hiranp revised this gist
Dec 20, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -20,7 +20,7 @@ main() { update=update-ca-trust elif [[ $ID =~ (debian|ubuntu|mint) || $ID_LIKE =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates # shellcheck disable=SC2100 update=update-ca-certificates else certdir=$1 -
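Review bot: The `# shellcheck disable=SC2100` directive added before `update=update-ca-certificates` does not name a check that applies to this line: SC2100 is the `$((..))` arithmetic warning and SC2034 (used in the revision two steps below) is the unused-variable one, while the warning an unquoted `update=update-ca-trust` draws, as far as I can tell, is SC2209 (value looks like a command; quote it to assign a string), so neither directive silences what prompted it. Quoting the values, `update='update-ca-trust'` and `update='update-ca-certificates'` as the first revision of the script did, removes the need for any directive; the same applies to the two revisions below this one. main() continues outside the hunk.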
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 2 additions and 1 deletion.
@@ -16,10 +16,11 @@ main() { source /etc/os-release if [[ $ID =~ (fedora|rhel|centos) || $ID_LIKE =~ (fedora|rhel|centos) ]]; then certdir=/etc/pki/ca-trust/source/anchors # shellcheck disable=SC2100 update=update-ca-trust elif [[ $ID =~ (debian|ubuntu|mint) || $ID_LIKE =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates update=update-ca-certificates else certdir=$1 -
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 1 addition and 0 deletions.
@@ -16,6 +16,7 @@ main() { source /etc/os-release if [[ $ID =~ (fedora|rhel|centos) || $ID_LIKE =~ (fedora|rhel|centos) ]]; then certdir=/etc/pki/ca-trust/source/anchors # shellcheck disable=SC2034 update=update-ca-trust elif [[ $ID =~ (debian|ubuntu|mint) || $ID_LIKE =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates -
hiranp revised this gist
Dec 20, 2024 . No changes.
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 3 additions and 1 deletion.
@@ -2,7 +2,9 @@ # Import DoD root certificates into linux CA store # https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012 # Dependencies: openssl, wget, unzip set -e main() { # Location of bundle from DISA site -
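Review bot: The added `# Dependencies: openssl, wget, unzip` line leaves out curl, grep and awk, which the script also relies on (the bundle URL is discovered with `curl -sL … | grep -oP … | head -n 1` and the certificates are split with awk, as visible in the larger revision further down this page). The added `set -e` also does not cover that pipeline: `head` exits 0 whatever curl did, so a failed fetch leaves `bundle` empty and the script carries on with the bare host as the download URL; prefer `set -euo pipefail` and a check right after the assignment, `[[ -n $bundle ]] || { printf 'Bundle URL not found\n' >&2; exit 1; }`. main() continues outside the hunk.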
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 1 addition and 1 deletion.
@@ -2,7 +2,7 @@ # Import DoD root certificates into linux CA store # https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012 # De[eset -e main() { # Location of bundle from DISA site -
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 20 additions and 19 deletions.
@@ -2,20 +2,20 @@ # Import DoD root certificates into linux CA store # https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012 set -e main() { # Location of bundle from DISA site url='https://public.cyber.mil/pki-pke/pkipke-document-library/' bundle=$(curl -sL "$url" | grep -i -oP 'href="\K[^"]*dod.zip' | head -n 1) bundle="https://public.cyber.mil${bundle}" # Set cert directory and update command based on OS source /etc/os-release if [[ $ID =~ (fedora|rhel|centos) || $ID_LIKE =~ (fedora|rhel|centos) ]]; then certdir=/etc/pki/ca-trust/source/anchors update=update-ca-trust elif [[ $ID =~ (debian|ubuntu|mint) || $ID_LIKE =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates update=update-ca-certificates else 
@@ -30,37 +30,38 @@ main() { exit 1 } # Create a temporary directory tmpdir=$(mktemp -d) trap 'rm -rf "$tmpdir"' EXIT # Extract the bundle cd "$certdir" || exit wget -qP "$tmpdir" "$bundle" unzip -qj "$tmpdir/${bundle##*/}" -d "$tmpdir" # Check for existence of PEM format p7b. if find "$tmpdir" -name '*_dod_pem.p7b' | grep -q .; then echo 'Found PEM formatted file, continuing extraction...' certform="PEM" certfile=$(find "$tmpdir" -name '*_dod_pem.p7b') else echo 'Found DER formatted file, continuing extraction and conversion...' certform="DER" certfile=$(find "$tmpdir" -name '*_dod_der.p7b') fi # Convert the PKCS#7 bundle into individual PEM files openssl pkcs7 -inform "$certform" -print_certs -in "$certfile" | awk 'BEGIN {c=0} /subject=/ {c++} {print > "cert." c ".pem"}' # Rename the files based on the CA name for i in *.pem; do name=$(openssl x509 -noout -subject -in "$i" | awk -F '(=|= )' '{gsub(/ /, "_", $NF); print $NF}') mv "$i" "${name}.crt" done # Remove temp files and update certificate stores rm -fr "$tmpdir" $update } -
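Review bot: The rename loop `for i in *.pem` runs inside `$certdir` (the script did `cd "$certdir"` just above) and the awk split writes `cert.N.pem` there too, so any `.pem` file already present in the trust-store directory is renamed to `<subject>.crt` as well, and when nothing matches the literal `*.pem` is handed to openssl and `mv` is called with an empty target name. Keep the split output in `$tmpdir`, iterate only over `"$tmpdir"/cert.*.pem` and refuse an empty subject, which is what the first revision of the script did; the rewritten lines are below. `certfile=$(find "$tmpdir" -name '*_dod_pem.p7b')` may also hold more than one path if the archive ever ships two matching files, so `-print -quit` or `| head -n 1` would pin it to one. The trailing `rm -fr "$tmpdir"` duplicates the EXIT trap and can be dropped.
```shell
  # … unchanged: download, unzip and PEM/DER detection …

  # Convert the PKCS#7 bundle into individual PEM files inside tmpdir, so the
  # rename loop below never touches files already present in the trust store
  openssl pkcs7 -inform "$certform" -print_certs -in "$certfile" |
    awk -v d="$tmpdir" 'BEGIN {c=0} /subject=/ {c++} {print > d "/cert." c ".pem"}'

  # Rename the files based on the CA name
  for i in "$tmpdir"/cert.*.pem; do
    [[ -e $i ]] || break   # no-match case without nullglob
    name=$(openssl x509 -noout -subject -in "$i" | awk -F '(=|= )' '{gsub(/ /, "_", $NF); print $NF}')
    mv "$i" "$certdir/${name:?empty CA subject}.crt"
  done

  # … unchanged: update command …
```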
hiranp revised this gist
Dec 20, 2024 . No changes.
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 55 additions and 59 deletions.
@@ -1,72 +1,68 @@ #!/bin/bash # Import DoD root certificates into linux CA store # https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012 main() { # Location of bundle from DISA site url='https://public.cyber.mil/pki-pke/pkipke-document-library/' bundle=$(curl -s $url | awk -F '"' 'tolower($2) ~ /dod.zip/ {print $2}') #bundle=https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/certificates_pkcs7_v5-6_dod.zip # Set cert directory and update command based on OS source /etc/os-release if [[ $ID =~ (fedora|rhel|centos) || $ID_LIKE =~ (fedora|rhel|centos) ]]; then certdir=/etc/pki/ca-trust/source/anchors update=update-ca-trust elif [[ $ID =~ (debian|ubuntu|mint) || $ID_LIKE =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates update=update-ca-certificates else certdir=$1 update=$2 fi [[ -n $certdir && -n $update ]] || { echo 'Unable to autodetect OS using /etc/os-release.' echo 'Please provide CA certificate directory and update command.' echo 'Example: add-dod-certs.sh /cert/store/location update-cmd' exit 1 } # Extract the bundle cd $certdir || exit wget -qP tmp "$bundle" unzip -qj tmp/"${bundle##*/}" -d tmp # Check for existence of PEM format p7b. if [ -f "tmp/*_dod_pem.p7b" ]; then echo 'Found PEM formatted file, continuing extraction...' certform="PEM" certfile="*_dod_pem.p7b" else echo 'Found DER formatted file, continuing extraction and conversion...' certform="DER" certfile="*_dod_der.p7b" fi # Convert the PKCS#7 bundle into individual PEM files openssl pkcs7 -inform ${certform} -print_certs -in tmp/"${certfile}" | awk 'BEGIN {c=0} /subject=/ {c++} {print > "cert." c ".pem"}' # Rename the files based on the CA name for i in *.pem; do name=$( openssl x509 -noout -subject -in "$i" | awk -F '(=|= )' '{gsub(/ /, "_", $NF); print $NF}' ) mv "$i" "${name}".crt done # Remove temp files and update certificate stores rm -fr tmp $update } # Only execute if not being sourced [[ ${BASH_SOURCE[0]} == "$0" ]] && main "$@" -
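Review bot: `[ -f "tmp/*_dod_pem.p7b" ]` tests for a file literally named `*_dod_pem.p7b`, because a quoted pattern inside `[ ]` is never glob-expanded, so the PEM branch can never be taken; the same quoting then hands `tmp/"*_dod_der.p7b"` to openssl as a literal path, so the DER branch fails as well (ShellCheck SC2144 flags the test). Expand the pattern into an array and pass the first match, as below. This revision also replaces the `mktemp -d` directory and its EXIT trap with a fixed `tmp` directory created under the trust store and only removed on the success path, and drops `set -euo pipefail`; I would keep those from the earlier version.
```shell
  # … unchanged: OS detection, wget and unzip into tmp …

  # A quoted glob is a literal filename to [ -f ]; expand it and test the first match
  files=(tmp/*_dod_pem.p7b)
  if [[ -f ${files[0]} ]]; then
    echo 'Found PEM formatted file, continuing extraction...'
    certform="PEM"
  else
    echo 'Found DER formatted file, continuing extraction and conversion...'
    certform="DER"
    files=(tmp/*_dod_der.p7b)
  fi
  certfile=${files[0]}

  # Convert the PKCS#7 bundle into individual PEM files
  openssl pkcs7 -inform "$certform" -print_certs -in "$certfile" |
    awk 'BEGIN {c=0} /subject=/ {c++} {print > "cert." c ".pem"}'

  # … unchanged: rename loop and update command …
```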
hiranp revised this gist
Dec 20, 2024 . 1 changed file with 72 additions and 1 deletion.
@@ -1 +1,72 @@ #!/bin/bash # Imports DoD root certificates into Linux CA store # Version 0.4.1 updated 20241216 by AfroThundr # SPDX-License-Identifier: GPL-3.0-or-later # For issues or updated versions of this script, browse to the following URL: # https://gist.github.com/AfroThundr3007730/ba99753dda66fc4abaf30fb5c0e5d012 # Dependencies: curl gawk openssl unzip wget set -euo pipefail shopt -s extdebug nullglob add_dod_certs() { local bundle cert certdir file form tmpdir url update trap '[[ -d ${tmpdir:-} ]] && rm -fr $tmpdir' EXIT INT TERM # Location of bundle from DISA site url='https://public.cyber.mil/pki-pke/pkipke-document-library/' bundle=$(curl -s $url | awk -F '"' 'tolower($2) ~ /dod.zip/ {print $2}') # Set cert directory and update command based on OS [[ -f /etc/os-release ]] && source /etc/os-release if [[ ${ID:-} =~ (fedora|rhel|centos) || ${ID_LIKE:-} =~ (fedora|rhel|centos) ]]; then certdir=/etc/pki/ca-trust/source/anchors update='update-ca-trust' elif [[ ${ID:-} =~ (debian|ubuntu|mint) || ${ID_LIKE:-} =~ (debian|ubuntu|mint) ]]; then certdir=/usr/local/share/ca-certificates update='update-ca-certificates' else certdir=${1:-} && update=${2:-} fi [[ ${certdir:-} && ${update:-} ]] || { printf 'Unable to autodetect OS using /etc/os-release.\n' printf 'Please provide CA certificate directory and update command.\n' printf 'Example: %s /cert/store/location update-cmd\n' "${0##*/}" exit 1 } # Extract the bundle wget -qP "${tmpdir:=$(mktemp -d)}" "$bundle" unzip -qj "$tmpdir"/"${bundle##*/}" -d "$tmpdir" # Check for existence of PEM or DER format p7b. 
for file in "$tmpdir"/*_dod_{pem,der}.p7b; do # Iterate over glob instead of testing directly (SC2144) [[ -f ${file:-} ]] && form=${file%.*} && form=${form##*_} && break done [[ ${form:-} && ${file:-} ]] || { printf 'No bundles found!\n' && exit 1; } # Convert the PKCS#7 bundle into individual PEM files openssl pkcs7 -print_certs -inform "$form" -in "$file" | awk -v d="$tmpdir" \ 'BEGIN {c=0} /subject=/ {c++} {print > d "/cert." c ".pem"}' # Rename the files based on the CA name for cert in "$tmpdir"/cert.*.pem; do mv "$cert" "$certdir"/"$( openssl x509 -noout -subject -in "$cert" | awk -F '(=|= )' '{print gensub(/ /, "_", 1, $NF)}' )".crt done # Remove temp files and update certificate stores rm -fr "$tmpdir" && $update } # Only execute if not being sourced [[ ${BASH_SOURCE[0]} == "$0" ]] || return 0 && add_dod_certs "$@" -
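Review bot: `bundle` comes straight from scraping the document-library page and is passed to wget with no check that it is non-empty or that it still points at the expected host, so a changed page layout or an unexpected href sends the script fetching an arbitrary URL and installing whatever it unzips into the system trust store. Add a guard before the wget line, `[[ $bundle == https://*.cyber.mil/* ]] || { printf 'Unexpected bundle URL: %s\n' "$bundle" >&2; exit 1; }`, which also catches the empty case that currently only surfaces as an opaque wget failure. Because this installs root CAs, verify the archive against a digest published by DISA when one is available, or at least log `sha256sum` of the downloaded zip so the installed set can be audited later. Minor: `$tmpdir` is unquoted in the trap string (SC2086), `trap '[[ -d ${tmpdir:-} ]] && rm -fr "$tmpdir"' EXIT INT TERM` is the safe form.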
hiranp created this gist
Dec 20, 2024 .
@@ -0,0 +1 @@