diff --git a/recipes/ca-certificates/make-ca.sh b/recipes/ca-certificates/make-ca.sh
new file mode 100644
index 0000000000000000000000000000000000000000..5150fc0cefc65b7a0219eec4cad3c4d37f6b8871
--- /dev/null
+++ b/recipes/ca-certificates/make-ca.sh
@@ -0,0 +1,732 @@
+#!/usr/bin/env bash
+# Begin /usr/sbin/make-ca.sh
+#
+# Script to create OpenSSL certs directory, GnuTLS certificate bundle, NSS
+# shared DB, and Java cacerts from upstream certdata.txt and local sources
+#
+# Authors: DJ Lucas
+# Bruce Dubbs
+#
+# Changes:
+#
+# 20170425 - Use p11-kit format anchors
+# - Add CKA_NSS_MOZILLA_CA_POLICY attribute for p11-kit anchors
+# - Add clientAuth OpenSSL attribute and (currently unused) NSS
+# CKA_TRUST_CLIENT_AUTH
+# 20170119 - Show trust bits on local certs
+# - Add version output for help2man
+# 20161210 - Add note about --force swich when same version
+# 20161126 - Add -D/--destdir switch
+# 20161124 - Add -f/--force switch to bypass version check
+# - Add multiple switches to allow for alternate localtions
+# - Add help text
+# 20161118 - Drop make-cert.pl script
+# - Add support for Java and NSSDB
+
+# Set defaults
+VERSION="20170425"
+CERTDATA="certdata.txt"
+PKIDIR="/etc/pki"
+SSLDIR="/etc/ssl"
+CERTUTIL="certutil"
+KEYTOOL="keytool"
+OPENSSL="openssl"
+ANCHORDIR="${PKIDIR}/anchors"
+CABUNDLE="${SSLDIR}/ca-bundle.crt"
+CERTDIR="${SSLDIR}/certs"
+KEYSTORE="${SSLDIR}/java/cacerts"
+NSSDB="${PKIDIR}/nssdb"
+LOCALDIR="${SSLDIR}/local"
+DESTDIR=""
+
+# Some data in the certs have UTF-8 characters
+export LANG=en_US.utf8
+
+TEMPDIR=$(mktemp -d)
+WORKDIR="${TEMPDIR}/work"
+WITH_NSS=1
+WITH_JAVA=1
+FORCE=0
+
+function get_args(){
+ while test -n "${1}" ; do
+ case "${1}" in
+ -C | --certdata)
+ check_arg $1 $2
+ CERTDATA="${2}"
+ shift 2
+ ;;
+ -D | --destdir)
+ check_arg $1 $2
+ DESTDIR="${2}"
+ shift 2
+ ;;
+ -P | --pkidir)
+ check_arg $1 $2
+ PKIDIR="${2}"
+ ANCHORDIR="${PKIDIR}/anchors"
+ NSSDB="${PKIDIR}/nssdb"
+ echo "${@}" | grep -e "-a " -e "--anchordir" \
+ -e "-n " -e "--nssdb" > /dev/null
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -a/--anchordir or -n/--nssdb switches."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -S | --ssldir)
+ check_arg $1 $2
+ SSLDIR="${2}"
+ CABUNDLE="${SSLDIR}/ca-bundle.crt"
+ CERTDIR="${SSLDIR}/certs"
+ KEYSTORE="${SSLDIR}/java/cacerts"
+ LOCALDIR="${SSLDIR}/local"
+ echo "${@}" | grep -e "-c " -e "--cafile" \
+ -e "-d " -e "--cadir" \
+ -e "-j " -e "--javacerts" > /dev/null
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -c/--cafile, -d/--cadir, or"
+ echo "-j/--javacerts switches."
