Generate both PKCS#12 and JKS stores for Java

Local certs keep out of band trust when copied to system certs
2018-02-07 22:49:55 -06:00 · 2018-02-07 22:49:55 -06:00 · 0baf68696f
commit 0baf68696f
parent e29ccf19ac
2 changed files with 127 additions and 25 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
 0.7      - Generate both PKCS#12 and JKS stores for Java
         - Local certs keep out of band trust when copied to system certs
 0.6      - Allow use of proxy with OpenSSL s_client
         - Really check revision before download
         - Make sure download was successful before testing values
--- a/148
+++ b/148
@ -8,7 +8,7 @@
 # Authors: DJ Lucas
 #          Bruce Dubbs
-VERSION="0.6"
+VERSION="0.7"
 # Get/set defaults
 if test -f /etc/make-ca.conf; then
@ -25,7 +25,7 @@ else
    SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
    CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
    CERTDIR="${SSLDIR}/certs"
-    KEYSTORE="${SSLDIR}/java/cacerts"
+    KEYSTORE="${SSLDIR}/java"
    NSSDB="${PKIDIR}/nssdb"
    LOCALDIR="${SSLDIR}/local"
    DESTDIR=""
@ -98,7 +98,7 @@ function get_args(){
        SSLDIR="${2}"
        CABUNDLE="${SSLDIR}/ca-bundle.crt"
        CERTDIR="${SSLDIR}/certs"
-        KEYSTORE="${SSLDIR}/java/cacerts"
+        KEYSTORE="${SSLDIR}/java"
        LOCALDIR="${SSLDIR}/local"
        echo "${@}" | grep -e "-c " -e "--cafile" \
                           -e "-d " -e "--cadir"  \
@ -274,8 +274,9 @@ function showhelp(){
  echo "                         The output directory for the OpenSSL trusted"
  echo "                         CA certificates"
  echo ""
-  echo "        -j, --javacerts [\$SSLDIR/java/cacerts]"
+  echo "        -j, --javacerts [\$SSLDIR/java"
-  echo "                         The output path for the Java cacerts file"
+  echo "                         The output directory for the Java"
  echo "                         cacerts.{jks,p12} files"
  echo ""
  echo "        -l, --localdir [\$SSLDIR/local]"
  echo "                         The path to a local set of OpenSSL trusted"
@ -607,6 +608,44 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
    echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
  fi
  # Import all certificates with trust args to the java cacerts.p12 file
  if test "${WITH_JAVA}" == "1"; then
    # Remove existing certificate
    "${KEYTOOL}" -delete -noprompt -alias "${certname}"       \
                 -keystore "${TEMPDIR}/ssl/java/cacerts.p12"  \
                 -storepass 'changeit' 2>&1> /dev/null
    # Determine ExtendedKeyUsage
    EKU=""
    EKUVAL=""
    if test "${satrust}" == "C"; then EKU="serverAuth"; fi
    if test "${catrust}" == "C"; then
      if test "${EKU}" == ""; then
        EKU="clientAuth"
      else
        EKU="${EKU},clientAuth"
      fi
    fi
    if test "${cstrust}" == "C"; then
      if test "${EKU}" == ""; then
        EKU="codeSigning"
      else
        EKU="${EKU},codeSigning"
      fi
    fi
    if test "${EKU}" != ""; then
      EKUVAL="-ext EKU=${EKU}"
      "${KEYTOOL}" -importcert -file tempfile.crt -storetype PKCS12     \
                   -noprompt -alias "${certname}" -storepass 'changeit' \
                   -keystore "${TEMPDIR}/ssl/java/cacerts.p12" $EKUVAL  \
                   2>&1> /dev/null | \
      sed -e "s@Certificate was a@A@" \
          -e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \
          | sed 's@p@@'
      unset EKU
      unset EKUVAL
    fi
  fi
  # Clean up the directory and environment as we go
  rm -f tempfile.crt
  unset keyhash subject certname
@ -657,6 +696,13 @@ install -dm755 "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
 install -m644 "${TEMPDIR}"/ssl/certs/*.pem "${DESTDIR}${CERTDIR}" &&
 rm -rf "${DESTDIR}${CERTDIR}.old"
 # Install Java cacerts.p12 in ${KEYSTORE}
 test -f "${DESTDIR}${KEYSTORE}/cacerts.p12" &&
        mv "${DESTDIR}${KEYSTORE}/cacerts.p12{,.old}"
 install -dm755 "${DESTDIR}${KEYSTORE}"
 install -m644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}"
 rm -f "${DESTDIR}${KEYSTORE}/cacerts.p12.old"
 # Import any certs in $LOCALDIR
 # Don't do any checking, just trust the admin
 if test -d "${LOCALDIR}"; then
@ -751,8 +797,16 @@ if test -d "${LOCALDIR}"; then
    echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
    # Install into OpenSSL certificate store
    # Get args for OpenSSL trust settings
    saarg="$(convert_trust_arg "${satrust}" sa)"
    smarg="$(convert_trust_arg "${smtrust}" sm)"
    csarg="$(convert_trust_arg "${cstrust}" cs)"
    # Not currently included in NSS certdata.txt
    #caarg="$(convert_trust_arg "${catrust}" ca)"
    "${OPENSSL}" x509 -in "${cert}" -text -fingerprint                    \
-                      -setalias "${certname}"          \
+                      -setalias "${certname}" ${saarg} ${smarg} ${csarg}  \
                      >> "${DESTDIR}${CERTDIR}/${keyhash}.pem"
    echo "Added to OpenSSL certificate directory with trust '${satrust},${smtrust},${cstrust},${catrust}'."
