/usr/sbin/update-ca-certificates is in ca-certificates 20161130+nmu1+deb9u1.
This file is owned by root:root, with mode 0o755.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 | #!/bin/sh -e
#
# update-ca-certificates
#
# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
# USA.
#
verbose=0
fresh=0
default=0
CERTSCONF=/etc/ca-certificates.conf
CERTSDIR=/usr/share/ca-certificates
LOCALCERTSDIR=/usr/local/share/ca-certificates
CERTBUNDLE=ca-certificates.crt
ETCCERTSDIR=/etc/ssl/certs
HOOKSDIR=/etc/ca-certificates/update.d
while [ $# -gt 0 ];
do
case $1 in
--verbose|-v)
verbose=1;;
--fresh|-f)
fresh=1;;
--default|-d)
default=1
fresh=1;;
--certsconf)
shift
CERTSCONF="$1";;
--certsdir)
shift
CERTSDIR="$1";;
--localcertsdir)
shift
LOCALCERTSDIR="$1";;
--certbundle)
shift
CERTBUNDLE="$1";;
--etccertsdir)
shift
ETCCERTSDIR="$1";;
--hooksdir)
shift
HOOKSDIR="$1";;
--help|-h|*)
echo "$0: [--verbose] [--fresh]"
exit;;
esac
shift
done
if [ ! -s "$CERTSCONF" ]
then
fresh=1
fi
cleanup() {
rm -f "$TEMPBUNDLE"
rm -f "$ADDED"
rm -f "$REMOVED"
}
trap cleanup 0
# Helper files. (Some of them are not simple arrays because we spawn
# subshells later on.)
TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
# Adds a certificate to the list of trusted ones. This includes a symlink
# in /etc/ssl/certs to the certificate file and its inclusion into the
# bundle.
add() {
CERT="$1"
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
-e 's/[()]/=/g' \
-e 's/,/_/g').pem"
if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
then
ln -sf "$CERT" "$PEM"
echo "+$PEM" >> "$ADDED"
fi
# Add trailing newline to certificate, if it is missing (#635570)
sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
}
remove() {
CERT="$1"
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
if test -L "$PEM"
then
rm -f "$PEM"
echo "-$PEM" >> "$REMOVED"
fi
}
cd "$ETCCERTSDIR"
if [ "$fresh" = 1 ]; then
echo "Clearing symlinks in $ETCCERTSDIR..."
find . -type l -print | while read symlink
do
case $(readlink "$symlink") in
$CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
esac
done
find . -type l -print | while read symlink
do
test -f "$symlink" || rm -f "$symlink"
done
echo "done."
fi
echo "Updating certificates in $ETCCERTSDIR..."
# Add default certificate authorities if requested
if [ "$default" = 1 ]; then
find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
do
add "$crt"
done
fi
# Handle certificates that should be removed. This is an explicit act
# by prefixing lines in the configuration files with exclamation marks (!).
sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
do
remove "$CERTSDIR/$crt"
done
sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
do
if ! test -f "$CERTSDIR/$crt"
then
echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
continue
fi
add "$CERTSDIR/$crt"
done
# Now process certificate authorities installed by the local system
# administrator.
if [ -d "$LOCALCERTSDIR" ]
then
find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
do
add "$crt"
done
fi
rm -f "$CERTBUNDLE"
ADDED_CNT=$(wc -l < "$ADDED")
REMOVED_CNT=$(wc -l < "$REMOVED")
if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
then
# only run if set of files has changed
if [ "$verbose" = 0 ]
then
c_rehash . > /dev/null
else
c_rehash .
fi
fi
chmod 0644 "$TEMPBUNDLE"
mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
# Restore proper SELinux label after moving the file
[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
if [ -d "$HOOKSDIR" ]
then
echo "Running hooks in $HOOKSDIR..."
VERBOSE_ARG=
[ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
do
( cat "$ADDED"
cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
done
echo "done."
fi
# vim:set et sw=2:
|