#!/bin/sh
# $Id: doegrids-hash-check,v 1.1 2003/05/22 22:38:22 helm Exp $

#######################################
# Print the one-line usage synopsis to stderr.
# Arguments: none ($0 supplies the program name)
# Outputs:   usage line on stderr
# Returns:   0
#######################################
usage_error() {
  printf '%s [-help] [-v|-verbose] [-gsi|-all]\n' "$0" >&2
}

#[ $# -gt 1 ] && { usage_error ; exit 1 ; }

# Script-wide settings; VERBOSE and TCMODE are overridden by the
# command-line parsing further down.
VERBOSE=""          # becomes "-verbose" once -v/-verbose is seen
TCMODE="gsi"        # "gsi": stop at the first TRUSTED_CA directory; "tutti" (-all): check every one
OPENSSL=openssl     # NOTE(review): not referenced anywhere else in this file as shown
CERT=""             # NOTE(review): unused in this file as shown
One=""              # NOTE(review): unused in this file as shown
Two=""              # NOTE(review): unused in this file as shown

#######################################
# Print the usage line (stderr) followed by the long help text (stdout),
# then terminate the script.
# Globals:   HOME (expanded into the help text)
# Arguments: none
# Returns:   does not return; exits 0
#######################################
go_help() {
  usage_error
  # Unquoted delimiter on purpose: $HOME is meant to expand, the other
  # variable names are backslash-escaped so they print literally.
  cat <<EndOfHelp
This script checks whether DOEGrids CA support files are 
installed in the appropriate directory.  This script should be
run AFTER installation of support files, and BEFORE 
requesting certificates.  This script should be run on every
machine that has grid or globus - related software installed.

If files are installed correctly, the script returns 0
and prints "Ok".  Any other message or value returned
indicates a problem or issue that must be corrected.

The script searches for DOEGrids CA support files by following
the GSI CA search path algorithm as described here:
http://www.globus.org/security/config.html

The "TRUSTED_CA" list described in the above URL is constructed:

\$X509_CERT_DIR (environment variable)
$HOME/.globus/certificates/
/etc/grid-security/certificates/ 
\$GLOBUS_LOCATION/share/certificates/

CA support files are stored in files whose names are based
on a hash of the CA subject name.   Only the existence of
named files is tested; the content of CA support files is not
evaluated.

-gsi [default] the search will take place only in the first
directory found in TRUSTED_CA. The script will search no
further, even if needed files are missing.  This is
the way gsi behaves.

-all search every directory in TRUSTED_CA.

Examples
doegrids-hash-check
   Check for the DOEGrids CA support files, using the GSI algorithm to
   check just the first available directory in TRUSTED_CA

doegrids-hash-check -v -all
   Check for the DOEGrids CA support files, in all available TRUSTED_CA
   directories, with copious output.

DOEGrids CA recommends that only the directory
/etc/grid-security/certificates
be used for CA support files, and all other directories
in TRUSTED_CA be removed.   The script will issue
warnings if these other directories are found.

EndOfHelp
  exit 0
}


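# Command-line parsing.  Each argument is examined in turn; anything not
# recognised is silently skipped (deliberate, as in the original).
# Globals written: VERBOSE, TCMODE
# Iterating over "$@" replaces the former positional-index loop built on
# eval + echo + expr: arguments are no longer passed through eval/echo
# (which could alter a value such as "-n" or one containing backslashes)
# and no per-argument expr process is spawned.
for MyArg in "$@" ; do
   case "${MyArg}" in
      -v | -verbose )
          VERBOSE="-verbose"
          [ -n "$VERBOSE" ] && echo "Setting VERBOSE mode" >&2
          ;;
      -help )
          go_help
          exit 0      # go_help exits itself; kept as a safety net
          ;;
      -gsi )
          TCMODE="gsi"
          [ -n "$VERBOSE" ] && echo "Setting GSI mode" >&2
          ;;
      -all )
          TCMODE="tutti"
          [ -n "$VERBOSE" ] && echo "Setting ALL TRUSTED_CA mode" >&2
          ;;
      *)
          # Just skip stuff we don't understand
          ;;
   esac
done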

# Expected CA support files, one triple per CA:
#   HashN      -- file-name stem (hash of the CA subject name) under TRUSTED_CA
#   HashNSubj  -- the CA subject name the stem was derived from
#   HashNDesc  -- human-readable label used in verbose output
# The HashN/HashNSubj/HashNDesc naming is relied on by the eval-based
# indirection further down; keep the three names in step when adding a CA.
# NOTE(review): these stems date from 2003 and look like OpenSSL 0.9.x
# subject hashes; OpenSSL 1.0+ derives a different hash for the same
# subject (the old form is `openssl x509 -subject_hash_old`), so on a newer
# toolchain the installed file names may not match these -- confirm.
Hash1Desc='ESnet Root CA'
Hash1Subj='/DC=net/DC=ES/O=ESnet/OU=Certificate Authorities/CN=ESnet Root CA 1'
Hash1=d1b603c3

Hash2Desc='DOEGrids Community CA'
Hash2Subj='/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1'
Hash2=1c3f2ca8

Hash3Desc='[Old] DOE Science Grid Root CA'
Hash3Subj='/O=DOE Science Grid/OU=Certificate Authorities/CN=Certificate Manager'
Hash3=6349a761

Hash4Desc='[Old] DOE Science Grid Community CA'
Hash4Subj='/DC=net/DC=es/OU=Certificate Authorities/OU=DOE Science Grid/CN=pki1'
Hash4=9d8753eb

#
# Build TRUSTED_CA array
# as per
# http://www.globus.org/security/config.html

# Summary-diagnostic state, filled in by the TRUSTED_CA checks below.
#   VANILLA     "yes" when /etc/grid-security/certificates is the first
#               directory GSI would search (the DOEGrids-recommended layout),
#               "no" otherwise, "unset" until decided.
#   IS*         "set" once the corresponding TRUSTED_CA directory was found.
#   ExitStatus  overall result; 0 means every check passed.
#   VANILLAPTR  not referenced elsewhere in this file as shown.
ExitStatus=0
VANILLA=unset
VANILLAPTR=ISGSIF
ISX509=unset ; ISHOME=unset ; ISGSIF=unset ; ISGLOC=unset

# Space-separated list of directories in GSI search order (built below).
TRUSTED_CA_ARRAY=""

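# Verbose banner: describe each CA the script is about to look for.
# Globals read: VERBOSE, Hash1..4, Hash1Subj..4Subj, Hash1Desc..4Desc
# Globals written: Hash, Subj, Desc (scratch)
if [ -n "$VERBOSE" ] ; then
   echo " Checking for DOEGrids CA support files"  >&2
   echo " 1 root, 1 subordinate signing public key & signing policy files" >&2
   echo " and DOE Science Grid CA support files" >&2
   echo " 1 root, 1 subordinate signing public key & signing policy files" >&2
   for i in 1 2 3 4 ; do
      # Indirect lookup of HashN / HashNSubj / HashNDesc; i comes from the
      # literal list above, so nothing untrusted reaches eval.
      eval "Hash=\$Hash$i"
      eval "Subj=\$Hash${i}Subj"
      eval "Desc=\$Hash${i}Desc"
      echo "" >&2
      echo "  $Hash CA information:" >&2
      # printf rather than echo "\c": "\c" is not portable (bash's builtin
      # echo prints it literally), which garbled these two lines.
      printf '  Subject name: %s\n' "$Subj" >&2
      printf '  Description:  %s\n' "$Desc" >&2
   done
   echo "" >&2
fi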

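# 1st TRUSTED_CA candidate: $X509_CERT_DIR (highest precedence for GSI).
# Globals written: VANILLA, TRUSTED_CA_ARRAY, ISX509
# ${X509_CERT_DIR+set} is empty only when the variable is genuinely unset;
# the former "${X509_CERT_DIR-unset}" = "unset" test also matched a variable
# whose value happened to be the word "unset".
if [ -z "${X509_CERT_DIR+set}" ]; then
  [ -n "$VERBOSE" ] &&  echo "[ok] \$X509_CERT_DIR is not defined" >&2
else
  if [ -d "$X509_CERT_DIR" ] ; then
    VANILLA="no"
    ISX509="set"
    [ -n "$VERBOSE" ] && echo "\$X509_CERT_DIR: $X509_CERT_DIR" >&2
    # TRUSTED_CA_ARRAY is space-separated: a path containing whitespace
    # would be split apart by the later "for Dir in $TRUSTED_CA_ARRAY".
    TRUSTED_CA_ARRAY="$TRUSTED_CA_ARRAY $X509_CERT_DIR"
    echo "Warning: this is not a DOEGRIDS recommended configuration." >&2
    echo "  \$X509_CERT_DIR is set!" >&2
    echo "  GSI will search" >&2
    echo "  $X509_CERT_DIR"  >&2
    echo "  in preference to /etc/grid-security/certificates" >&2
  else
    echo "Warning: \$X509_CERT_DIR defined as $X509_CERT_DIR" >&2
    echo "  which is not a directory or doesn't exist" >&2
  fi
  echo "" >&2
fi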

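# 2nd TRUSTED_CA candidate: $HOME/.globus/certificates.
# Globals written: VANILLA, ISHOME, TRUSTED_CA_ARRAY, HomeCerts (scratch)
# ${HOME+set} distinguishes "unset" from a value that is literally the word
# "unset", which the former "${HOME-unset}" = "unset" comparison did not.
if [ -z "${HOME+set}" ]; then
   echo "Warning: \$HOME is not defined -- should not happen" >&2
   echo "" >&2
else
  HomeCerts="$HOME/.globus/certificates"
  if [ -d "$HomeCerts" ]; then
    VANILLA="no"
    ISHOME="set"
    # TRUSTED_CA_ARRAY is space-separated; a $HOME containing whitespace
    # would be split apart by the later "for Dir in $TRUSTED_CA_ARRAY".
    TRUSTED_CA_ARRAY="$TRUSTED_CA_ARRAY $HomeCerts"
    echo "Warning: this is not a DOEGRIDS recommended configuration." >&2
    echo "  GSI will search" >&2
    echo "  $HomeCerts" >&2
    echo "  in preference to /etc/grid-security/certificates" >&2
    echo "" >&2
  else
    [ -n "$VERBOSE" ] && { echo "[ok] $HomeCerts does not exist" >&2;  echo "" >&2 ; }
  fi
fi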
# 3rd TRUSTED_CA candidate: /etc/grid-security/certificates -- the only
# location DOEGrids recommends.  Its absence is recorded as ExitStatus 6.
# Globals written: TRUSTED_CA_ARRAY, ISGSIF, VANILLA, ExitStatus
if [ -d "/etc/grid-security/certificates" ] ; then
  TRUSTED_CA_ARRAY="$TRUSTED_CA_ARRAY /etc/grid-security/certificates"
  ISGSIF="set"
  # VANILLA still "unset" here means no higher-precedence directory was
  # found, i.e. GSI will search this one first: the recommended layout.
  case "$VANILLA" in
    unset) VANILLA="yes" ;;
  esac
else
  VANILLA="no"
  ExitStatus=6
  echo "Warning: this is not a DOEGRIDS recommended configuration." >&2
  echo "Warning: /etc/grid-security/certificates does not exist" >&2
  echo "" >&2
fi
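#
# 4th TRUSTED_CA candidate: $GLOBUS_LOCATION/share/certificates (lowest
# precedence).
# Globals written: ISGLOC, TRUSTED_CA_ARRAY, ExitStatus, GlobusCerts (scratch)
# ${GLOBUS_LOCATION+set} is empty only when the variable is genuinely unset,
# unlike the former "${GLOBUS_LOCATION-unset}" = "unset" comparison.
if [ -z "${GLOBUS_LOCATION+set}" ]; then
  if [ -n "$VERBOSE" ] ; then
    echo "[ok] \$GLOBUS_LOCATION is not defined --" >&2
    echo "      will not be able to check \$GLOBUS_LOCATION/share/certificates" >&2
  fi
else
  GlobusCerts="$GLOBUS_LOCATION/share/certificates"
  if [ -d "$GlobusCerts" ] ; then
    ISGLOC="set"
    [ -n "$VERBOSE" ] && echo "will search $GlobusCerts" >&2
    TRUSTED_CA_ARRAY="$TRUSTED_CA_ARRAY $GlobusCerts"
    # NOTE(review): this warning fires whenever VANILLA is "no", which is
    # also the case when $X509_CERT_DIR or ~/.globus/certificates was found
    # while /etc/grid-security/certificates DOES exist; the reason printed
    # below is then not the actual one.  Keying on ISGSIF would be more
    # precise; left unchanged here so the exit codes stay as they were.
    if [ "$VANILLA" = "no" ] ; then
      echo "Warning: this is not a DOEGRIDS recommended configuration." >&2
      echo "  \$GLOBUS_LOCATION/share/certificates will be searched" >&2
      echo "   because /etc/grid-security/certificates does not exist" >&2
      echo "" >&2
      ExitStatus=5
    fi
  else
    [ -n "$VERBOSE" ] && echo "[ok] $GlobusCerts does not exist" >&2
  fi
  echo "" >&2
fi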

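# Summary verdict on the directory layout.
# Globals read: VANILLA, VERBOSE, TRUSTED_CA_ARRAY; written: ExitStatus
if [ "$VANILLA" = "yes" ] ; then
   if [ -n "$VERBOSE" ] ; then
     echo "" >&2
     echo "[Ok] /etc/grid-security/certificates searched first" >&2
     echo "This is a DOEGrids recommended configuration" >&2
   fi
else
   # Not a recommended configuration.  Only a still-clean status is
   # downgraded to 1; a more specific code already recorded by an earlier
   # check (5: the GLOBUS_LOCATION directory will be searched, 6:
   # /etc/grid-security/certificates is missing) is kept rather than
   # clobbered, so the caller can tell those cases apart.
   [ "${ExitStatus:-0}" -eq 0 ] && ExitStatus=1
fi
#

[ -n "$VERBOSE" ] && echo "\$TRUSTED_CA: $TRUSTED_CA_ARRAY" >&2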

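# Look for the CA support files in each TRUSTED_CA directory.
# Globals read:    TRUSTED_CA_ARRAY, TCMODE, VERBOSE, Hash1..Hash4
# Globals written: ExitStatus (2: a support file is missing or empty,
#                  3: a listed path is not a directory), Hash/CertFile/
#                  yesSign/yesPoli/yesCA (scratch)
# Only existence and non-emptiness are tested: a present ${Hash}.N or
# ${Hash}.signing_policy file is no proof that it holds the expected CA
# material; a stricter audit would compare the certificate's subject with
# the matching HashNSubj.
# TRUSTED_CA_ARRAY is space-separated, so a directory path containing
# whitespace cannot be represented by this script.
for Dir in $TRUSTED_CA_ARRAY ; do
  if [ -d "$Dir" ] ; then
     if [ -n "$VERBOSE" ] ; then
        echo "" >&2
        echo "Checking ${Dir}" >&2
        echo "" >&2
     fi
     for i in 1 2 3 4 ; do
         eval "Hash=\$Hash$i"     # i comes from the literal list above
         [ -n "$VERBOSE" ] && echo Checking "$Hash" >&2
         [ -n "$VERBOSE" ] && echo "  "Looking for "${Dir}/${Hash}.?" >&2
         # Certificate file ${Hash}.0, .1, ...: at least one must be non-empty.
         # Iterating over the glob matches replaces the former
         # `[ -s "${Dir}/${Hash}."? ]`, which turned into a multi-argument
         # test (and so reported the file as missing) whenever more than one
         # ${Hash}.? file was present.  An unmatched glob stays literal and
         # fails -s, exactly as before.
         yesSign="no"
         for CertFile in "${Dir}/${Hash}."? ; do
            if [ -s "$CertFile" ] ; then
               yesSign="ok"
               break
            fi
         done
         if [ "$yesSign" = "no" ] ; then
            echo "  [NOT OK] missing: ${Dir}/${Hash}.0 (or .1, .2, ...)" >&2
            ExitStatus=2
         fi
         [ -n "$VERBOSE" ] && echo "  "Looking for "${Dir}/${Hash}.signing_policy" >&2
         if [ -s "${Dir}/${Hash}.signing_policy" ] ; then
            yesPoli="ok"
         else
            yesPoli="no"
            echo "  [NOT OK] missing: ${Dir}/${Hash}.signing_policy" >&2
            ExitStatus=2
         fi
         # Both pieces must be present for the CA to count as installed.
         yesCA="ok"
         if [ "$yesSign" = "no" ] || [ "$yesPoli" = "no" ] ; then
            yesCA="no"
         fi
         if [ "$yesCA" = "ok" ] ; then
            [ -n "$VERBOSE" ] && echo "  ok: ${Dir}/${Hash}" >&2
         fi
         [ -n "$VERBOSE" ] && echo End checking "$Hash" >&2
     done
     # -gsi mode mirrors GSI itself: only the first directory is consulted,
     # even when files are missing there.
     [ "$TCMODE" = "gsi" ] && break
  else
      # Every entry was added only after a -d test, so this should not happen
      echo "" >&2
      echo "Checking ${Dir}: not a directory or doesn't exist" >&2
      echo "" >&2
      ExitStatus=3
  fi
done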

# Final verdict: print "Ok" (to stderr, like every other message) only when
# no check recorded a problem, then exit with the accumulated status.
if [ "$ExitStatus" -eq 0 ] ; then
  echo "Ok" >&2
fi
exit "$ExitStatus"
# $Log: doegrids-hash-check,v $
# Revision 1.1  2003/05/22 22:38:22  helm
# *** empty log message ***
#
# Revision 1.3  2003/05/16 17:53:09  helm
# examples
#
# Revision 1.2  2003/05/16 17:28:49  helm
# Messages to stderr
#
# Revision 1.1  2003/05/16 17:01:38  helm
# Add sanity check scripts
#
