path" "$CLR_TRUST_LOCK_FILE" >/dev/null 2>&1 87 | ret=$? 88 | rm "$lock_path" 89 | return $ret 90 | } 91 | 92 | unlock() { 93 | rm -f "${CLR_TRUST_LOCK_FILE}" 94 | } 95 | 96 | # takes cert file as a single argument 97 | # returns 0 if root ca, 1 otherwise 98 | is_root_ca() { 99 | # if issuer and subject match, then it's a self-signed certificate, the only 100 | # indication of a Root CA we need to take into account (X.509v3 extensions 101 | # are not) 102 | t=$(openssl x509 -in "$1" -noout -issuer -subject 2>/dev/null \ 103 | | sed -e 's/^\(issuer\|subject\)=//' | uniq | wc -l) 104 | test $t -eq 1 105 | } 106 | 107 | is_single_cert() { 108 | # each certificate provided as input to clrtrust must contain single 109 | # certificate, so it can be used in CAPath. in other words, OpenSSL's bundle 110 | # certificates are not accepted. this function checks for that 111 | t=$(cat "$1" | grep 'BEGIN \(X509 \|TRUSTED \|\)CERTIFICATE' | wc -l) 112 | test $t -eq 1 113 | } 114 | 115 | ##### DEFAULT LOCATIONS 116 | 117 | # trust store default location 118 | CLR_TRUST_STORE_DFLT=/var/cache/ca-certs 119 | CLR_TRUST_STORE=${CLR_TRUST_STORE:-$CLR_TRUST_STORE_DFLT} 120 | 121 | # user-supplied, local source of trust 122 | CLR_LOCAL_TRUST_SRC=${CLR_LOCAL_TRUST_SRC:-/etc/ca-certs} 123 | 124 | # Clear Linux-supplied source of trust 125 | CLR_CLEAR_TRUST_SRC=${CLR_CLEAR_TRUST_SRC:-/usr/share/ca-certs} 126 | 127 | ##### ERROR CODES 128 | # 0 is always success, used literally 129 | EPERM=1 # operation not permitted 130 | EBUSY=16 # resourse busy (cannot acquire trust store lock) 131 | EINVAL=22 # invalid argument 132 | EBADST=127 # invalid state / health check does not pass 133 | EERR=255 # general error 134 | 135 | ##### LOCATION OF THE HELPER 136 | # always favor env override. if not, prefer the helper that is found next to the 137 | # script itself (it indicates the development environment). if not, look at the 138 | # configured location. 139 | LIBEXEC_DIR=LIBEXEC_CONFIG_VALUE 140 | CLR_HELPER_NAME=clrtrust-helper 141 | for helper_dir in ${CLR_LIBEXEC_DIR:+"${CLR_LIBEXEC_DIR}"} "$(dirname $0)" "${LIBEXEC_DIR}"; do 142 | if [ -x "${helper_dir}/${CLR_HELPER_NAME}" ]; then 143 | CLR_HELPER_CMD="${helper_dir}/${CLR_HELPER_NAME}" 144 | break 145 | fi 146 | done 147 | 148 | if [ ! -x "$CLR_HELPER_CMD" ]; then 149 | 1>&2 echo "Cannot locate the helper executable (${CLR_HELPER_NAME})" 150 | exit $EBADST 151 | fi 152 | 153 | # get absolute path to the helper (to be able to run in subshells) 154 | if [[ "${CLR_HELPER_CMD}" != /* ]]; then 155 | CLR_HELPER_CMD=$(realpath "${CLR_HELPER_CMD}") 156 | fi 157 | 158 | ##### LOCK FILE PATH 159 | # absolute dirs where we can have lock, must be writeable. potentially, the 160 | # choice of lock directory could differ between two parallel runs of clrtrust, 161 | # but we're explicitly not protecting against that 162 | LOCK_DIRS="/run/lock /var/lock /tmp" 163 | for lock_dir in $LOCK_DIRS; do 164 | if [ -d $lock_dir ] && [ -w $lock_dir ]; then 165 | CLR_TRUST_LOCK_FILE=$lock_dir/clrtrust.lock 166 | break 167 | fi 168 | done 169 | 170 | if [ -z "$CLR_TRUST_LOCK_FILE" ]; then 171 | 1>&2 cat <\t 181 | find_certs() { 182 | local dir=$1 183 | if [ -z $dir ]; then return 255; fi 184 | if [ ! -d $dir ]; then return 255; fi 185 | find $dir -maxdepth 1 -type f | "${CLR_HELPER_CMD}" -f 186 | 187 | # NB: CLR_HELPER_CMD will return 2 exit status if some of the certificates 188 | # cannot be opened/processed. calls to find_certs rely on this fact 189 | # throughout this script. 190 | } 191 | 192 | find_all_certs() { 193 | local ret 194 | local nret 195 | find_certs $CLR_CLEAR_TRUST_SRC/trusted 196 | ret=$? 197 | find_certs $CLR_LOCAL_TRUST_SRC/trusted 198 | nret=$? 199 | if [ $nret -ne 0 ]; then 200 | ret=$nret 201 | fi 202 | return $ret 203 | } 204 | 205 | filter_bad_certs() { 206 | local bad_cert_files=$(echo "$1" | sed -ne '/\tERROR$/ { s/\tERROR$//; p }') 207 | if [ -n "$bad_cert_files" ]; then 208 | for bad_file in "$bad_cert_files"; do 209 | 1>&2 echo "$bad_file is not a PEM-encoded X.509 certificate. Skipping..." 210 | done 211 | fi 212 | echo "$1" | sed -e '/\tERROR$/d' 213 | } 214 | 215 | # a c_rehash implementation for creating openssl-style CApath. this 216 | # implementation is much simpler than openssl's one: it is designed to rehash a 217 | # newly created store. it only takes directory to process as the argument and 218 | # no options. it further assumes that it runs on a pristine directory where 219 | # every file is a valid certificate, no duplicates (clrtrust ensures it prior to 220 | # calling this function). also, it is called on a stage directory, unique to 221 | # each clrtrust process, so no concurrent execution is assumed. 222 | c_rehash_internal() { 223 | local dir=$1 224 | if [ -z "$dir" ] || [ ! -d "$dir" ] || [ ! -w "$dir" ]; then 225 | return 1 226 | fi 227 | ( 228 | cd "$dir" 229 | hashes=$(find . -maxdepth 1 -type f | "${CLR_HELPER_CMD}" -s) 230 | if [ $? -ne 0 ]; then 231 | return 1 232 | fi 233 | echo "$hashes" | while IFS=$'\t' read f h; do 234 | lnno=0 235 | while ! ln -s "$f" "${h}.${lnno}" && ((lnno++ < 100)); do 236 | : 237 | done 2>/dev/null 238 | done 239 | ) 240 | if [ $? -ne 0 ]; then 241 | return 1 242 | fi 243 | return 0 244 | } 245 | 246 | print_verbose_error() { 247 | test -n "$VERBOSE" && 1>&2 printf "%s" "$@" && 1>&2 echo 248 | } 249 | 250 | print_check_help() { 251 | cat <&2 echo "${CLR_LOCAL_TRUST_SRC} must be a directory." 283 | print_verbose_error \ 284 | "${CLR_LOCAL_TRUST_SRC} is used by ${BASENAME} to store local (user-added)" \ 285 | " trust and distrust data." 286 | return $EBADST 287 | fi 288 | if [ -e "${CLR_LOCAL_TRUST_SRC}/distrusted" ] && [ ! -d "${CLR_LOCAL_TRUST_SRC}/distrusted" ]; then 289 | 1>&2 echo "$CLR_LOCAL_TRUST_SRC/distrusted must be a directory." 290 | print_verbose_error \ 291 | "${CLR_LOCAL_TRUST_SRC}/trusted is a directory used by ${BASENAME} to store" \ 292 | " trusted root CA certificates." 293 | return $EBADST 294 | fi 295 | if [ -e "${CLR_LOCAL_TRUST_SRC}/trusted" ] && [ ! -d "${CLR_LOCAL_TRUST_SRC}/trusted" ]; then 296 | 1>&2 echo "$CLR_LOCAL_TRUST_SRC/trusted must be a directory." 