blob: b7edb38660d871d6ec806fb1f3c4efe368c0e2cb [file] [log] [blame]
#!/bin/sh
# Copyright 2016 The Chromium Authors
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
set -e -x
SECURITY=/usr/bin/security
KEYCHAIN="$1"
shift
# security create-keychain will interpret a non-absolute path relative to the
# keychain directory rather than the current directory, and OSX doesn't have a
# realpath command. Be lazy and make the user pass in an absolute path.
if [ `echo "$KEYCHAIN" | cut -c1` != '/' ]; then
echo keychain path must be absolute
exit 1
fi
PASSWORD=aoeu
# create-keychain modifes the global keychain search list, save it first.
# (or does it?)
SAVED_KEYCHAIN_LIST=`$SECURITY list -d user`
echo "Saved user keychain list:"
echo "$SAVED_KEYCHAIN_LIST"
echo
$SECURITY create-keychain -p "$PASSWORD" "$KEYCHAIN"
trusted=0
for cert in "$@"; do
if [ "$cert" = "--trusted" ]; then
trusted=1
continue
fi
if [ "$cert" = "--untrusted" ]; then
trusted=0
continue
fi
# security tool only accepts DER. If input is a PEM, convert it.
if grep -- "-----BEGIN CERTIFICATE-----" "$cert" ; then
tmpcert="${cert}.der.tmp"
openssl x509 -inform PEM -in "$cert" -outform DER -out "$tmpcert"
cert="$tmpcert"
fi
if [ $trusted = 1 ]; then
$SECURITY add-trusted-cert -r trustAsRoot -k "$KEYCHAIN" "$cert"
else
$SECURITY add-certificates -k "$KEYCHAIN" "$cert"
fi
done
#TODO: Would be good to restore the keychain search list on failure too.
echo "pre-restore user keychain list:"
$SECURITY list -d user
# restore the original keychain search list
/bin/echo -n "${SAVED_KEYCHAIN_LIST}" | xargs $SECURITY list -d user -s
echo "Restored user keychain list:"
$SECURITY list -d user
echo