Install DOD Certs Linux
#!/bin/bash
# Import the DoD root/intermediate CA certificates into the Linux CA store.
# Based on: https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012
# Dependencies: openssl, curl (bundle discovery), wget (download), unzip
# Usage: add-dod-certs.sh [CERT_DIR UPDATE_CMD]  (arguments are only used
#        when the distribution cannot be detected from /etc/os-release)
# Abort on the first failing command; note that errexit does not fire for
# commands inside `if`/`&&`/`||` lists, so critical steps are checked explicitly.
set -o errexit
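#######################################
# Download the current DoD PKCS#7 bundle from DISA, split it into one PEM
# file per CA and install those into the system anchor directory.
# Globals:   ID, ID_LIKE (read from /etc/os-release)
#            DOD_BUNDLE_SHA256 (optional; expected SHA-256 of the zip)
# Arguments: $1 - CA anchor directory, $2 - store update command; both are
#            only consulted when the OS cannot be detected.
# Outputs:   progress on stdout, errors on stderr
# Returns:   exits non-zero on any failure
#######################################
main() {
  # Locate the bundle link on the DISA page. The page is fetched over HTTPS
  # (curl verifies the server certificate by default); the href itself is
  # untrusted HTML content, so it is validated before use. `grep -P` needs
  # GNU grep built with PCRE.
  local url='https://public.cyber.mil/pki-pke/pkipke-document-library/'
  local bundle
  bundle=$(curl -sL "$url" | grep -i -oP 'href="\K[^"]*dod.zip' | head -n 1) || true
  if [[ -z $bundle ]]; then
    printf 'Unable to locate the DoD certificate bundle link at %s\n' "$url" >&2
    exit 1
  fi
  # The href may be absolute or site-relative; only a relative link gets the
  # host prefix. Anything else (including plain http://) is refused rather
  # than downloaded from an unexpected origin.
  case $bundle in
    https://*) ;;
    /*) bundle="https://public.cyber.mil${bundle}" ;;
    *)
      printf 'Refusing unexpected bundle link: %s\n' "$bundle" >&2
      exit 1
      ;;
  esac

  # Pick the anchor directory and store-update command for this distribution.
  # A missing /etc/os-release falls through to the usage message instead of
  # killing the script under errexit.
  local certdir update
  if [[ -r /etc/os-release ]]; then
    # shellcheck source=/dev/null
    source /etc/os-release
  fi
  if [[ ${ID:-} =~ (fedora|rhel|centos) || ${ID_LIKE:-} =~ (fedora|rhel|centos) ]]; then
    certdir=/etc/pki/ca-trust/source/anchors
    update=update-ca-trust
  elif [[ ${ID:-} =~ (debian|ubuntu|mint) || ${ID_LIKE:-} =~ (debian|ubuntu|mint) ]]; then
    certdir=/usr/local/share/ca-certificates
    update=update-ca-certificates
  else
    certdir=${1:-}
    update=${2:-}
  fi
  [[ -n $certdir && -n $update ]] || {
    echo 'Unable to autodetect OS using /etc/os-release.' >&2
    echo 'Please provide CA certificate directory and update command.' >&2
    echo 'Example: add-dod-certs.sh /cert/store/location update-cmd' >&2
    exit 1
  }
  if [[ ! -d $certdir || ! -w $certdir ]]; then
    printf 'Certificate directory %s is missing or not writable (run as root?)\n' "$certdir" >&2
    exit 1
  fi

  # All scratch work happens under a private temp dir; the trap removes it on
  # every exit path. Nothing is written into certdir until the very end, so a
  # half-finished run never leaves stray files in the trust store.
  local tmpdir
  tmpdir=$(mktemp -d)
  trap 'rm -rf -- "$tmpdir"' EXIT
  local zipfile="$tmpdir/${bundle##*/}"
  wget -qO "$zipfile" "$bundle"

  # Nothing beyond the TLS connection authenticates the download here. If the
  # operator knows the expected digest of the zip (e.g. from a previously
  # verified copy), pinning it via DOD_BUNDLE_SHA256 catches a swapped or
  # corrupted bundle before anything is installed.
  if [[ -n ${DOD_BUNDLE_SHA256:-} ]]; then
    if ! printf '%s  %s\n' "$DOD_BUNDLE_SHA256" "$zipfile" | sha256sum -c --quiet -; then
      echo 'Bundle SHA-256 does not match DOD_BUNDLE_SHA256; aborting.' >&2
      exit 1
    fi
  fi

  # -j flattens archive paths, so entries cannot escape the extraction dir.
  local workdir="$tmpdir/extract"
  mkdir -p "$workdir"
  unzip -qj "$zipfile" -d "$workdir"

  # Prefer the PEM PKCS#7 if present, else the DER one; fail loudly when
  # neither exists instead of handing openssl an empty -in path.
  local certform certfile
  certfile=$(find "$workdir" -iname '*_dod_pem.p7b' | head -n 1)
  if [[ -n $certfile ]]; then
    echo 'Found PEM formatted file, continuing extraction...'
    certform=PEM
  else
    certfile=$(find "$workdir" -iname '*_dod_der.p7b' | head -n 1)
    if [[ -z $certfile ]]; then
      echo 'No *_dod_pem.p7b or *_dod_der.p7b found in the downloaded bundle.' >&2
      exit 1
    fi
    echo 'Found DER formatted file, continuing extraction and conversion...'
    certform=DER
  fi

  # Split the PKCS#7 into one PEM per certificate. Each "subject=" line that
  # -print_certs emits starts a new file cert.N.pem inside the temp dir (the
  # original wrote these into certdir and then renamed *every* *.pem there,
  # which would also have swept up unrelated pre-existing files).
  local splitdir="$tmpdir/split"
  mkdir -p "$splitdir"
  openssl pkcs7 -inform "$certform" -print_certs -in "$certfile" |
    awk -v dir="$splitdir" 'BEGIN {c=0} /subject=/ {c++} {print > (dir "/cert." c ".pem")}'

  # Name each file after the last subject RDN value (normally the CN), with
  # spaces replaced by underscores as before. The value comes from the
  # bundle, so it is additionally restricted to a safe character set: this
  # keeps the file name from containing '/' or other characters that could
  # make the mv fail or point outside the directory. Certificates sharing a
  # subject collapse onto one file, exactly as in the original.
  local pem name
  for pem in "$splitdir"/*.pem; do
    [[ -e $pem ]] || continue
    name=$(openssl x509 -noout -subject -in "$pem" | awk -F '(=|= )' '{gsub(/ /, "_", $NF); print $NF}')
    name=${name//[^A-Za-z0-9._-]/_}
    [[ -n $name ]] || name=cert
    mv -f -- "$pem" "$splitdir/$name.crt"
  done

  # Install only the files produced by this run, then refresh the store.
  cp -f -- "$splitdir"/*.crt "$certdir"/
  rm -rf -- "$tmpdir"
  # shellcheck disable=SC2086  # $update may legitimately carry arguments
  $update
}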
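# Only execute if not being sourced. An if/fi is used instead of
# `[[ … ]] && main "$@"` so that sourcing the file ends with status 0; the
# one-liner form leaves the failed test's status 1 as the file's return
# value, which aborts a caller that sources this under `set -e`.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  main "$@"
fi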