📄 smime_keys.pl
字号:
#! /usr/bin/perl -w# Copyright (C) 2001,2002 Oliver Ehli <elmy@acm.org># Copyright (C) 2001 Mike Schiraldi <raldi@research.netsol.com># Copyright (C) 2003 Bjoern Jacke <bjoern@j3e.de>## This program is free software; you can redistribute it and/or modify# it under the terms of the GNU General Public License as published by# the Free Software Foundation; either version 2 of the License, or# (at your option) any later version.# # This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the# GNU General Public License for more details.# # You should have received a copy of the GNU General Public License# along with this program; if not, write to the Free Software# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.use strict;use File::Copy;umask 077;require "timelocal.pl";sub usage ();sub newfile ($;$$);sub mutt_Q ($ );sub mycopy ($$);# directory setup routinessub mkdir_recursive ($ );sub init_paths ();# key/certificate management methodssub list_certs ();sub query_label ();sub add_entry ($$$$$ );sub add_certificate ($$$$;$ );sub add_key ($$$$);sub add_root_cert ($ );sub parse_pem (@ );sub handle_pem (@ );sub modify_entry ($$$;$ );sub remove_pair ($ );sub change_label ($ );sub verify_cert($$);sub do_verify($$$ ); # Get the directories mutt uses for certificate/key storage.my $mutt = $ENV{MUTT_CMDLINE} || 'mutt';my $opensslbin = "/usr/bin/openssl";my @tempfiles = ();my @cert_tmp_file = ();my $tmpdir;my $private_keys_path = mutt_Q 'smime_keys';die "smime_keys is not set in mutt's configuration file" if length $private_keys_path == 0;my $certificates_path = mutt_Q 'smime_certificates';die "smime_certificates is not set in mutt's configuration file" if length $certificates_path == 0;my $root_certs_path = mutt_Q 'smime_ca_location';die "smime_ca_location is not set in mutt's configuration file" if length $root_certs_path == 0;my $root_certs_switch;if ( -d $root_certs_path) { $root_certs_switch = -CApath;} else { $root_certs_switch = -CAfile;}## OPS#if(@ARGV == 1 and $ARGV[0] eq "init") { init_paths;}elsif(@ARGV == 1 and $ARGV[0] eq "list") { list_certs;}elsif(@ARGV == 2 and $ARGV[0] eq "label") { change_label($ARGV[1]);}elsif(@ARGV == 2 and $ARGV[0] eq "add_cert") { my $format = -B $ARGV[1] ? 'DER' : 'PEM'; my $cmd = "$opensslbin x509 -noout -hash -in $ARGV[1] -inform $format"; my $cert_hash = `$cmd`; $? and die "'$cmd' returned $?"; chomp($cert_hash); my $label = query_label; &add_certificate($ARGV[1], \$cert_hash, 1, $label, '?');}elsif(@ARGV == 2 and $ARGV[0] eq "add_pem") { -e $ARGV[1] and -s $ARGV[1] or die("$ARGV[1] is nonexistent or empty."); open(PEM_FILE, "<$ARGV[1]") or die("Can't open $ARGV[1]: $!"); my @pem = <PEM_FILE>; close(PEM_FILE); handle_pem(@pem);}elsif( @ARGV == 2 and $ARGV[0] eq "add_p12") { -e $ARGV[1] and -s $ARGV[1] or die("$ARGV[1] is nonexistent or empty."); print "\nNOTE: This will ask you for two passphrases:\n"; print " 1. The passphrase you used for exporting\n"; print " 2. The passphrase you wish to secure your private key with.\n\n"; my $pem_file = "$ARGV[1].pem"; my $cmd = "$opensslbin pkcs12 -in $ARGV[1] -out $pem_file"; system $cmd and die "'$cmd' returned $?"; -e $pem_file and -s $pem_file or die("Conversion of $ARGV[1] failed."); open(PEM_FILE, $pem_file) or die("Can't open $pem_file: $!"); my @pem = <PEM_FILE>; close(PEM_FILE); unlink $pem_file; handle_pem(@pem);}elsif(@ARGV == 4 and $ARGV[0] eq "add_chain") { my $mailbox; my $format = -B $ARGV[2] ? 'DER' : 'PEM'; my $cmd = "$opensslbin x509 -noout -hash -in $ARGV[2] -inform $format"; my $cert_hash = `$cmd`; $? and die "'$cmd' returned $?"; $format = -B $ARGV[3] ? 