From 0baf68696f933af46bebb11ecd9dc008b294becb Mon Sep 17 00:00:00 2001 From: DJ Lucas Date: Wed, 7 Feb 2018 22:49:55 -0600 Subject: [PATCH] Generate both PKCS#12 and JKS stores for Java Local certs keep out of band trust when copied to system certs
---
 CHANGELOG | 2 +
 make-ca | 150 +++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 127 insertions(+), 25 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index a627ee2..5b4cbea 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,5 @@
+0.7 - Generate both PKCS#12 and JKS stores for Java
+ - Local certs keep out of band trust when copied to system certs
 0.6 - Allow use of proxy with OpenSSL s_client
 - Really check revision before download
 - Make sure download was successful before testing values
diff --git a/make-ca b/make-ca
index bdb8152..c5899aa 100644
--- a/make-ca
+++ b/make-ca
@@ -8,7 +8,7 @@
 # Authors: DJ Lucas
 # Bruce Dubbs
-VERSION="0.6"
+VERSION="0.7"
 # Get/set defaults
 if test -f /etc/make-ca.conf; then
@@ -25,7 +25,7 @@ else
 SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
 CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
 CERTDIR="${SSLDIR}/certs"
- KEYSTORE="${SSLDIR}/java/cacerts"
+ KEYSTORE="${SSLDIR}/java"
 NSSDB="${PKIDIR}/nssdb"
 LOCALDIR="${SSLDIR}/local"
 DESTDIR=""
@@ -98,7 +98,7 @@ function get_args(){
 SSLDIR="${2}"
 CABUNDLE="${SSLDIR}/ca-bundle.crt"
 CERTDIR="${SSLDIR}/certs"
- KEYSTORE="${SSLDIR}/java/cacerts"
+ KEYSTORE="${SSLDIR}/java"
 LOCALDIR="${SSLDIR}/local"
 echo "${@}" | grep -e "-c " -e "--cafile" \
 -e "-d " -e "--cadir" \
@@ -274,8 +274,9 @@ function showhelp(){
 echo " The output directory for the OpenSSL trusted"
 echo " CA certificates"
 echo ""
- echo " -j, --javacerts [\$SSLDIR/java/cacerts]"
- echo " The output path for the Java cacerts file"
+ echo " -j, --javacerts [\$SSLDIR/java"
+ echo " The output directory for the Java"
+ echo " cacerts.{jks,p12} files"
 echo ""
 echo " -l, --localdir [\$SSLDIR/local]"
 echo " The path to a local set of OpenSSL trusted"
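Review bot: The default `KEYSTORE` changes from a file (`${SSLDIR}/java/cacerts`) to a directory (`${SSLDIR}/java`), and get_args makes the same change in the @@ -98 hunk, so the meaning of `-j/--javacerts` changes underneath existing callers: a value that used to name the cacerts file is now treated as a directory, and the later `install -dm755 "${DESTDIR}${KEYSTORE}"` would try to create it as one next to the old file. A guard in get_args such as `test -f "${KEYSTORE}" && { echo "-j now expects a directory, got file ${KEYSTORE}" >&2; exit 1; }` would make the breakage explicit, and the CHANGELOG entry should mention the new meaning of -j. Both hunks are fragments; the enclosing if/else and the get_args body continue outside the view.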
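Review bot: The new help line `echo " -j, --javacerts [\$SSLDIR/java"` lost its closing bracket; every neighbouring option prints its default as `[...]`, so it should read `echo " -j, --javacerts [\$SSLDIR/java]"`. The showhelp body continues outside the hunk.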
@@ -607,6 +608,44 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
 echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
 fi
+ # Import all certificates with trust args to the java cacerts.p12 file
+ if test "${WITH_JAVA}" == "1"; then
+ # Remove existing certificate
+ "${KEYTOOL}" -delete -noprompt -alias "${certname}" \
+ -keystore "${TEMPDIR}/ssl/java/cacerts.p12" \
+ -storepass 'changeit' 2>&1> /dev/null
+ # Determine ExtendedKeyUsage
+ EKU=""
+ EKUVAL=""
+ if test "${satrust}" == "C"; then EKU="serverAuth"; fi
+ if test "${catrust}" == "C"; then
+ if test "${EKU}" == ""; then
+ EKU="clientAuth"
+ else
+ EKU="${EKU},clientAuth"
+ fi
+ fi
+ if test "${cstrust}" == "C"; then
+ if test "${EKU}" == ""; then
+ EKU="codeSigning"
+ else
+ EKU="${EKU},codeSigning"
+ fi
+ fi
+ if test "${EKU}" != ""; then
+ EKUVAL="-ext EKU=${EKU}"
+ "${KEYTOOL}" -importcert -file tempfile.crt -storetype PKCS12 \
+ -noprompt -alias "${certname}" -storepass 'changeit' \
+ -keystore "${TEMPDIR}/ssl/java/cacerts.p12" $EKUVAL \
+ 2>&1> /dev/null | \
+ sed -e "s@Certificate was a@A@" \
+ -e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \
+ | sed 's@p@@'
+ unset EKU
+ unset EKUVAL
+ fi
+ fi
+
 # Clean up the directory and environment as we go
 rm -f tempfile.crt
 unset keyhash subject certname
@@ -657,6 +696,13 @@ install -dm755 "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
 install -m644 "${TEMPDIR}"/ssl/certs/*.pem "${DESTDIR}${CERTDIR}" && rm -rf "${DESTDIR}${CERTDIR}.old"
+# Install Java cacerts.p12 in ${KEYSTORE}
+test -f "${DESTDIR}${KEYSTORE}/cacerts.p12" &&
+ mv "${DESTDIR}${KEYSTORE}/cacerts.p12{,.old}"
+install -dm755 "${DESTDIR}${KEYSTORE}"
+install -m644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}"
+rm -f "${DESTDIR}${KEYSTORE}/cacerts.p12.old"
+
 # Import any certs in $LOCALDIR
 # Don't do any checking, just trust the admin
 if test -d "${LOCALDIR}"; then
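Review bot: The added `"${KEYTOOL}" -delete … 2>&1> /dev/null` sends stderr to the terminal and only stdout to /dev/null, so whenever the alias (or, on the first pass, the store under ${TEMPDIR}/ssl/java) does not exist yet, keytool's error line is printed for that certificate; if the intent is to silence it the order has to be `> /dev/null 2>&1`, and the -delete calls in the @@ -764 and @@ -824 hunks have the same ordering (on the -importcert lines it is deliberate, since stderr there feeds the sed pipeline). As far as I can tell keytool honours `-ext` only for -genkeypair, -gencert and -certreq, while -importcert stores a trusted-certificate entry with the certificate's own extensions, so `-ext EKU=…` is most likely ignored, the entry ends up trusted for every purpose, and the echoed "with trust …" message overstates what the store records; please confirm with `keytool -list -v` on the generated cacerts.p12 and, if it is ignored, document that the only filtering here is that certificates with no C in satrust/catrust/cstrust are left out of the PKCS#12 store. The trailing `| sed 's@p@@'` deletes the first literal p of each output line with no visible reason, and the echoed trust values are part of that line; anchor it to whatever it is meant to strip and comment it, or drop it. The enclosing for loop starts and ends outside the hunk.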
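Review bot: `mv "${DESTDIR}${KEYSTORE}/cacerts.p12{,.old}"` does not rotate anything: brace expansion is not performed inside double quotes, so mv receives the single literal argument `…/cacerts.p12{,.old}` and fails with a missing-operand error every time an old store exists. The JKS rotation in the @@ -774 hunk has it right; use the same form here, `mv "${DESTDIR}${KEYSTORE}"/cacerts.p12{,.old}`. With no `set -e` visible the script carries on and `install -m644` overwrites the old store in place, so today the failure is only noise, but it will abort the run the moment strict mode is enabled.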
@@ -751,8 +797,16 @@ if test -d "${LOCALDIR}"; then
 echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
 # Install into OpenSSL certificate store
- "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
- -setalias "${certname}" \
+
+ # Get args for OpenSSL trust settings
+ saarg="$(convert_trust_arg "${satrust}" sa)"
+ smarg="$(convert_trust_arg "${smtrust}" sm)"
+ csarg="$(convert_trust_arg "${cstrust}" cs)"
+ # Not currently included in NSS certdata.txt
+ #caarg="$(convert_trust_arg "${catrust}" ca)"
+
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ -setalias "${certname}" ${saarg} ${smarg} ${csarg} \
 >> "${DESTDIR}${CERTDIR}/${keyhash}.pem"
 echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust},${catrust}'."
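Review bot: `${saarg} ${smarg} ${csarg}` on the -setalias line are unquoted on purpose, presumably so that each convert_trust_arg result word-splits into an option plus its value (or into nothing when empty), but nothing says so, and ShellCheck will flag them; a later "fix" that quotes them would hand openssl empty or fused arguments. A comment on the line above them such as `# unquoted on purpose: each *arg expands to zero or more openssl x509 trust options` records the intent. The commented-out `#caarg=` line is dead code; turn it into a `# TODO:` stating why it is off, and note that the echo below still prints `${catrust}` although no trust option for it is applied. The enclosing if block starts and ends outside the hunk.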
@@ -764,6 +818,47 @@ if test -d "${LOCALDIR}"; then
 -n "${certname}"
 echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
 fi
+ # Import certificate (with trust args) into the java cacerts.p12 file
+ if test "${WITH_JAVA}" == "1"; then
+ # Remove existing certificate
+ "${KEYTOOL}" -delete -noprompt -alias "${certname}" \
+ -keystore "${DESTDIR}${KEYSTORE}/cacerts.p12" \
+ -storepass 'changeit' 2>&1> /dev/null
+ # Determing ExtendedKeyUsage
+ EKU=""
+ if test "${satrust}" == "C"; then EKU="serverAuth"; fi
+ if test "${catrust}" == "C"; then
+ if test "${EKU}" == ""; then
+ EKU="clientAuth"
+ else
+ EKU="${EKU},clientAuth"
+ fi
+ fi
+ if test "${cstrust}" == "C"; then
+ if test "${EKU}" == ""; then
+ EKU="codeSigning"
+ else
+ EKU="${EKU},codeSigning"
+ fi
+ fi
+ if test "${EKU}" != ""; then
+ EKUVAL="-ext EKU=${EKU}"
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ -setalias "${certname}" > "${TEMPDIR}/tempcert.pem"
+
+ "${KEYTOOL}" -importcert -noprompt -alias "${certname}" \
+ -keystore "${DESTDIR}${KEYSTORE}/cacerts.p12" \
+ -storepass 'changeit' $EKUVAL \
+ -file "${TEMPDIR}/tempcert.pem" \
+ 2>&1> /dev/null | \
+ sed -e "s@Certificate was a@A@" \
+ -e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \
+ | sed 's@p@@'
+ rm -f "${TEMPDIR}/tempcert.pem"
+ unset EKU
+ unset EKUVAL
+ fi
+ fi
 unset keyhash subject count certname
 unset trustlist rejectlist satrust smtrust cstrust catrust
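Review bot: The lines from `# Determing ExtendedKeyUsage` through the two closing `fi` duplicate the system-cert loop in the @@ -607 hunk almost verbatim (including the typo, which should read "Determining"), and the copies have already drifted: this one does not initialise `EKUVAL=""`, and its -importcert passes no `-storetype PKCS12`, which on a keytool whose default store type is JKS (Java 8 and earlier, as far as I know) may refuse to load the PKCS#12 file that was installed just before. Pulling the EKU derivation into a helper next to convert_trust_arg keeps the two loops in step and shrinks each to a few lines; a sketch follows. The local-cert for loop starts and ends outside the hunk.
```shell
# Map make-ca trust flags to a keytool EKU list.
# Args: $1 satrust, $2 catrust, $3 cstrust ("C" means trusted).
# Prints serverAuth/clientAuth/codeSigning joined by commas, or nothing if none is "C".
function java_eku(){
  local eku=""
  if test "${1}" == "C"; then eku="serverAuth"; fi
  if test "${2}" == "C"; then eku="${eku:+${eku},}clientAuth"; fi
  if test "${3}" == "C"; then eku="${eku:+${eku},}codeSigning"; fi
  echo "${eku}"
}

# … unchanged: -delete of any existing alias …
    # Determining ExtendedKeyUsage
    EKU="$(java_eku "${satrust}" "${catrust}" "${cstrust}")"
    EKUVAL=""
    if test "${EKU}" != ""; then
      EKUVAL="-ext EKU=${EKU}"
      # … unchanged: tempcert.pem export, then the -importcert call with "-storetype PKCS12" added, the sed pipeline and the cleanup …
```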
@@ -774,25 +869,24 @@ if test -d "${LOCALDIR}"; then
 unset cert
 fi
-# Install Java Cacerts
-if test "${WITH_JAVA}" == "1"; then
- javafile=`basename "${KEYSTORE}"`
- javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
- install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
- test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
- "${DESTDIR}${KEYSTORE}.old"
-fi
-
-# Build java and ca-bundle.crt
+# Build cacerts.jks and ca-bundle.crt
 # Generate the bundle
 bundlefile=`basename "${CABUNDLE}"`
 bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
 install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
 test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
 "${DESTDIR}${CABUNDLE}.old"
+test -f "${DESTDIR}${SMBUNDLE}" && mv "${DESTDIR}${SMBUNDLE}" \
+ "${DESTDIR}${SMBUNDLE}.old"
+test -f "${DESTDIR}${CSBUNDLE}" && mv "${DESTDIR}${CSBUNDLE}" \
+ "${DESTDIR}${CSBUNDLE}.old"
+test -f "${DESTDIR}${KEYSTORE}/cacerts.jks" &&
+mv "${DESTDIR}${KEYSTORE}"/cacerts.jks{,.old}
+
+
 echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
-echo "Processing certs for Java and GNUTLS stores..."
+echo "Processing certs for Java (JKS) and GNUTLS stores..."
 # Generate the bundle
 for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
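Review bot: The JKS rotation is written as `test -f "${DESTDIR}${KEYSTORE}/cacerts.jks" &&` with the `mv` on an unindented line of its own, unlike the three bundle rotations right above it, which keep `&& mv` on the test line and indent the continuation; `test -f "${DESTDIR}${KEYSTORE}/cacerts.jks" && mv "${DESTDIR}${KEYSTORE}"/cacerts.jks{,.old}` on one line matches them, and the two blank added lines after it can go. The removed block also created the Java directory here (`install -vdm755`); the new code appears to rely solely on the `install -dm755 "${DESTDIR}${KEYSTORE}"` in the @@ -657 hunk, which is worth a one-line comment next to the JKS rotation so the dependency is not lost in a later reshuffle.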
@@ -824,14 +918,18 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
 cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
 echo "Added to GnuTLS certificate bundle."
- # Install Java keystore
+ # Add to Java keystore (JKS)
 if test "${WITH_JAVA}" == "1"; then
- "${KEYTOOL}" -import -noprompt -alias "${certname}" \
- -keystore "${DESTDIR}${KEYSTORE}" \
- -storepass 'changeit' \
- -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
- 2>&1> /dev/null | \
- sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+ # Remove certificate if it already exists
+ "${KEYTOOL}" -delete -noprompt -alias "${certname}" \
+ -keystore "${DESTDIR}${KEYSTORE}/cacerts.jks" \
+ -storepass 'changeit' 2>&1> /dev/null
+ # Import it
+ "${KEYTOOL}" -importcert -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
+ -noprompt -alias "${certname}" -storetype JKS \
+ -keystore "${DESTDIR}${KEYSTORE}/cacerts.jks" \
+ -storepass 'changeit' 2>&1> /dev/null | \
+ sed -e 's@Certificate was a@A@' -e 's@keystore@Java (JKS) keystore.@'
 fi
 fi
 if test "${smtrust}x" == "Cx"; then
@@ -868,5 +966,7 @@ fi
 # Clean up the mess
 rm -rf "${TEMPDIR}"
+rm -rf "${DESTDIR}${bundledir}/*.old"
+rm -f "${DESTDIR}${KEYSTORE}/cacerts.jks.old"
 # End /usr/sbin/make-ca
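Review bot: `cacerts.jks` is rotated to `.old` just before this loop starts (the @@ -774 hunk), so the new `-delete` call can only ever find an alias that this same loop imported moments earlier; for every other certificate it starts a JVM only to fail, and because of the `2>&1> /dev/null` ordering that failure is printed to the terminal rather than discarded. If the intent is to dedupe repeated certnames under CERTDIR, say so: `# The store was rotated above, so an existing alias can only be an earlier import of the same name in this run`; otherwise drop the call. The for loop starts and ends outside the hunk.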
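Review bot: `rm -rf "${DESTDIR}${bundledir}/*.old"` never matches the rotated bundles: the `*` sits inside double quotes, so rm is asked for a file literally named `*.old` and the `.old` copies made in the @@ -774 hunk are left behind (silently, thanks to -f). The script created exactly three of them, so name them instead of globbing, which also avoids deleting unrelated `*.old` files an administrator may keep in that directory: `rm -f "${DESTDIR}${CABUNDLE}.old" "${DESTDIR}${SMBUNDLE}.old" "${DESTDIR}${CSBUNDLE}.old"`. `-r` is not needed for regular files either.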