wok-current annotate cacerts/stuff/make-ca.sh @ rev 21106

updated lfs-book (7.3 -> 8.4)
author Hans-Günter Theisgen
date Tue Mar 19 13:56:25 2019 +0100 (2019-03-19)
parents f29d4912ea56
children
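#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
#          Bruce Dubbs
#
# Version 20120211
#
# Inputs:  ./certdata.txt (the NSS trust-store dump; its integrity decides
#          what ends up in the bundle, so obtain it from a trusted source),
#          ./make-cert.pl (the NSS-record-to-PEM converter),
#          DESTDIR (optional; only used to derive SSLDIR).
# Outputs: certs/<hash>.pem for every CA trusted for server authentication,
#          ca-bundle.crt concatenating them, and progress messages on stdout.
#          tempfile.cer / tempfile.crt are scratch files in the working
#          directory; they and the mktemp directory are removed on exit.
# Returns: 0 on success; 1 when certdata.txt is missing or unusable, when a
#          directory cannot be created, or when no certificate was produced.

set -u

# Some data in the certs have UTF-8 characters
export LANG=en_US.utf8

certdata="certdata.txt"

# die MESSAGE... - print MESSAGE to stderr and exit with status 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ -r "${certdata}" ] || die "${certdata} must be in the local directory"

# The 4th '$'-delimited field of the CVS_ID line is "Revision: N.NN ".
REVISION=$(grep CVS_ID "${certdata}" | cut -f4 -d'$')

# The original message interpolated an undefined $certfile here.
[ -n "${REVISION}" ] || die "${certdata} has no 'Revision' in CVS_ID"

# Numeric revision of the data (not used further in this script).
VERSION=$(printf '%s\n' "${REVISION}" | cut -f2 -d" ")

TEMPDIR=$(mktemp -d) || die "mktemp failed"
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="ca-bundle.crt"
CONVERTSCRIPT="./make-cert.pl"
# SSLDIR is not used below; kept for callers/readers of this script.
SSLDIR="${DESTDIR:-}/etc/ssl"

# Remove the scratch directory and the working-directory temp files on
# every exit path, not only on the success path at the end of the script.
cleanup() {
  rm -rf -- "${TEMPDIR:?}"
  rm -f -- tempfile.cer tempfile.crt
}
trap cleanup EXIT

mkdir "${TEMPDIR}/certs" || die "cannot create ${TEMPDIR}/certs"

# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

# Get a list of ending lines for each cert
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

# Split certdata into one temp file per certificate record.
# The lists are newline-separated numbers, so the unquoted expansion is the
# intended word-splitting.
for certbegin in ${CERTBEGINLIST}; do
  # A record ends at the first CKA_TRUST_STEP_UP_APPROVED line that follows
  # its "# Certificate" header.
  certend=0
  for candidate in ${CERTENDLIST}; do
    if [ "${candidate}" -gt "${certbegin}" ]; then
      certend=${candidate}
      break
    fi
  done
  if [ "${certend}" -le "${certbegin}" ]; then
    # The original loop fell through with a stale end line and wrote a
    # truncated record; skip the entry instead.
    printf 'warning: no end marker after line %s, skipping\n' "${certbegin}" >&2
    continue
  fi

  # Dump to a temp file with the name of the file as the beginning line number
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

unset CERTBEGINLIST CERTENDLIST certbegin certend candidate

mkdir -p certs || die "cannot create certs/"
rm -f certs/* # Make sure the directory is clean

# cert_hash - convert the record copied to ./tempfile.cer into ./tempfile.crt
# and print its OpenSSL subject hash (empty output on failure).
# make-cert.pl is given no stdin, so it presumably reads ./tempfile.cer by
# name, exactly as the original invocation relied on.
cert_hash() {
  perl "${CONVERTSCRIPT}" > tempfile.crt &&
    openssl x509 -noout -in tempfile.crt -hash
}

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
  # An unmatched glob leaves the literal pattern behind; nothing to do then.
  [ -e "${tempfile}" ] || continue

  # Convert once; the hash is needed both for the file name and for the
  # "not trusted" message.
  cp "${tempfile}" tempfile.cer
  keyhash=$(cert_hash)
  if [ -z "${keyhash}" ]; then
    # Without a hash the original would have produced "certs/.pem".
    printf 'warning: cannot convert %s, skipping\n' "${tempfile}" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # Make sure that the cert is trusted...
  # Only a CA whose server-auth attribute is an explicit trust anchor
  # (TRUSTED_DELEGATOR) belongs in a TLS bundle. The original deny-list
  # (TRUST_UNKNOWN|NOT_TRUSTED) also admitted records whose server-auth
  # value was anything else (e.g. MUST_VERIFY_TRUST) and records that
  # lacked the attribute entirely.
  if ! grep "${TRUSTATTRIBUTES}" "${tempfile}" | grep -q "TRUSTED_DELEGATOR"; then
    # Throw a meaningful error and remove the file
    echo "Certificate ${keyhash} is not trusted! Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # If execution made it to here in the loop, the temp cert is trusted
  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if [ -f certs/8f111d69.pem ]; then
  echo "Certificate 8f111d69 is not trusted! Removing..."
  rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle. An empty bundle would silently leave the
# system with no trust anchors, so treat "no certs" as an error.
set -- certs/*.pem
[ -e "$1" ] || die "no trusted certificates were produced; ${BUNDLE} not written"
cat -- "$@" > "${BUNDLE}" || die "cannot write ${BUNDLE}"
# The EXIT trap removes ${TEMPDIR} and the scratch files.
# End make-ca.sh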