'DER' : 'PEM'; $cmd = "$opensslbin x509 -noout -hash -in $ARGV[3] -inform $format"; my $issuer_hash = `$cmd`; $? and die "'$cmd' returned $?"; chomp($cert_hash); chomp($issuer_hash); my $label = query_label; add_certificate($ARGV[3], \$issuer_hash, 0, $label); my @mailbox = &add_certificate($ARGV[2], \$cert_hash, 1, $label, $issuer_hash); foreach $mailbox (@mailbox) { chomp($mailbox); add_key($ARGV[1], $cert_hash, $mailbox, $label); }}elsif((@ARGV == 2 or @ARGV == 3) and $ARGV[0] eq "verify") { verify_cert($ARGV[1], $ARGV[2]);}elsif(@ARGV == 2 and $ARGV[0] eq "remove") { remove_pair($ARGV[1]);}elsif(@ARGV == 2 and $ARGV[0] eq "add_root") { add_root_cert($ARGV[1]);}else { usage; exit(1);}exit(0);############## sub-routines ########################sub usage () { print <<EOF;Usage: smime_keys <operation> [file(s) | keyID [file(s)]] with operation being one of: init : no files needed, inits directory structure. list : lists the certificates stored in database. label : keyID required. changes/removes/adds label. remove : keyID required. verify : 1=keyID and optionally 2=CRL Verifies the certificate chain, and optionally wether this certificate is included in supplied CRL (PEM format). Note: to verify all certificates at the same time, replace keyID with "all" add_cert : certificate required. add_chain : three files reqd: 1=Key, 2=certificate plus 3=intermediate certificate(s). add_p12 : one file reqd. Adds keypair to database. file is PKCS12 (e.g. export from netscape). add_pem : one file reqd. Adds keypair to database. (file was converted from e.g. PKCS12). add_root : one file reqd. Adds PEM root certificate to the location specified within muttrc (smime_verify_* command)EOF}sub mutt_Q ($) { my $var = shift or die; my $cmd = "$mutt -v >/dev/null 2>/dev/null"; system ($cmd) == 0 or die<<EOF;Couldn't launch mutt. I attempted to do so by running the command "$mutt".If that's not the right command, you can override it by setting the environment variable \$MUTT_CMDLINEEOF $cmd = "$mutt -Q $var 2>/dev/null"; my $answer = `$cmd`; $? and die<<EOF;Couldn't look up the value of the mutt variable "$var". You must set this in your mutt config file. See contrib/smime.rc for an example.EOF#' $answer =~ /\"(.*?)\"/ and return $1; $answer =~ /^Mutt (.*?) / and die<<EOF;This script requires mutt 1.5.0 or later. You are using mutt $1.EOF die "Value of $var is weird\n";}sub mycopy ($$) { my $source = shift or die; my $dest = shift or die; copy $source, $dest or die "Problem copying $source to $dest: $!\n";}## directory setup routines#sub mkdir_recursive ($) { my $path = shift or die; my $tmp_path; for my $dir (split /\//, $path) { $tmp_path .= "$dir/"; -d $tmp_path or mkdir $tmp_path, 0700 or die "Can't mkdir $tmp_path: $!"; }}sub init_paths () { mkdir_recursive($certificates_path); mkdir_recursive($private_keys_path); my $file; $file = $certificates_path . "/.index"; -f $file or open(TMP_FILE, ">$file") and close(TMP_FILE) or die "Can't touch $file: $!"; $file = $private_keys_path . "/.index"; -f $file or open(TMP_FILE, ">$file") and close(TMP_FILE) or die "Can't touch $file: $!";}## certificate management methods#sub list_certs () { my %keyflags = ( 'i', '(Invalid)', 'r', '(Revoked)', 'e', '(Expired)', 'u', '(Unverified)', 'v', '(Valid)', 't', '(Trusted)'); open(INDEX, "<$certificates_path/.index") or die "Couldn't open $certificates_path/.index: $!"; print "\n"; while(<INDEX>) { my $tmp; my @tmp; my $tab = " "; my @fields = split; if($fields[2] eq '-') { print "$fields[1]: Issued for: $fields[0] $keyflags{$fields[4]}\n"; } else { print "$fields[1]: Issued for: $fields[0] \"$fields[2]\" $keyflags{$fields[4]}\n"; } my $certfile = "$certificates_path/$fields[1]"; my $cert; { open F, $certfile or die "Couldn't open $certfile: $!"; local $/; $cert = <F>; close F; } my $subject_in; my $issuer_in; my $date1_in; my $date2_in; my $format = -B $certfile ? 