wok-next diff cacerts/stuff/make-ca.sh @ rev 16555
linux: update ATA config (again)
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Wed Apr 30 11:54:39 2014 +0000 (2014-04-30) |
parents | |
children | f29d4912ea56 |
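--- /dev/null
+++ b/cacerts/stuff/make-ca.sh
@@ -0,0 +1,96 @@
+#!/bin/sh
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Version 20120211
+
+certdata="certdata.txt"
+
+if [ ! -r $certdata ]; then
+ echo "$certdata must be in the local directory"
+ exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+ echo "$certfile has no 'Revision' in CVS_ID"
+ exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="ca-bundle.crt"
+CONVERTSCRIPT="./make-cert.pl"
+SSLDIR="${DESTDIR}/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of staring lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+ for certend in ${CERTENDLIST}; do
+ if test "${certend}" -gt "${certbegin}"; then
+ break
+ fi
+ done
+
+ # Dump to a temp file with the name of the file as the beginning line number
+ sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
+
+mkdir -p certs
+touch certs/dummy
+rm certs/* # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+ # Make sure that the cert is trusted...
+ grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+ if test "${?}" = "0"; then
+ # Throw a meaningful error and remove the file
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ echo "Certificate ${keyhash} is not trusted! Removing..."
+ rm -f tempfile.cer tempfile.crt "${tempfile}"
+ continue
+ fi
+
+ # If execution made it to here in the loop, the temp cert is trusted
+ # Find the cert data and generate a cert file for it
+
+ cp "${tempfile}" tempfile.cer
+ perl ${CONVERTSCRIPT} > tempfile.crt
+ keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+ mv tempfile.crt "certs/${keyhash}.pem"
+ rm -f tempfile.cer "${tempfile}"
+ echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+ echo "Certificate 8f111d69 is not trusted! Removing..."
+ rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+rm -r "${TEMPDIR}"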
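Review bot: The trust filter at lines 1.66-1.69 is a deny-list: a certificate is dropped only when its CKA_TRUST_SERVER_AUTH line contains TRUST_UNKNOWN or NOT_TRUSTED, so any other value — including, if this certdata.txt revision uses the CKT_NSS_* encoding, CKT_NSS_MUST_VERIFY_TRUST for roots that are deliberately not TLS anchors — ends up in ca-bundle.crt as a fully trusted server-auth anchor. Inverting it to an allow-list is the safer default: `grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | grep -q "CKT_NSS_TRUSTED_DELEGATOR"` followed by `if test "${?}" != "0"; then`, which would also give the `TRUSTATTRIBUTES` variable defined at 1.33 (never read afterwards) a purpose. Two smaller defects in the same file: the error at 1.26 interpolates `$certfile`, which is never assigned, so the message prints an empty name (use `$certdata`), and the `unset` at 1.58 names `certebegin` instead of `certbegin`. Separately, `openssl x509 -hash` is a short subject-name hash that can collide for distinct subjects, so `mv tempfile.crt "certs/${keyhash}.pem"` at 1.85 may silently overwrite a previously written certificate; a `test -e` before the move would make such a collision visible instead of shrinking the bundle.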