wok-current view cacerts/stuff/make-ca.sh @ rev 19274
author | Aleksej Bobylev <al.bobylev@gmail.com> |
---|---|
date | Tue Jul 05 01:51:14 2016 +0300 (2016-07-05) |
parents | d805d3de4546 |
children | cfa2c2f63692 |
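#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Inputs (all in the current directory):
#   certdata.txt  - Mozilla/NSS trust store in its text form; each CA is a
#                   "# Certificate" block terminated by a
#                   CKA_TRUST_STEP_UP_APPROVED line.
#   make-cert.pl  - converter; it is invoked with no arguments, so it is
#                   assumed to read ./tempfile.cer and write PEM to stdout
#                   (confirm against make-cert.pl itself).
# Outputs (all in the current directory):
#   certs/<hash>.pem - one PEM file per CA trusted for TLS server auth
#   ca-bundle.crt    - concatenation of those files
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211

certdata="certdata.txt"

if [ ! -r "$certdata" ]; then
    echo "$certdata must be in the local directory" >&2
    exit 1
fi

# The CVS_ID header is expected to look like
#   CVS_ID "@(#) $RCSfile: certdata.txt,v $ $Revision: 1.NN $ $Date: ... $"
# so the 4th '$'-separated field is "Revision: 1.NN ".
REVISION=$(grep CVS_ID "$certdata" | cut -f4 -d'$')

if [ -z "${REVISION}" ]; then
    # NOTE(review): this is a hard failure even though VERSION is not used
    # below; a certdata.txt without a CVS_ID line cannot be processed.
    echo "$certdata has no 'Revision' in CVS_ID" >&2
    exit 1
fi

# Intentionally unquoted: word-splitting collapses the surrounding whitespace
# so that the version number is always the second word.
# shellcheck disable=SC2086
VERSION=$(echo $REVISION | cut -f2 -d" ")

TEMPDIR=$(mktemp -d) || { echo "mktemp -d failed" >&2; exit 1; }
# Remove the scratch directory on every exit path, including the error
# exits below; ":?" refuses to run if TEMPDIR were ever empty.
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT

# Trust attribute that decides inclusion: we only build a bundle for TLS
# server authentication, so e-mail/code-signing-only roots are left out.
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="ca-bundle.crt"
CONVERTSCRIPT="./make-cert.pl"
# Not referenced below; kept for compatibility with anything that expects it.
SSLDIR="${DESTDIR}/etc/ssl"

mkdir "${TEMPDIR}/certs" || exit 1

# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

# Get a list of ending lines for each cert
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

# Pair every start line with the first end line that follows it and dump
# that span to a temp file named after the start line number.
for certbegin in ${CERTBEGINLIST}; do
    certend=""
    for candidate in ${CERTENDLIST}; do
        if [ "${candidate}" -gt "${certbegin}" ]; then
            certend="${candidate}"
            break
        fi
    done

    if [ -z "${certend}" ]; then
        # Truncated final block: the old code would have reused the previous
        # end line (below certbegin) and emitted a one-line fragment.
        echo "No CKA_TRUST_STEP_UP_APPROVED after line ${certbegin}; skipping" >&2
        continue
    fi

    sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

mkdir -p certs
rm -f certs/* # Make sure the directory is clean

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
    # With no matches the glob stays literal; nothing to do then.
    [ -e "${tempfile}" ] || continue

    # make-cert.pl takes no arguments and is assumed to read ./tempfile.cer.
    cp "${tempfile}" tempfile.cer
    if ! perl "${CONVERTSCRIPT}" > tempfile.crt; then
        echo "${CONVERTSCRIPT} failed on ${tempfile}; skipping" >&2
        rm -f tempfile.cer tempfile.crt "${tempfile}"
        continue
    fi

    # -hash is the subject-name hash, which is also used as the CApath name.
    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    if [ -z "${keyhash}" ]; then
        # Without this guard an unparsable cert would be moved to certs/.pem.
        echo "openssl could not parse the certificate from ${tempfile}; skipping" >&2
        rm -f tempfile.cer tempfile.crt "${tempfile}"
        continue
    fi

    # Allow-list rather than deny-list: a root is only included when its
    # server-auth trust attribute is TRUSTED_DELEGATOR (CKT_NSS_... or the
    # older CKT_NETSCAPE_... spelling). The previous deny-list matched only
    # TRUST_UNKNOWN/NOT_TRUSTED, so a block with MUST_VERIFY_TRUST or with no
    # CKA_TRUST_SERVER_AUTH line at all was accepted by default (fail-open).
    if grep "${TRUSTATTRIBUTES}" "${tempfile}" | grep -q "TRUSTED_DELEGATOR"; then
        if [ -e "certs/${keyhash}.pem" ]; then
            # Two roots with the same subject hash onto the same file name;
            # the later one wins, as before, but now say so.
            echo "Warning: certs/${keyhash}.pem already exists; overwriting" >&2
        fi
        mv tempfile.crt "certs/${keyhash}.pem"
        echo "Created ${keyhash}.pem"
    else
        echo "Certificate ${keyhash} is not trusted! Removing..."
        rm -f tempfile.crt
    fi
    rm -f tempfile.cer "${tempfile}"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
    echo "Certificate 8f111d69 is not trusted! Removing..."
    rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle. TEMPDIR is removed by the EXIT trap.
cat certs/*.pem > "${BUNDLE}"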