Scott Lawrence wrote:
On Fri, 2008-06-27 at 07:51 -0400, Damian Krzeminski wrote:
Scott Lawrence wrote:
On Thu, 2008-06-26 at 19:29 -0400, Damian Krzeminski wrote:
see: http://track.sipfoundry.org/browse/XCF-2655

Recent changes in gen-ssl-keys.sh.in make it generate CA cert files that default to organization names, which pretty often include spaces.

Code in sipXconfig.sh that does not work with spaces is here:

  Certificates=`find $AuthoritiesDir | egrep -i '.(crt|crl)$'`
  @bin.dir@/ssl-cert/create-ssl-truststore.sh --checksum \
    $SslDir/.authorities-contents.md5 \
    --truststore $TrustStore $Certificates


Does anybody know shell tricks to make it work?
Put double quotes around the file name.

There are various times when the authority name is displayed to users,
and when there is a commercial cert authority we can't change the name
they use, so just tolerating this is easier.

Sorry if it was not clear: I know that quoting the file name would solve the problem. I am asking if anybody knows an elegant way to do that. I was experimenting a bit with 'find -print0' and 'xargs -0', but I did not find an obvious way to use it here...

I believe this will work:

        export Certificates=""
        find $AuthoritiesDir \( -name \*.crt -o -name \*.crl \) | \
        while read Certificate
        do
           Certificates="$Certificates \"${Certificate}\""
        done
        @bin.dir@/ssl-cert/create-ssl-truststore.sh --checksum \
                $SslDir/.authorities-contents.md5 \
                --truststore $TrustStore $Certificates


OK - I think I have beat it into space-safe submission.
Can I please get a quick code review on that change? It works for me but is it portable?
D.

From bd260c3068ea6a516cc994bea6fffa193d4b50b7 Mon Sep 17 00:00:00 2001
From: dkrzemin <[EMAIL PROTECTED]>
Date: Thu, 26 Jun 2008 19:09:20 -0400
Subject: [PATCH] XCF-2655 handle CA files with spaces

The parameters to create-ssl-truststore.sh changed: instead of the list of names of CA certificates,
it accepts --ca-path directory and builds truststore from all the certificates found there.
---
 sipXconfig/web/bin/create-ssl-truststore.sh.in |   26 +++++++++++++++--------
 sipXconfig/web/bin/sipxconfig.sh.in            |    4 +-
 2 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/sipXconfig/web/bin/create-ssl-truststore.sh.in b/sipXconfig/web/bin/create-ssl-truststore.sh.in
index a6106f1..b4cd422 100644
--- a/sipXconfig/web/bin/create-ssl-truststore.sh.in
+++ b/sipXconfig/web/bin/create-ssl-truststore.sh.in
@@ -10,7 +10,7 @@
 Action=CREATE
 TrustStore="cacert"
 Password="changeit"
-Certificates=""
+CaPath=""
 CertificatesChecksum=""
 Checksum=""
 PreviousChecksum=""
@@ -46,6 +46,16 @@ do
             TrustStore=${1}
             ;;
 
+        --ca-path)
+            shift
+            if [ -z "${1}" ]; then
+                echo "Missing CA directory: $@" 1>&2
+                ACTION=USAGE
+                break
+            fi
+            CaPath=${1}
+            ;;
+
         ##
         ## handle an unknown switch
         ##
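Review bot: the error branch of the new `--ca-path)` case sets `ACTION=USAGE`, but the variable initialised at the top of the script and tested after the loop is `Action`, so the assignment has no effect. Usage is still printed only because `CaPath` stays empty; write `Action=USAGE` so the branch does what it says. The message also expands `$@` after `shift` has run, so it no longer includes the `--ca-path` switch it is complaining about.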
@@ -54,17 +64,13 @@ do
             break
             ;;
 
-        *)
-            Certificates="$@"
-            break
-            ;;
     esac           
 
     shift # always consume 1
 done
 
 
-if [ "${Action}" = "USAGE" -o -z "${Certificates}" ]; then
+if [ "${Action}" = "USAGE" -o -z "${CaPath}" ]; then
     cat <<EOF
 Usage:
    create-ssl-truststore.sh 
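Review bot: with the `*)` branch removed, a non-option argument appears to match no remaining case and is discarded by `shift # always consume 1`, so a caller that still passes certificate file names next to `--ca-path` gets no error. Consider rejecting leftover arguments explicitly. Since portability was the question, note that `-o` inside `[ ]` is marked obsolescent in POSIX; `[ "${Action}" = "USAGE" ] || [ -z "${CaPath}" ]` is the safer spelling.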
@@ -74,7 +80,7 @@ Usage:
        CA certificate files...    all the certificates and CRL to be included
 
    example :
-     find /etc/authorites | egrep -i "(.crt|.crl)$" | xargs create-ssl-truststore.sh
+     create-ssl-truststore.sh --ca-path /etc/authorites
 
 EOF
     exit 1
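Review bot: the usage text still documents `CA certificate files...` as the input in the unchanged line above the example, while the script now requires `--ca-path`. Replace that line with a description of `--ca-path <directory>` so the help output matches the new interface.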
@@ -86,7 +92,7 @@ if [ "${Action}" = "CHECKSUM" ]; then
   else
     MD5SUM=md5sum
   fi
-  Checksum=`cat $Certificates | $MD5SUM | awk '{print $1}'`
+  Checksum=`find $CaPath -type f -name \*cr[lt] | xargs -I F cat "F" | $MD5SUM | awk '{print $1}'`
   if [ -f $CertificatesChecksum ]; then
     if [ -f "$TrustStore" ]; then
       PreviousChecksum=`cat $CertificatesChecksum`
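Review bot: in the new `Checksum=` line, `$CaPath` is unquoted, so a CA directory whose path contains a space is split into several `find` arguments, the same class of bug this patch fixes for file names. The pattern `\*cr[lt]` should be quoted as a whole, and it is case-sensitive where the `egrep -i` filter it replaces was not, so a file named `ROOT.CRT` would now be skipped. `xargs -I` still interprets quotes and backslashes in its input, so a name containing an apostrophe fails; `find "$CaPath" -type f -name '*.cr[lt]' -exec cat {} +` avoids `xargs` and is POSIX. The unquoted `$CertificatesChecksum` in the `[ -f ... ]` context line below has the same splitting problem.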
@@ -99,7 +105,9 @@ if [ "${Action}" = "CHECKSUM" ]; then
 fi
 
 rm "$TrustStore" 2> /dev/null
-for Certificate in $Certificates
+
+find $CaPath \( -type f -name \*cr[lt] \) | \
+while read Certificate
 do
     caname="`$openssl x509 -noout -text -in "$Certificate" |\
          grep Subject: | sed -e 's;.*CN=;;' -e 's;/Em.*;;'`" || exit 1
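Review bot: the `while read Certificate` loop is now the tail of a pipeline, so in most shells it runs in a subshell. The `|| exit 1` after the `openssl` call then ends only that subshell, and unless the pipeline status is checked after `done` the script carries on with an incomplete truststore; variables set inside the loop are also lost afterwards. Use `while IFS= read -r Certificate` so backslashes and leading or trailing blanks in a name survive, and quote `"$CaPath"` in the `find` call.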
diff --git a/sipXconfig/web/bin/sipxconfig.sh.in b/sipXconfig/web/bin/sipxconfig.sh.in
index 975814b..bed4d49 100644
--- a/sipXconfig/web/bin/sipxconfig.sh.in
+++ b/sipXconfig/web/bin/sipxconfig.sh.in
@@ -80,8 +80,8 @@ createAuthoritiesTruststore() {
     if [ -d $AuthoritiesDir ]
     then
       TrustStore=$SslDir/.authorities.jks
-      Certificates=`find $AuthoritiesDir | egrep -i '.(crt|crl)$'`
-      @bin.dir@/ssl-cert/create-ssl-truststore.sh --checksum $SslDir/.authorities-contents.md5 --truststore $TrustStore  $Certificates
+      @bin.dir@/ssl-cert/create-ssl-truststore.sh --checksum $SslDir/.authorities-contents.md5 \
+          --truststore $TrustStore --ca-path $AuthoritiesDir
       # password on command line is not security issue. catrust and directory has appropriate
       # permissions, password is required by keystores
       TrustStoreOpts="\
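Review bot: `--ca-path $AuthoritiesDir` is unquoted, as are `$SslDir` and `$TrustStore` on the same command, so the call is still split if any of these paths contains a space. Quote them, for example `--truststore "$TrustStore" --ca-path "$AuthoritiesDir"`, and do the same for the `[ -d $AuthoritiesDir ]` test in the context above.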
-- 
1.5.4.1
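
A space-safe way to walk a CA directory, relevant to the `find -print0` / `xargs -0` question and the portability question in the thread above; this is an added example, not part of the original messages or of the sipXconfig scripts. The function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not sipXconfig code. Function names are hypothetical.

# Constructed sample: a CA directory holding one file name with a space.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'A' > "$d/Acme Corp.crt"
    printf 'B' > "$d/plain.crl"
    echo "$d"
}

# Fragile: the unquoted $files is word-split, so "Acme Corp.crt"
# reaches the consumer as two separate arguments.
count_naive() {
    files=$(find "$1" -type f -name '*.cr[lt]')
    set -- $files
    echo $#
}

# Portable: "-exec ... {} +" (POSIX) hands each path to the inner sh as
# exactly one argument, so no -print0 or xargs -0 is needed.
names_safe() {
    find "$1" -type f -name '*.cr[lt]' \
        -exec sh -c 'for f do printf "[%s]\n" "${f##*/}"; done' sh {} + |
        LC_ALL=C sort
}

# Demo run on the constructed sample.
dir=$(make_sample)
echo "naive argument count: $(count_naive "$dir")"
names_safe "$dir"
rm -rf "$dir"
```

The per-file work (here a `printf`) goes inside the inner `sh -c` body, where `"$f"` is always one intact path.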