+ echo ""
+ exit 3
+ fi
+
+ shift 2
+ ;;
+ -a | --anchordir)
+ check_arg $1 $2
+ ANCHORDIR="${2}"
+ echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -P/--pkidir switch."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -c | --cafile)
+ check_arg $1 $2
+ CABUNDLE="${2}"
+ echo "${@}" | grep -e "-S " -e "--ssldir" > /dev/null
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -S/--ssldir switch."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -d | --cadir)
+ check_arg $1 $2
+ CADIR="${2}"
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -S/--ssldir switch."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -j | --javacerts)
+ check_arg $1 $2
+ KEYSTORE="${2}"
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -S/--ssldir switch."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -l | --localdir)
+ check_arg $1 $2
+ LOCALDIR="${2}"
+ shift 2
+ ;;
+ -n | --nssdb)
+ check_arg $1 $2
+ NSSDB="${2}"
+ echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null
+ if test "${?}" == "0"; then
+ echo "Error! ${1} cannot be used with the -P/--pkidir switch."
+ echo ""
+ exit 3
+ fi
+ shift 2
+ ;;
+ -k | --keytool)
+ check_arg $1 $2
+ KEYTOOL="${2}"
+ shift 2
+ ;;
+ -s | --openssl)
+ check_arg $1 $2
+ OPENSSL="${2}"
+ shift 2
+ ;;
+ -t | --certutil)
+ check_arg $1 $2
+ CERTUTIL="${2}"
+ shift 2
+ ;;
+ -f | --force)
+ FORCE="1"
+ shift 1
+ ;;
+ -h | --help)
+ showhelp
+ exit 0
+ ;;
+ -v | --version)
+ echo -e "$(basename ${0}) ${VERSION}\n"
+ exit 0
+ ;;
+ *)
+ showhelp
+ exit 1
+ ;;
+ esac
+ done
+}
+
+function check_arg(){
+ echo "${2}" | grep -v "^-" > /dev/null
+ if [ -z "$?" -o ! -n "$2" ]; then
+ echo "Error: $1 requires a valid argument."
+ exit 1
+ fi
+}
+
+function showhelp(){
+ echo ""
+ echo "`basename ${0}` converts certdata.txt (provided by the Mozilla Foundation)"
+ echo "into a complete PKI distribution for use with LFS or like distributions."
+ echo ""
+ echo " -C --certdata The certdata.txt file (provided by Mozilla)"
+ echo " Default: ./certdata.txt"
+ echo ""
+ echo " -D --destdir Change the output directory and use relative"
+ echo " paths for all other values."
+ echo " Default: unset"
+ echo ""
+ echo " -P --pkidir The output PKI directory - Cannot be used with"
+ echo " the -a/--anchordir or -n/--nssdb switches"
+ echo " Default: /etc/pki"
+ echo ""
+ echo " -S --ssldir The output SSL root direcotry - Cannot be used"
+ echo " with the -c/--cafile, -d/--cadir, or"
+ echo " -j/--javacerts switches"
+ echo " Defualt: /etc/ssl"
+ echo ""
+ echo " -a --anchordir The output directory for OpenSSL trusted"
+ echo " CA certificates used as trust anchors."
+ echo " Default: \$PKIDIR/anchors"
+ echo ""
+ echo " -c --cafile The output filename for the PEM formated bundle"
+ echo " Default: \$SSLDIR/ca-bundle.crt"
+ echo ""
+ echo " -d --cadir The output directory for the OpenSSL trusted"
+ echo " CA certificates"
+ echo " Deault: \$SSLDIR/certs/"
+ echo ""
+ echo " -j --javacerts The output path for the Java cacerts file"
+ echo " Default: \$SSLDIR/java/cacerts"
+ echo ""
