Changeset 7789


Timestamp:
23/12/10 16:35:07 (9 years ago)
Author:
pjkersha
Message:

Improvements to:

  • allow for keystores where no password is set
  • error handling
Location:
TI12-security/trunk/esg_keytool_utils
Files:
2 edited

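--- a/TI12-security/trunk/esg_keytool_utils/export_keystore_certs2pems.cfg
+++ b/TI12-security/trunk/esg_keytool_utils/export_keystore_certs2pems.cfg
@@ -17,9 +17,9 @@
 keystore="./keystore"
 
-# Java Key store password.  If omitted, it will be prompted for from stdin
+# Java Key store password.  If omitted, it is assumed to be null
 keystore_passwd=123456
 
-# Directory for storage of temporary DER files used by keytool
-tmp_dir=.
+# Uncomment this to prompt from stdin instead
+#keystore_passwd_from_stdin=True
 
 # Export directory for output PEM files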
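Review bot: The new `#keystore_passwd_from_stdin=True` setting at new line 23 is consumed by the script as `[ "$keystore_passwd_from_stdin" ]`, which is true for any non-empty value, so a user who sets it to `False` or `0` to disable the prompt will still be prompted. The comment above it should make the contract explicit: `# Set to any non-empty value (e.g. True) to prompt for the password from stdin; leave this line commented out to disable`. It is also worth stating next to `keystore_passwd=123456` that a non-empty value must be at least 6 characters or the script exits, since that check only lives in the script.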
  • TI12-security/trunk/esg_keytool_utils/export_keystore_certs2pems.sh

    r7264 r7789  
    4545fi 
    4646 
     47# Check output directory setting 
     48if [ -z "$export_dir" ]; then 
     49    echo "Missing 'export_dir' setting from config file or value is null." >&2; 
     50    echo $usage >&2 ; 
     51    exit 1; 
     52 
     53elif [ ! -d "export_dir" ]; then 
     54    # Attempt to create path 
     55    mkdir -p $export_dir 
     56fi 
     57 
    4758# Keystore password may be retrieved from stdin 
    48 if [ -z "$keystore_passwd" ]; then 
     59if [ "$keystore_passwd_from_stdin" ]; then 
    4960    # Read from stdin 
    5061    read -t 60 -p "Keystore password: " -s keystore_passwd ; 
     
    5263fi 
    5364 
    54 if [ -z "$keystore_passwd" ]; then  
    55     echo "No keystore password set: exiting ..." >&2 ; 
    56     exit 1; 
    57     
    58 elif [ ${#keystore_passwd} -lt 6 ]; then 
     65# Check password is longer than 6 chars but skip if no password was set at 
     66# all - this is legal. 
     67if [ "$keystore_passwd" ] && [ ${#keystore_passwd} -lt 6 ]; then 
    5968    echo "keystore password must be longer than 6 characters." >&2 ; 
    6069    exit 1; 
    6170fi 
    6271 
     72# Temporary file to collect stderr from keytool 
     73tmp_error_filepath=$(tempfile) 
    6374if [ -z "$aliases" ]; then 
    6475    # Get aliases for all the stored certificates 
    65     aliases=$(keytool -list -keystore $keystore -storepass $keystore_passwd | grep trustedCertEntry|awk -F, '{print $1}') 
     76    # (Needs alternate invocations based on whether a password is set or not) 
     77    if [ -z "$keystore_passwd" ]; then 
     78        # Use echo to pipe in a null password at the prompt 
     79        aliases=$(echo|keytool -list -keystore $keystore $keystore_passwd \ 
     80                2> $tmp_error_filepath | \ 
     81                grep trustedCertEntry | awk -F, '{print $1}') 
     82    else 
     83        aliases=$(keytool -list -keystore $keystore -storepass $keystore_passwd \ 
     84                2> $tmp_error_filepath | \ 
     85                grep trustedCertEntry| awk -F, '{print $1}') 
     86    fi 
     87     
     88    # Collected stderr from keytool 
     89    tmp_file_output=$(< $tmp_error_filepath) 
     90    rm -f $tmp_error_filepath 
     91     
     92    # Check again to flag 'keytool -list' operation failed 
     93    if [ -z "$aliases" ]; then 
     94        echo No aliases found for keystore $keystore. Error output is: "$tmp_file_output" >&2 ; 
     95        rm -f $(tempfile) 
     96        exit 1;   
     97    fi 
    6698fi 
     99 
     100# Temporary directory for DER file intermediate output 
     101tmp_dir=$(mktemp -d) 
    67102 
    68103# Export based on alias 
     
    70105    # Export as DER format cert 
    71106    der_file="$tmp_dir/${alias}.der" 
    72     keytool -export -alias "$alias" -keystore $keystore -storepass $keystore_passwd -file "$der_file"  
    73  
     107    if [ -z "$keystore_passwd" ]; then 
     108        # Use echo to pipe in a null password at the prompt 
     109        echo | keytool -export -alias "$alias" -keystore $keystore \ 
     110            $keystore_passwd -file "$der_file" 2> /dev/null 
     111    else 
     112        keytool -export -alias "$alias" -keystore $keystore -storepass \ 
     113            $keystore_passwd -file "$der_file" 2> /dev/null 
     114    fi 
     115     
    74116    # Find out the hash and use this to name the exported PEM file 
    75117    cert_hash=$(openssl x509 -inform DER -in "$der_file" -noout -hash) 
     118    if [ $? != "0" ]; then 
     119        echo "Error calculating hash for certificate $der_file" >&2 ; 
     120        break ;   
     121    fi  
     122            
    76123    pem_file="$export_dir/${cert_hash}.0" 
    77124     
    78125    # Convert exported file to PEM 
    79126    openssl x509 -inform DER -in "$der_file" -outform PEM -out "$pem_file" 
     127done 
    80128 
    81     # Cleanup 
    82     rm -f "$der_file" 
    83 done 
     129rm -rf $tmp_dir ; 
     130echo "Certificates exported from keystore $keystore to $export_dir." ; 
     131exit 0 ; 
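Review bot: The new output-directory check at new line 53 tests the literal string `"export_dir"` instead of the variable, so the `-d` branch is never true for the configured path and `mkdir -p $export_dir` runs unquoted on every invocation with its status ignored; it should read `elif [ ! -d "$export_dir" ]; then` followed by `mkdir -p -- "$export_dir" || exit 1`. The `break` at new line 120 on an openssl hash failure only leaves the loop, after which the script still prints "Certificates exported ..." and exits 0, masking the error — replace it with `rm -rf -- "$tmp_dir"; exit 1`. The stderr capture file created by `tempfile` at new line 73 is only removed inside the `if [ -z "$aliases" ]` block, so it leaks whenever aliases are preset, and `rm -f $(tempfile)` at new line 95 creates a fresh temp file just to delete it; move `rm -f -- "$tmp_error_filepath"` after the block and drop line 95. The re-added `-storepass $keystore_passwd` at new lines 83 and 112 still places the password on the command line where it is visible in the process list; keytool's `-storepass:env` / `-storepass:file` forms avoid that where the target JDK supports them. The `for` line opening the export loop (old 69 / new 104) did not survive rendering, so the loop header is outside what I can see here.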