297 | print_verbose_error \ 298 | "${CLR_LOCAL_TRUST_SRC}/distrusted is a directory used by ${BASENAME} to store" \ 299 | "distrusted root CA certificates." 300 | return $EBADST 301 | fi 302 | fi # it's OK if CLR_LOCAL_TRUST_SRC does not exist 303 | 304 | if [ -e "${CLR_CLEAR_TRUST_SRC}" ]; then 305 | for dir in "${CLR_CLEAR_TRUST_SRC}" "${CLR_CLEAR_TRUST_SRC}/trusted"; do 306 | if [ ! -d "${dir}" ]; then 307 | 1>&2 echo "${dir} must be a directory." 308 | print_verbose_error \ 309 | "${dir} is a directory which contains trust and distrust data provided by" \ 310 | " Clear: Linux. It is installed initially and updated by swupd. Remove ${dir}" \ 311 | " and run 'swupd verify --fix' to reinstall." 312 | return $EBADST 313 | fi 314 | done 315 | else # it's not OK if CLR_CLEAR_TRUST_SRC does not exist 316 | 1>&2 echo "${CLR_CLEAR_TRUST_SRC} does not exist." 317 | print_verbose_error \ 318 | "${CLR_CLEAR_TRUST_SRC} is a directory which contains trust and distrust data" \ 319 | " provided by Clear Linux. It is installed initially and updated by swupd. Run" \ 320 | " 'swupd verify --fix' to reinstall." 321 | return $EBADST 322 | fi 323 | 324 | dir=$(dirname ${CLR_TRUST_STORE}) 325 | if [ ! -e "$dir" ]; then 326 | 1>&2 echo "${dir} does not exit." 327 | fi 328 | 329 | if is_system_store; then 330 | usr="root" 331 | else 332 | usr=${USER} 333 | fi 334 | 335 | if [ -z ${usr} ]; then 336 | # this is most likely means mock build, but even if not the checks below 337 | # do not apply if the variable is not set 338 | return 0 339 | fi 340 | 341 | stat=($(stat -L -c "0%a %G %U" "$dir")) 342 | if [ $? -ne 0 ]; then 343 | return $EERR 344 | fi 345 | ownusr=${stat[2]} 346 | owngrp=${stat[1]} 347 | perm=${stat[0]} 348 | 349 | if [ "$ownusr" = "$usr" ] && (( $perm & 0200 )); then 350 | true 351 | elif (( $perm & 0002 )); then 352 | true 353 | elif (( $perm & 0020 )); then 354 | grps=$(groups $usr) 355 | found=0 356 | for g in $grps; do 357 | if [ $g = $owngrp ]; then 358 | found=1 359 | fi 360 | done 361 | if [ $found -ne 1 ]; then 362 | 1>&2 echo "${dir} is not writeable for ${usr}." 363 | print_verbose_error \ 364 | "${dir} must be writeable: the store will be generated at ${CLR_TRUST_STORE}" 365 | return $EPERM 366 | fi 367 | else 368 | 1>&2 echo "${dir} is not writeable for ${usr}." 369 | print_verbose_error \ 370 | "${dir} must be writeable: the store will be generated at ${CLR_TRUST_STORE}" 371 | return $EPERM 372 | fi 373 | 374 | return 0 375 | } 376 | 377 | ensure_local_trust_src() { 378 | mkdir -p ${CLR_LOCAL_TRUST_SRC}/trusted \ 379 | ${CLR_LOCAL_TRUST_SRC}/distrusted \ 380 | &>/dev/null 381 | } 382 | 383 | print_generate_help() { 384 | cat <&2 cat </dev/null 2>&1); then 500 | 1>&2 echo "Error rehashing the anchors." 501 | rm -r $CLR_STORE_STAGE 502 | return $EERR 503 | fi 504 | 505 | trap sig_ignore INT HUP TERM 506 | if is_system_store && ! lock; then 507 | trap - INT HUP TERM 508 | 1>&2 cat <... 