xref: /src/usr.sbin/certctl/certctl.sh

#!/bin/sh

#	$NetBSD: certctl.sh,v 1.7 2024/03/04 20:37:31 riastradh Exp $
#
# Copyright (c) 2023 The NetBSD Foundation, Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

set -o pipefail
set -Ceu

progname=${0##*/}

### Options and arguments

usage()
{
	exec >&2
	printf 'Usage: %s %s\n' \
	    "$progname" \
	    "[-nv] [-C <config>] [-c <certsdir>] [-u <untrusted>]"
	printf '               <cmd> <args>...\n'
	printf '       %s list\n' "$progname"
	printf '       %s rehash\n' "$progname"
	printf '       %s trust <cert>\n' "$progname"
	printf '       %s untrust <cert>\n' "$progname"
	printf '       %s untrusted\n' "$progname"
	exit 1
}

certsdir=/etc/openssl/certs
config=/etc/openssl/certs.conf
distrustdir=/etc/openssl/untrusted
nflag=false			# dry run
vflag=false			# verbose

# Options used by FreeBSD:
#
#	-D destdir
#	-M metalog
#	-U		(unprivileged)
#	-d distbase
#
while getopts C:c:nu:v f; do
	case $f in
	C)	config=$OPTARG;;
	c)	certsdir=$OPTARG;;
	n)	nflag=true;;
	u)	distrustdir=$OPTARG;;
	v)	vflag=true;;
	\?)	usage;;
	esac
done
shift $((OPTIND - 1))

if [ $# -lt 1 ]; then
	usage
fi
cmd=$1

### Global state

config_paths=
config_manual=false
tmpfile=

# If tmpfile is set to nonempty, clean it up on exit.

trap 'test -n "$tmpfile" && rm -f "$tmpfile"' EXIT HUP INT TERM

### Subroutines

# error <msg> ...
#
#	Print an error message to stderr.
#
#	Does not exit the process.
#
error()
{
	echo "$progname:" "$@" >&2
}

# run <cmd> <args>...
#
#	Print a command if verbose, and run it unless it's a dry run.
#
run()
{
	local t q cmdline

	if $vflag; then	       # print command if verbose
		for t; do
			case $t in
			''|*[^[:alnum:]+,-./:=_@]*)
				# empty or unsafe -- quotify
				;;
			*)
				# nonempty and safe-only -- no quotify
				cmdline="${cmdline:+$cmdline }$t"
				continue
				;;
			esac
			q=$(printf '%s' "$t" | sed -e "s/'/'\\\''/g'")
			cmdline="${cmdline:+$cmdline }'$q'"
		done
		printf '%s\n' "$cmdline"
	fi
	if ! $nflag; then	# skip command if dry run
		"$@"
	fi
}

# configure
#
#	Parse the configuration file, initializing config_*.
#
configure()
{
	local lineno status formatok vconfig line contline op path vpath vop

	# Count line numbers, record a persistent error status to
	# return at the end, and record whether we got a format line.
	lineno=0
	status=0
	formatok=false

	# vis the config name for terminal-safe error messages.
	vconfig=$(printf '%s' "$config" | vis -M)

	# Read and process each line of the config file.
	while read -r line; do
		lineno=$((lineno + 1))

		# If the line ends in an odd number of backslashes, it
		# has a continuation line, so read on.
		while expr "$line" : '^\(\\\\\)*\\' >/dev/null ||
		    expr "$line" : '^.*[^\\]\(\\\\\)*\\$' >/dev/null; do
			if ! read -r contline; then
				error "$vconfig:$lineno: premature end of file"
				return 1
			fi
			line="$line$contline"
		done

		# Skip blank lines and comments.
		case $line in
		''|'#'*)
			continue
			;;
		esac

		# Require the first non-blank/comment line to identify
		# the config file format.
		if ! $formatok; then
			if [ "$line" = "netbsd-certctl 20230816" ]; then
				formatok=true
				continue
			else
				error "$vconfig:$lineno: missing format line"
				status=1
				break
			fi
		fi

		# Split the line into words and dispatch on the first.
		set -- $line
		op=$1
		case $op in
		manual)
			config_manual=true
			;;
		path)
			if [ $# -lt 2 ]; then
				error "$vconfig:$lineno: missing path"
				status=1
				continue
			fi
			if [ $# -gt 3 ]; then
				error "$vconfig:$lineno: excess args"
				status=1
				continue
			fi

