Script to create wallets from a domain

Hi everyone,

If we need to create an Oracle wallet so that Oracle can reach an HTTPS domain without going through an Apache reverse proxy, we can use the following script. The script takes the path where the wallet will be created as a parameter, and it also needs to be told the domain name; it asks for the latter at the prompt.

Note: this script must be run on Linux, and the machine needs outbound Internet access.

#!/bin/bash
##################################################################################
# Command: certs_to_wallet.sh <wallet path>
#
# The script will create a _new_ auto login orapki wallet from a list of sites
#   and put the certificates of the chain into the trusted certificates of the wallet.
# It will create a backup of the current wallet and auto login.
# Will ask for a password for the new wallet.
# On creation or password issue, the backup will be restored.
# Sites can be added to wallet_sites.lst, either in the script dir or wallet dir.
# The wallet_sites.lst in the wallet dir will take preference, so you can have
#   separate sites per wallet.
# Each site must be on a single line followed by a colon ':' and port number: <site:port>
#   and comments starting with a # are accepted.
# If there is no port number specified, 443 will be used. Blank lines are ignored
#   and a missing newline after the last entry is tolerated.
#
#
# Author: Ian Hoogeboom, please feel free to adjust the script to your own needs
# v.1 - ianh - original version 2020-11-28
# v.2 - ianh - skip site's own certificate (ORA-29024 - user certificate should not be in the wallet)
# v.3 - ianh - skipping user certificate based on hash, not 'first' certificate
# v.4 - earana - added the -servername parameter because some domain names require it to return the certificate information.
##################################################################################

WALLET_LOCATION=${1}
NOW=$(date '+%Y%m%d%H%M%S')

if [ -z "${WALLET_LOCATION}" ]; then
  echo "No wallet location specified!"
  echo "Command:> certs_to_wallet.sh <wallet path>"
  exit 1
fi

SITE_LIST=${WALLET_LOCATION}/wallet_sites.lst
if [ ! -f "${SITE_LIST}" ]; then
  SITE_LIST=wallet_sites.lst
fi

if [ ! -f "${SITE_LIST}" ]; then
  echo "Site list not found!"
  echo "Place wallet_sites.lst in current directory or in [${WALLET_LOCATION}]"
  exit 1
fi

echo "Passwords must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters"
echo -n "Password for new wallet: "
read -r -s PASSWORD
echo

# restore the backed-up wallet and auto login file (used when creating the new wallet fails)
restore_backup() {
  if [ -f "${WALLET_LOCATION}/ewallet.p12.${NOW}" ]; then
    echo "Old wallet restored!"
    cp "${WALLET_LOCATION}/ewallet.p12.${NOW}" "${WALLET_LOCATION}/ewallet.p12"
  fi
  if [ -f "${WALLET_LOCATION}/cwallet.sso.${NOW}" ]; then
    echo "Old auto login restored!"
    cp "${WALLET_LOCATION}/cwallet.sso.${NOW}" "${WALLET_LOCATION}/cwallet.sso"
  fi
}

if [ -f "${WALLET_LOCATION}/ewallet.p12" ]; then
  echo "Backing-up wallet to ${WALLET_LOCATION}/ewallet.p12.${NOW}"
  mv "${WALLET_LOCATION}/ewallet.p12" "${WALLET_LOCATION}/ewallet.p12.${NOW}"
fi
if [ -f "${WALLET_LOCATION}/cwallet.sso" ]; then
  echo "Backing-up auto_login to ${WALLET_LOCATION}/cwallet.sso.${NOW}"
  mv "${WALLET_LOCATION}/cwallet.sso" "${WALLET_LOCATION}/cwallet.sso.${NOW}"
fi

echo "Creating new wallet"
# note: -pwd places the password on the orapki command line, where other local users can see it in the process list while orapki runs
orapki wallet create -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -auto_login >/dev/null
ERROR=${?}

# if there is an error creating the new wallet (password error maybe), restore the wallet
if [ "${ERROR}" -ne 0 ]; then
  echo "Error creating new wallet, permissions or password issues?!"
  restore_backup
  exit 1
fi

# read all the lines from wallet_sites.lst (the last line is processed even without a trailing newline)
while read -r SITE || [ -n "${SITE}" ]; do
  # skip comment lines and blank lines
  case "${SITE}" in
    ''|\#*) continue ;;
  esac
  HOST=$(echo "${SITE}" | awk -F':' '{print $1}')
  PORT=$(echo "${SITE}" | awk -F':' '{print $2}')
  if [ -z "${PORT}" ]; then
    PORT=443
  fi
  echo "Getting certificate chain from: ${HOST}:${PORT}"
  # get MD5 of the site certificate (without -showcerts, s_client prints only the server's own certificate)
  SITE_CERT_MD5=$(openssl s_client -host "${HOST}" -port "${PORT}" -trusted_first -servername "${HOST}" 2>/dev/null <<< "q" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' | md5sum | awk '{print $1}')
  # get the full certificate chain for the site
  openssl s_client -host "${HOST}" -port "${PORT}" -showcerts -no_alt_chains -trusted_first -servername "${HOST}" 2>/dev/null <<< "q" | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "${HOST}.certs"
  # split the chain into one file per certificate: <host>.certs.00, <host>.certs.01, ...
  csplit --digits=2 --quiet --prefix="${HOST}.certs." "${HOST}.certs" "/-----END CERTIFICATE-----/+1" "{*}"
  for CERT in ./"${HOST}".certs.[0-9][0-9]; do
    [ -e "${CERT}" ] || continue
    # get the MD5 of the current cert in the chain
    CHAIN_CERT_MD5=$(md5sum "${CERT}" | awk '{print $1}')
    # skip the cert of the site itself, user certificates should not be in the wallet
    if [ -s "${CERT}" ] && [ "${CHAIN_CERT_MD5}" != "${SITE_CERT_MD5}" ]; then
      echo "Adding ${CERT}"
      orapki wallet add -wallet "${WALLET_LOCATION}" -pwd "${PASSWORD}" -trusted_cert -cert "${CERT}" >/dev/null
    fi
  done
  # clean up the temporary certificate files for this site
  rm -f "${HOST}.certs" ./"${HOST}".certs.[0-9][0-9]
done < "${SITE_LIST}"

orapki wallet display -wallet "${WALLET_LOCATION}"

echo "Done"
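The two pieces of logic the script depends on, parsing wallet_sites.lst and dropping the site's own certificate from the chain before anything is added as a trust anchor, can be exercised offline. The following is an added example written for this post; it is not the script above nor Ian Hoogeboom's code. It goes a little beyond the script: the parser also tolerates blank lines, surrounding whitespace, inline comments and a missing final newline, and rejects a non-numeric port; the chain splitter does the csplit and hash comparison in awk and cksum so it runs without openssl or a network connection. The function names, file names and the three PEM blocks (placeholder bodies, not real certificates) are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's script): offline versions of the site-list
# parser and the leaf-skipping chain splitter. Sample data is constructed.

# parse_site_list FILE
# Prints "host port" per entry of a wallet_sites.lst. '#' starts a comment
# (whole line or inline), port defaults to 443, a non-numeric port is an error,
# and the last entry is read even when the file lacks a trailing newline.
parse_site_list() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop inline comments
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
    [ -z "$line" ] && continue                        # blank or comment-only line
    host=${line%%:*}
    port=${line#*:}
    [ "$port" = "$line" ] && port=443                 # no ':' given -> default
    case $port in
      ''|*[!0-9]*) echo "bad port in entry: $line" >&2; return 1 ;;
    esac
    printf '%s %s\n' "$host" "$port"
  done < "$1"
}

# split_chain BUNDLE PREFIX LEAF
# Writes each certificate of the PEM bundle to PREFIX.NN (chain order), deletes
# the one identical to LEAF (the server's own certificate, which must not go
# into the wallet: ORA-29024) and prints how many certificates were kept.
split_chain() {
  bundle=$1; prefix=$2; leaf=$3; kept=0
  leaf_sum=$(cksum < "$leaf")
  awk -v p="$prefix" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s.%02d", p, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"
  for cert in "$prefix".[0-9][0-9]; do
    [ -e "$cert" ] || continue
    if [ "$(cksum < "$cert")" = "$leaf_sum" ]; then
      rm -f "$cert"     # the server's own certificate is not a trust anchor
    else
      kept=$((kept + 1))
    fi
  done
  echo "$kept"
}

# make_demo DIR - writes a constructed site list, a three-certificate PEM bundle
# (leaf, intermediate, root; bodies are placeholders) and the leaf on its own.
make_demo() {
  printf '# trusted sites\nexample.com:8443\nbare.example.org   # inline note\n\n  spaced.example.net:443\nlast.example.com' > "$1/wallet_sites.lst"
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' LEAF-PLACEHOLDER INTERMEDIATE-PLACEHOLDER ROOT-PLACEHOLDER > "$1/chain.pem"
  printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' LEAF-PLACEHOLDER > "$1/leaf.pem"
}

# stand-alone run: build the sample files in a temp dir and show both results
d=$(mktemp -d)
make_demo "$d"
parse_site_list "$d/wallet_sites.lst"
echo "certificates kept: $(split_chain "$d/chain.pem" "$d/cert" "$d/leaf.pem")"
ls "$d"
rm -rf "$d"
```

Run it with `sh`; it prints the four parsed entries, `certificates kept: 2`, and a listing in which `cert.01` (the leaf) is gone while `cert.02` and `cert.03` remain. In the real script the leaf hash comes from a second `openssl s_client` call and md5sum; here cksum over the PEM text stands in for that, which is the same byte-for-byte comparison the script relies on.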

I hope you find it useful.
Cheers.