554 | 555 | -h | --help Prints this help message and exits 556 | -f | --force Force addition of the certificate if possible 557 | 558 | ... List of files containing a PEM-encoded Root CA certificate(s) 559 | EOF 560 | } 561 | 562 | cmd_add() { 563 | local files 564 | local ret 565 | local ca_certs 566 | local err 567 | local errors 568 | local opt_force=0 569 | 570 | while [ $# -gt 0 ]; do 571 | case $1 in 572 | ("-h"|"--help") 573 | print_add_help 574 | return 0 575 | ;; 576 | ("-f"|"--force") 577 | opt_force=1 578 | shift 579 | ;; 580 | (*) 581 | # first empty line will be deleted few lines later 582 | files="$files 583 | $1" 584 | shift 585 | ;; 586 | esac 587 | done 588 | 589 | # run check 590 | cmd_check 591 | ret=$? 592 | if [ $ret -ne 0 ]; then 593 | return $ret 594 | fi 595 | 596 | if [ -z "$files" ]; then 597 | 1>&2 echo "Specify certificate(s) to add." 598 | print_add_help 599 | return $EINVAL 600 | fi 601 | 602 | ensure_local_trust_src 603 | 604 | files=$(echo "$files" | sed -e '1d') 605 | ca_certs=$(find_all_certs) 606 | if [ $? -eq 2 ]; then 607 | ca_certs=$(filter_bad_certs "$ca_certs") 608 | ret=$EBADST 609 | fi 610 | distrusted_certs=$(find_certs $CLR_LOCAL_TRUST_SRC/distrusted) 611 | if [ $? -eq 2 ]; then 612 | distrusted_certs=$(filter_bad_certs "$distrusted_certs") 613 | ret=$EBADST 614 | fi 615 | 616 | err=$(mktemp) 617 | tmp=$(mktemp) 618 | 619 | trap sig_ignore INT HUP TERM 620 | 621 | echo "$files" | while read f; do 622 | if [ ! -f "$f" ]; then 623 | 1>&2 echo "No such file $f. Skipping..." 624 | continue 625 | fi 626 | if ! is_single_cert "$f"; then 627 | 1>&2 echo "$f must contain single certificate. Skipping..." 628 | continue 629 | fi 630 | finger=$(openssl x509 -in "${f}" -noout -fingerprint -SHA1 2>$tmp) 631 | if [ $? -ne 0 ]; then 632 | 1>&2 echo "$f is not a PEM-encoded X.509 certificate. Skipping..." 633 | cat $tmp 634 | continue 635 | fi 636 | finger=${finger#SHA1 Fingerprint=} 637 | if ! is_root_ca "${f}" && [ $opt_force -ne 1 ]; then 638 | 1>&2 cat </dev/null 2>&1; then 645 | cp "${f}" $CLR_LOCAL_TRUST_SRC/trusted 646 | else 647 | # if it's among trusted certs, check if it's distrusted. if so, 648 | # "adding" it then is removing it from distrusted before the next 649 | # store generation 650 | distrusted_f=$(echo "${distrusted_certs}" | grep "$finger" | cut -f 1) 651 | if [ -n "${distrusted_f}" ]; then 652 | rm "${distrusted_f}" 653 | else 654 | cat <$err 661 | trap - INT HUP TERM 662 | errors=$(cat $err) 663 | if [ -n "${errors}" ]; then 664 | # if some files had errors, return error exit code 665 | ret=$EERR 666 | 1>&2 cat $err 667 | else 668 | ret=0 669 | fi 670 | rm $tmp $err 671 | cmd_generate -s 672 | return $ret 673 | } 674 | 675 | print_list_help() { 676 | cat < 683 | File: 684 | Authority: 685 | Expires: 686 | EOF 687 | } 688 | 689 | cmd_list() { 690 | local certs 691 | local info 692 | local indent 693 | local err 694 | 695 | while [ $# -gt 0 ]; do 696 | case $1 in 697 | ("-h"|"--help") 698 | print_list_help 699 | return 0 700 | ;; 701 | (*) 702 | print_list_help 703 | return $EINVAL 704 | ;; 705 | esac 706 | shift 707 | done 708 | # 4 spaces for sed 709 | indent="\ \ \ \ " 710 | if [ ! -d ${CLR_TRUST_STORE}/anchors ]; then 711 | 1>&2 echo "${CLR_TRUST_STORE} is not a trust store." \ 712 | " Use ${BASENAME} generate to create the store." 