generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

RT2272: Add old-style hash to c_rehash

Browse Source 
In addition to Matthias's change, I also added -n to
not remove links. And updated the manpage.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a787c2590e468585a1a19738e0c7f481ec91b762)
This commit is contained in:
Matthias Andree 2014-09-07 18:45:02 -04:00 committed by Rich Salz
parent f28c48d07e
commit ef720a67ab
2 changed files with 91 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
doc/apps/c_rehash.pod
View File

@ -10,6 +10,10 @@ c_rehash - Create symbolic links to files named by the hash values
=head1 SYNOPSIS =head1 SYNOPSIS
B<c_rehash> B<c_rehash>
B<[-old]>
B<[-h]>
B<[-n]>
B<[-v]>
[ I<directory>...] [ I<directory>...]
=head1 DESCRIPTION =head1 DESCRIPTION
@ -18,6 +22,7 @@ B<c_rehash> scans directories and calculates a hash value of each
C<.pem>, C<.crt>, C<.cer>, or C<.crl> C<.pem>, C<.crt>, C<.cer>, or C<.crl>
file in the specified directory list and creates symbolic links file in the specified directory list and creates symbolic links
for each file, where the name of the link is the hash value. for each file, where the name of the link is the hash value.
(If the platform does not support symbolic links, a copy is made.)
This utility is useful as many programs that use OpenSSL require This utility is useful as many programs that use OpenSSL require
directories to be set up like this in order to find certificates. directories to be set up like this in order to find certificates.
@ -35,6 +40,7 @@ is a hexadecimal character and B<D> is a single decimal digit.
When processing a directory, B<c_rehash> will first remove all links When processing a directory, B<c_rehash> will first remove all links
that have a name in that syntax. If you have links in that format that have a name in that syntax. If you have links in that format
used for other purposes, they will be removed. used for other purposes, they will be removed.
To skip the removal step, use the B<-n> flag.
Hashes for CRL's look similar except the letter B<r> appears after Hashes for CRL's look similar except the letter B<r> appears after
the period, like this: C<HHHHHHHH.rD>. the period, like this: C<HHHHHHHH.rD>.
@ -52,13 +58,39 @@ B<OPENSSL> environment variable to the full pathname.
Any program can be used, it will be invoked as follows for either Any program can be used, it will be invoked as follows for either
a certificate or CRL: a certificate or CRL:
$OPENSSL x509 -hash -fingerprint -noout -in FFFFFF $OPENSSL x509 -hash -fingerprint -noout -in FILENAME
$OPENSSL crl -hash -fingerprint -noout -in FFFFFF $OPENSSL crl -hash -fingerprint -noout -in FILENAME
where B<FFFFFF> is the filename. It must output the hash of the where B<FILENAME> is the filename. It must output the hash of the
file on the first line, and the fingerprint on the second, file on the first line, and the fingerprint on the second,
optionally prefixed with some text and an equals sign. optionally prefixed with some text and an equals sign.
=head1 OPTIONS
=over 4
=item B<-old>
Use old-style hashing (MD5, as opposed to SHA-1) for generating
links for releases before 1.0.0. Note that current versions will
not use the old style.
=item B<-h>
Display a brief usage message.
=item B<-n>
Do not remove existing links.
This is needed when keeping new and old-style links in the same directory.
=item B<-v>
Print messages about old links removed and new links created.
By default, B<c_rehash> only lists each directory as it is processed.
=back
=head1 ENVIRONMENT =head1 ENVIRONMENT
=over =over

