Created
July 17, 2018 03:56
Add "bag attributes" to a certificate chain
#!/bin/bash
#
# This script takes one or more x509 certificates in .PEM format (from
# stdin or files listed on command line) and adds helpful "bag
# attributes" before each certificate. This makes it easier for
# humans to identify the contents of the bundle.
#
# Requires (g)awk and openssl's x509 command line utility.
#
# Output fields included can be specified via openssl-x509 options:
#
# subject= /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
# issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
# notBefore=Mar 8 12:00:00 2013 GMT
# notAfter=Mar 8 12:00:00 2023 GMT
# SHA256 Fingerprint=15:4C:43:3C:49:19:29:C5:EF:68:6E:83:8E:32:36:64:A0:0E:6A:0D:82:2C:CC:95:8F:B4:DA:B0:3E:49:A0:8F
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
awk -vZ="openssl x509 -subject -issuer -email -dates -sha256 -fingerprint" \
'/^-----BEGIN/{b=Z;x=1}x{print|b}/^-----END/{close(b);x=0;print""}' "$@"
Well, I better understand the use of the x flag now (to print everything between the two patterns).
What is the use of b=Z then close(b)?
Explained like this, even if there is still a bit of magic in this :-)
-vZ="openssl x509 -subject -issuer -email -dates -sha256 -fingerprint"
store the openssl command into an awk variable named Z
'
start of the awk script
/^-----BEGIN/{b=Z;x=1}
when hitting a -----BEGIN CERTIFICATE----- line, set variables b and x
x{print|b}
now x==1, print lines and pipe to openssl cmd stored in b
/^-----END/{close(b);x=0;print""}
when hitting a -----END CERTIFICATE----- line,
- close b
- reset x to 0, otherwise it will send non-certificate lines to the openssl command
- simply prints an empty line
'
end of the awk script
"$@"
pass all the args of the script to the awk command
or with "renaming"
awk \
--assign=OPENSSL_CMD="openssl x509 -subject -issuer -email -dates -sha256 -fingerprint" \
'/^-----BEGIN/{inside_cert=1} \
inside_cert{print|OPENSSL_CMD} \
/^-----END/{close(OPENSSL_CMD);inside_cert=0;}' \
"$@"
Wonderful!
Would you mind explaining what this awk script does, step by step?
I've struggled to find this kind of command online, but nothing came up.
So far I understand that you print everything between BEGIN and END and pipe it to b which has been set to Z.
Why?
We couldn't use Z directly?
What is the use of x=1 then x alone outside the {}?
Thanks in advance,
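
On the thread's question about close(b), an added example that is not part of the gist or of any comment: awk keeps one pipe open per distinct command string, so without close(b) every certificate is written to the same process, and openssl x509 reads only the first certificate on its input. It assumes a sed stand-in for openssl and constructed placeholder blocks instead of real certificates, so it runs offline; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: effect of close(b) in the gist's awk one-liner.
# Constructed input: two PEM-shaped blocks with placeholder bodies,
# not real certificates.
sample_bundle() {
  cat <<'EOF'
-----BEGIN CERTIFICATE-----
placeholder-body-1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-body-2
-----END CERTIFICATE-----
EOF
}

# Assumption: sed stands in for "openssl x509". Like openssl x509, it
# reports on the first block of its input only (here: stream line 2).
STAND_IN="sed -n '2s/^/annotated: /p'"

# Same rules as the gist: one pipe per certificate, closed at each END line.
annotate_with_close() {
  awk -v Z="$STAND_IN" \
    '/^-----BEGIN/{b=Z;x=1} x{print|b} /^-----END/{close(b);x=0}'
}

# close(b) removed: awk reuses the already-open pipe for the identical
# command string, so every block lands in one process.
annotate_without_close() {
  awk -v Z="$STAND_IN" \
    '/^-----BEGIN/{b=Z;x=1} x{print|b} /^-----END/{x=0}'
}

echo "with close(b):"
sample_bundle | annotate_with_close
echo "without close(b):"
sample_bundle | annotate_without_close
```

With a real bundle the second case shows up as a chain in which only the first certificate gets its subject, issuer and fingerprint lines.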