@ -764,6 +818,47 @@ if test -d "${LOCALDIR}"; then
                    -n "${certname}"
      echo "Added to NSS shared DB with trust '${satrust},${smtrust},${cstrust}'."
    fi
    # Import certificate (with trust args) into the java cacerts.p12 file
    if test "${WITH_JAVA}" == "1"; then
      # Remove existing certificate
      "${KEYTOOL}" -delete -noprompt -alias "${certname}"         \
                   -keystore "${DESTDIR}${KEYSTORE}/cacerts.p12"  \
                   -storepass 'changeit' 2>&1> /dev/null
      # Determing ExtendedKeyUsage
      EKU=""
      if test "${satrust}" == "C"; then EKU="serverAuth"; fi
      if test "${catrust}" == "C"; then
        if test "${EKU}" == ""; then
          EKU="clientAuth"
        else
          EKU="${EKU},clientAuth"
        fi
      fi
      if test "${cstrust}" == "C"; then
        if test "${EKU}" == ""; then
          EKU="codeSigning"
        else
          EKU="${EKU},codeSigning"
        fi
      fi
      if test "${EKU}" != ""; then
        EKUVAL="-ext EKU=${EKU}"
        "${OPENSSL}" x509 -in "${cert}" -text -fingerprint                    \
                     -setalias "${certname}" > "${TEMPDIR}/tempcert.pem"
        "${KEYTOOL}" -importcert -noprompt -alias "${certname}"    \
                     -keystore "${DESTDIR}${KEYSTORE}/cacerts.p12" \
                     -storepass 'changeit' $EKUVAL                 \
                     -file "${TEMPDIR}/tempcert.pem"               \
                     2>&1> /dev/null | \
        sed -e "s@Certificate was a@A@" \
            -e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \
            | sed 's@p@@'
        rm -f "${TEMPDIR}/tempcert.pem"
        unset EKU
        unset EKUVAL
      fi
    fi
    unset keyhash subject count certname
    unset trustlist rejectlist satrust smtrust cstrust catrust
@ -774,25 +869,24 @@ if test -d "${LOCALDIR}"; then
  unset cert
 fi
-# Install Java Cacerts
+# Build cacerts.jks and ca-bundle.crt
 if test "${WITH_JAVA}" == "1"; then
  javafile=`basename "${KEYSTORE}"`
  javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
  install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
  test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
                                        "${DESTDIR}${KEYSTORE}.old"
 fi
 # Build java and ca-bundle.crt
 # Generate the bundle
 bundlefile=`basename "${CABUNDLE}"`
 bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
 install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
 test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
                                      "${DESTDIR}${CABUNDLE}.old"
 test -f "${DESTDIR}${SMBUNDLE}" && mv "${DESTDIR}${SMBUNDLE}" \
                                      "${DESTDIR}${SMBUNDLE}.old"
 test -f "${DESTDIR}${CSBUNDLE}" && mv "${DESTDIR}${CSBUNDLE}" \
                                      "${DESTDIR}${CSBUNDLE}.old"
 test -f "${DESTDIR}${KEYSTORE}/cacerts.jks" && 
 mv "${DESTDIR}${KEYSTORE}"/cacerts.jks{,.old}
 echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
-echo "Processing certs for Java and GNUTLS stores..."
+echo "Processing certs for Java (JKS) and GNUTLS stores..."
 # Generate the bundle
 for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
@ -824,14 +918,18 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
    cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
    echo "Added to GnuTLS certificate bundle."
-    # Install Java keystore
+    # Add to Java keystore (JKS)
    if test "${WITH_JAVA}" == "1"; then
-      "${KEYTOOL}" -import -noprompt -alias "${certname}"      \
+      # Remove certificate if it already exists
-                   -keystore "${DESTDIR}${KEYSTORE}"           \
+      "${KEYTOOL}" -delete -noprompt -alias "${certname}"        \
-                   -storepass 'changeit'                       \
+                   -keystore "${DESTDIR}${KEYSTORE}/cacerts.jks" \
-                   -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
+                   -storepass 'changeit' 2>&1> /dev/null
-                   2>&1> /dev/null | \
+      # Import it
-      sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+      "${KEYTOOL}" -importcert -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
                   -noprompt -alias "${certname}" -storetype JKS           \
                   -keystore "${DESTDIR}${KEYSTORE}/cacerts.jks"           \
                   -storepass 'changeit' 2>&1> /dev/null |                 \
      sed -e 's@Certificate was a@A@' -e 's@keystore@Java (JKS) keystore.@'
    fi
  fi
  if test "${smtrust}x" == "Cx"; then
@ -868,5 +966,7 @@ fi
 # Clean up the mess
 rm -rf "${TEMPDIR}"
 rm -rf "${DESTDIR}${bundledir}/*.old"
 rm -f  "${DESTDIR}${KEYSTORE}/cacerts.jks.old"
 # End /usr/sbin/make-ca