+ echo " -l --localdir The path to a local set of OpenSSL trusted"
+ echo " certificates to include in the output"
+ echo " Default: \$SSLDIR/local"
+ echo ""
+ echo " -n --nssdb The output path for the shared NSS DB"
+ echo " Default: \$PKIDIR/nssdb"
+ echo ""
+ echo " -k --keytool The path to the java keytool utility"
+ echo ""
+ echo " -s --openssl The path to the openssl utility"
+ echo ""
+ echo " -t --certutil The path the certutil utility"
+ echo ""
+ echo " -f --force Force run, even if source is not newer"
+ echo ""
+ echo " -h --help Show this help message and exit"
+ echo ""
+ echo " -v --version Show version information and exit"
+ echo ""
+ echo "Example: `basename ${0}` -f -C ~/certdata.txt"
+ echo ""
+}
+
+# Convert CKA_TRUST values to trust flags for certutil
+function convert_trust(){
+ case $1 in
+ CKT_NSS_TRUSTED_DELEGATOR)
+ echo "C"
+ ;;
+ CKT_NSS_NOT_TRUSTED)
+ echo "p"
+ ;;
+ CKT_NSS_MUST_VERIFY_TRUST)
+ echo ""
+ ;;
+ esac
+}
+
+function convert_trust_arg(){
+ case $1 in
+ C)
+ case $2 in
+ sa)
+ echo "-addtrust serverAuth"
+ ;;
+ sm)
+ echo "-addtrust emailProtection"
+ ;;
+ cs)
+ echo "-addtrust codeSigning"
+ ;;
+ ca)
+ echo "-addtrust clientAuth"
+ ;;
+ esac
+ ;;
+ p)
+ case $2 in
+ sa)
+ echo "-addreject serverAuth"
+ ;;
+ sm)
+ echo "-addreject emailProtection"
+ ;;
+ cs)
+ echo "-addreject codeSigning"
+ ;;
+ ca)
+ echo "-addreject clientAuth"
+ ;;
+ esac
+ ;;
+ *)
+ echo ""
+ ;;
+ esac
+}
+
+# Define p11-kit ext value constants (see p11-kit API documentation)
+get-p11-val() {
+ case $1 in
+ p11sasmcs)
+ p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ ;;
+
+ p11sasm)
+ p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
+ ;;
+
+ p11sacs)
+ p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ ;;
+
+ p11sa)
+ p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%01"
+ ;;
+
+ p11smcs)
+ p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%03"
+ ;;
+
+ p11sm)
+ p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%04"
+ ;;
+
+ p11cs)
+ p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%03"
+ ;;
+
+ p11)
+ p11value="0%18%06%03U%1d%25%01%01%ff%04%0e0%0c%06%0a%2b%06%01%04%01%99w%06%0a%10"
+ ;;
+ esac
+}
+
+# Process command line arguments
+get_args $@
+
+if test ! -r "${CERTDATA}"; then
+ echo "${CERTDATA} was not found. The certdata.txt file must be in the local"
+ echo "directory, or speficied with the --certdata switch."
+ exit 1
+fi
+
+test -f "${CERTUTIL}" || WITH_NSS=0
+test -f "${KEYTOOL}" || WITH_JAVA=0
+
+VERSION=$(grep CVS_ID "${CERTDATA}" | cut -d " " -f 8)
+
+if test "${VERSION}x" == "x"; then
+ echo "WARNING! ${CERTDATA} has no 'Revision' in CVS_ID"
+ echo "Will run conversion unconditionally."
+ sleep 2
+ VERSION="$(date -u +%Y%m%d-%H%M)"
+else
+ if test "${FORCE}" == "1"; then
+ echo "Output forced. Will run conversion unconditionally."
+ sleep 2
+ elif test "${DESTDIR}x" == "x"; then
+ test -f "${CABUNDLE}" &&
+ OLDVERSION=$(grep "^VERSION:" "${CABUNDLE}" | cut -d ":" -f 2)
+ fi
+fi
+
+if test "${OLDVERSION}x" == "${VERSION}x"; then
+ echo "No update required! Use --force to update anyway."
