1#!/bin/sh 2 3# Copyright 2016 The Chromium Authors 4# Use of this source code is governed by a BSD-style license that can be 5# found in the LICENSE file. 6 7 8set -e -x 9 10SECURITY=/usr/bin/security 11 12KEYCHAIN="$1" 13shift 14# security create-keychain will interpret a non-absolute path relative to the 15# keychain directory rather than the current directory, and OSX doesn't have a 16# realpath command. Be lazy and make the user pass in an absolute path. 17if [ `echo "$KEYCHAIN" | cut -c1` != '/' ]; then 18 echo keychain path must be absolute 19 exit 1 20fi 21 22PASSWORD=aoeu 23 24 25# create-keychain modifes the global keychain search list, save it first. 26# (or does it?) 27SAVED_KEYCHAIN_LIST=`$SECURITY list -d user` 28echo "Saved user keychain list:" 29echo "$SAVED_KEYCHAIN_LIST" 30echo 31 32 33$SECURITY create-keychain -p "$PASSWORD" "$KEYCHAIN" 34 35trusted=0 36 37for cert in "$@"; do 38 if [ "$cert" = "--trusted" ]; then 39 trusted=1 40 continue 41 fi 42 if [ "$cert" = "--untrusted" ]; then 43 trusted=0 44 continue 45 fi 46 47 # security tool only accepts DER. If input is a PEM, convert it. 48 if grep -- "-----BEGIN CERTIFICATE-----" "$cert" ; then 49 tmpcert="${cert}.der.tmp" 50 openssl x509 -inform PEM -in "$cert" -outform DER -out "$tmpcert" 51 cert="$tmpcert" 52 fi 53 54 if [ $trusted = 1 ]; then 55 $SECURITY add-trusted-cert -r trustAsRoot -k "$KEYCHAIN" "$cert" 56 else 57 $SECURITY add-certificates -k "$KEYCHAIN" "$cert" 58 fi 59done 60 61 62 63#TODO: Would be good to restore the keychain search list on failure too. 64 65echo "pre-restore user keychain list:" 66$SECURITY list -d user 67 68# restore the original keychain search list 69/bin/echo -n "${SAVED_KEYCHAIN_LIST}" | xargs $SECURITY list -d user -s 70 71echo "Restored user keychain list:" 72$SECURITY list -d user 73echo 74