			# Unvis the path.  Hack: if the user has had
			# the audacity to choose a path ending in
			# newlines, prevent the shell from consuming
			# them so we don't choke on their subterfuge.
			path=$(printf '%s.' "$2" | unvis)
			path=${path%.}

			# Ensure the path is absolute.  It is unclear
			# what directory it should be relative to if
			# not.
			case $path in
			/*)
				;;
			*)
				error "$vconfig:$lineno:" \
				    "relative path forbidden"
				status=1
				continue
				;;
			esac

			# Record the vis-encoded path in a
			# space-separated list.
			vpath=$(printf '%s' "$path" | vis -M)
			config_paths="$config_paths $vpath"
			;;
		*)
			vop=$(printf '%s' "$op" | vis -M)
			error "$vconfig:$lineno: unknown command: $vop"
			;;
		esac
	done <$config || status=$?

	return $status
}

# list_default_trusted
#
#	List the vis-encoded certificate paths and their base names,
#	separated by a space, for the certificates that are trusted by
#	default according to the configuration.
#
#	No order guaranteed; caller must sort.
#
list_default_trusted()
{
	local vpath path cert base vcert vbase

	for vpath in $config_paths; do
		path=$(printf '%s.' "$vpath" | unvis)
		path=${path%.}

		# Enumerate the .pem, .cer, and .crt files.
		for cert in "$path"/*.pem "$path"/*.cer "$path"/*.crt; do
			# vis the certificate path.
			vcert=$(printf '%s' "$cert" | vis -M)

			# If the file doesn't exist, then either:
			#
			# (a) it's a broken symlink, so fail;
			# or
			# (b) the shell glob failed to match,
			#     so ignore it and move on.
			if [ ! -e "$cert" ]; then
				if [ -h "$cert" ]; then
					error "broken symlink: $vcert"
					status=1
				fi
				continue
			fi

			# Print the vis-encoded absolute path to the
			# certificate and base name on a single line.
			vbase=${vcert##*/}
			printf '%s %s\n' "$vcert" "$vbase"
		done
	done
}

# list_distrusted
#
#	List the vis-encoded certificate paths and their base names,
#	separated by a space, for the certificates that have been
#	distrusted by the user.
#
#	No order guaranteed; caller must sort.
#
list_distrusted()
{
	local status link vlink cert vcert

	status=0

	for link in "$distrustdir"/*; do
		# vis the link for terminal-safe error messages.
		vlink=$(printf '%s' "$link" | vis -M)

		# The distrust directory must only have symlinks to
		# certificates.  If we find a non-symlink, print a
		# warning and arrange to fail.
		if [ ! -h "$link" ]; then
			if [ ! -e "$link" ] && \
			    [ "$link" = "$distrustdir/*" ]; then
				# Shell glob matched nothing -- just
				# ignore it.
				break
			fi
			error "distrusted non-symlink: $vlink"
			status=1
			continue
		fi

		# Read the target of the symlink, nonrecursively.  If
		# the user has had the audacity to make a symlink whose
		# target ends in newline, prevent the shell from
		# consuming them so we don't choke on their subterfuge.
		cert=$(readlink -n -- "$link" && printf .)
		cert=${cert%.}

		# Warn if the target is relative.  Although it is clear
		# what directory it would be relative to, there might
		# be issues with canonicalization.
		case $cert in
		/*)
			;;
		*)
			vlink=$(printf '%s' "$link" | vis -M)
			vcert=$(printf '%s' "$cert" | vis -M)
			error "distrusted relative symlink: $vlink -> $vcert"
			;;
		esac

		# Print the vis-encoded absolute path to the
		# certificate and base name on a single line.
		vcert=$(printf '%s' "$cert" | vis -M)
		vbase=${vcert##*/}
		printf '%s %s\n' "$vcert" "$vbase"
	done

	return $status
}

# list_trusted
#
#	List the trusted certificates, excluding the distrusted one, as
#	one vis(3) line per certificate.  Reject duplicate base names,
#	since we will be creating symlinks to the same base names in
#	the certsdir.  Sorted lexicographically by vis-encoding.
#
list_trusted()
{

	# XXX Use dev/ino to match files instead of symlink targets?

	{
		list_default_trusted \
		| while read -r vcert vbase; do
			printf 'trust %s %s\n' "$vcert" "$vbase"
		done

		# XXX Find a good way to list the default-untrusted
		# certificates, so if you have already distrusted one
		# and it is removed from default-trust on update,
		# nothing warns about this.

		# list_default_untrusted \
		# | while read -r vcert vbase; do
		# 	printf 'distrust %s %s\n' "$vcert" "$vbase"
		# done

		list_distrusted \
		| while read -r vcert vbase; do
			printf 'distrust %s %s\n' "$vcert" "$vbase"
		done
	} | awk -v progname="$progname" '
		BEGIN			{ status = 0 }
		$1 == "trust" && $3 in trust && $2 != trust[$3] {
			printf "%s: duplicate base name %s\n  %s\n  %s\n", \
			    progname, $3, trust[$3], $2 >"/dev/stderr"
			status = 1
			next
		}
		$1 == "trust"		{ trust[$3] = $2 }
		$1 == "distrust" && !trust[$3] && !distrust[$3] {
			printf "%s: distrusted certificate not found: %s\n", \
			    progname, $3 >"/dev/stderr"
			status = 1
		}
		$1 == "distrust" && $2 in trust && $2 != trust[$3] {
			printf "%s: distrusted certificate %s" \
			    " has multiple paths\n" \
			    "  %s\n  %s\n",
			    progname, $3, trust[$3], $2 >"/dev/stderr"
			status = 1
		}
		$1 == "distrust"	{ distrust[$3] = 1 }
		END			{
			for (vbase in trust) {
				if (!distrust[vbase])
					print trust[vbase]
			}
			exit status
		}
	' | sort -u
}

# rehash
#
#	Delete and rebuild certsdir.
#
rehash()
{
	local vcert cert certbase hash counter bundle vbundle

	# If manual operation is enabled, refuse to rehash the
	# certsdir, but succeed anyway so this can safely be used in
	# automated scripts.
	if $config_manual; then
		error "manual certificates enabled, not rehashing"
		return
	fi

	# Delete the active certificates symlink cache, if either it is
	# empty or nonexistent, or it is tagged for use by certctl.
	if [ -f "$certsdir/.certctl" ]; then
		# Directory exists and is managed by certctl(8).
		# Safe to delete it and everything in it.
		run rm -rf -- "$certsdir"
	elif [ -h "$certsdir" ]; then
		# Paranoia: refuse to chase a symlink.  (Caveat: this
		# is not secure against an adversary who can recreate
		# the symlink at any time.  Just a helpful check for
		# mistakes.)
		error "certificates directory is a symlink"
		return 1
	elif [ ! -e "$certsdir" ]; then
		# Directory doesn't exist at all.  Nothing to do!
		:
	elif [ ! -d "$certsdir" ]; then
		error "certificates directory is not a directory"
		return 1
	elif ! find -f "$certsdir" -- -maxdepth 0 -type d -empty -exit 1; then
		# certsdir exists, is a directory, and is empty.  Safe
		# to delete it with rmdir and take it over.
		run rmdir -- "$certsdir"
	else
		error "existing certificates; set manual or move them"
		return 1
	fi
	run mkdir -- "$certsdir"
	if $vflag; then
		printf '# initialize %s\n' "$certsdir"
	fi
	if ! $nflag; then
		printf 'This directory is managed by certctl(8).\n' \
		    >$certsdir/.certctl
	fi

	# Create a temporary file for the single-file bundle.  This
	# will be automatically deleted on normal exit or
	# SIGHUP/SIGINT/SIGTERM.
	if ! $nflag; then
		tmpfile=$(mktemp -t "$progname.XXXXXX")
	fi

	# Recreate symlinks for all of the trusted certificates.
	list_trusted \
	| while read -r vcert; do
		cert=$(printf '%s.' "$vcert" | unvis)
		cert=${cert%.}
		run ln -s -- "$cert" "$certsdir"

		# Add the certificate to the single-file bundle.
		if ! $nflag; then
			cat -- "$cert" >>$tmpfile
		fi
	done

	# Hash the directory with openssl.
	#
	# XXX Pass `-v' to openssl in a way that doesn't mix with our
	# shell-safe verbose commands?  (Need to handle `-n' too.)
	run openssl rehash -- "$certsdir"

	# Install the single-file bundle.
	bundle=$certsdir/ca-certificates.crt
	vbundle=$(printf '%s' "$bundle" | vis -M)
	$vflag && printf '# create %s\n' "$vbundle"
	if ! $nflag; then
		(umask 0022; cat <$tmpfile >${bundle}.tmp)
		mv -f -- "${bundle}.tmp" "$bundle"
		rm -f -- "$tmpfile"
		tmpfile=
	fi
}