+ exit 0
+fi
+
+mkdir -p "${TEMPDIR}"/{certs,ssl/{certs,java},pki/{nssdb,anchors},work}
+cp "${CERTDATA}" "${WORKDIR}/certdata.txt"
+pushd "${WORKDIR}" > /dev/null
+
+if test "${WITH_NSS}" == "1"; then
+ # Create a blank NSS DB
+ "${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
+fi
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=`grep -n "^# Certificate" "${WORKDIR}/certdata.txt" | \
+ cut -d ":" -f1`
+
+# Dump individual certs to temp file
+for certbegin in ${CERTBEGINLIST}; do
+ awk "NR==$certbegin,/^CKA_TRUST_STEP_UP_APPROVED/" "${WORKDIR}/certdata.txt" \
+ > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST certbegin
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+ # Get a name for the cert
+ certname="$(grep "^# Certificate" "${tempfile}" | cut -d '"' -f 2)"
+
+ # Determine certificate trust values for SSL/TLS, S/MIME, and Code Signing
+ satrust="$(convert_trust `grep '^CKA_TRUST_SERVER_AUTH' ${tempfile} | \
+ cut -d " " -f 3`)"
+ smtrust="$(convert_trust `grep '^CKA_TRUST_EMAIL_PROTECTION' ${tempfile} | \
+ cut -d " " -f 3`)"
+ cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${tempfile} | \
+ cut -d " " -f 3`)"
+ # Not currently included in NSS certdata.txt
+ #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${tempfile} | \
+ # cut -d " " -f 3`)"
+
+ # Get args for OpenSSL trust settings
+ saarg="$(convert_trust_arg "${satrust}" sa)"
+ smarg="$(convert_trust_arg "${smtrust}" sm)"
+ csarg="$(convert_trust_arg "${cstrust}" cs)"
+ # Not currently included in NSS certdata.txt
+ #caarg="$(convert_trust_arg "${catrust}" ca)"
+
+ # Convert to a PEM formated certificate
+ printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
+ "${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
+ > tempfile.crt
+
+ # Get individual values for certificates
+ certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
+ certcer="$(${OPENSSL} x509 -in tempfile.crt)"
+ certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
+
+ # Get p11-kit label, oid, and values
+ p11label="$(grep -m1 "Issuer" ${tempfile} | grep -o CN=.*$ | \
+ cut -d ',' -f 1 | sed 's@CN=@@')"
+
+ # if distrusted at all, x-distrusted
+ if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
+ then
+ # if any distrusted, x-distrusted
+ p11trust="x-distrusted: true"
+ p11oid="1.3.6.1.4.1.3319.6.10.1"
+ p11value="0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ else
+ p11trust="trusted: true"
+ p11oid="2.5.29.37"
+ trustp11="p11"
+ if test "${satrust}" == "C"; then
+ trustp11="${trustp11}sa"
+ fi
+ if test "${smtrust}" == "C"; then
+ trustp11="${trustp11}sm"
+ fi
+ if test "${cstrust}" == "C"; then
+ trustp11="${trustp11}cs"
+ fi
+ get-p11-val "${trustp11}"
+ fi
+
+ # Get a hash for the cert
+ keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
+
+ # Print information about cert
+ echo "Certificate: ${certname}"
+ echo "Keyhash: ${keyhash}"
+
+ # Place certificate into trust anchors dir
+ anchorfile="${TEMPDIR}/pki/anchors/${keyhash}.pem"
+ echo "[p11-kit-object-v1]" >> "${anchorfile}"
+ echo "label: \"${p11label}\"" >> "${anchorfile}"
+ echo "class: x-certificate-extension" >> "${anchorfile}"
+ echo "object-id: ${p11oid}" >> "${anchorfile}"
+ echo "value: \"${p11value}\"" >> "${anchorfile}"
+ echo "modifiable: false" >> "${anchorfile}"
+ echo "${certkey}" >> "${anchorfile}"
+ echo "" >> "${anchorfile}"
+ echo "[p11-kit-object-v1]" >> "${anchorfile}"
+ echo "label: \"${p11label}\"" >> "${anchorfile}"
+ echo "${p11trust}" >> "${anchorfile}"
+ echo "nss-mozilla-ca-policy: true" >> "${anchorfile}"
+ echo "modifiable: false" >> "${anchorfile}"
+ echo "${certcer}" >> "${anchorfile}"
+ echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
+ echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
+
+
+ # Import certificates trusted for SSL/TLS into the Java keystore and
+ # GnuTLS certificate bundle
+ if test "${satrust}x" == "Cx"; then
+ # Java keystore
+ if test "${WITH_JAVA}" == "1"; then
+ "${KEYTOOL}" -import -noprompt -alias "${certname}" \
+ -keystore "${TEMPDIR}/ssl/java/cacerts" \
+ -storepass 'changeit' -file tempfile.crt \
+ 2>&1> /dev/null | \
+ sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+ fi
+
+ # GnuTLS certificate bundle
+ cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
+ echo "Added to GnuTLS ceritificate bundle."
