wok-next view cacerts/stuff/make-ca.sh @ rev 20420
linux-dev: up 4.9.76
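#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
# Bruce Dubbs
#
# Version 20120211
#
# Inputs (current directory):
#   certdata.txt   - Mozilla NSS certificate data, must be readable
#   ./make-cert.pl - converter, run with no arguments after the current
#                    record has been copied to tempfile.cer (presumably it
#                    reads that file; confirm against make-cert.pl)
# Outputs (current directory):
#   certs/<hash>.pem - one PEM file per accepted CA, named by the hash
#                      printed by `openssl x509 -hash`
#   ca-bundle.crt    - concatenation of every certs/*.pem
# Environment:
#   DESTDIR - optional prefix for SSLDIR (SSLDIR is set but not used below)
# Exit status: 0 on success, 1 on a missing input or a failed bundle.

# Referencing an unset variable is an error from here on; DESTDIR is the
# only variable allowed to be unset and is read with a default below.
set -u

# Some data in the certs have UTF-8 characters
export LANG=en_US.utf8

certdata="certdata.txt"

if [ ! -r "$certdata" ]; then
  echo "$certdata must be in the local directory" >&2
  exit 1
fi

REVISION=$(grep CVS_ID "$certdata" | cut -f4 -d'$')

if [ -z "${REVISION}" ]; then
  # The message used to expand "$certfile", which is never set, so it
  # named no file at all.
  echo "$certdata has no 'Revision' in CVS_ID" >&2
  exit 1
fi

# $REVISION is left unquoted on purpose: word-splitting collapses runs of
# whitespace so the revision number is always the second field.
# shellcheck disable=SC2086
VERSION=$(echo $REVISION | cut -f2 -d" ")

TEMPDIR=$(mktemp -d) || { echo "mktemp -d failed" >&2; exit 1; }
# Remove the scratch directory on every exit path, not only the happy one;
# ":?" refuses to run the rm with an empty path.
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT
trap 'exit 1' HUP INT TERM

TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="ca-bundle.crt"
CONVERTSCRIPT="./make-cert.pl"
SSLDIR="${DESTDIR:-}/etc/ssl"

# Fail once up front instead of once per certificate inside the loop.
if [ ! -r "${CONVERTSCRIPT}" ]; then
  echo "${CONVERTSCRIPT} is missing or unreadable" >&2
  exit 1
fi

mkdir "${TEMPDIR}/certs" || exit 1

# Get a list of starting lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

# Get a list of ending lines for each cert
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

# Start a loop: for every record start, pair it with the first end marker
# that follows it.  The lists are newline separated and word-splitting on
# them is intended.
# shellcheck disable=SC2086
for certbegin in ${CERTBEGINLIST}; do
  certend=""
  for candidate in ${CERTENDLIST}; do
    if test "${candidate}" -gt "${certbegin}"; then
      certend=${candidate}
      break
    fi
  done

  # A start marker with no end marker after it (truncated input) used to be
  # dumped with the previous record's end line; skip it with a message.
  if [ -z "${certend}" ]; then
    echo "No end marker after line ${certbegin} of ${certdata}; skipping" >&2
    continue
  fi

  # Dump to a temp file with the name of the file as the beginning line number
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend candidate

mkdir -p certs || exit 1
rm -f -- certs/* # Make sure the directory is clean

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
  # With no extracted records the glob stays literal; nothing to do.
  [ -e "${tempfile}" ] || continue

  # Make sure that the cert is trusted...
  # Only a record whose ${TRUSTATTRIBUTES} line says TRUST_UNKNOWN or
  # NOT_TRUSTED is dropped.  Any other value (e.g. MUST_VERIFY_TRUST) and a
  # record with no ${TRUSTATTRIBUTES} line at all are accepted.  That is
  # the original behaviour, but it is looser than "explicitly trusted for
  # server auth"; tighten the pattern here if that is what the bundle must
  # guarantee.
  if grep "${TRUSTATTRIBUTES}" "${tempfile}" | grep -E -q "TRUST_UNKNOWN|NOT_TRUSTED"; then
    # Throw a meaningful error and remove the file
    cp "${tempfile}" tempfile.cer
    perl "${CONVERTSCRIPT}" > tempfile.crt
    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    echo "Certificate ${keyhash} is not trusted! Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # If execution made it to here in the loop, the temp cert is trusted
  # Find the cert data and generate a cert file for it
  cp "${tempfile}" tempfile.cer
  perl "${CONVERTSCRIPT}" > tempfile.crt
  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)

  # When conversion or parsing failed, keyhash is empty and the broken
  # output used to be moved to certs/.pem and swept into the bundle.
  if [ -z "${keyhash}" ]; then
    echo "Could not convert ${tempfile}; skipping" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
  echo "Certificate 8f111d69 is not trusted! Removing..."
  rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle; TEMPDIR is removed by the EXIT trap.
# With no certs/*.pem at all cat fails on the literal pattern, so an empty
# bundle is never left behind.
if ! cat certs/*.pem > "${BUNDLE}"; then
  echo "No certificates were generated; ${BUNDLE} not written" >&2
  rm -f -- "${BUNDLE}"
  exit 1
fi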