mid-kid
10 years ago
4 changed files with 166 additions and 3 deletions
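--- a/make-ca.sh
+++ b/make-ca.sh
@@ -0,0 +1,95 @@
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+if [ "$1" ]; then
+certdata="$1"
+else
+certdata="./certdata.txt"
+fi
+
+if [ "$2" ]; then
+certdir="$2"
+else
+certdir="./certs"
+fi
+
+if [ ! -r $certdata ]; then
+echo "Can't find certdata" 1>&2
+exit 1
+fi
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+CONVERTSCRIPT="./make-cert.pl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+for certend in ${CERTENDLIST}; do
+if test "${certend}" -gt "${certbegin}"; then
+break
+fi
+done
+
+# Dump to a temp file with the name of the file as the beginning line number
+sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p "$certdir"
+rm -f "$certdir/*" # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+# Make sure that the cert is trusted...
+grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+if test "${?}" = "0"; then
+# Throw a meaningful error and remove the file
+cp "${tempfile}" tempfile.cer
+perl ${CONVERTSCRIPT} > tempfile.crt
+keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+echo "Certificate ${keyhash} is not trusted! Removing..."
+rm -f tempfile.cer tempfile.crt "${tempfile}"
+continue
+fi
+
+# If execution made it to here in the loop, the temp cert is trusted
+# Find the cert data and generate a cert file for it
+
+cp "${tempfile}" tempfile.cer
+perl ${CONVERTSCRIPT} > tempfile.crt
+keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+mv tempfile.crt "$certdir/${keyhash}.pem"
+rm -f tempfile.cer "${tempfile}"
+echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f "$certdir/8f111d69.pem"; then
+echo "Certificate 8f111d69 is not trusted! Removing..."
+rm -f "$certdir/8f111d69.pem"
+fi
+
+# Finally, generate the bundle and clean up.
+cat "$certdir"/*.pem > "$certdir/ca-certificates.crt"
+echo "Created ca-certificates.crt"
+rm -r "${TEMPDIR}"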
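Review bot: The cleanup line `rm -f "$certdir/*" # Make sure the directory is clean` does not clean anything, because the `*` inside double quotes is passed literally and never globbed; on a rerun, any `.pem` left from an earlier certdata (including a CA the new data has dropped or marked untrusted) survives and is swept into `ca-certificates.crt` by the final `cat "$certdir"/*.pem`. Move the glob outside the quotes: `rm -f "$certdir"/*`. `TEMPDIR=$(mktemp -d)` is also unchecked, so on failure the later `mkdir "${TEMPDIR}/certs"` and `rm -r "${TEMPDIR}"` operate on an empty path; `TEMPDIR=$(mktemp -d) || exit 1` plus `trap 'rm -r "$TEMPDIR"' EXIT` would make the scratch directory both safe and always removed. Two trusted certificates whose subject names share the same `openssl x509 -hash` value would also silently overwrite each other at `mv tempfile.crt "$certdir/${keyhash}.pem"`; a check that the target does not already exist (or the `.0`/`.1` suffix convention OpenSSL uses for CApath) would avoid losing one of them.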
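--- a/make-cert.pl
+++ b/make-cert.pl
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+|| die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> )
+{
+if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+{
+$incert = 1;
+open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+|| die "could not pipe to openssl x509";
+}
+
+elsif ( /^END/ && $incert )
+{
+close( OUT );
+$incert = 0;
+print "\n\n";
+}
+
+elsif ($incert)
+{
+my @bs = split( /\\/ );
+foreach my $b (@bs)
+{
+chomp $b;
+printf( OUT "%c", oct($b) ) unless $b eq '';
+}
+}
+}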
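Review bot: `close( OUT );` in the `/^END/` branch ignores the exit status of the `openssl x509` pipe, so if OpenSSL rejects the reconstructed DER the script still exits 0 with an empty or partial certificate on stdout, and the caller in make-ca.sh then hashes and installs that output. Closing a pipe handle leaves the child's status in `$?`, so `close( OUT ) or die "openssl x509 failed (status $?)";` is enough to make the failure visible. The input side, `open( IN, "cat $certdata|" )`, spawns a shell just to read a fixed path; the three-argument form `open( IN, '<', $certdata ) or die "could not open $certdata: $!";` avoids the shell and reports the real error. The file also lacks `use strict;` (the `-w` on the shebang covers warnings only); adding it alongside `use warnings;` at the top costs nothing here since every variable is already declared with `my`.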