From ea52c5951a109a33d2c825f98bb59a021b3a61a0 Mon Sep 17 00:00:00 2001
From: jD91mZM2 <me@krake.one>
Date: Tue, 8 May 2018 14:40:00 +0200
Subject: [PATCH] Delete accidentally commited dir
---
recipes/ca-certificates/source2/make-ca.sh | 732 ---------------------
1 file changed, 732 deletions(-)
delete mode 100644 recipes/ca-certificates/source2/make-ca.sh
diff --git a/recipes/ca-certificates/source2/make-ca.sh b/recipes/ca-certificates/source2/make-ca.sh
deleted file mode 100644
index 473d00a9e..000000000
--- a/recipes/ca-certificates/source2/make-ca.sh
+++ /dev/null
@@ -1,732 +0,0 @@
-#!/usr/bin/env bash
-# Begin /usr/sbin/make-ca.sh
-#
-# Script to create OpenSSL certs directory, GnuTLS certificate bundle, NSS
-# shared DB, and Java cacerts from upstream certdata.txt and local sources
-#
-# Authors: DJ Lucas
-# Bruce Dubbs
-#
-# Changes:
-#
-# 20170425 - Use p11-kit format anchors
-# - Add CKA_NSS_MOZILLA_CA_POLICY attribute for p11-kit anchors
-# - Add clientAuth OpenSSL attribute and (currently unused) NSS
-# CKA_TRUST_CLIENT_AUTH
-# 20170119 - Show trust bits on local certs
-# - Add version output for help2man
-# 20161210 - Add note about --force swich when same version
-# 20161126 - Add -D/--destdir switch
-# 20161124 - Add -f/--force switch to bypass version check
-# - Add multiple switches to allow for alternate localtions
-# - Add help text
-# 20161118 - Drop make-cert.pl script
-# - Add support for Java and NSSDB
-
-# Set defaults
-VERSION="20170425"
-CERTDATA="certdata.txt"
-PKIDIR="/etc/pki"
-SSLDIR="/etc/ssl"
-CERTUTIL="certutil"
-KEYTOOL="keytool"
-OPENSSL="openssl"
-ANCHORDIR="${PKIDIR}/anchors"
-CABUNDLE="${SSLDIR}/ca-bundle.crt"
-CERTDIR="${SSLDIR}/certs"
-KEYSTORE="${SSLDIR}/java/cacerts"
-NSSDB="${PKIDIR}/nssdb"
-LOCALDIR="${SSLDIR}/local"
-DESTDIR=""
-
-# Some data in the certs have UTF-8 characters
-export LANG=en_US.utf8
-
-TEMPDIR=$(mktemp -d)
-WORKDIR="${TEMPDIR}/work"
-WITH_NSS=1
-WITH_JAVA=1
-FORCE=0
-
-function get_args(){
- while test -n "${1}" ; do
- case "${1}" in
- -C | --certdata)
- check_arg $1 $2
- CERTDATA="${2}"
- shift 2
- ;;
- -D | --destdir)
- check_arg $1 $2
- DESTDIR="${2}"
- shift 2
- ;;
- -P | --pkidir)
- check_arg $1 $2
- PKIDIR="${2}"
- ANCHORDIR="${PKIDIR}/anchors"
- NSSDB="${PKIDIR}/nssdb"
- echo "${@}" | grep -e "-a " -e "--anchordir" \
- -e "-n " -e "--nssdb" > /dev/null
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -a/--anchordir or -n/--nssdb switches."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -S | --ssldir)
- check_arg $1 $2
- SSLDIR="${2}"
- CABUNDLE="${SSLDIR}/ca-bundle.crt"
- CERTDIR="${SSLDIR}/certs"
- KEYSTORE="${SSLDIR}/java/cacerts"
- LOCALDIR="${SSLDIR}/local"
- echo "${@}" | grep -e "-c " -e "--cafile" \
- -e "-d " -e "--cadir" \
- -e "-j " -e "--javacerts" > /dev/null
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -c/--cafile, -d/--cadir, or"
- echo "-j/--javacerts switches."
- echo ""
- exit 3
- fi
-
- shift 2
- ;;
- -a | --anchordir)
- check_arg $1 $2
- ANCHORDIR="${2}"
- echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -P/--pkidir switch."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -c | --cafile)
- check_arg $1 $2
- CABUNDLE="${2}"
- echo "${@}" | grep -e "-S " -e "--ssldir" > /dev/null
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -S/--ssldir switch."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -d | --cadir)
- check_arg $1 $2
- CADIR="${2}"
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -S/--ssldir switch."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -j | --javacerts)
- check_arg $1 $2
- KEYSTORE="${2}"
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -S/--ssldir switch."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -l | --localdir)
- check_arg $1 $2
- LOCALDIR="${2}"
- shift 2
- ;;
- -n | --nssdb)
- check_arg $1 $2
- NSSDB="${2}"
- echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null
- if test "${?}" == "0"; then
- echo "Error! ${1} cannot be used with the -P/--pkidir switch."
- echo ""
- exit 3
- fi
- shift 2
- ;;
- -k | --keytool)
- check_arg $1 $2
- KEYTOOL="${2}"
- shift 2
- ;;
- -s | --openssl)
- check_arg $1 $2
- OPENSSL="${2}"
- shift 2
- ;;
- -t | --certutil)
- check_arg $1 $2
- CERTUTIL="${2}"
- shift 2
- ;;
- -f | --force)
- FORCE="1"
- shift 1
- ;;
- -h | --help)
- showhelp
- exit 0
- ;;
- -v | --version)
- echo -e "$(basename ${0}) ${VERSION}\n"
- exit 0
- ;;
- *)
- showhelp
- exit 1
- ;;
- esac
- done
-}
-
-function check_arg(){
- echo "${2}" | grep -v "^-" > /dev/null
- if [ -z "$?" -o ! -n "$2" ]; then
- echo "Error: $1 requires a valid argument."
- exit 1
- fi
-}
-
-function showhelp(){
- echo ""
- echo "`basename ${0}` converts certdata.txt (provided by the Mozilla Foundation)"
- echo "into a complete PKI distribution for use with LFS or like distributions."
- echo ""
- echo " -C --certdata The certdata.txt file (provided by Mozilla)"
- echo " Default: ./certdata.txt"
- echo ""
- echo " -D --destdir Change the output directory and use relative"
- echo " paths for all other values."
- echo " Default: unset"
- echo ""
- echo " -P --pkidir The output PKI directory - Cannot be used with"
- echo " the -a/--anchordir or -n/--nssdb switches"
- echo " Default: /etc/pki"
- echo ""
- echo " -S --ssldir The output SSL root direcotry - Cannot be used"
- echo " with the -c/--cafile, -d/--cadir, or"
- echo " -j/--javacerts switches"
- echo " Defualt: /etc/ssl"
- echo ""
- echo " -a --anchordir The output directory for OpenSSL trusted"
- echo " CA certificates used as trust anchors."
- echo " Default: \$PKIDIR/anchors"
- echo ""
- echo " -c --cafile The output filename for the PEM formated bundle"
- echo " Default: \$SSLDIR/ca-bundle.crt"
- echo ""
- echo " -d --cadir The output directory for the OpenSSL trusted"
- echo " CA certificates"
- echo " Deault: \$SSLDIR/certs/"
- echo ""
- echo " -j --javacerts The output path for the Java cacerts file"
- echo " Default: \$SSLDIR/java/cacerts"
- echo ""
- echo " -l --localdir The path to a local set of OpenSSL trusted"
- echo " certificates to include in the output"
- echo " Default: \$SSLDIR/local"
- echo ""
- echo " -n --nssdb The output path for the shared NSS DB"
- echo " Default: \$PKIDIR/nssdb"
- echo ""
- echo " -k --keytool The path to the java keytool utility"
- echo ""
- echo " -s --openssl The path to the openssl utility"
- echo ""
- echo " -t --certutil The path the certutil utility"
- echo ""
- echo " -f --force Force run, even if source is not newer"
- echo ""
- echo " -h --help Show this help message and exit"
- echo ""
- echo " -v --version Show version information and exit"
- echo ""
- echo "Example: `basename ${0}` -f -C ~/certdata.txt"
- echo ""
-}
-
-# Convert CKA_TRUST values to trust flags for certutil
-function convert_trust(){
- case $1 in
- CKT_NSS_TRUSTED_DELEGATOR)
- echo "C"
- ;;
- CKT_NSS_NOT_TRUSTED)
- echo "p"
- ;;
- CKT_NSS_MUST_VERIFY_TRUST)
- echo ""
- ;;
- esac
-}
-
-function convert_trust_arg(){
- case $1 in
- C)
- case $2 in
- sa)
- echo "-addtrust serverAuth"
- ;;
- sm)
- echo "-addtrust emailProtection"
- ;;
- cs)
- echo "-addtrust codeSigning"
- ;;
- ca)
- echo "-addtrust clientAuth"
- ;;
- esac
- ;;
- p)
- case $2 in
- sa)
- echo "-addreject serverAuth"
- ;;
- sm)
- echo "-addreject emailProtection"
- ;;
- cs)
- echo "-addreject codeSigning"
- ;;
- ca)
- echo "-addreject clientAuth"
- ;;
- esac
- ;;
- *)
- echo ""
- ;;
- esac
-}
-
-# Define p11-kit ext value constants (see p11-kit API documentation)
-get-p11-val() {
- case $1 in
- p11sasmcs)
- p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
- ;;
-
- p11sasm)
- p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
- ;;
-
- p11sacs)
- p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
- ;;
-
- p11sa)
- p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%01"
- ;;
-
- p11smcs)
- p11value="0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%03"
- ;;
-
- p11sm)
- p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%04"
- ;;
-
- p11cs)
- p11value="0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%03"
- ;;
-
- p11)
- p11value="0%18%06%03U%1d%25%01%01%ff%04%0e0%0c%06%0a%2b%06%01%04%01%99w%06%0a%10"
- ;;
- esac
-}
-
-# Process command line arguments
-get_args $@
-
-if test ! -r "${CERTDATA}"; then
- echo "${CERTDATA} was not found. The certdata.txt file must be in the local"
- echo "directory, or speficied with the --certdata switch."
- exit 1
-fi
-
-test -f "${CERTUTIL}" || WITH_NSS=0
-test -f "${KEYTOOL}" || WITH_JAVA=0
-
-VERSION=$(grep CVS_ID "${CERTDATA}" | cut -d " " -f 8)
-
-if test "${VERSION}x" == "x"; then
- echo "WARNING! ${CERTDATA} has no 'Revision' in CVS_ID"
- echo "Will run conversion unconditionally."
- sleep 2
- VERSION="$(date -u +%Y%m%d-%H%M)"
-else
- if test "${FORCE}" == "1"; then
- echo "Output forced. Will run conversion unconditionally."
- sleep 2
- elif test "${DESTDIR}x" == "x"; then
- test -f "${CABUNDLE}" &&
- OLDVERSION=$(grep "^VERSION:" "${CABUNDLE}" | cut -d ":" -f 2)
- fi
-fi
-
-if test "${OLDVERSION}x" == "${VERSION}x"; then
- echo "No update required! Use --force to update anyway."
- exit 0
-fi
-
-mkdir -p "${TEMPDIR}"/{certs,ssl/{certs,java},pki/{nssdb,anchors},work}
-cp "${CERTDATA}" "${WORKDIR}/certdata.txt"
-pushd "${WORKDIR}" > /dev/null
-
-if test "${WITH_NSS}" == "1"; then
- # Create a blank NSS DB
- "${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
-fi
-
-# Get a list of starting lines for each cert
-CERTBEGINLIST=`grep -n "^# Certificate" "${WORKDIR}/certdata.txt" | \
- cut -d ":" -f1`
-
-# Dump individual certs to temp file
-for certbegin in ${CERTBEGINLIST}; do
- awk "NR==$certbegin,/^CKA_TRUST_STEP_UP_APPROVED/" "${WORKDIR}/certdata.txt" \
- > "${TEMPDIR}/certs/${certbegin}.tmp"
-done
-
-unset CERTBEGINLIST certbegin
-
-for tempfile in ${TEMPDIR}/certs/*.tmp; do
- # Get a name for the cert
- certname="$(grep "^# Certificate" "${tempfile}" | cut -d '"' -f 2)"
-
- # Determine certificate trust values for SSL/TLS, S/MIME, and Code Signing
- satrust="$(convert_trust `grep '^CKA_TRUST_SERVER_AUTH' ${tempfile} | \
- cut -d " " -f 3`)"
- smtrust="$(convert_trust `grep '^CKA_TRUST_EMAIL_PROTECTION' ${tempfile} | \