713 | return $EERR 714 | fi 715 | certs=$(find ${CLR_TRUST_STORE}/anchors -maxdepth 1 -type f | LC_COLLATE=C sort) 716 | if [ -z "${certs}" ]; then 717 | print_verbose_error "Nothing is trusted. No anchors found in ${CLR_TRUST_STORE}." 718 | return 0 719 | fi 720 | 721 | echo "$certs" | while read f; do 722 | info=$(openssl x509 -in "${f}" -noout -fingerprint -SHA1 -issuer -enddate) 723 | if [ $? -ne 0 ]; then 724 | 1>&2 echo "${f} is not an X.509 certificate." 725 | fi 726 | info=$(echo "$info" | \ 727 | sed -e "s/^SHA1 Fingerprint=/id: /" \ 728 | -e "2i${indent}File: ${f}" \ 729 | -e "s/^issuer=\s*/${indent}Authority: /" \ 730 | -e "s/^notAfter=\s*/${indent}Expires: /") 731 | echo "$info" 732 | done 733 | 734 | return 0 735 | } 736 | 737 | print_remove_help() { 738 | cat <... 740 | 741 | Distrusts specified Certificate Authorities. Each CA can be represented 742 | either by a file containing PEM-encoded X.509 certificate or an id as 743 | obtained from the list command. 744 | 745 | -f | --force Forces removal of certificates 746 | -h | --help Prints this help message and exits 747 | 748 | ... List of files and/or ids to remove from the store 749 | EOF 750 | } 751 | 752 | cmd_remove() { 753 | local files 754 | local ids 755 | local err 756 | local out 757 | local invld_files 758 | local certs 759 | local opt_force 760 | local ret 761 | 762 | while [ $# -gt 0 ]; do 763 | case $1 in 764 | ("-h"|"--help") 765 | print_remove_help 766 | return 0 767 | ;; 768 | ("-f"|"--force") 769 | # TODO: implement forcing 770 | opt_force=1 771 | true 772 | ;; 773 | (*) 774 | if [ -f "$1" ]; then 775 | # need newline as a separator in case filename comes with 776 | # spaces. first empty line will be deleted later. 777 | files="$files 778 | $1" 779 | else 780 | ids="$ids $1" 781 | fi 782 | ;; 783 | esac 784 | shift 785 | done 786 | 787 | # run check 788 | cmd_check 789 | ret=$? 790 | if [ $ret -ne 0 ]; then 791 | return $ret 792 | fi 793 | 794 | ensure_local_trust_src 795 | 796 | err=$(mktemp) 797 | out=$(mktemp) 798 | 799 | files=$(echo "$files" | sed -e '1d') 800 | 801 | test -n "$files" && echo "$files" | while read f; do 802 | finger=$(openssl x509 -in "${f}" -noout -fingerprint -SHA1 2>/dev/null) 803 | if [ $? -ne 0 ]; then 804 | 1>&2 echo "${f} is not an X.509 certificate." 805 | continue 806 | fi 807 | finger=${finger#SHA1 Fingerprint=} 808 | printf "%s\t%s\n" "${f}" "${finger}" 809 | done >$out 2>$err 810 | 811 | invld_files=$(cat $err) 812 | 813 | if [ -n "$invld_files" ]; then 814 | 2>&1 echo "$invld_files" 815 | ret=$EERR 816 | fi 817 | 818 | files=$(cat $out) 819 | ids=$(echo $ids && (echo "$files" | cut -f 2)) 820 | certs=$(find_all_certs) 821 | if [ $? -eq 2 ]; then 822 | certs=$(filter_bad_certs "$certs") 823 | ret=$EINVAL 824 | fi 825 | for id in $ids; do 826 | f=$(echo "$certs" | grep $id) 827 | if [ $? -eq 0 ]; then 828 | echo "$f" | cut -f 1 829 | else 830 | f=$(echo "$files" | grep $id | cut -f 1) 831 | if [ -z $f ]; then 832 | 1>&2 echo "Certificate id $id not found." 833 | else 834 | 1>&2 echo "Certificate id $id not found (file: $f)." 835 | fi 836 | fi 837 | done >$out 838 | 839 | files=$(cat $out) 840 | if [ -n "$files" ]; then 841 | echo "$files" | while read f; do 842 | if [ ! -e $CLR_LOCAL_TRUST_SRC/distrusted ]; then 843 | mkdir $CLR_LOCAL_TRUST_SRC/distrusted 844 | fi 845 | # if certificate is provided by clear trust store, distrust it, 846 | # otherwise remove it 847 | if [ $(dirname $f) = $CLR_CLEAR_TRUST_SRC/trusted ]; then 848 | cp "$f" $CLR_LOCAL_TRUST_SRC/distrusted 849 | else 850 | rm "$f" 851 | fi 852 | done 853 | cmd_generate -s 854 | else 855 | echo "Nothing to do." 856 | fi 857 | rm $err $out 858 | return $ret 859 | } 860 | 861 | print_help() { 862 | cat < [options] 864 | 865 | -v | --verbose Shows more details about execution 866 | -c | --internal-rehash Forces use of internal implementation of c_rehash 867 | -h | --help Prints this message 868 | 869 | Commands 870 | generate generates the trust store 871 | list list CAs 872 | add add trust to a CA 873 | remove remove trust to a CA 874 | restore restore trust to previously removed CA 875 | check sanity/consistency check of the trust store 876 | 877 | ${BASENAME} --help to get help on specific command. 878 | EOF 879 | } 880 | 881 | ##### GLOBAL VARS/OPTIONS 882 | COMMAND="" 883 | BASENAME=$(basename $0) # this may not work, but we don't care too much 884 | ARGS=$* 885 | 886 | if ! has_openssl; then 887 | exit $EBADST 888 | fi 889 | 890 | if ! has_p11kit; then 891 | exit $EBADST 892 | fi 893 | 894 | while [ $# -gt 0 ]; do 895 | case $1 in 896 | ("-v"|"--verbose") 897 | VERBOSE=1 898 | shift 899 | continue 900 | ;; 901 | ("-h"|"--help") 902 | print_help 903 | exit 0 904 | ;; 905 | ("-c"|"--internal-rehash") 906 | INTERNAL_C_REHASH=1 907 | shift 908 | continue 909 | ;; 910 | (*) 911 | COMMAND=$1 912 | shift 913 | ;; 914 | esac 915 | if [ -n "$COMMAND" ]; then 916 | break 917 | fi 918 | done 919 | 920 | detect_c_rehash 921 | 922 | case $COMMAND in 923 | ("generate"|"add"|"remove"|"restore") 924 | # must be root if writing to the default location 925 | if is_system_store; then 926 | is_root || exit $EPERM 927 | fi 928 | ;; 929 | esac 930 | 931 | case $COMMAND in 932 | ("generate") 933 | cmd_generate "$@" 934 | exit $? 935 | ;; 936 | ("add") 937 | cmd_add "$@" 938 | exit $? 939 | ;; 940 | ("list") 941 | cmd_list "$@" 942 | exit $? 943 | ;; 944 | ("remove") 945 | cmd_remove "$@" 946 | exit $? 947 | ;; 948 | ("check") 949 | cmd_check "$@" 950 | exit $? 951 | ;; 952 | ("restore") 953 | 1>&2 echo "$COMMAND not yet supported." 954 | exit $EINVAL 955 | ;; 956 | (*) 957 | if [ -n "$COMMAND" ]; then 958 | 1>&2 echo "Command not understood: ${COMMAND}" 959 | fi 960 | print_help 961 | exit $EINVAL 962 | ;; 963 | esac 964 | 965 | # vim: si:noai:nocin:tw=80:sw=4:ts=4:et:nu 966 | --------------------------------------------------------------------------------