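#!/bin/sh
### Amfora ###
# https://github.com/makeworld-the-better-one/amfora
#
## Trust store format ##
# The file "~/.cache/amfora/tofu.toml" is used.
# It contains 2 lines for each host:port:
# 1. "example/org:port" = "spki:sha256:uppercase" -> certificate public key (SPKI) fingerprint
# 2. "example/org/expiry:port" = expiry date
# Dots in the hostname are converted to slashes.
# IDNs are converted to punycode.
#
## Example ##
# $ cat ~/.cache/amfora/tofu.toml
# "gemini/circumlunar/space" = "1A03A15619200DB4496494EC90381C1FE8BD9E0142260F6D8A3D962ED3CFC72F"
# "gemini/circumlunar/space/expiry" = 2025-10-03T13:50:37Z
#
## Input ##
# Every file in ../certs is named "host:port.pem" and holds one PEM certificate.
# Certificates outside the expiry boundaries (../expiry-boundaries.sh) are skipped.
# Output is written to tofu.toml next to this script.

set -o errexit # (-e) exit immediately if any command has a non-zero exit status
set -o nounset # (-u) don't accept undefined variables
# pipefail is not POSIX; enable it where the shell supports it so that a failing
# openssl stage aborts the pipeline instead of feeding empty input to the next one.
if (set -o pipefail) 2>/dev/null; then
  set -o pipefail
fi
#set -o xtrace # for debugging

# Print a message to stderr and abort with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

timestamp_start=$(date +%s)

# Go where this script is.
cd "$(dirname "$0")" || die "cannot cd to $(dirname "$0")"

trust_store="tofu.toml"

# Remove the old trust store.
rm -f -- "$trust_store"

# Build the new store in a temporary file and move it into place only after every
# certificate was processed, so an aborted run never leaves a truncated store behind.
tmp_store=$(mktemp "$trust_store.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmp_store"' EXIT

# Add the "cert_is_not_within_expiry_boundaries" function.
# NOTE(review): it is called with no arguments, so it presumably reads $cert —
# confirm in ../expiry-boundaries.sh.
. ../expiry-boundaries.sh

for cert_file in ../certs/*; do
  # Without nullglob an empty directory yields the literal pattern.
  [ -e "$cert_file" ] || die "no certificate files found in ../certs"

  cert=$(cat "$cert_file")

  if cert_is_not_within_expiry_boundaries; then
    printf 'excluded: %s\n' "$cert_file" >&2
    continue
  fi

  # Filename "host:port.pem" -> host, port (the last colon separates the port).
  case "$cert_file" in
    *.pem) ;;
    *) die "unexpected file (expected host:port.pem): $cert_file" ;;
  esac
  base=${cert_file##*/}
  base=${base%.pem}
  host=${base%:*}
  port=${base##*:}
  [ -n "$host" ] || die "cannot extract host from $cert_file"
  case "$port" in
    ''|*[!0-9]*) die "cannot extract port from $cert_file" ;;
  esac

  # Hostname to punycode.
  host=$(printf '%s\n' "$host" | idn --allow-unassigned)

  # Replace dots with slashes.
  host=$(printf '%s\n' "$host" | tr . /)

  # Append port if not default
  if [ "$port" = 1965 ]; then
    port_string=''
  else
    port_string=":$port"
  fi

  # Certificate public key (SPKI) fingerprint
  fingerprint=$(printf '%s\n' "$cert" \
    | openssl x509 -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 \
    | cut -d ' ' -f 2 \
    | tr '[:lower:]' '[:upper:]')
  # Without pipefail a failed openssl stage still produces a digest (of empty
  # input); refuse anything that is not exactly 64 uppercase hex digits so a
  # broken certificate can never be pinned.
  case "$fingerprint" in
    ''|*[!0-9A-F]*) die "invalid SPKI fingerprint for $cert_file" ;;
  esac
  [ "${#fingerprint}" -eq 64 ] || die "invalid SPKI fingerprint for $cert_file"
  # Variables go through %s, never into the format string.
  line1=$(printf '"%s%s" = "%s"' "$host" "$port_string" "$fingerprint")

  # Expiry date
  enddate=$(printf '%s\n' "$cert" | openssl x509 -enddate -noout | cut -d '=' -f 2)
  # GNU date treats an empty string as "today", which would silently record a
  # wrong expiry if openssl produced no output.
  [ -n "$enddate" ] || die "cannot read expiry date from $cert_file"
  enddate=$(date -d "$enddate" +"%Y-%m-%dT%H:%M:%SZ" --utc)
  line2=$(printf '"%s/expiry%s" = %s' "$host" "$port_string" "$enddate")

  printf '%s\n%s\n' "$line1" "$line2" >> "$tmp_store"
done

# Atomically publish the complete store.
mv -f -- "$tmp_store" "$trust_store"

timestamp_end=$(date +%s)
exec_time="$((timestamp_end - timestamp_start))"
exec_time_formatted="$(date -d "@$exec_time" --utc "+%H:%M:%S")"

echo "OK (duration: $exec_time_formatted)"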