'DER' : 'PEM'; my $cmd = "$opensslbin x509 -subject -issuer -dates -noout -in $certfile -inform $format"; ($subject_in, $issuer_in, $date1_in, $date2_in) = `$cmd`; $? and print "ERROR: '$cmd' returned $?\n\n" and next; my @subject = split(/\//, $subject_in); while(@subject) { $tmp = shift @subject; ($tmp =~ /^CN\=/) and last; undef $tmp; } defined $tmp and @tmp = split (/\=/, $tmp) and print $tab."Subject: $tmp[1]\n"; my @issuer = split(/\//, $issuer_in); while(@issuer) { $tmp = shift @issuer; ($tmp =~ /^CN\=/) and last; undef $tmp; } defined $tmp and @tmp = split (/\=/, $tmp) and print $tab."Issued by: $tmp[1]"; if ( defined $date1_in and defined $date2_in ) { @tmp = split (/\=/, $date1_in); $tmp = $tmp[1]; @tmp = split (/\=/, $date2_in); print $tab."Certificate is not valid before $tmp". $tab." or after ".$tmp[1]; } -e "$private_keys_path/$fields[1]" and print "$tab - Matching private key installed -\n"; $format = -B "$certificates_path/$fields[1]" ? 'DER' : 'PEM'; $cmd = "$opensslbin x509 -purpose -noout -in $certfile -inform $format"; my $purpose_in = `$cmd`; $? and die "'$cmd' returned $?"; my @purpose = split (/\n/, $purpose_in); print "$tab$purpose[0] (displays S/MIME options only)\n"; while(@purpose) { $tmp = shift @purpose; ($tmp =~ /^S\/MIME/ and $tmp =~ /Yes/) or next; my @tmptmp = split (/:/, $tmp); print "$tab $tmptmp[0]\n"; } print "\n"; } close(INDEX);}sub query_label () { my @words; my $input; print "\nYou may assign a label to this key, so you don't have to remember\n"; print "the key ID. This has to be _one_ word (no whitespaces).\n\n"; print "Enter label: "; chomp($input = <STDIN>); my ($label, $junk) = split(/\s/, $input, 2); defined $junk and print "\nUsing '$label' as label; ignoring '$junk'\n"; defined $label || ($label = "-"); return $label;}sub add_entry ($$$$$) { my $mailbox = shift or die; my $hashvalue = shift or die; my $use_cert = shift; my $label = shift or die; my $issuer_hash = shift; my @fields; if ($use_cert) { open(INDEX, "+<$certificates_path/.index") or die "Couldn't open $certificates_path/.index: $!"; } else { open(INDEX, "+<$private_keys_path/.index") or die "Couldn't open $private_keys_path/.index: $!"; } while(<INDEX>) { @fields = split; return if ($fields[0] eq $mailbox && $fields[1] eq $hashvalue); } if ($use_cert) { print INDEX "$mailbox $hashvalue $label $issuer_hash u\n"; } else { print INDEX "$mailbox $hashvalue $label \n"; } close(INDEX);}sub add_certificate ($$$$;$) { my $filename = shift or die; my $hashvalue = shift or die; my $add_to_index = shift; my $label = shift or die; my $issuer_hash = shift; my $iter = 0; my @mailbox; my $mailbox; while(-e "$certificates_path/$$hashvalue.$iter") { my ($t1, $t2); my $format = -B $filename ? 'DER' : 'PEM'; my $cmd = "$opensslbin x509 -in $filename -inform $format -fingerprint -noout"; $t1 = `$cmd`; $? and die "'$cmd' returned $?"; $format = -B "$certificates_path/$$hashvalue.$iter" ? 'DER' : 'PEM'; $cmd = "$opensslbin x509 -in $certificates_path/$$hashvalue.$iter -inform $format -fingerprint -noout"; $t2 = `$cmd`; $? and die "'$cmd' returned $?"; $t1 eq $t2 and last; $iter++; } $$hashvalue .= ".$iter"; if (-e "$certificates_path/$$hashvalue") { print "\nCertificate: $certificates_path/$$hashvalue already installed.\n"; } else { mycopy $filename, "$certificates_path/$$hashvalue"; if ($add_to_index) { my $format = -B $filename ? 'DER' : 'PEM'; my $cmd = "$opensslbin x509 -in $filename -inform $format -email -noout"; @mailbox = `$cmd`; $? and die "'$cmd' returned $?"; foreach $mailbox (@mailbox) { chomp($mailbox); add_entry($mailbox, $$hashvalue, 1, $label, $issuer_hash); print "\ncertificate $$hashvalue ($label) for $mailbox added.\n"; } verify_cert($$hashvalue, undef); } else { print "added certificate: $certificates_path/$$hashvalue.\n"; } } return @mailbox;}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -