nmon: keep source
author Pascal Bellard <pascal.bellard@slitaz.org>
date Wed Feb 18 11:21:08 2015 +0100 (2015-02-18)
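#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
#
# Usage: run from a directory holding certdata.txt and make-cert.pl.
# Writes one certs/<subject-hash>.pem per admitted CA and concatenates them
# into ca-bundle.crt.  A CA is admitted only when its CKA_TRUST_SERVER_AUTH
# attribute is TRUSTED_DELEGATOR; every other certificate is reported and
# dropped.  The optional DESTDIR environment variable only feeds SSLDIR.
#
# This script is POSIX sh: no arrays, no [[ ]].

set -eu

certdata="certdata.txt"

# Fail early: nothing to do without the NSS trust data.
if [ ! -r "$certdata" ]; then
  echo "$certdata must be in the local directory" >&2
  exit 1
fi

# The data carries its own revision in a CVS_ID keyword line.  Splitting that
# line on '$' puts "Revision: N.NN" in field 4.
REVISION=$(grep CVS_ID "$certdata" | cut -f4 -d'$')

if [ -z "${REVISION}" ]; then
  # Bug fix: the message previously referenced an undefined $certfile.
  echo "$certdata has no 'Revision' in CVS_ID" >&2
  exit 1
fi

# Second whitespace-separated word of "Revision: N.NN".  Word-splitting of
# $REVISION is deliberate so that surrounding whitespace is normalised.
# shellcheck disable=SC2086
VERSION=$(echo $REVISION | cut -f2 -d" ")   # informational; not used below

TEMPDIR=$(mktemp -d)
# Remove the scratch directory on every exit path, not only on success.
# ${TEMPDIR:?} refuses to run "rm -rf --" with an empty path.
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT

TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="ca-bundle.crt"
CONVERTSCRIPT="./make-cert.pl"
SSLDIR="${DESTDIR:-}/etc/ssl"                # not used further in this script

mkdir "${TEMPDIR}/certs"

# Each certificate block in certdata.txt starts at a "# Certificate" comment
# line and its trust block ends at CKA_TRUST_STEP_UP_APPROVED; grep -n yields
# the line number of each.
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

if [ -z "${CERTBEGINLIST}" ] || [ -z "${CERTENDLIST}" ]; then
  echo "$certdata contains no certificate blocks" >&2
  exit 1
fi

# Pair each start line with the first end line after it and dump that range
# to its own temp file, named after the start line number.  The lists are
# newline-separated integers, so unquoted expansion (word-splitting) is the
# intent here.
for certbegin in ${CERTBEGINLIST}; do
  certend=0
  for candidate in ${CERTENDLIST}; do
    if [ "${candidate}" -gt "${certbegin}" ]; then
      certend=${candidate}
      break
    fi
  done

  # A start line with no trust block after it is an incomplete (truncated)
  # entry; the original would have printed a single line here.
  if [ "${certend}" -le "${certbegin}" ]; then
    echo "Certificate block at line ${certbegin} has no trust block; skipping" >&2
    continue
  fi

  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

unset CERTBEGINLIST CERTENDLIST certbegin certend candidate

mkdir -p certs
rm -f -- certs/*   # Make sure the directory is clean

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
  [ -e "${tempfile}" ] || continue   # unmatched glob stays literal in sh

  # Convert once, then decide whether to keep the result.  make-cert.pl is
  # invoked without arguments and appears to read tempfile.cer from the
  # current directory — confirm against the script before renaming these.
  cp "${tempfile}" tempfile.cer
  if ! perl "${CONVERTSCRIPT}" > tempfile.crt; then
    echo "Conversion of ${tempfile##*/} failed; skipping" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # Subject-name hash; an empty result means openssl could not parse the PEM
  # and the original would have produced a file literally named ".pem".
  keyhash=$(openssl x509 -noout -in tempfile.crt -hash 2>/dev/null) || keyhash=
  if [ -z "${keyhash}" ]; then
    echo "Could not hash certificate from ${tempfile##*/}; skipping" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # Admit a CA only when its server-auth trust is explicitly
  # TRUSTED_DELEGATOR.  The previous test merely excluded TRUST_UNKNOWN and
  # NOT_TRUSTED, so any other value (or a missing attribute) was treated as
  # trusted.
  if ! grep "${TRUSTATTRIBUTES}" "${tempfile}" | grep -q "TRUSTED_DELEGATOR"; then
    echo "Certificate ${keyhash} is not trusted! Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # Two CAs can share a subject hash; the later one silently replaced the
  # earlier one before.  Keep that behaviour but say so.
  if [ -e "certs/${keyhash}.pem" ]; then
    echo "certs/${keyhash}.pem already exists; overwriting" >&2
  fi
  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if [ -f certs/8f111d69.pem ]; then
  echo "Certificate 8f111d69 is not trusted! Removing..."
  rm -f -- certs/8f111d69.pem
fi

# Finally, generate the bundle.  Under set -e an empty certs/ makes cat fail
# and the script exit non-zero rather than ship an empty trust store.
# TEMPDIR is removed by the EXIT trap.
cat certs/*.pem > "${BUNDLE}"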