+ fi
+
+ # Import certificate into the temporary certificate directory with
+ # trust arguments
+ "${OPENSSL}" x509 -in tempfile.crt -text -fingerprint \
+ -setalias "${certname}" ${saarg} ${smarg} ${csarg} \
+ > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+ echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust}'."
+
+ # Import all certificates with trust args to the temporary NSS DB
+ if test "${WITH_NSS}" == "1"; then
+ "${CERTUTIL}" -d "sql:${TEMPDIR}/pki/nssdb" -A \
+ -t "${satrust},${smtrust},${cstrust}" \
+ -n "${certname}" -i tempfile.crt
+ echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
+ fi
+
+ # Clean up the directory and environment as we go
+ rm -f tempfile.crt
+ unset keyhash subject certname
+ unset satrust smtrust cstrust catrust sarg smarg csarg caarg
+ unset p11trust p11oid p11value trustp11 certkey certcer certtxt
+ echo -e "\n"
+done
+unset tempfile
+
+# Sanity check
+count=$(ls "${TEMPDIR}"/ssl/certs/*.pem | wc -l)
+# Historically there have been between 152 and 165 certs
+# A minimum of 140 should be safe for a rudimentry sanity check
+if test "${count}" -lt "140" ; then
+ echo "Error! Only ${count} certificates were generated!"
+ echo "Exiting without update!"
+ echo ""
+ echo "${TEMPDIR} is the temporary working directory"
+ exit 2
+fi
+unset count
+
+# Generate the bundle
+bundlefile=`basename "${CABUNDLE}"`
+bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
+install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
+test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
+ "${DESTDIR}${CABUNDLE}.old"
+echo "VERSION:${VERSION}" > "${DESTDIR}${CABUNDLE}"
+cat "${TEMPDIR}/ssl/ca-bundle.crt.tmp" >> "${DESTDIR}${CABUNDLE}" &&
+rm -f "${DESTDIR}${CABUNDLE}.old"
+unset bundlefile bundledir
+
+# Install Java Cacerts
+if test "${WITH_JAVA}" == "1"; then
+ javafile=`basename "${KEYSTORE}"`
+ javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
+ install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
+ test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
+ "${DESTDIR}${KEYSTORE}.old"
+ install -m644 "${TEMPDIR}/ssl/java/cacerts" "${DESTDIR}${KEYSTORE}" &&
+ rm -f "${DESTDIR}${KEYSTORE}.old"
+ unset javafile javadir
+fi
+
+# Install NSS Shared DB
+if test "${WITH_NSS}" == "1"; then
+ sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
+ -e 's/library=/library=libnsssysinit.so/' \
+ -e 's/Flags=internal/Flags=internal,moduleDBOnly/' \
+ -i "${TEMPDIR}/pki/nssdb/pkcs11.txt"
+ test -d "${DESTDIR}${NSSDB}" && mv "${DESTDIR}${NSSDB}" \
+ "${DESTDIR}${NSSDB}.old"
+ install -dm755 "${DESTDIR}${NSSDB}" 2>&1>/dev/null
+ install -m644 "${TEMPDIR}"/pki/nssdb/{cert9.db,key4.db,pkcs11.txt} \
+ "${DESTDIR}${NSSDB}" &&
+ rm -rf "${DESTDIR}${NSSDB}.old"
+fi
+
+# Install anchors in $ANCHORDIR
+test -d "${DESTDIR}${ANCHORDIR}" && mv "${DESTDIR}${ANCHORDIR}"\
+ "${DESTDIR}${ANCHORDIR}.old"
+install -dm755 "${DESTDIR}${ANCHORDIR}" 2>&1>/dev/null
+install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}" &&
+rm -rf "${DESTDIR}${ANCHORDIR}.old"
+
+# Install certificates in $CERTDIR
+test -d "${DESTDIR}${CERTDIR}" && mv "${DESTDIR}${CERTDIR}" \
+ "${DESTDIR}${CERTDIR}.old"
+install -dm755 "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
+install -m644 "${TEMPDIR}"/ssl/certs/*.pem "${DESTDIR}${CERTDIR}" &&
+rm -rf "${DESTDIR}${CERTDIR}.old"
+
+# Import any certs in $LOCALDIR
+# Don't do any checking, just trust the admin
+if test -d "${LOCALDIR}"; then
+ for cert in `find "${LOCALDIR}" -name "*.pem"`; do
+ # Get some information about the certificate
+ keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
+ subject=$("${OPENSSL}" x509 -noout -in "${cert}" -subject)
+ count=1
+ while test "${count}" -lt 10; do
+ echo "${subject}" | cut -d "/" -f "${count}" | grep "CN=" >/dev/null \
+ && break
+ let count++
+ done
+ certname=$(echo "${subject}" | cut -d "/" -f "${count}" | sed 's@CN=@@')
+
+ echo "Certificate: ${certname}"
+ echo "Keyhash: ${keyhash}"
+
+ # Get trust information
+ trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+ grep -A1 "Trusted Uses")
+ satrust=""
+ smtrust=""
+ cstrust=""
+ catrust=""
+ satrust=$(echo "${trustlist}" | \
+ grep "TLS Web Server" 2>&1> /dev/null && echo "C")
+ smtrust=$(echo "${trustlist}" | \
+ grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
+ cstrust=$(echo "${trustlist}" | \
+ grep "Code Signing" 2>&1 >/dev/null && echo "C")
+ catrust=$(echo "${trustlist}" | \
+ grep "Client Auth" 2>&1 >/dev/null && echo "C")
+
+ # Get reject information
+ rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+ grep -A1 "Rejected Uses")
+ if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
+ grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi
+ if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
+ grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi
+ if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
+ grep "Code Signing" 2>&1> /dev/null && echo "p"); fi
+ if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
+ grep "Client Auth" 2>&1> /dev/null && echo "p"); fi
+
+
+ # Place certificate into trust anchors dir
+ p11label="$(grep -m1 "Issuer" ${cert} | grep -o CN=.*$ | \
+ cut -d ',' -f 1 | sed 's@CN=@@')"
+
+ # if distrusted at all, x-distrusted
+ if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
+ then
+ # if any distrusted, x-distrusted
+ p11trust="x-distrusted: true"
+ p11oid="1.3.6.1.4.1.3319.6.10.1"
+ p11value="0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ else
+ p11trust="trusted: true"
+ p11oid="2.5.29.37"
+ trustp11="p11"
+ if test "${satrust}" == "C"; then
+ trustp11="${trustp11}sa"
+ fi
+ if test "${smtrust}" == "C"; then
+ trustp11="${trustp11}sm"
+ fi
+ if test "${cstrust}" == "C"; then
+ trustp11="${trustp11}cs"
+ fi
+ get-p11-val "${trustp11}"
+ fi
+
+ anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem"
+
+ echo "[p11-kit-object-v1]" >> "${anchorfile}"
+ echo "label: \"${p11label}\"" >> "${anchorfile}"
+ echo "class: x-certificate-extension" >> "${anchorfile}"
+ echo "object-id: ${p11oid}" >> "${anchorfile}"
+ echo "value: \"${p11value}\"" >> "${anchorfile}"
+ echo "modifiable: false" >> "${anchorfile}"
+ echo "${certkey}" >> "${anchorfile}"
+ echo "" >> "${anchorfile}"
+ echo "[p11-kit-object-v1]" >> "${anchorfile}"
+ echo "label: \"${p11label}\"" >> "${anchorfile}"
+ echo "${p11trust}" >> "${anchorfile}"
+ echo "modifiable: false" >> "${anchorfile}"
+ echo "${certcer}" >> "${anchorfile}"
+ echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
+ echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
+
+ # Install in Java keystore
+ if test "${WITH_JAVA}" == "1" -a "${satrust}x" == "Cx"; then
+ "${KEYTOOL}" -import -noprompt -alias "${certname}" \
+ -keystore "${DESTDIR}${KEYSTORE}" \
+ -storepass 'changeit' -file "${cert}" 2>&1> /dev/null | \
+ sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+ fi
+
+ # Append to the bundle - source should have trust info, process with
+ # openssl x509 to strip
+ if test "${satrust}x" == "Cx"; then
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ >> "${DESTDIR}${CABUNDLE}"
+ echo "Added to GnuTLS certificate bundle."