82
tools/c_rehash.in
View File

@ -1,31 +1,58 @@
#!/usr/local/bin/perl #!/usr/local/bin/perl
# Perl c_rehash script, scan all files in a directory # Perl c_rehash script, scan all files in a directory
# and add symbolic links to their hash values. # and add symbolic links to their hash values.
my $openssl;
my $dir; my $dir;
my $prefix; my $prefix;
if(defined $ENV{OPENSSL}) { my $openssl = $ENV{OPENSSL} || "openssl";
$openssl = $ENV{OPENSSL}; my $pwd;
} else { my $x509hash = "-subject_hash";
$openssl = "openssl"; my $crlhash = "-hash";
$ENV{OPENSSL} = $openssl; my $verbose = 0;
my $symlink_exists=eval {symlink("",""); 1};
my $removelinks = 1;
## Parse flags.
while ( $ARGV[0] =~ '-.*' ) {
my $flag = shift @ARGV;
last if ( $flag eq '--');
if ( $flag =~ /-old/) {
$x509hash = "-subject_hash_old";
$crlhash = "-hash_old";
} elsif ( $flag =~ /-h/) {
help();
} elsif ( $flag eq '-n' ) {
$removelinks = 0;
} elsif ( $flag eq '-v' ) {
$verbose++;
}
else {
print STDERR "Usage error; try -help.\n";
exit 1;
}
}
sub help {
print "Usage: c_rehash [-old] [-h] [-v] [dirs...]\n";
print " -old use old-style digest\n";
print " -h print this help text\n";
print " -v print files removed and linked\n";
exit 0;
} }
my $pwd;
eval "require Cwd"; eval "require Cwd";
if (defined(&Cwd::getcwd)) { if (defined(&Cwd::getcwd)) {
$pwd=Cwd::getcwd(); $pwd=Cwd::getcwd();
} else { } else {
$pwd=`pwd`; chomp($pwd); $pwd=`pwd`;
chomp($pwd);
} }
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path # DOS/Win32 or Unix delimiter? Prefix our installdir, then search.
my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':';
$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : "");
if(! -x $openssl) { if(! -x $openssl) {
my $found = 0; my $found = 0;
@ -66,16 +93,19 @@ sub hash_dir {
my %hashlist; my %hashlist;
print "Doing $_[0]\n"; print "Doing $_[0]\n";
chdir $_[0]; chdir $_[0];
opendir(DIR, "."); if ( $removelinks ) {
my @flist = readdir(DIR); opendir(DIR, ".");
# Delete any existing symbolic links my @flist = readdir(DIR);
foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { closedir DIR;
if(-l $_) { # Delete any existing symbolic links
unlink $_; foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
if(-l $_) {
unlink $_;
print "unlink $_" if $verbose;
}
} }
} }
closedir DIR; FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
FILE: foreach $fname (grep {/\.(pem|crt|cer|crl)$/} @flist) {
# Check to see if certificates and/or CRLs present. # Check to see if certificates and/or CRLs present.
my ($cert, $crl) = check_file($fname); my ($cert, $crl) = check_file($fname);
if(!$cert && !$crl) { if(!$cert && !$crl) {
@ -117,7 +147,7 @@ sub check_file {
sub link_hash_cert { sub link_hash_cert {
my $fname = $_[0]; my $fname = $_[0];
$fname =~ s/'/'\\''/g; $fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" x509 -hash -fingerprint -noout -in "$fname"`; my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
chomp $hash; chomp $hash;
chomp $fprint; chomp $fprint;
$fprint =~ s/^.*=//; $fprint =~ s/^.*=//;
@ -133,16 +163,16 @@ sub link_hash_cert {
$suffix++; $suffix++;
} }
$hash .= ".$suffix"; $hash .= ".$suffix";
print "$fname => $hash\n";
$symlink_exists=eval {symlink("",""); 1};
if ($symlink_exists) { if ($symlink_exists) {
symlink $fname, $hash; symlink $fname, $hash;
print "link $fname -> $hash\n" if $verbose;
} else { } else {
open IN,"<$fname" or die "can't open $fname for read"; open IN,"<$fname" or die "can't open $fname for read";
open OUT,">$hash" or die "can't open $hash for write"; open OUT,">$hash" or die "can't open $hash for write";
print OUT <IN>; # does the job for small text files print OUT <IN>; # does the job for small text files
close OUT; close OUT;
close IN; close IN;
print "copy $fname -> $hash\n" if $verbose;
} }
$hashlist{$hash} = $fprint; $hashlist{$hash} = $fprint;
} }
@ -152,7 +182,7 @@ sub link_hash_cert {
sub link_hash_crl { sub link_hash_crl {
my $fname = $_[0]; my $fname = $_[0];
$fname =~ s/'/'\\''/g; $fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
chomp $hash; chomp $hash;
chomp $fprint; chomp $fprint;
$fprint =~ s/^.*=//; $fprint =~ s/^.*=//;
@ -168,12 +198,12 @@ sub link_hash_crl {
$suffix++; $suffix++;
} }
$hash .= ".r$suffix"; $hash .= ".r$suffix";
print "$fname => $hash\n";
$symlink_exists=eval {symlink("",""); 1};
if ($symlink_exists) { if ($symlink_exists) {
symlink $fname, $hash; symlink $fname, $hash;
print "link $fname -> $hash\n" if $verbose;
} else { } else {
system ("cp", $fname, $hash); system ("cp", $fname, $hash);
print "cp $fname -> $hash\n" if $verbose;
} }
$hashlist{$hash} = $fprint; $hashlist{$hash} = $fprint;
} }