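#!/usr/bin/sh
#----------------------------------------------------------------------------------
# /var/install/bin/certs-show-chain - show certificate chain
#
# Copyright (c) 2010-2025 The Eisfair Team, team(at)eisfair(dot)org
#
# Creation:     2010-10-18 jed
# Last Update:  $Id$
#
# Usage:
#   certs-show-chain --help                   - show this help
#
#   certs-show-chain [options(s)] "name-of-certificate-file"
#                                             - show certificate chain
#
# Options:
#   -user username                            - run script as user 'username'
#
#   --nogui                                   - don't use GUI to display results
#   --tableview                               - show result in a column separated format
#                                               (C-client cert, R-root cert)
#
#   --emailpackage [full-email-address]       - send certificate chain package as an email
#   --package [destination-directory]         - create a certificate chain package
#
# Security notes (this script is normally run with elevated rights):
#   - Everything read out of a certificate (URIs, dates, fingerprints, names) and
#     every command line value is treated as untrusted data. Such values are
#     only ever assigned by reference in 'eval' statements and are shell-quoted
#     before they are placed in the 'su -c' command string.
#   - An OCSP result only counts as good when the response signature verified
#     AND the certificate status is 'good'.
#   - Temporary files are created below a private 'mktemp -d' directory.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#----------------------------------------------------------------------------------

# include eislib etc.
. /var/install/include/eislib
. /var/install/include/jedlib

# activate debug output
#debug_certs=true

# The flag is compared as a string. It is never executed as a command, because
# it may be inherited from the caller's environment.
if [ "${debug_certs:-false}" = 'true' ]
then
    # mktemp avoids a predictable trace file name in the world-writable /tmp
    trace_file=$(mktemp "/tmp/$(basename "$0")-trace-XXXXXX") || exit 1
    exec 2> "${trace_file}"
    set -x

    ask_debug=true
    export ask_debug
fi

#----------------------------------------------------------------------------------
# show help
#----------------------------------------------------------------------------------
show_help ()
{
    cat <<'EOF'
Usage:
 certs-show-chain --help - show this help

 certs-show-chain [option(s)] name-of-certificate-file
 - show certificate chain.

Options:
 -user username - run script as user 'username'.

 --nogui - don't use the GUI to display results.
 --tableview - show result in a column separated format.
 (C-client cert, R-root cert)

 --emailpackage [full-email-address] - send certificate chain package as an email.
 --package [destination-directory] - create a certificate chain package.

EOF
}

#----------------------------------------------------------------------------------
# quote a value so that it survives one level of shell parsing as a single word
#
# input : $1 - arbitrary string
# output: the string wrapped in single quotes, embedded single quotes escaped
#----------------------------------------------------------------------------------
csc_quote_arg ()
{
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

#----------------------------------------------------------------------------------
# check whether an OCSP result may be trusted
#
# input : $1 - output of run_ocsp_check
# return: 0  - response signature verified and certificate status is 'good'
#         1  - anything else (verify failure, revoked, unknown, no response)
#----------------------------------------------------------------------------------
csc_ocsp_good ()
{
    # a 'good' status inside a response that failed verification proves nothing
    echo "$1" | grep -q '^Response verify OK' || return 1

    # fixed-string match; the file name contains dots which must not act as wildcards
    echo "$1" | grep -qF -e "/${short_firstfile}.cert: good" -e "/${short_firstfile}.root: good"
}

#----------------------------------------------------------------------------------
# extract a specific certificate from a file which may contain multiple certificates
#
# input : $1 - cert type (C - client, I - intermediate, R - root)
#         $2 - cert file, name relative to ${certdir}
# output: writes to ${cert_tmpfile}, ${chain_tmpfile} or ${root_tmpfile}
#----------------------------------------------------------------------------------
extract_cert_file ()
{
    _ecf_cert_type="$1"
    _ecf_cert_file="$2"
    _ecf_cert_path="${certdir}/${_ecf_cert_file}"

    # nothing to do if the file doesn't exist
    [ -f "${_ecf_cert_path}" ] || return 0

    _ecf_cert_count=$(grep -c -e '---BEGIN CERTIFICATE---' "${_ecf_cert_path}")

    # nothing to do if the file holds no certificate
    [ "${_ecf_cert_count:-0}" -ge 1 ] || return 0

    # certificate(s) found, extract it ...
    # (the subject is reduced to a conservative character set by sed)
    _ecf_cert_subject=$("${openssl_bin}" x509 -in "${_ecf_cert_path}" -noout -subject | sed -e 's/^subject= *//' -e 's/[^A-Za-z0-9 _.=-]//g')

    _ecf_idx=1
    while [ "${_ecf_idx}" -le "${_ecf_cert_count}" ]
    do
        # loop through list of certificates, the index is handed to awk as data
        awk -v want="${_ecf_idx}" '/-BEGIN CERTIFICATE-/ && ++n == want, /-END CERTIFICATE-/' "${_ecf_cert_path}" > "${split_tmpfile}"

        # check if extracted certificate matches subject
        _ecf_tmp_subject=$("${openssl_bin}" x509 -in "${split_tmpfile}" -noout -subject | sed -e 's/subject= *//' -e 's/[^A-Za-z0-9 _.=-]//g')

        if [ "${_ecf_cert_subject}" = "${_ecf_tmp_subject}" ]
        then
            # certificate found
            case ${_ecf_cert_type} in
                C )
                    DEBUG_INFO="1-output file: ${cert_tmpfile}"
                    if [ ! -f "${cert_tmpfile}" ]
                    then
                        # certificate only exists once in a chain
                        {
                            echo "subject: ${_ecf_tmp_subject}"
                            cat "${split_tmpfile}"
                        } > "${cert_tmpfile}"
                    fi
                    ;;
                I )
                    DEBUG_INFO="2-output file: ${chain_tmpfile}"
                    {
                        echo "subject: ${_ecf_tmp_subject}"
                        cat "${split_tmpfile}"
                    } >> "${chain_tmpfile}"
                    ;;
                R )
                    DEBUG_INFO="3-output file: ${root_tmpfile}"
                    if [ ! -f "${root_tmpfile}" ]
                    then
                        # certificate only exists once in a chain
                        {
                            echo "subject: ${_ecf_tmp_subject}"
                            cat "${split_tmpfile}"
                        } > "${root_tmpfile}"
                    fi
                    ;;
            esac

            rm -f "${split_tmpfile}"
            break
        fi

        rm -f "${split_tmpfile}"
        _ecf_idx=$((_ecf_idx + 1))
    done
}

#----------------------------------------------------------------------------------
# run ocsp check
#
# output: ocsp response and return code
#         The return code is non-zero when no check could be performed at all
#         (e.g. the issuer certificate is missing).
#
# note  : The requests are sent without a nonce and a stored response is reused
#         until its 'Next Update' time has passed.
#----------------------------------------------------------------------------------
run_ocsp_check ()
{
    # further information can be found here:
    # https://raymii.org/s/articles/OpenSSL_Manually_Verify_a_certificate_against_an_OCSP.html
    _roc_force_update=1
    _roc_source=''
    _roc_response=''
    _roc_ret=1          # fail closed: stays non-zero if no openssl call is made

    if [ -f "${response_file}" ]
    then
        # a response file already exists
        DEBUG_INFO='run_ocsp_check - a response file already exists'

        # Response verify OK
        # /var/tmp/tmp.wA92zQw3Zy/eis.privat.lan: good
        #     This Update: Dec 15 21:00:00 2017 GMT
        #     Next Update: Dec 22 21:00:00 2017 GMT
        if [ -s "${cert_tmpfile}" ] && [ -s "${chain_tmpfile}" ]
        then
            # client certificate
            _roc_response=$("${openssl_bin}" ocsp -no_nonce -respin "${response_file}" -issuer "${chain_tmpfile}" -verify_other "${chain_tmpfile}" -cert "${cert_tmpfile}" 2>&1)
            _roc_ret=$?
        elif [ -s "${root_tmpfile}" ]
        then
            # root certificate
            _roc_response=$("${openssl_bin}" ocsp -no_nonce -respin "${response_file}" -issuer "${root_tmpfile}" -cert "${root_tmpfile}" 2>&1)
            _roc_ret=$?
        fi

        if [ -n "${_roc_response}" ]
        then
            # response successfully read
            _roc_currdate_sec=$(date +'%s')
            _roc_enddate=$(echo "${_roc_response}" | sed -n '/Next Update:/s/^.*Next Update: *//p')
            # DEBUG_INFO="next ocsp update: `date -d "${_roc_enddate}" +"%Y-%m-%d %H:%M" 2>/dev/null`"
            _roc_enddate_sec=$(date -d "${_roc_enddate}" +'%s')

            # an unparsable date counts as expired and forces an online update
            if [ "${_roc_enddate_sec:-0}" -gt "${_roc_currdate_sec}" ]
            then
                # response information is still valid
                _roc_force_update=0
                _roc_source=' (cache)'
            fi
        fi
    fi

    if [ "${_roc_force_update}" -eq 1 ]
    then
        # force update of ocsp response
        DEBUG_INFO="run_ocsp_check - a response file doesn't exist."
        _roc_source=' (online)'
        _roc_ocsp_host=$(echo "${cert_1_ocsp_uri}" | sed 's/^http[s]*:\/\/\([^\/]*\).*$/\1/')

        # be carefull, different header separators for OpenSSL v1.0.x and v1.1.x!
        # ${openssl_separator} stays unquoted on purpose: a blank separator has
        # to split 'HOST' and the host name into two arguments.
        # The responder URI comes out of the certificate and is passed as one
        # quoted argument.
        if [ -s "${cert_tmpfile}" ] && [ -s "${chain_tmpfile}" ]
        then
            # client certificate
            _roc_response=$("${openssl_bin}" ocsp -no_nonce -respout "${response_file}" -issuer "${chain_tmpfile}" -verify_other "${chain_tmpfile}" \
                                -cert "${cert_tmpfile}" -url "${cert_1_ocsp_uri}" -header HOST${openssl_separator}"${_roc_ocsp_host}" 2>&1)
            _roc_ret=$?
        elif [ -s "${root_tmpfile}" ]
        then
            # root certificate
            _roc_response=$("${openssl_bin}" ocsp -no_nonce -respout "${response_file}" -issuer "${root_tmpfile}" -cert "${root_tmpfile}" \
                                -url "${cert_1_ocsp_uri}" -header HOST${openssl_separator}"${_roc_ocsp_host}" 2>&1)
            _roc_ret=$?
        fi
    fi

    # append the source of the result to the 'Response ...' line
    echo "${_roc_response}" | sed "/^Response/s/^\(Response.*\)$/\1${_roc_source}/"

    return ${_roc_ret}
}

#==================================================================================
# main
#==================================================================================
ssldir=/usr/local/ssl
certdir=${ssldir}/certs
crldir=${ssldir}/crl
tmpdir=/tmp
email_bin=/usr/bin/send_file_from_cmd.sh
openssl_bin=/usr/bin/openssl
maxlen=205

certs_title="Show certificate chain (run as '$(whoami)')"

color=''
frame=''
if [ -f /etc/config.d/setup ]
then
    if grep -qE "^MENU=['\"]/var/install/bin/show-menu['\"]" /etc/config.d/setup
    then
        color='--nocolor'
        frame='--noframe'
    fi
fi

# check installed OpenSSL version
# OpenSSL 1.0.2l-fips 25 May 2017
openssl_version=$("${openssl_bin}" version | sed 's/^openssl \([0-9.]*\).*$/\1/i')

# be carefull, different header separators for OpenSSL v1.0.x and v1.1.x!
openssl_separator=' '
# NOTE(review): proxy_connect is set below but not used by any openssl call in this file
proxy_connect=''

if [ "$(compare_version --text "${openssl_version}" '1.1')" = 'old' ]
then
    # old OpenSSL version: < v1.1.0, e.g. v1.0.2
    openssl_separator=' '

    if [ -n "${HTTP_PROXY}" ]
    then
        myecho --error "proxy usage is not supported by this OpenSSL version!"
        # exit 1
    fi
else
    # new OpenSSL version: >= v1.1.0
    openssl_separator='='

    if [ -n "${HTTP_PROXY}" ]
    then
        proxy_connect="-proxy ${HTTP_PROXY}"

        if [ -n "${HTTP_PROXY_USER}" ]
        then
            # a proxy authentication has been requested.
            myecho --error "proxy authentication is not supported by the OpenSSL command!"
            # exit 1
        fi
    fi
fi

# command line parameter
EXEC_CMD="$*"
su_options=''           # options replayed to the 'su' child, values are shell-quoted
nogui=0
package=0
package_path=/tmp
tableview=0
user=''
email=0
email_receiver_addr='postmaster'

curr_user=$(whoami)
if [ "${curr_user}" != 'root' ]
then
    email_sender_addr="$(getent passwd "${curr_user}" | cut -d: -f5) <${curr_user}>"
else
    email_sender_addr='CA master '
fi

if [ $# -gt 0 ]
then
    ### read command line parameter(s) ###
    while [ $# -gt 0 ]
    do
        case $1 in
            # '?' is an unquoted glob here, so any one-letter option (e.g. -h)
            # also lands in this arm
            -help|--help|-?|--?|/? )
                show_help
                exit 1
                ;;
            -nogui|--nogui )
                # don't show result in GUI
                nogui=1
                su_options="${su_options}--nogui "
                shift
                ;;
            -emailpackage|--emailpackage )
                nogui=1
                package=1
                email=1
                su_options="${su_options}--emailpackage "

                if [ -n "$2" ]
                then
                    case "$2" in
                        -* )
                            # next word is an option, not an address; leave it
                            # in place so it isn't swallowed
                            ;;
                        * )
                            email_receiver_addr="$2"
                            su_options="${su_options}$(csc_quote_arg "${email_receiver_addr}") "
                            shift
                            ;;
                    esac
                fi
                shift
                ;;
            -emailsender|--emailsender )
                if [ -z "${user}" ]
                then
                    email_sender_addr="${2}"
                    su_options="${su_options}--emailsender $(csc_quote_arg "${email_sender_addr}") "
                fi
                shift; shift
                ;;
            -package|--package )
                nogui=1
                package=1
                su_options="${su_options}--package "

                if [ -n "$2" ] && [ -d "$2" ]
                then
                    package_path="$2"
                    su_options="${su_options}$(csc_quote_arg "${package_path}") "
                    shift
                fi
                shift
                ;;
            -tableview|--tableview )
                nogui=1
                tableview=1
                su_options="${su_options}--tableview "
                shift
                ;;
            -user|--user )
                # get runas username
                user="$2"

                # check if user exists
                if getent passwd "${user}" >/dev/null 2>&1
                then
                    # the GECOS field is user controlled, hence the quoting
                    email_sender_addr="$(getent passwd "${user}" | cut -d: -f5) <${user}>"
                    su_options="${su_options}--emailsender $(csc_quote_arg "${email_sender_addr}") "
                else
                    mecho --error "The user '${user}' doesn't exist on this server!"
                    exit 1
                fi
                shift; shift
                ;;
            -* )
                # skip unknown parameters
                shift
                ;;
            * )
                # get certificate name, basename confines it to ${certdir}
                curr_file="${certdir}/$(basename "$1")"

                if [ ! -f "${curr_file}" ]
                then
                    if [ -f "${curr_file}.pem" ]
                    then
                        # add .pem extension if file couldn't be found
                        curr_file="${curr_file}.pem"
                    else
                        mecho --error "The file '${curr_file}.pem' doesn't exist on this server!"
                        exit 1
                    fi
                fi
                shift
                break
                ;;
        esac
    done
else
    # show help
    show_help
    exit 1
fi

if [ -n "${user}" ]
then
    # run as a different user; every value placed in the command string has
    # been shell-quoted so that it is passed on as data only
    su "${user}" -s /usr/bin/sh -c "$(csc_quote_arg "$(abs_path "$0")") ${su_options}$(csc_quote_arg "${curr_file}")"
else
    ### read certificate chain ###
    short_firstfile=$(basename "${curr_file}" '.pem')

    tmpdir=$(mktemp -d -p "${tmpdir}")
    if [ -z "${tmpdir}" ] || [ ! -d "${tmpdir}" ]
    then
        # without a private directory the files below would end up in '/'
        mecho --error "cannot create a temporary working directory!"
        exit 1
    fi

    tmpfile=${tmpdir}/${short_firstfile}.tmp

    # temporary files for ocsp check
    split_tmpfile=${tmpdir}/${short_firstfile}.split
    cert_tmpfile=${tmpdir}/${short_firstfile}.cert
    chain_tmpfile=${tmpdir}/${short_firstfile}.chain
    root_tmpfile=${tmpdir}/${short_firstfile}.root

    # DER encoded ocsp certificate check response
    # command to display file: openssl ocsp -respin nextcloud.telejeck.de-response.ecsp -text -noverify
    response_file=${crldir}/${short_firstfile}.ocsp

    rm -f "${split_tmpfile}" "${cert_tmpfile}" "${chain_tmpfile}" "${root_tmpfile}"

    idx=0
    exit_flag=0
    last_error=''

    # NOTE(review): the walk ends at a self-signed certificate or a missing
    # issuer; there is no limit on the number of steps - consider adding one.
    while [ "${exit_flag}" -eq 0 ]
    do
        if ! cd "${certdir}" >/dev/null 2>&1
        then
            # error
            last_error="directory '${certdir}' cannot be accessed!"
            exit_flag=4
        elif [ -z "${curr_file}" ]
        then
            # no certificate file given
            last_error="no certificate file '${curr_file}' given!"
            exit_flag=10
            break
        elif [ ! -f "${curr_file}" ]
        then
            # initial certificate file not found
            last_error="file '${curr_file}' missing!"
            exit_flag=2
            break
        elif [ ! -r "${curr_file}" ]
        then
            # error
            last_error="file '${curr_file}' cannot be accessed!"
            exit_flag=3
        else
            # file can be accessed, go on ...
            idx=$((idx + 1))

            subject=$("${openssl_bin}" x509 -in "${curr_file}" -noout -subject | sed -e 's#^subject= *##g' -e 's/[^A-Za-z0-9 _.=-]//g')
            subject_hash=$("${openssl_bin}" x509 -in "${curr_file}" -noout -subject_hash)
            issuer=$("${openssl_bin}" x509 -in "${curr_file}" -noout -issuer | sed -e 's#^issuer= *##g' -e 's/[^A-Za-z0-9 _.=-]//g')
            issuer_hash=$("${openssl_bin}" x509 -in "${curr_file}" -noout -issuer_hash)
            enddate=$("${openssl_bin}" x509 -in "${curr_file}" -noout -enddate | sed 's#^notAfter= *##g')
            md5fingerprint=$("${openssl_bin}" x509 -in "${curr_file}" -noout -fingerprint -md5 | sed 's#^.*print= *##g')
            sha1fingerprint=$("${openssl_bin}" x509 -in "${curr_file}" -noout -fingerprint -sha1 | sed 's#^.*print= *##g')

            tmp_uri=$(/var/install/bin/certs-update-crl --quiet --showsingleuri "${curr_file}")

            if [ "$(echo "${tmp_uri}" | cut -d'|' -f1)" = 'OCSP' ]
            then
                ### OCSP ###
                crl_uri=''
            else
                ### CRL ###
                crl_uri=$(echo "${tmp_uri}" | cut -d'|' -f2)
            fi

            ocsp_uri=$("${openssl_bin}" x509 -noout -in "${curr_file}" -ocsp_uri | sed 's#\([^/]\)$#\1/#')

            # check if referring certificate exists
            if ls "${certdir}/${issuer_hash}.0" > /dev/null 2> /dev/null
            then
                prev_file="${certdir}/${issuer_hash}.0"

                while [ -L "${prev_file}" ]
                do
                    prev_file=$(readlink -e "${prev_file}")

                    if [ -z "${prev_file}" ]
                    then
                        # error, dead symbolic link
                        last_error="file '${certdir}/${issuer_hash}.0' missing!"
                        exit_flag=1
                    fi
                done
            else
                # error
                prev_file=''
                last_error="file '${certdir}/${issuer_hash}.0' missing!"
                exit_flag=1
            fi

            # evaluate certificate type
            # C - client
            # I - intermediate
            # R - root
            if [ "${subject_hash}" = "${issuer_hash}" ]
            then
                # root certificate
                cert_type='R'
            elif [ "${idx}" -eq 1 ]
            then
                # client certificate
                cert_type='C'
            else
                # intermediate certificate
                cert_type='I'
            fi

            # store certificate details
            # Only the numeric index is expanded before eval runs. The values
            # are assigned by reference (\${name}), so text taken from a
            # certificate or a file name is never parsed as shell code.
            curr_base=$(basename "${curr_file}")
            eval "cert_${idx}_type=\${cert_type}"
            eval "cert_${idx}_subject=\${subject}"
            eval "cert_${idx}_subject_hash=\${subject_hash}"
            eval "cert_${idx}_issuer=\${issuer}"
            eval "cert_${idx}_issuer_hash=\${issuer_hash}"
            eval "cert_${idx}_curr_file=\${curr_base}"
            eval "cert_${idx}_prev_file=\${prev_file}"
            eval "cert_${idx}_enddate=\${enddate}"
            eval "cert_${idx}_md5fingerprint=\${md5fingerprint}"
            eval "cert_${idx}_sha1fingerprint=\${sha1fingerprint}"
            eval "cert_${idx}_crl_uri=\${crl_uri}"
            eval "cert_${idx}_ocsp_uri=\${ocsp_uri}"

            if [ "${exit_flag}" -eq 1 ]
            then
                # error appeared, add a pseudo entry (type 'E') and exit loop
                idx=$((idx + 1))
                missing_file="${issuer_hash}.0"
                eval "cert_${idx}_type='E'"
                eval "cert_${idx}_subject_hash='E'"
                eval "cert_${idx}_issuer_hash=\${exit_flag}"
                eval "cert_${idx}_curr_file=\${missing_file}"
                break
            else
                extract_cert_file "${cert_type}" "${curr_base}"

                # jump to next certificate
                curr_file="${prev_file}"
            fi
        fi

        if [ "${subject_hash}" = "${issuer_hash}" ]
        then
            # ca certificate reached, exit loop ...
            exit_flag=0
            break
        fi
    done

    ### output certificate chain data ###
    if [ "${tableview}" -eq 1 ]
    then
        # print certificate chain as a single string
        if [ "${exit_flag}" -lt 10 ]
        then
            line=''
            maxidx=${idx}
            idx=1
            while [ "${idx}" -le "${maxidx}" ]
            do
                eval cert_type='$cert_'${idx}'_type'
                eval curr_file='$cert_'${idx}'_curr_file'
                line="${line}${cert_type}:${curr_file}:"
                idx=$((idx + 1))
            done

            # verify certificate chain
            # NOTE(review): ret stays 0 (reported as 'OK') when the first
            # certificate names neither a CRL nor an OCSP URI, i.e. when no
            # check is run at all - confirm that consumers expect this.
            ret=0

            if [ -z "${cert_1_crl_uri}" ] && [ -n "${cert_1_ocsp_uri}" ]
            then
                ### OCSP ###
                response=$(run_ocsp_check)
                ret=$?

                if csc_ocsp_good "${response}"
                then
                    ret=0

                    if [ -f "${response_file}.old" ]
                    then
                        # -s - silent
                        if cmp -s "${response_file}.old" "${response_file}"
                        then
                            # unchanged result
                            rm -f "${response_file}.old"
                        fi
                    fi
                elif [ "${ret}" -eq 0 ]
                then
                    # The decision is taken from the response text, not from
                    # the exit status of the openssl call alone: a status other
                    # than 'good' or an unverified response must end in 'FAIL'.
                    ret=1
                fi
            else
                ### CRL ###
                if [ -n "${cert_1_crl_uri}" ]
                then
                    response=$("${openssl_bin}" verify -CApath "${certdir}" -purpose any -crl_check "${certdir}/${cert_1_curr_file}" 2>&1)
                    ret=$?
                fi
            fi

            if [ "${ret}" -ne 0 ]
            then
                line="${line}FAIL:"
            else
                line="${line}OK:"
            fi

            # certificate order: certificate (C) >> intermediate (I) >> root (R)
            echo "${line}"
        else
            if [ -n "${last_error}" ]
            then
                # error
                echo "Error: ${last_error}"
            fi
        fi
    elif [ "${package}" -eq 1 ]
    then
        # create a package which contains all certificates of a chain
        if [ "${exit_flag}" -lt 10 ]
        then
            maxidx=${idx}
            idx=1
            tarfile=''

            # The file names are collected as positional parameters, so that
            # names with blanks or brackets reach tar as single arguments.
            # The command line has been fully parsed at this point.
            set --
            while [ "${idx}" -le "${maxidx}" ]
            do
                eval curr_file='$cert_'${idx}'_curr_file'
                short_name=$(basename "${curr_file}")

                if [ "${idx}" -eq 1 ]
                then
                    # the archive is named after the first certificate
                    tarfile="${short_name}"
                fi

                set -- "$@" "${short_name}"
                idx=$((idx + 1))
            done

            # create certificate package
            cd "${certdir}"

            if [ "${email}" -eq 0 ]
            then
                mecho "using package path '${package_path}'."
            fi

            # NOTE(review): the default package path is /tmp and the archive
            # name is predictable. When run as root, consider a directory
            # which is not world-writable.

            # delete an existing archive file
            rm -f "${package_path}/${tarfile}.tgz"

            # create tar archive, '--' keeps file names from being read as options
            tar czf "${package_path}/${tarfile}.tgz" -- "$@"

            if [ "${email}" -eq 1 ]
            then
                # send email
                if [ -s "${package_path}/${tarfile}.tgz" ]
                then
                    # file exists and has a size greater than zero
                    mecho "sending email from: ${email_sender_addr}"
                    mecho "sending email to : ${email_receiver_addr}"
                    {
                        echo "Attached you will find the certification archive '${tarfile}.tgz'."
                        echo "Please store all files contained in your certificate directory, e.g. '${certdir}"
                        echo "and remember to update the certificate hashes afterwards by executing the command:"
                        echo "/var/install/bin/certs-update-hashes (menu entry: 1 - certificate folder)"
                        echo
                        echo "Your CA master"
                    } | ${email_bin} -f "${email_sender_addr}" \
                            -s "Your certificate archive '${tarfile}.tgz' - check attachements" \
                            -t "${email_receiver_addr}" -b "${package_path}/${tarfile}.tgz"
                else
                    mecho --error "certificate archive '${package_path}/${tarfile}.tgz doesn't exist or has a file size of zero."
                fi

                # remove temporary file
                rm -f "${package_path}/${tarfile}.tgz"
            else
                # show certificate location
                mecho --info "certificate archive '${package_path}/${tarfile}.tgz has successfully been created."
            fi
        else
            if [ -n "${last_error}" ]
            then
                # error
                echo "Error: ${last_error}"
            fi
        fi
    else
        # display certificate chain on the screen
        {
            if [ "${exit_flag}" -lt 10 ]
            then
                # print certificate chain
                spaces=''
                spaces1=''
                spaces2=''
                maxidx=${idx}

                echo '*'

                idx=1
                while [ "${idx}" -le "${maxidx}" ]
                do
                    # read certificate details
                    eval subject='$cert_'${idx}'_subject'
                    eval subject_hash='$cert_'${idx}'_subject_hash'
                    eval issuer='$cert_'${idx}'_issuer'
                    eval curr_file='$cert_'${idx}'_curr_file'
                    eval enddate='$cert_'${idx}'_enddate'
                    eval md5fingerprint='$cert_'${idx}'_md5fingerprint'
                    eval sha1fingerprint='$cert_'${idx}'_sha1fingerprint'

                    line1=$(echo "${spaces2}| certificate : ${curr_file} (${subject_hash})" | cut -c 1-${maxlen})
                    line2=$(echo "${spaces1}| subject : ${subject}" | cut -c 1-${maxlen})
                    line3=$(echo "${spaces1}| issuer : ${issuer}" | cut -c 1-${maxlen})
                    line4=$(echo "${spaces1}| MD5 f-print : ${md5fingerprint}" | cut -c 1-${maxlen})
                    line5=$(echo "${spaces1}| SHA1 f-print: ${sha1fingerprint}" | cut -c 1-${maxlen})
                    line6="${spaces1}|"

                    # print certificate details
                    echo "${line1}"
                    echo "${line2}"
                    echo "${line3}"
                    echo "${line4}"
                    echo "${line5}"

                    currdate_sec=$(date +"%s")
                    enddate_sec=$(date -d "${enddate}" +"%s")

                    if [ "${enddate_sec}" -le "${currdate_sec}" ]
                    then
                        # certificate no longer valid - print warning
                        outdate=$(date -d "${enddate}" +"%d.%m.%Y %H:%M:%S")
                        warnline=$(echo "${spaces1}| valid until : ${outdate} - CERTIFICATE NEEDS AN IMMEDIATE UPDATE!" | cut -c 1-${maxlen})
                        echo "${warnline}"
                    fi

                    echo "${line6}"

                    spaces1="${spaces} "
                    spaces2="${spaces}+->"
                    spaces="${spaces} "

                    idx=$((idx + 1))
                done

                if [ -z "${last_error}" ]
                then
                    echo "${spaces2} end of chain!"
                else
                    # print error message
                    echo "${spaces2} Error: ${last_error}"
                fi
            else
                if [ -n "${last_error}" ]
                then
                    # error
                    echo
                    echo "+-> Error: ${last_error}"
                fi
            fi

            echo

            # verify certificate chain
            if [ -z "${cert_1_crl_uri}" ] && [ -n "${cert_1_ocsp_uri}" ]
            then
                # run ocsp check
                echo 'checking certificate chain: '
                response=$(run_ocsp_check)
                ret=$?

                if csc_ocsp_good "${response}"
                then
                    ret=0

                    if [ -f "${response_file}.old" ]
                    then
                        # -s - silent
                        if cmp -s "${response_file}.old" "${response_file}"
                        then
                            # unchanged result
                            rm -f "${response_file}.old"
                        fi
                    fi
                fi

                # format OCSP verification result
                # - prefix first line with '* OCSP '
                # - remove file path from output
                # - replace tabs by spaces
                #
                # OLD: Response verify OK
                #    : /var/tmp/tmp.wA92zQw3Zy/eis.privat.lan: good
                #    :     This Update: Dec 15 21:00:00 2017 GMT
                #    :     Next Update: Dec 22 21:00:00 2017 GMT
                #
                # NEW: * OCSP Response verify OK
                #    : eis.privat.lan: good
                #    :     This Update: Dec 15 21:00:00 2017 GMT
                #    :     Next Update: Dec 22 21:00:00 2017 GMT
                echo "${response}" | sed -e 's/^\([a-z]\)/* OCSP \1/i' -e 's#/.*/\(.*\).cert# \1.pem#' -e 's/\t/ /g'
            else
                if [ -n "${cert_1_crl_uri}" ]
                then
                    echo 'checking certificate chain: '
                    response=$("${openssl_bin}" verify -CApath "${certdir}" -verbose -purpose any -crl_check "${certdir}/${cert_1_curr_file}" 2>&1)

                    # - CRL file: pki.google.com-GIAG2.crl.pem
                    crl_file=$(/var/install/bin/certs-update-crl -searchsingleuri "${cert_1_crl_uri}" | grep "CRL file:" | sed 's/^.*file: *//')

                    if [ -f "${crldir}/${crl_file}" ]
                    then
                        # add validity time/date range
                        # lastUpdate=Nov 9 13:50:35 2013 GMT
                        lastdate=$("${openssl_bin}" crl -in "${crldir}/${crl_file}" -lastupdate -noout | sed 's/^lastUpdate=//g')

                        # nextUpdate=Nov 19 13:50:35 2013 GMT
                        nextdate=$("${openssl_bin}" crl -in "${crldir}/${crl_file}" -nextupdate -noout | sed 's/^nextUpdate=//g')

                        # the dates are data read from the CRL and are passed
                        # as arguments, not as part of the printf format
                        response="${response}$(printf '\n Last Update: %s\n Next Update: %s\n' "${lastdate}" "${nextdate}")"
                    fi

                    # format verification result
                    #
                    # OLD: eis.privat.lan: OK
                    #    : Last Update: Nov 9 13:50:35 2013 GMT
                    #    : Next Update: Nov 19 13:50:35 2013 GMT
                    #
                    # NEW: eis.privat.lan: OK
                    #    : Last Update: Nov 9 13:50:35 2013 GMT
                    #    : Next Update: Nov 19 13:50:35 2013 GMT
                    echo "${response}" | sed 's/^\([a-z]\)/ \1/'
                fi
            fi
        } > "${tmpfile}"
    fi

    if [ "${nogui}" -eq 0 ]
    then
        # make use of the ECE-GUI
        # ${color} and ${frame} stay unquoted: they are fixed option words and
        # must vanish completely when empty
        /var/install/bin/show-doc.cui ${color} ${frame} --title "${certs_title}" "${tmpfile}"
    else
        # ASCII output only
        if [ "${tableview}" -ne 1 ] && [ "${package}" -ne 1 ]
        then
            echo "${certs_title}"
            cat "${tmpfile}"
        fi
    fi

    # delete temporary working directory
    if [ "${debug_certs:-false}" != 'true' ]
    then
        # ':?' aborts instead of running 'rm -rf' on an empty path
        rm -rf -- "${tmpdir:?}"
    fi
fi

exit 0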