+ fi
+
+ # Install into OpenSSL certificate store
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ -setalias "${certname}" \
+ >> "${DESTDIR}${CERTDIR}/${keyhash}.pem"
+ echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust},${catrust}'."
+
+ # Add to Shared NSS DB
+ if test "${WITH_NSS}" == "1"; then
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint | \
+ "${CERTUTIL}" -d "sql:${DESTDIR}${NSSDB}" -A \
+ -t "${satrust},${smtrust},${cstrust}" \
+ -n "${certname}"
+ echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
+ fi
+
+ unset keyhash subject count certname
+ unset trustlist rejectlist satrust smtrust cstrust catrust
+ unset p11trust p11oid p11value trustp11 certkey certcer certtxt
+ echo ""
+
+ done
+ unset cert
+fi
+
+c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
+popd > /dev/null
+
+# Clean up the mess
+rm -rf "${TEMPDIR}"
+
+# End /usr/sbin/make-ca.sh
diff --git a/recipes/ca-certificates/make-ca.sh.patch b/recipes/ca-certificates/make-ca.sh.patch
deleted file mode 100644
index 648d9ca8dbe822cf8b90bd6c8705267c01970d48..0000000000000000000000000000000000000000
--- a/recipes/ca-certificates/make-ca.sh.patch
+++ /dev/null
@@ -1,30 +0,0 @@
---- source/make-ca.sh 2018-08-25 17:38:12.512463896 +0200
-+++ build/make-ca.sh 2018-09-23 14:45:12.492919202 +0200
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/env bash
- # Begin /usr/sbin/make-ca.sh
- #
- # Script to create OpenSSL certs directory, GnuTLS certificate bundle, NSS
-@@ -28,9 +28,9 @@
- CERTDATA="certdata.txt"
- PKIDIR="/etc/pki"
- SSLDIR="/etc/ssl"
--CERTUTIL="/usr/bin/certutil"
--KEYTOOL="/opt/jdk/bin/keytool"
--OPENSSL="/usr/bin/openssl"
-+CERTUTIL="certutil"
-+KEYTOOL="keytool"
-+OPENSSL="openssl"
- ANCHORDIR="${PKIDIR}/anchors"
- CABUNDLE="${SSLDIR}/ca-bundle.crt"
- CERTDIR="${SSLDIR}/certs"
-@@ -723,7 +723,7 @@
- unset cert
- fi
-
--/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
-+c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
- popd > /dev/null
-
- # Clean up the mess
diff --git a/recipes/ca-certificates/recipe.sh b/recipes/ca-certificates/recipe.sh
index 09e56fdf68a4cb493db5440236997f151959a583..e89df590cea4b152d4325692d4381afc98811bd0 100644
--- a/recipes/ca-certificates/recipe.sh
+++ b/recipes/ca-certificates/recipe.sh
@@ -9,8 +9,11 @@ function recipe_fetch {
mkdir source
fi
pushd source
- curl -o make-ca.sh --time-cond make-ca.sh http://anduin.linuxfromscratch.org/BLFS/other/make-ca.sh-20170514
- curl -o certdata.txt --time-cond certdata.txt http://anduin.linuxfromscratch.org/BLFS/other/certdata.txt
+ cp ../make-ca.sh make-ca.sh
+ curl \
+ -o certdata.txt \
+ --time-cond certdata.txt \
+ https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
popd
skip=1
}