bin: add support for libressl

raggi · raggi · commit 35c3673ae917 · 2016-09-20T22:20:23.000-07:00
diff --git a/README.md b/README.md
@@ -1,8 +1,11 @@
-# openssl-osx-ca
+# openssl-osx-ca (and libressl-osx-ca)
 
 A simple script intended to be run from `cron(1)` to sync an openssl style CA
 pem with the certificates found in the OSX Keychain(s).
 
+The name is now a misnomer, as the software will manage certificate bundles for
+both openssl and libressl installed under Homebrew.
+
 The keychains exported to the CA bundle by default are:
  * System.keychain
  * SystemRootCertificates.keychain
diff --git a/bin/openssl-osx-ca b/bin/openssl-osx-ca
@@ -1,5 +1,9 @@
 #!/bin/bash
 
+usage() {
+	echo "$(basename $0) [--skip-login-keychain] [--skip-system-keychain] [-h|--help] [\`which brew\`]"
+}
+
 skip_system_keychain=false
 skip_login_keychain=false
 
@@ -11,9 +15,17 @@ while [ ! $# -eq 0 ]; do
 		--skip-system-keychain)
 			skip_system_keychain=true
 			;;
+		-h|--help)
+			usage
+			exit 1
+			;;
 		*brew)
 			brew=$1
 			;;
+		*)
+			echo "Unknown argument: $1" >&2
+			exit 1
+			;;
 	esac
 	shift
 done
@@ -24,53 +36,79 @@ fi
 
 if [[ ! -x "${brew}" ]]; then
 	echo "Homebrew not in PATH or given arguments, cannot continue"
+	usage
 	exit 1
 fi
 
-openssl=$($brew list openssl | grep bin/openssl | head -n 1)
+exitcode=0
+err() {
+	if [[ -d $1 ]]; then
+		rm -r "${1}"
+	fi
 
-[[ "${openssl}" = "" ]] && echo "Homebrew openssl not found" && exit 1
+	exitcode=$(($exitcode + 1))
+}
 
-c_rehash=$($brew list openssl | grep bin/c_rehash | head -n 1)
+genbundle() {
+	local sslimpl=$1
 
-[[ "${c_rehash}" = "" ]] && echo "Homebrew c_rehash (openssl) not found" && exit 1
+	local list=$($brew list $sslimpl 2>/dev/null)
+	[[ -z $list ]] && continue
 
-openssldir=$($openssl version -d | cut -d '"' -f 2)
+	local openssl=$(echo "$list" | grep bin/openssl | head -n 1)
 
-[[ "${openssldir}" = "" ]] && echo "openssl directory not found" && exit 1
+	[[ "${openssl}" = "" ]] && echo "Homebrew $sslimpl not found" && err && return 1
 
-tmpdir=$(/usr/bin/mktemp -d -t openssl_osx_ca)
+	local openssldir=$($openssl version -d | cut -d '"' -f 2)
 
-[[ "${tmpdir}" = "" ]] && echo "mktemp failed" && exit 1
+	[[ "${openssldir}" = "" ]] && echo "$sslimpl directory not found" && err && return 1
 
-certs="${tmpdir}/cert.pem"
-if ! $skip_system_keychain ; then
-	security find-certificate -a -p /Library/Keychains/System.keychain > $certs
-fi
-security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> $certs
-if [[ -f ~/Library/Keychains/login.keychain ]] && ! $skip_login_keychain ; then
-        security find-certificate -a -p  ~/Library/Keychains/login.keychain >> $certs
-fi
+	local tmpdir=$(/usr/bin/mktemp -d -t openssl_osx_ca)
 
-d1=$($openssl md5 ${openssldir}/cert.pem | awk '{print $2}')
-d2=$($openssl md5 ${tmpdir}/cert.pem | awk '{print $2}')
+	[[ "${tmpdir}" = "" ]] && echo "mktemp failed" && err "${tmpdir}" && return 1
 
-if [[ "${d1}" = "${d2}" ]]; then
-	logger -t "$(basename $0)" "${openssldir}/cert.pem up to date"
-else
-	if ! $c_rehash -- $tmpdir > /dev/null; then
-		logger -t "$(basename $0)" "${openssldir}/cert.pem updated failed, see cron"
+	local certs="${tmpdir}/cert.pem"
+	if ! $skip_system_keychain ; then
+		security find-certificate -a -p /Library/Keychains/System.keychain > $certs
+	fi
+	security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> $certs
+	if [[ -f ~/Library/Keychains/login.keychain ]] && ! $skip_login_keychain ; then
+		security find-certificate -a -p  ~/Library/Keychains/login.keychain >> $certs
+	fi
 
-		echo "rehash failed to verify, something is wrong"
-		echo "check ${tmpdir}/cert.pem for problems"
-		exit 1
+	d1=$($openssl md5 ${openssldir}/cert.pem | awk '{print $2}')
+	d2=$($openssl md5 ${tmpdir}/cert.pem | awk '{print $2}')
+
+	if [[ "${d1}" = "${d2}" ]]; then
+		logger -t "$(basename $0)" "${openssldir}/cert.pem up to date"
+	else
+
+		# Note: there's no c_rehash bundled with libressl, the bundle is still
+		# produced, so carry on as normal and just produce a bundle in the standard
+		# location.
+		local c_rehash=$(echo "$list" | grep bin/c_rehash | head -n 1)
+		if [[ -n $c_rehash ]]; then
+			if ! $c_rehash -- $tmpdir > /dev/null; then
+				logger -t "$(basename $0)" "${openssldir}/cert.pem updated failed, see cron"
+
+				echo "rehash failed to verify, something is wrong"
+				echo "check ${tmpdir}/cert.pem for problems"
+				err "${tmpdir}" && return 1
+			fi
+		fi
+
+		# XXX: I don't think this is atomic on OSX, but it's as close as we're going to
+		# get without a lot more work.
+		mv -f ${tmpdir}/* ${openssldir}/
+
+		logger -t "$(basename $0)" "${openssldir}/cert.pem updated"
 	fi
 
-	# XXX: I don't think this is atomic on OSX, but it's as close as we're going to
-	# get without a lot more work.
-	mv -f ${tmpdir}/* ${openssldir}/
+	rm -r "${tmpdir}"
+}
 
-	logger -t "$(basename $0)" "${openssldir}/cert.pem updated"
-fi
+for sslimpl in openssl libressl; do
+	genbundle $sslimpl
+done
 
-rm -r "${tmpdir}"
+exit $exitcode
