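#!/usr/bin/env bash
##################################################################################
# Command: certs_to_wallet.sh WALLET_LOCATION
#
# The script will create a _new_ auto login orapki wallet from a list of sites
# and puts the certificates of the chain into the trusted certificates of the wallet.
# It will create a backup of the current wallet and auto login.
# Will ask for a password for a new wallet.
# On creation or password issue, the backup will be restored.
# Sites can be added to wallet_sites.lst, either in the script dir or wallet dir.
# The wallet_sites.lst in the wallet dir will take preference, you can have
# separate sites per wallet.
# Each site must be on a single line, optionally followed by a colon ':' and a
# port number; blank lines and comment lines starting with a # are accepted.
# If there is no port number specified, 443 will be used.
#
# The chain is taken from the live TLS handshake with each site, so the trust
# placed in the wallet is only as good as that connection. The subject and
# SHA-256 fingerprint of every certificate added are printed so they can be
# checked against a reference obtained out-of-band.
#
# Author: Ian Hoogeboom, please feel free to adjust script to own needs
# v.1 - ianh - original version 2020-11-28
# v.2 - ianh - skip site own certificate (ORA-29024 - user certificate should not be in Wallet
# v.3 - ianh - skipping user certificate based on hash, not 'first' certificate
##################################################################################

set -u

WALLET_LOCATION=${1:-}
NOW=$(date '+%Y%m%d%H%M%S')
# number of sites/certificates that could not be processed; drives the exit status
FAILED=0

# Print a message to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Put back the wallet files that were moved aside under the ${NOW} suffix.
# Used when the new wallet could not be created (bad password, permissions).
restore_backup() {
  if [[ -f "${WALLET_LOCATION}/ewallet.p12.${NOW}" ]]; then
    echo "Old wallet restored!"
    cp -- "${WALLET_LOCATION}/ewallet.p12.${NOW}" "${WALLET_LOCATION}/ewallet.p12"
  fi
  if [[ -f "${WALLET_LOCATION}/cwallet.sso.${NOW}" ]]; then
    echo "Old auto login restored!"
    cp -- "${WALLET_LOCATION}/cwallet.sso.${NOW}" "${WALLET_LOCATION}/cwallet.sso"
  fi
}

# Print the PEM certificate blocks openssl receives from host:port on stdout.
# Arguments: $1 - host, $2 - port, remaining args are passed on to s_client
#            (e.g. -showcerts to get the whole chain instead of only the leaf).
# -servername sends SNI, without it many hosts present a default certificate.
fetch_pem() {
  local host=$1 port=$2
  shift 2
  openssl s_client -host "${host}" -port "${port}" -servername "${host}" \
      -trusted_first "$@" 2>/dev/null <<< "q" \
    | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

if [[ -z "${WALLET_LOCATION}" ]]; then
  echo "No wallet location specified!" >&2
  echo "Command:> certs_to_wallet.sh WALLET_LOCATION" >&2
  exit 1
fi

for tool in orapki openssl csplit md5sum; do
  command -v "${tool}" >/dev/null 2>&1 || die "Required tool not found: ${tool}"
done

SITE_LIST=${WALLET_LOCATION}/wallet_sites.lst
if [[ ! -f "${SITE_LIST}" ]]; then
  SITE_LIST=wallet_sites.lst
fi
if [[ ! -f "${SITE_LIST}" ]]; then
  echo "Site list not found!" >&2
  echo "Place wallet_sites.lst in current directory or in [${WALLET_LOCATION}]" >&2
  exit 1
fi

# scratch space for the downloaded chains; removed on any exit path
WORKDIR=$(mktemp -d) || die "mktemp failed"
trap 'rm -rf -- "${WORKDIR}"' EXIT

echo "Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters"
printf 'Password for new wallet: '
IFS= read -r -s PASSWORD
echo

if [[ -f "${WALLET_LOCATION}/ewallet.p12" ]]; then
  echo "Backing-up wallet to ${WALLET_LOCATION}/ewallet.p12.${NOW}"
  mv -- "${WALLET_LOCATION}/ewallet.p12" "${WALLET_LOCATION}/ewallet.p12.${NOW}"
fi
if [[ -f "${WALLET_LOCATION}/cwallet.sso" ]]; then
  echo "Backing-up auto_login to ${WALLET_LOCATION}/cwallet.sso.${NOW}"
  mv -- "${WALLET_LOCATION}/cwallet.sso" "${WALLET_LOCATION}/cwallet.sso.${NOW}"
fi

echo "Creating new wallet"
# NOTE: -pwd places the wallet password on the orapki command line, where it is
# visible to other local users (ps) and in shell traces while the command runs.
if ! orapki wallet create -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -auto_login >/dev/null; then
  echo "Error creating new wallet, permissions or password issues?!" >&2
  restore_backup
  exit 1
fi

# read all the lines from wallet_sites.lst; the || clause also takes a last
# line that has no trailing newline
while IFS= read -r SITE || [[ -n "${SITE}" ]]; do
  # trim surrounding whitespace (also a CR from DOS line endings)
  SITE=${SITE#"${SITE%%[![:space:]]*}"}
  SITE=${SITE%"${SITE##*[![:space:]]}"}
  # skip blank lines and comment lines
  if [[ -z "${SITE}" || "${SITE}" == \#* ]]; then
    continue
  fi

  HOST=${SITE%%:*}
  PORT=${SITE#*:}
  # no colon at all leaves PORT equal to the whole line; "host:" leaves it empty
  if [[ "${PORT}" == "${SITE}" || -z "${PORT}" ]]; then
    PORT=443
  fi
  echo "Getting certificate chain from: ${HOST}:${PORT}"

  rm -f -- "${WORKDIR}"/chain*

  # digest of the leaf certificate only (no -showcerts); used purely to recognise
  # the site's own certificate in the chain below, not as a security check
  SITE_CERT_MD5=$(fetch_pem "${HOST}" "${PORT}" | md5sum | awk '{print $1}')

  # get certificate chain for site
  fetch_pem "${HOST}" "${PORT}" -showcerts -no_alt_chains > "${WORKDIR}/chain.pem"
  if [[ ! -s "${WORKDIR}/chain.pem" ]]; then
    echo "No certificates received from ${HOST}:${PORT}, skipping" >&2
    FAILED=$((FAILED + 1))
    continue
  fi
  csplit --digits=2 --quiet --prefix="${WORKDIR}/chain." "${WORKDIR}/chain.pem" \
    "/-----END CERTIFICATE-----/+1" "{*}"

  for CERT in "${WORKDIR}"/chain.[0-9]*; do
    # csplit may leave an empty trailing piece
    [[ -s "${CERT}" ]] || continue
    # get the digest of the current cert in the chain
    CHAIN_CERT_MD5=$(md5sum -- "${CERT}" | awk '{print $1}')
    # skip the cert of the site itself, user certificates should not be in the wallet (ORA-29024)
    if [[ "${CHAIN_CERT_MD5}" == "${SITE_CERT_MD5}" ]]; then
      continue
    fi
    echo "Adding ${CERT}"
    # show what is being trusted so it can be compared with a known-good reference
    openssl x509 -noout -subject -fingerprint -sha256 -in "${CERT}"
    if ! orapki wallet add -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -trusted_cert -cert "${CERT}" >/dev/null; then
      echo "Failed to add ${CERT} from ${HOST}:${PORT}" >&2
      FAILED=$((FAILED + 1))
    fi
  done
done < "${SITE_LIST}"

orapki wallet display -wallet "${WALLET_LOCATION}"

if (( FAILED > 0 )); then
  echo "Done with ${FAILED} failure(s), see messages above" >&2
  exit 1
fi
echo "Done"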