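#!/bin/sh
### Lagrange ###
# https://gmi.skyjake.fi/lagrange/
#
## Trust store format ##
# The file "~/.config/lagrange/trusted.txt" is used on GNU/Linux and BSD.
# For other platforms, see https://github.com/skyjake/lagrange#user-files
# This file contains one line for each host (ports are not taken into account):
# example.org expiry_timestamp cert:sha256
# IDNs are converted to punycode.
#
## Example ##
# $ cat ~/.config/lagrange/trusted.txt
# gemini.circumlunar.space 1759495837 5b4086d6914231f55828c815faae1f10e28b8bd42af6a1e286a711e9b7d78326
#
## This script ##
# Input:  ../certs/<host>:<port>.pem, one PEM certificate per file.
# Output: ./trusted.txt next to this script, rebuilt from scratch on every run.
# Needs:  openssl, idn and GNU date (-d). Written in POSIX sh, but the tools
#         it calls make it GNU/Linux-oriented.

set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
#set -o xtrace # for debugging

# Print a message on stderr and abort.
# errexit is not enough on its own here: POSIX sh has no pipefail, so a
# pipeline's status is that of its last command and a failing openssl in
# front of `cut` would otherwise go unnoticed. Every value that ends up in
# the trust store is therefore checked explicitly before it is written.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Go where this script is.
cd "$(dirname "$0")" || exit

trust_store="trusted.txt"

# Remove the old trust store.
rm -f "$trust_store"

# Add the "cert_is_not_within_expiry_boundaries" function.
. ../expiry-boundaries.sh

# An empty ../certs/ leaves the glob unexpanded; `cat` then fails on the
# literal pattern and errexit stops the script, which is the intended outcome.
for cert_file in ../certs/*; do
  # NOTE(review): cert_is_not_within_expiry_boundaries takes no arguments and
  # presumably reads the "cert" variable set here -- confirm against
  # ../expiry-boundaries.sh before removing or renaming it.
  cert=$(cat "$cert_file")

  if cert_is_not_within_expiry_boundaries; then
    printf 'excluded: %s\n' "$cert_file" >&2
    continue
  fi

  # The host comes from the file name "../certs/<host>:<port>.pem". Anything
  # else in ../certs/ is a packaging mistake, so stop with a clear message
  # instead of writing a guessed host into the trust store.
  case "$cert_file" in
    ../certs/*:*.pem) ;;
    *) die "unexpected file name (want ../certs/<host>:<port>.pem): $cert_file" ;;
  esac
  host=${cert_file#../certs/}
  host=${host%:*}   # drop ":<port>.pem"; the port is not part of the entry
  [ -n "$host" ] || die "empty host name in: $cert_file"

  # Hostname to punycode.
  host=$(printf '%s\n' "$host" | idn)
  [ -n "$host" ] || die "idn produced no output for: $cert_file"

  # Expiry date, as a UTC Unix timestamp.
  enddate=$(openssl x509 -in "$cert_file" -enddate -noout | cut -d '=' -f 2)
  [ -n "$enddate" ] || die "cannot read notAfter from: $cert_file"
  enddate=$(date --utc -d "$enddate" +%s)
  case "$enddate" in
    '' | *[!0-9]*) die "bad expiry timestamp '$enddate' for: $cert_file" ;;
  esac

  # Certificate fingerprint: SHA-256 over the DER encoding, as lowercase hex
  # without separators. Letting openssl compute the digest (rather than piping
  # DER into sha256sum) means a failed openssl yields an empty string, not the
  # perfectly valid-looking hash of empty input.
  fingerprint=$(openssl x509 -in "$cert_file" -noout -sha256 -fingerprint \
    | cut -d '=' -f 2 \
    | tr -d ':' \
    | tr '[:upper:]' '[:lower:]')
  [ "${#fingerprint}" -eq 64 ] || die "bad fingerprint '$fingerprint' for: $cert_file"
  case "$fingerprint" in
    *[!0-9a-f]*) die "non-hex fingerprint '$fingerprint' for: $cert_file" ;;
  esac

  printf '%s %s %s\n' "$host" "$enddate" "$fingerprint" >> "$trust_store"

done

printf 'OK\n'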