- cut -d " " -f 3`)"
- cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${tempfile} | \
- cut -d " " -f 3`)"
- # Not currently included in NSS certdata.txt
- #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${tempfile} | \
- # cut -d " " -f 3`)"
-
- # Get args for OpenSSL trust settings
- saarg="$(convert_trust_arg "${satrust}" sa)"
- smarg="$(convert_trust_arg "${smtrust}" sm)"
- csarg="$(convert_trust_arg "${cstrust}" cs)"
- # Not currently included in NSS certdata.txt
- #caarg="$(convert_trust_arg "${catrust}" ca)"
-
- # Convert to a PEM formated certificate
- printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
- "${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
- > tempfile.crt
-
- # Get individual values for certificates
- certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
- certcer="$(${OPENSSL} x509 -in tempfile.crt)"
- certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
-
- # Get p11-kit label, oid, and values
- p11label="$(grep -m1 "Issuer" ${tempfile} | grep -o CN=.*$ | \
- cut -d ',' -f 1 | sed 's@CN=@@')"
-
- # if distrusted at all, x-distrusted
- if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
- then
- # if any distrusted, x-distrusted
- p11trust="x-distrusted: true"
- p11oid="1.3.6.1.4.1.3319.6.10.1"
- p11value="0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
- else
- p11trust="trusted: true"
- p11oid="2.5.29.37"
- trustp11="p11"
- if test "${satrust}" == "C"; then
- trustp11="${trustp11}sa"
- fi
- if test "${smtrust}" == "C"; then
- trustp11="${trustp11}sm"
- fi
- if test "${cstrust}" == "C"; then
- trustp11="${trustp11}cs"
- fi
- get-p11-val "${trustp11}"
- fi
-
- # Get a hash for the cert
- keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
-
- # Print information about cert
- echo "Certificate: ${certname}"
- echo "Keyhash: ${keyhash}"
-
- # Place certificate into trust anchors dir
- anchorfile="${TEMPDIR}/pki/anchors/${keyhash}.pem"
- echo "[p11-kit-object-v1]" >> "${anchorfile}"
- echo "label: \"${p11label}\"" >> "${anchorfile}"
- echo "class: x-certificate-extension" >> "${anchorfile}"
- echo "object-id: ${p11oid}" >> "${anchorfile}"
- echo "value: \"${p11value}\"" >> "${anchorfile}"
- echo "modifiable: false" >> "${anchorfile}"
- echo "${certkey}" >> "${anchorfile}"
- echo "" >> "${anchorfile}"
- echo "[p11-kit-object-v1]" >> "${anchorfile}"
- echo "label: \"${p11label}\"" >> "${anchorfile}"
- echo "${p11trust}" >> "${anchorfile}"
- echo "nss-mozilla-ca-policy: true" >> "${anchorfile}"
- echo "modifiable: false" >> "${anchorfile}"
- echo "${certcer}" >> "${anchorfile}"
- echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
- echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
-
-
- # Import certificates trusted for SSL/TLS into the Java keystore and
- # GnuTLS certificate bundle
- if test "${satrust}x" == "Cx"; then
- # Java keystore
- if test "${WITH_JAVA}" == "1"; then
- "${KEYTOOL}" -import -noprompt -alias "${certname}" \
- -keystore "${TEMPDIR}/ssl/java/cacerts" \
- -storepass 'changeit' -file tempfile.crt \
- 2>&1> /dev/null | \
- sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
- fi
-
- # GnuTLS certificate bundle
- cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
- echo "Added to GnuTLS ceritificate bundle."
- fi
-
- # Import certificate into the temporary certificate directory with
- # trust arguments
- "${OPENSSL}" x509 -in tempfile.crt -text -fingerprint \
- -setalias "${certname}" ${saarg} ${smarg} ${csarg} \
- > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
- echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust}'."
