Preparing for ca-certificates

astronaut/astronaut

@@ -79,11 +79,11 @@ fi
 
 # Tools for the astronaut
 mksum() {
-    echo $(md5sum "$@" 2> /dev/null | cut -d' ' -f1)
+    echo "$(md5sum "$@" 2> /dev/null | cut -d' ' -f1)"
 }
 
 download() {
-    local name="$(basename "$1")"
+    local name="$(basename "$1" | cut -d? -f1)"
     local path="$dir_source/$name"
     local checksum=""
     if [ "$2" -a -f "$path" ]; then
@@ -116,9 +116,18 @@ extract() {
     $(echo "$cmd" | sed -e 's@{src}@'"$dir_source/$1"'@g')
 }
 
+getfile() {
+    cp "$dir_source/$1" "$dir_build/$1"
+}
+
 dlextract() {
     download "$1" "$2"
-    extract "$(basename "$1")"
+    extract "$(basename "$1" | cut -d? -f1)"
+}
+
+dlfile() {
+    download "$1" "$2"
+    getfile "$(basename "$1" | cut -d? -f1)"
 }
 
 extrafile() {

astronaut/hello.sat

@@ -9,12 +9,22 @@ version=2.9
 download "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \
          "67607d2616a0faaf5bc94c59dca7c3cb" \
          "curl -L -o {dst} {src}"
+
 # Name [REQUIRED], Custom command
 extract "$name-$version.tar.gz" \
         "tar xvf {src}"
+
 # Abbreviation for the above functions. Does not allow custom commands
 #dlextract "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \
 #          "67607d2616a0faaf5bc94c59dca7c3cb"
+
+# Copy some file you downloaded over to the build directory
+#getfile "Waffles.txt"
+
+# Abbreviation for downloading a file and copying it over
+#dlfile "http://example.com/Waffles.txt" \
+#       "MD5SUM"
+
 # Copy local file to build directory. Path relative to the location of the satellite file
 #extrafile "Herpaderp.txt"  
 

tools/satellites/extrafiles/ca-certificates/make-ca.sh

@@ -0,0 +1,95 @@
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+#
+# Version 20120211
+
+if [ "$1" ]; then
+    certdata="$1"
+else
+    certdata="./certdata.txt"
+fi
+
+if [ "$2" ]; then
+    certdir="$2"
+else
+    certdir="./certs"
+fi
+
+if [ ! -r $certdata ]; then
+  echo "Can't find certdata" 1>&2
+  exit 1
+fi
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+CONVERTSCRIPT="./make-cert.pl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+  for certend in ${CERTENDLIST}; do
+    if test "${certend}" -gt "${certbegin}"; then
+      break
+    fi
+  done
+
+  # Dump to a temp file with the name of the file as the beginning line number
+  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p "$certdir"
+rm -f "$certdir/*"      # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+  # Make sure that the cert is trusted...
+  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+  if test "${?}" = "0"; then
+    # Throw a meaningful error and remove the file
+    cp "${tempfile}" tempfile.cer
+    perl ${CONVERTSCRIPT} > tempfile.crt
+    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+    echo "Certificate ${keyhash} is not trusted!  Removing..."
+    rm -f tempfile.cer tempfile.crt "${tempfile}"
+    continue
+  fi
+
+  # If execution made it to here in the loop, the temp cert is trusted
+  # Find the cert data and generate a cert file for it
+
+  cp "${tempfile}" tempfile.cer
+  perl ${CONVERTSCRIPT} > tempfile.crt
+  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+  mv tempfile.crt "$certdir/${keyhash}.pem"
+  rm -f tempfile.cer "${tempfile}"
+  echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f "$certdir/8f111d69.pem"; then
+  echo "Certificate 8f111d69 is not trusted!  Removing..."
+  rm -f "$certdir/8f111d69.pem"
+fi
+
+# Finally, generate the bundle and clean up.
+cat "$certdir"/*.pem > "$certdir/ca-certificates.crt"
+echo "Created ca-certificates.crt"
+rm -r "${TEMPDIR}"

tools/satellites/extrafiles/ca-certificates/make-cert.pl

@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+    || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> )
+{
+    if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+    {
+        $incert = 1;
+        open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+            || die "could not pipe to openssl x509";
+    }
+
+    elsif ( /^END/ && $incert )
+    {
+        close( OUT );
+        $incert = 0;
+        print "\n\n";
+    }
+
+    elsif ($incert)
+    {
+        my @bs = split( /\\/ );
+        foreach my $b (@bs)
+        {
+            chomp $b;
+            printf( OUT "%c", oct($b) ) unless $b eq '';
+        }
+    }
+}