AfroThundr3007730 · November 18, 2024 16:14 · AfroThundr3007730 · Mar 2, 2024
diff --git a/add-dod-certs.sh b/add-dod-certs.sh
 #!/bin/bash
 # Import DoD root certificates into linux CA store
 # Version 0.3.0 updated 20240304
 # SPDX-License-Identifier: GPL-3.0-or-later

 add_dod_certs() {
    local bundle cert certdir file form tmpdir url update
    # Location of bundle from DISA site
    url='https://public.cyber.mil/pki-pke/pkipke-document-library/'
    bundle=$(curl -s $url | awk -F '"' 'tolower($2) ~ /dod.zip/ {print $2}')
    #bundle=https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip

    # Set cert directory and update command based on OS
    # shellcheck disable=SC1091
    source /etc/os-release
    if [[ $ID      =~ (fedora|rhel|centos) ||
          $ID_LIKE =~ (fedora|rhel|centos) ]]; then
        certdir=/etc/pki/ca-trust/source/anchors
        update='update-ca-trust'
    elif [[ $ID      =~ (debian|ubuntu|mint) ||
            $ID_LIKE =~ (debian|ubuntu|mint) ]]; then
        certdir=/usr/local/share/ca-certificates
        update='update-ca-certificates'
    else
        certdir=$1
        update=$2
    fi

    if [[ -z $certdir || -z $update ]]; then
        printf 'Unable to autodetect OS using /etc/os-release.\n'
        printf 'Please provide CA certificate directory and update command.\n'
        printf 'Example: %s /cert/store/location update-cmd\n' "${0##*/}"
        exit 1
    fi

    # Extract the bundle
    tmpdir=$(mktemp -d)
    wget -qP "$tmpdir" "$bundle"
    unzip -qj "$tmpdir"/"${bundle##*/}" -d "$tmpdir"

    # Check for existence of PEM or DER format p7b.
    for file in "$tmpdir"/*_dod_{pem,der}.p7b; do
        # Iterate over glob instead of testing directly (SC2144)
        if [[ -f $file ]]; then form=${file%.*}; form=${form##*_}; break; fi
    done

    # Convert the PKCS#7 bundle into individual PEM files
    openssl pkcs7 -print_certs -inform "$form" -in "$file" |
        awk -v d="$tmpdir" 'BEGIN {c=0} /subject=/ {c++} {print > d "/cert." c ".pem"}'

    # Rename the files based on the CA name
    for cert in "$tmpdir"/cert.*.pem; do
        mv "$cert" "$certdir"/"$(openssl x509 -noout -subject -in "$cert" |
            awk -F '(=|= )' '{gsub(/ /, "_", $NF); print $NF}')".crt
    done

    # Remove temp files and update certificate stores
    rm -fr "$tmpdir"
    $update
 }

 # Only execute if not being sourced
 [[ ${BASH_SOURCE[0]} == "$0" ]] && add_dod_certs "$@"
	#!/bin/bash
	# Import DoD root certificates into linux CA store
	# Version 0.3.0 updated 20240304
	# SPDX-License-Identifier: GPL-3.0-or-later

	add_dod_certs() {
	local bundle cert certdir file form tmpdir url update
	# Location of bundle from DISA site
	url='https://public.cyber.mil/pki-pke/pkipke-document-library/'
	bundle=$(curl -s $url \| awk -F '"' 'tolower($2) ~ /dod.zip/ {print $2}')
	#bundle=https://dl.dod.cyber.mil/wp-content/uploads/pki-pke/zip/unclass-certificates_pkcs7_DoD.zip

	# Set cert directory and update command based on OS
	# shellcheck disable=SC1091
	source /etc/os-release
	if [[ $ID =~ (fedora\|rhel\|centos) \|\|
	$ID_LIKE =~ (fedora\|rhel\|centos) ]]; then
	certdir=/etc/pki/ca-trust/source/anchors
	update='update-ca-trust'
	elif [[ $ID =~ (debian\|ubuntu\|mint) \|\|
	$ID_LIKE =~ (debian\|ubuntu\|mint) ]]; then
	certdir=/usr/local/share/ca-certificates
	update='update-ca-certificates'
	else
	certdir=$1
	update=$2
	fi

	if [[ -z $certdir \|\| -z $update ]]; then
	printf 'Unable to autodetect OS using /etc/os-release.\n'
	printf 'Please provide CA certificate directory and update command.\n'
	printf 'Example: %s /cert/store/location update-cmd\n' "${0##*/}"
	exit 1
	fi

	# Extract the bundle
	tmpdir=$(mktemp -d)
	wget -qP "$tmpdir" "$bundle"
	unzip -qj "$tmpdir"/"${bundle##*/}" -d "$tmpdir"

	# Check for existence of PEM or DER format p7b.
	for file in "$tmpdir"/*_dod_{pem,der}.p7b; do
	# Iterate over glob instead of testing directly (SC2144)
	if [[ -f $file ]]; then form=${file%.}; form=${form##_}; break; fi
	done

	# Convert the PKCS#7 bundle into individual PEM files
	openssl pkcs7 -print_certs -inform "$form" -in "$file" \|
	awk -v d="$tmpdir" 'BEGIN {c=0} /subject=/ {c++} {print > d "/cert." c ".pem"}'

	# Rename the files based on the CA name
	for cert in "$tmpdir"/cert.*.pem; do
	mv "$cert" "$certdir"/"$(openssl x509 -noout -subject -in "$cert" \|
	awk -F '(=\|= )' '{gsub(/ /, "_", $NF); print $NF}')".crt
	done

	# Remove temp files and update certificate stores
	rm -fr "$tmpdir"
	$update
	}

	# Only execute if not being sourced
	[[ ${BASH_SOURCE[0]} == "$0" ]] && add_dod_certs "$@"