### Commands

usage_list()
{
	exec >&2
	printf 'Usage: %s list\n' "$progname"
	exit 1
}
cmd_list()
{
	test $# -eq 1 || usage_list

	configure

	list_trusted \
	| while read -r vcert vbase; do
		printf '%s\n' "$vcert"
	done
}

usage_rehash()
{
	exec >&2
	printf 'Usage: %s rehash\n' "$progname"
	exit 1
}
cmd_rehash()
{
	test $# -eq 1 || usage_rehash

	configure

	rehash
}

usage_trust()
{
	exec >&2
	printf 'Usage: %s trust <cert>\n' "$progname"
	exit 1
}
cmd_trust()
{
	local cert vcert certbase vcertbase

	test $# -eq 2 || usage_trust
	cert=$2

	configure

	# XXX Accept base name.

	# vis the certificate path for terminal-safe error messages.
	vcert=$(printf '%s' "$cert" | vis -M)

	# Verify the certificate actually exists.
	if [ ! -f "$cert" ]; then
		error "no such certificate: $vcert"
		return 1
	fi

	# Verify we currently distrust a certificate by this base name.
	certbase=${cert##*/}
	if [ ! -h "$distrustdir/$certbase" ]; then
		error "not currently distrusted: $vcert"
		return 1
	fi

	# Verify the certificate we distrust by this base name is the
	# same one.
	target=$(readlink -n -- "$distrustdir/$certbase" && printf .)
	target=${target%.}
	if [ "$cert" != "$target" ]; then
		vcertbase=${vcert##*/}
		error "distrusted $vcertbase does not point to $vcert"
		return 1
	fi

	# Remove the link from the distrusted directory, and rehash --
	# quietly, so verbose output emphasizes the distrust part and
	# not the whole certificate set.
	run rm -- "$distrustdir/$certbase"
	$vflag && echo '# rehash'
	vflag=false
	rehash
}

usage_untrust()
{
	exec >&2
	printf 'Usage: %s untrust <cert>\n' "$progname"
	exit 1
}
cmd_untrust()
{
	local cert vcert certbase vcertbase target vtarget

	test $# -eq 2 || usage_untrust
	cert=$2

	configure

	# vis the certificate path for terminal-safe error messages.
	vcert=$(printf '%s' "$cert" | vis -M)

	# Verify the certificate actually exists.  Otherwise, you might
	# fail to distrust a certificate you intended to distrust,
	# e.g. if you made a typo in its path.
	if [ ! -f "$cert" ]; then
		error "no such certificate: $vcert"
		return 1
	fi

	# Check whether this certificate is already distrusted.
	# - If the same base name points to the same path, stop here.
	# - Otherwise, fail noisily.
	certbase=${cert##*/}
	if [ -h "$distrustdir/$certbase" ]; then
		target=$(readlink -n -- "$distrustdir/$certbase" && printf .)
		target=${target%.}
		if [ "$target" = "$cert" ]; then
			$vflag && echo '# already distrusted'
			return
		fi
		vcertbase=$(printf '%s' "$certbase" | vis -M)
		vtarget=$(printf '%s' "$target" | vis -M)
		error "distrusted $vcertbase at different path $vtarget"
		return 1
	fi

	# Create the distrustdir if needed, create a symlink in it, and
	# rehash -- quietly, so verbose output emphasizes the distrust
	# part and not the whole certificate set.
	test -d "$distrustdir" || run mkdir -- "$distrustdir"
	run ln -s -- "$cert" "$distrustdir"
	$vflag && echo '# rehash'
	vflag=false
	rehash
}

usage_untrusted()
{
	exec >&2
	printf 'Usage: %s untrusted\n' "$progname"
	exit 1
}
cmd_untrusted()
{
	test $# -eq 1 || usage_untrusted

	configure

	list_distrusted \
	| while read -r vcert vbase; do
		printf '%s\n' "$vcert"
	done
}

### Main

# We accept the following aliases for user interface compatibility with
# FreeBSD:
#
#	blacklist = untrust
#	blacklisted = untrusted
#	unblacklist = trust

case $cmd in
list)	cmd_list "$@"
	;;
rehash)	cmd_rehash "$@"
	;;
trust|unblacklist)
	cmd_trust "$@"
	;;
untrust|blacklist)
	cmd_untrust "$@"
	;;
untrusted|blacklisted)
	cmd_untrusted "$@"
	;;
*)	vcmd=$(printf '%s' "$cmd" | vis -M)
	printf '%s: unknown command: %s\n' "$progname" "$vcmd" >&2
	usage
	;;
esac