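#!/bin/sh
# File under Perl Artistic Licence 2.0
# http://www.opensource.org/licenses/artistic-license-2.0.php
# Copyright holder: TBS INTERNET SAS, France
# Author: JP Donnio
# Contact: tag-nss-update-crl@tbs-internet.com
# http://www.tbs-certificats.com/
#
# Doc at: http://www.tbs-certificats.com/ssl/nss_tools_crl_ca_control.html
#
# Version: 1.0
# Date: 2008-08-20
# This program loads a list of CRLs into NSS (Firefox, Thunderbird, SeaMonkey, etc.)
#
# The file containing a list of CRL URLs is provided AS IS and does not
# contain all the CRLs you need! Our list is cut-down because we have
# also cut-down the approved CA list.
# Please review the list of CAs you have approved and make sure you have
# all the CRLs. If you have left all the default firefox (NSS) builtin
# roots (either ignorant or crazy), the provided file is FAR from complete!
#
# you may use something like
#   certutil -L -h "Builtin Object Token" -d <DBDIR>
# to see all the roots. Look for the C and T flags!
#
# USAGE: nss_update_crl [DBDIR]
#   DBDIR   profile directory containing cert8.db (optional; default below)
#
# Input:  $CRLLIST, one CRL URL per line; lines starting with '#' and blank
#         lines are ignored.
# Output: progress/diagnostics on stderr; on a failed import, a directory
#         nss_update_crl-error-<epoch>.XXXXXX under the temp dir holding the
#         downloaded CRL (theCRL), its URL (URL) and crlutil's stderr (RETURN).
# Exit:   1 DBDIR missing, 2 CRLLIST missing, 3 CRLLIST empty, 4 no usable
#         temp dir/file, 5 curl missing, 6 crlutil missing, 7 backup failed.
#         A failed download or import of an individual CRL does NOT change
#         the exit status (the loop continues with the next URL).
#
# NOTE: this script only knows the legacy cert8.db database; profiles that
# use the sqlite cert9.db are not handled.  Run it with the application
# closed, cert8.db is not meant to be written by two processes at once.

# -u: a typo in a variable name must not silently turn into an empty path
# (e.g. "$DBDIR/cert8.db" becoming "/cert8.db").
set -u

# Print every argument after the first as a line on stderr, then exit with
# the status given as the first argument.
die() {
  _status=$1
  shift
  for _line in "$@"; do
    printf '%s\n' "$_line" >&2
  done
  exit "$_status"
}

if [ -d "${1-}" ]; then
  DBDIR=$1
else
  # SET HERE your firefox/mozilla/you-name-it directory
  # must contain cert8.db
  DBDIR=~/.mozilla/default/m8xsi8n3.slt/
fi

CRLLIST=~/bin/nss_update_crl.list

# -B is needed to be able to import CRLs of intermediate certs not stored in the DB
# otherwise you get:
# crlutil: unable to import CRL: Peer's Certificate issuer is not recognized.
# May be set to the empty string to disable; it is then not passed at all.
CRLPARAM="-B"

if [ ! -d "$DBDIR" ]; then
  die 1 "Your DBDIR does not exist: $DBDIR" "Please edit the script to fix"
fi

if [ ! -f "$CRLLIST" ]; then
  die 2 "Your CRLLIST file does not exist: $CRLLIST" "Please edit the script to fix"
fi

if [ ! -s "$CRLLIST" ]; then
  die 3 "Your CRLLIST file is empty: $CRLLIST" "Please place a list of URL CRLs in it"
fi

# Prefer a private ~/tmp; the world-writable directories are a last resort.
if [ -n "${HOME-}" ] && [ -d "$HOME/tmp/" ]; then
  TEMPDIR="$HOME/tmp/"
elif [ -d /var/tmp/ ]; then
  TEMPDIR="/var/tmp/"
elif [ -d /tmp/ ]; then
  TEMPDIR="/tmp/"
else
  die 4 "Could not locate a proper temporary directory"
fi

# or set this by hand
CURL=$(command -v curl) || CURL=
if [ -z "$CURL" ] || [ ! -x "$CURL" ]; then
  die 5 "Could not find curl, please edit script" "http://curl.haxx.se/"
fi

# or set this by hand
CRLUTIL=$(command -v crlutil) || CRLUTIL=
if [ -z "$CRLUTIL" ] || [ ! -x "$CRLUTIL" ]; then
  die 6 "Could not find crlutil, please edit script" \
    "http://www.mozilla.org/projects/security/pki/nss/tools/crlutil.html"
fi

# The download target must have an unpredictable name: a fixed name such as
# /tmp/nss_update_crl.tmp in a shared directory can be pre-created by another
# local user (as a symlink or with their own content), and its content ends
# up in cert8.db.  mktemp creates the file with mode 0600.
TEMPFILE=$(mktemp "$TEMPDIR/nss_update_crl.XXXXXX") ||
  die 4 "Could not create a temporary file in $TEMPDIR"
# Remove the download on every exit path, including errors.
trap 'rm -f -- "$TEMPFILE"' EXIT

# experience shows that a backup is sometime useful!
# One backup per day; abort rather than modify the DB without one.
BAKDIR="$DBDIR/cert8backup"
if [ ! -d "$BAKDIR" ]; then
  mkdir -- "$BAKDIR" || die 7 "Could not create backup directory: $BAKDIR"
fi
BAKFILE="$BAKDIR/cert8.db-$(date +%Y%m%d)"
if [ ! -f "$BAKFILE" ]; then
  cp -a -- "$DBDIR/cert8.db" "$BAKFILE" ||
    die 7 "Could not back up $DBDIR/cert8.db to $BAKFILE"
fi

# Read the list line by line (no word splitting, no globbing of the URLs);
# the "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
while IFS= read -r URLCRL || [ -n "$URLCRL" ]; do
  case $URLCRL in
    '' | '#'*) continue ;;
  esac

  # Reuse the one private temp file: truncate whatever the previous URL left.
  : > "$TEMPFILE"

  # -f: an HTTP error (404, 500, ...) makes curl fail instead of saving the
  # server's error page, which would then be offered to crlutil as a CRL.
  if ! "$CURL" -s -f "$URLCRL" -o "$TEMPFILE" || [ ! -s "$TEMPFILE" ]; then
    printf 'Could not download %s, skipping\n' "$URLCRL" >&2
    continue
  fi

  # Error report directory, created per URL and removed again on success.
  # mktemp -d gives a unique, 0700 directory, so no sleep is needed to keep
  # the epoch-based names apart and nobody else can pre-create it.
  REP=$(mktemp -d "$TEMPDIR/nss_update_crl-error-$(date +%s).XXXXXX") || {
    printf 'Could not create an error directory in %s, skipping %s\n' \
      "$TEMPDIR" "$URLCRL" >&2
    continue
  }

  # ${CRLPARAM:+"$CRLPARAM"}: pass the flag as one word, or nothing if empty.
  if "$CRLUTIL" -I ${CRLPARAM:+"$CRLPARAM"} -i "$TEMPFILE" -u "$URLCRL" \
      -d "$DBDIR" 2> "$REP/RETURN"; then
    # :? guards against an empty REP turning this into "rm -rf /".
    rm -rf -- "${REP:?}"
  else
    printf 'Error on %s, see in %s\n\n' "$URLCRL" "$REP" >&2
    cp -a -- "$TEMPFILE" "$REP/theCRL"
    printf '%s\n' "$URLCRL" > "$REP/URL"
  fi
done < "$CRLLIST"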