updated lfs-book (7.3 -> 8.4)
author | Hans-Günter Theisgen |
date | Tue Mar 19 13:56:25 2019 +0100 (2019-03-19) |
parents | f29d4912ea56 |
children |
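#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
#          Bruce Dubbs
#
# Version 20120211
#
# Usage: run from the directory that holds certdata.txt and make-cert.pl.
# Writes certs/<subject-hash>.pem for every CA that certdata.txt marks as
# trusted for server authentication, then concatenates them into
# ca-bundle.crt.  The output is a trust store, so every filter below errs
# on the side of dropping a record rather than keeping a doubtful one.
# Exits 1 when certdata.txt is missing, has no CVS_ID revision, or the
# work directory cannot be created.

# Some data in the certs have UTF-8 characters
export LANG=en_US.utf8

certdata="certdata.txt"

if [ ! -r "$certdata" ]; then
  echo "$certdata must be in the local directory" >&2
  exit 1
fi

# Field 4 of the CVS_ID line split on '$' is the "Revision: N.NN " part.
REVISION=$(grep CVS_ID "$certdata" | cut -f4 -d'$')

if [ -z "${REVISION}" ]; then
  # The message previously named "$certfile", which is never set.
  echo "$certdata has no 'Revision' in CVS_ID" >&2
  exit 1
fi

VERSION=$(printf '%s\n' "$REVISION" | cut -f2 -d" ")

TEMPDIR=$(mktemp -d) || { echo "mktemp -d failed" >&2; exit 1; }
# Remove the work directory on every exit path, not only after success;
# ":?" refuses to run the rm against an empty path.
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="ca-bundle.crt"
CONVERTSCRIPT="./make-cert.pl"
SSLDIR="${DESTDIR}/etc/ssl"

mkdir "${TEMPDIR}/certs" || exit 1

# Convert the NSS record in $1 to PEM and print its OpenSSL subject hash.
# make-cert.pl takes no arguments, so it presumably reads ./tempfile.cer
# (verify against the script); the PEM is left in ./tempfile.crt and the
# caller removes both scratch files.  Prints nothing if openssl cannot
# parse the result.
convert_record() {
  cp "$1" tempfile.cer
  perl "${CONVERTSCRIPT}" > tempfile.crt
  openssl x509 -noout -in tempfile.crt -hash
}

# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

# Get a list of ending lines for each cert
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

# Split certdata.txt into one file per record.  The two lists are
# whitespace-separated line numbers, so the unquoted expansion is intended.
for certbegin in ${CERTBEGINLIST}; do
  # The first end marker after this start marker closes the record.
  certend=""
  for candidate in ${CERTENDLIST}; do
    if test "${candidate}" -gt "${certbegin}"; then
      certend="${candidate}"
      break
    fi
  done

  # A start marker with no following end marker is a truncated record;
  # the old code would have reused the previous certend and emitted a
  # one-line fragment.  Never feed a partial record into the trust store.
  if [ -z "${certend}" ]; then
    echo "No end marker after line ${certbegin} in ${certdata}; skipping" >&2
    continue
  fi

  # Dump to a temp file with the name of the file as the beginning line number
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

unset CERTBEGINLIST CERTENDLIST certbegin certend candidate

mkdir -p certs || exit 1
rm -f -- certs/* # Make sure the directory is clean

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
  # With no extracted records the glob stays literal; nothing to do.
  [ -e "${tempfile}" ] || continue

  # Make sure that the cert is trusted for server authentication.
  # TRUST_UNKNOWN and NOT_TRUSTED are explicit rejections; MUST_VERIFY_TRUST
  # means the CA is not a trust anchor for this usage and must itself chain
  # to one, so it must not be installed as a root either.
  if grep "${TRUSTATTRIBUTES}" "${tempfile}" \
      | grep -E "TRUST_UNKNOWN|NOT_TRUSTED|MUST_VERIFY_TRUST" > /dev/null; then
    # Throw a meaningful error and remove the file
    keyhash=$(convert_record "${tempfile}")
    echo "Certificate ${keyhash} is not trusted! Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # If execution made it to here in the loop, the temp cert is trusted
  # Find the cert data and generate a cert file for it
  keyhash=$(convert_record "${tempfile}")

  # An empty hash means the conversion or parse failed; without this guard
  # the mv below would install the broken file as "certs/.pem".
  if [ -z "${keyhash}" ]; then
    echo "Could not parse certificate from ${tempfile}; skipping" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # Two distinct CAs can share a subject hash; the later one overwrites the
  # earlier, as before, but now say so instead of doing it silently.
  if [ -e "certs/${keyhash}.pem" ]; then
    echo "Warning: certs/${keyhash}.pem already exists; overwriting" >&2
  fi

  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
  echo "Certificate 8f111d69 is not trusted! Removing..."
  rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle.  The EXIT trap removes "${TEMPDIR}".
cat certs/*.pem > "${BUNDLE}"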