-
- # Import all certificates with trust args to the temporary NSS DB
- if test "${WITH_NSS}" == "1"; then
- "${CERTUTIL}" -d "sql:${TEMPDIR}/pki/nssdb" -A \
- -t "${satrust},${smtrust},${cstrust}" \
- -n "${certname}" -i tempfile.crt
- echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
- fi
-
- # Clean up the directory and environment as we go
- rm -f tempfile.crt
- unset keyhash subject certname
- unset satrust smtrust cstrust catrust sarg smarg csarg caarg
- unset p11trust p11oid p11value trustp11 certkey certcer certtxt
- echo -e "\n"
-done
-unset tempfile
-
-# Sanity check
-count=$(ls "${TEMPDIR}"/ssl/certs/*.pem | wc -l)
-# Historically there have been between 152 and 165 certs
-# A minimum of 140 should be safe for a rudimentry sanity check
-if test "${count}" -lt "140" ; then
- echo "Error! Only ${count} certificates were generated!"
- echo "Exiting without update!"
- echo ""
- echo "${TEMPDIR} is the temporary working directory"
- exit 2
-fi
-unset count
-
-# Generate the bundle
-bundlefile=`basename "${CABUNDLE}"`
-bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
-install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
-test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
- "${DESTDIR}${CABUNDLE}.old"
-echo "VERSION:${VERSION}" > "${DESTDIR}${CABUNDLE}"
-cat "${TEMPDIR}/ssl/ca-bundle.crt.tmp" >> "${DESTDIR}${CABUNDLE}" &&
-rm -f "${DESTDIR}${CABUNDLE}.old"
-unset bundlefile bundledir
-
-# Install Java Cacerts
-if test "${WITH_JAVA}" == "1"; then
- javafile=`basename "${KEYSTORE}"`
- javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
- install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
- test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
- "${DESTDIR}${KEYSTORE}.old"
- install -m644 "${TEMPDIR}/ssl/java/cacerts" "${DESTDIR}${KEYSTORE}" &&
- rm -f "${DESTDIR}${KEYSTORE}.old"
- unset javafile javadir
-fi
-
-# Install NSS Shared DB
-if test "${WITH_NSS}" == "1"; then
- sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
- -e 's/library=/library=libnsssysinit.so/' \
- -e 's/Flags=internal/Flags=internal,moduleDBOnly/' \
- -i "${TEMPDIR}/pki/nssdb/pkcs11.txt"
- test -d "${DESTDIR}${NSSDB}" && mv "${DESTDIR}${NSSDB}" \
- "${DESTDIR}${NSSDB}.old"
- install -dm755 "${DESTDIR}${NSSDB}" 2>&1>/dev/null
- install -m644 "${TEMPDIR}"/pki/nssdb/{cert9.db,key4.db,pkcs11.txt} \
- "${DESTDIR}${NSSDB}" &&
- rm -rf "${DESTDIR}${NSSDB}.old"
-fi
-
-# Install anchors in $ANCHORDIR
-test -d "${DESTDIR}${ANCHORDIR}" && mv "${DESTDIR}${ANCHORDIR}"\
- "${DESTDIR}${ANCHORDIR}.old"
-install -dm755 "${DESTDIR}${ANCHORDIR}" 2>&1>/dev/null
-install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}" &&
-rm -rf "${DESTDIR}${ANCHORDIR}.old"
-
-# Install certificates in $CERTDIR
-test -d "${DESTDIR}${CERTDIR}" && mv "${DESTDIR}${CERTDIR}" \
- "${DESTDIR}${CERTDIR}.old"
-install -dm755 "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
-install -m644 "${TEMPDIR}"/ssl/certs/*.pem "${DESTDIR}${CERTDIR}" &&
-rm -rf "${DESTDIR}${CERTDIR}.old"
-
-# Import any certs in $LOCALDIR
-# Don't do any checking, just trust the admin
-if test -d "${LOCALDIR}"; then
- for cert in `find "${LOCALDIR}" -name "*.pem"`; do
- # Get some information about the certificate
- keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
- subject=$("${OPENSSL}" x509 -noout -in "${cert}" -subject)
- count=1
- while test "${count}" -lt 10; do
- echo "${subject}" | cut -d "/" -f "${count}" | grep "CN=" >/dev/null \
- && break
- let count++
- done
- certname=$(echo "${subject}" | cut -d "/" -f "${count}" | sed 's@CN=@@')
-
- echo "Certificate: ${certname}"
- echo "Keyhash: ${keyhash}"
-
- # Get trust information
- trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
- grep -A1 "Trusted Uses")
- satrust=""
- smtrust=""
- cstrust=""
- catrust=""
- satrust=$(echo "${trustlist}" | \
