Browse Source

Preparing for ca-certificates

master
mid-kid 10 years ago
parent
commit
53b4aec05b
  1. 15
      astronaut/astronaut
  2. 10
      astronaut/hello.sat
  3. 95
      tools/satellites/extrafiles/ca-certificates/make-ca.sh
  4. 49
      tools/satellites/extrafiles/ca-certificates/make-cert.pl

15
astronaut/astronaut

@ -79,11 +79,11 @@ fi
# Tools for the astronaut # Tools for the astronaut
mksum() { mksum() {
echo $(md5sum "$@" 2> /dev/null | cut -d' ' -f1) echo "$(md5sum "$@" 2> /dev/null | cut -d' ' -f1)"
} }
download() { download() {
local name="$(basename "$1")" local name="$(basename "$1" | cut -d? -f1)"
local path="$dir_source/$name" local path="$dir_source/$name"
local checksum="" local checksum=""
if [ "$2" -a -f "$path" ]; then if [ "$2" -a -f "$path" ]; then
@ -116,9 +116,18 @@ extract() {
$(echo "$cmd" | sed -e 's@{src}@'"$dir_source/$1"'@g') $(echo "$cmd" | sed -e 's@{src}@'"$dir_source/$1"'@g')
} }
getfile() {
cp "$dir_source/$1" "$dir_build/$1"
}
dlextract() { dlextract() {
download "$1" "$2" download "$1" "$2"
extract "$(basename "$1")" extract "$(basename "$1" | cut -d? -f1)"
}
dlfile() {
download "$1" "$2"
getfile "$(basename "$1" | cut -d? -f1)"
} }
extrafile() { extrafile() {

10
astronaut/hello.sat

@ -9,12 +9,22 @@ version=2.9
download "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \ download "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \
"67607d2616a0faaf5bc94c59dca7c3cb" \ "67607d2616a0faaf5bc94c59dca7c3cb" \
"curl -L -o {dst} {src}" "curl -L -o {dst} {src}"
# Name [REQUIRED], Custom command # Name [REQUIRED], Custom command
extract "$name-$version.tar.gz" \ extract "$name-$version.tar.gz" \
"tar xvf {src}" "tar xvf {src}"
# Abbreviation for the above functions. Does not allow custom commands # Abbreviation for the above functions. Does not allow custom commands
#dlextract "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \ #dlextract "http://ftp.gnu.org/pub/gnu/$name/$name-$version.tar.gz" \
# "67607d2616a0faaf5bc94c59dca7c3cb" # "67607d2616a0faaf5bc94c59dca7c3cb"
# Copy some file you downloaded over to the build directory
#getfile "Waffles.txt"
# Abbreviation for downloading a file and copying it over
#dlfile "http://example.com/Waffles.txt" \
# "MD5SUM"
# Copy local file to build directory. Path relative to the location of the satellite file # Copy local file to build directory. Path relative to the location of the satellite file
#extrafile "Herpaderp.txt" #extrafile "Herpaderp.txt"

95
tools/satellites/extrafiles/ca-certificates/make-ca.sh

@ -0,0 +1,95 @@
#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
if [ "$1" ]; then
certdata="$1"
else
certdata="./certdata.txt"
fi
if [ "$2" ]; then
certdir="$2"
else
certdir="./certs"
fi
if [ ! -r $certdata ]; then
echo "Can't find certdata" 1>&2
exit 1
fi
TEMPDIR=$(mktemp -d)
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
CONVERTSCRIPT="./make-cert.pl"
mkdir "${TEMPDIR}/certs"
# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
# Get a list of ending lines for each cert
CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
# Start a loop
for certbegin in ${CERTBEGINLIST}; do
for certend in ${CERTENDLIST}; do
if test "${certend}" -gt "${certbegin}"; then
break
fi
done
# Dump to a temp file with the name of the file as the beginning line number
sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done
unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
mkdir -p "$certdir"
rm -f "$certdir/*" # Make sure the directory is clean
for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Make sure that the cert is trusted...
grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
if test "${?}" = "0"; then
# Throw a meaningful error and remove the file
cp "${tempfile}" tempfile.cer
perl ${CONVERTSCRIPT} > tempfile.crt
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
echo "Certificate ${keyhash} is not trusted! Removing..."
rm -f tempfile.cer tempfile.crt "${tempfile}"
continue
fi
# If execution made it to here in the loop, the temp cert is trusted
# Find the cert data and generate a cert file for it
cp "${tempfile}" tempfile.cer
perl ${CONVERTSCRIPT} > tempfile.crt
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
mv tempfile.crt "$certdir/${keyhash}.pem"
rm -f tempfile.cer "${tempfile}"
echo "Created ${keyhash}.pem"
done
# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f "$certdir/8f111d69.pem"; then
echo "Certificate 8f111d69 is not trusted! Removing..."
rm -f "$certdir/8f111d69.pem"
fi
# Finally, generate the bundle and clean up.
cat "$certdir"/*.pem > "$certdir/ca-certificates.crt"
echo "Created ca-certificates.crt"
rm -r "${TEMPDIR}"

49
tools/satellites/extrafiles/ca-certificates/make-cert.pl

@ -0,0 +1,49 @@
#!/usr/bin/perl -w
# Used to generate PEM encoded files from Mozilla certdata.txt.
# Run as ./make-cert.pl > certificate.crt
#
# Parts of this script courtesy of RedHat (mkcabundle.pl)
#
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
my $certdata = './tempfile.cer';
open( IN, "cat $certdata|" )
|| die "could not open $certdata";
my $incert = 0;
while ( <IN> )
{
if ( /^CKA_VALUE MULTILINE_OCTAL/ )
{
$incert = 1;
open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
|| die "could not pipe to openssl x509";
}
elsif ( /^END/ && $incert )
{
close( OUT );
$incert = 0;
print "\n\n";
}
elsif ($incert)
{
my @bs = split( /\\/ );
foreach my $b (@bs)
{
chomp $b;
printf( OUT "%c", oct($b) ) unless $b eq '';
}
}
}
Loading…
Cancel
Save