wrouesnel · October 5, 2023 21:12
diff --git a/certificate-normalize.sh b/certificate-normalize.sh
 #!/bin/bash
 # See: https://stackoverflow.com/questions/59895/how-to-get-the-source-directory-of-a-bash-script-from-within-the-script-itself
 # Note: you can't refactor this out: its at the top of every script so the scripts can find their includes.
 SOURCE="${BASH_SOURCE[0]}"
 while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
  DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"
  SOURCE="$(readlink "$SOURCE")"
  [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
 done
 SCRIPT_DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"

 function log() {
  echo "$*" 1>&2
 }

 function fatal() {
  echo "$*" 1>&2
  exit 1
 }

 pushd "$SCRIPT_DIR" >/dev/null 2>&1 || fatal "Could not change dir"

 for cmd in "find" "openssl" "cp" "mkdir"; do
  if ! command -v "$cmd"; then
    fatal "$cmd command not found"
  fi
 done

 # Copies the certificates back and forth to ensure we wind up with one of
 # each format.

 mkdir "der" "pfx"

 while read -r infile; do 
    inbase="$(basename "$infile")"
    if ! openssl x509 -outform der -in "$infile" -out "der/${inbase%.*}.der"; then
      fatal "Failed writing DER form"
    fi
    if ! openssl pkcs12 -passout pass: -export -out "pfx/${inbase%.*}.pfx" -nokeys -in "$infile"; then
      fatal "Failed writing pfx form"
    fi
 done < <(find pem -type f)

 # Build the unified pem
 find pem -type f -exec cat {} + > ca-certificates.crt

 # Build a subroot with a common set of locations to overwrite
 mkdir root

 # This list pulled from Go source code
 bundle_locations=(\
 "/etc/ssl/certs/ca-certificates.crt" \
 "/etc/pki/tls/certs/ca-bundle.crt" \
 "/etc/ssl/ca-bundle.pem" \
 "/etc/pki/tls/cacert.pem" \
 "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" \
 "/etc/ssl/cert.pem" \
 )
    
 for path in "${bundle_locations[@]}"; do
  mkdir -p "root/$(dirname "${path}")"
  cp -f "ca-certificates.crt" "root/${path}"
 done

 exit 0
	#!/bin/bash
	# See: https://stackoverflow.com/questions/59895/how-to-get-the-source-directory-of-a-bash-script-from-within-the-script-itself
	# Note: you can't refactor this out: its at the top of every script so the scripts can find their includes.
	SOURCE="${BASH_SOURCE[0]}"
	while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
	DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"
	SOURCE="$(readlink "$SOURCE")"
	[[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
	done
	SCRIPT_DIR="$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )"

	function log() {
	echo "$*" 1>&2
	}

	function fatal() {
	echo "$*" 1>&2
	exit 1
	}

	pushd "$SCRIPT_DIR" >/dev/null 2>&1 \|\| fatal "Could not change dir"

	for cmd in "find" "openssl" "cp" "mkdir"; do
	if ! command -v "$cmd"; then
	fatal "$cmd command not found"
	fi
	done

	# Copies the certificates back and forth to ensure we wind up with one of
	# each format.

	mkdir "der" "pfx"

	while read -r infile; do
	inbase="$(basename "$infile")"
	if ! openssl x509 -outform der -in "$infile" -out "der/${inbase%.*}.der"; then
	fatal "Failed writing DER form"
	fi
	if ! openssl pkcs12 -passout pass: -export -out "pfx/${inbase%.*}.pfx" -nokeys -in "$infile"; then
	fatal "Failed writing pfx form"
	fi
	done < <(find pem -type f)

	# Build the unified pem
	find pem -type f -exec cat {} + > ca-certificates.crt

	# Build a subroot with a common set of locations to overwrite
	mkdir root

	# This list pulled from Go source code
	bundle_locations=(\
	"/etc/ssl/certs/ca-certificates.crt" \
	"/etc/pki/tls/certs/ca-bundle.crt" \
	"/etc/ssl/ca-bundle.pem" \
	"/etc/pki/tls/cacert.pem" \
	"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" \
	"/etc/ssl/cert.pem" \
	)

	for path in "${bundle_locations[@]}"; do
	mkdir -p "root/$(dirname "${path}")"
	cp -f "ca-certificates.crt" "root/${path}"
	done

	exit 0