- grep "TLS Web Server" 2>&1> /dev/null && echo "C")
- smtrust=$(echo "${trustlist}" | \
- grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
- cstrust=$(echo "${trustlist}" | \
- grep "Code Signing" 2>&1 >/dev/null && echo "C")
- catrust=$(echo "${trustlist}" | \
- grep "Client Auth" 2>&1 >/dev/null && echo "C")
-
- # Get reject information
- rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
- grep -A1 "Rejected Uses")
- if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
- grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi
- if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
- grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi
- if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
- grep "Code Signing" 2>&1> /dev/null && echo "p"); fi
- if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
- grep "Client Auth" 2>&1> /dev/null && echo "p"); fi
-
-
- # Place certificate into trust anchors dir
- p11label="$(grep -m1 "Issuer" ${cert} | grep -o CN=.*$ | \
- cut -d ',' -f 1 | sed 's@CN=@@')"
-
- # if distrusted at all, x-distrusted
- if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
- then
- # if any distrusted, x-distrusted
- p11trust="x-distrusted: true"
- p11oid="1.3.6.1.4.1.3319.6.10.1"
- p11value="0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
- else
- p11trust="trusted: true"
- p11oid="2.5.29.37"
- trustp11="p11"
- if test "${satrust}" == "C"; then
- trustp11="${trustp11}sa"
- fi
- if test "${smtrust}" == "C"; then
- trustp11="${trustp11}sm"
- fi
- if test "${cstrust}" == "C"; then
- trustp11="${trustp11}cs"
- fi
- get-p11-val "${trustp11}"
- fi
-
- anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem"
-
- echo "[p11-kit-object-v1]" >> "${anchorfile}"
- echo "label: \"${p11label}\"" >> "${anchorfile}"
- echo "class: x-certificate-extension" >> "${anchorfile}"
- echo "object-id: ${p11oid}" >> "${anchorfile}"
- echo "value: \"${p11value}\"" >> "${anchorfile}"
- echo "modifiable: false" >> "${anchorfile}"
- echo "${certkey}" >> "${anchorfile}"
- echo "" >> "${anchorfile}"
- echo "[p11-kit-object-v1]" >> "${anchorfile}"
- echo "label: \"${p11label}\"" >> "${anchorfile}"
- echo "${p11trust}" >> "${anchorfile}"
- echo "modifiable: false" >> "${anchorfile}"
- echo "${certcer}" >> "${anchorfile}"
- echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
- echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
-
- # Install in Java keystore
- if test "${WITH_JAVA}" == "1" -a "${satrust}x" == "Cx"; then
- "${KEYTOOL}" -import -noprompt -alias "${certname}" \
- -keystore "${DESTDIR}${KEYSTORE}" \
- -storepass 'changeit' -file "${cert}" 2>&1> /dev/null | \
- sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
- fi
-
- # Append to the bundle - source should have trust info, process with
- # openssl x509 to strip
- if test "${satrust}x" == "Cx"; then
- "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
- >> "${DESTDIR}${CABUNDLE}"
- echo "Added to GnuTLS certificate bundle."
- fi
-
- # Install into OpenSSL certificate store
- "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
- -setalias "${certname}" \
- >> "${DESTDIR}${CERTDIR}/${keyhash}.pem"
- echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust},${catrust}'."
-
- # Add to Shared NSS DB
- if test "${WITH_NSS}" == "1"; then
- "${OPENSSL}" x509 -in "${cert}" -text -fingerprint | \
- "${CERTUTIL}" -d "sql:${DESTDIR}${NSSDB}" -A \
- -t "${satrust},${smtrust},${cstrust}" \
- -n "${certname}"
- echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
- fi
-
- unset keyhash subject count certname
- unset trustlist rejectlist satrust smtrust cstrust catrust
- unset p11trust p11oid p11value trustp11 certkey certcer certtxt
- echo ""
-
- done
- unset cert
-fi
-
-/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
-popd > /dev/null
-
-# Clean up the mess
-rm -rf "${TEMPDIR}"
-
-# End /usr/sbin/make-ca.sh
--
GitLab