diff --git a/CHANGELOG b/CHANGELOG
index 536b4c0..19b229a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,8 @@
 - Added get_trust_values(), get_p11_trust(), and write_anchor() functions to eliminate duplicate code - Fix certificate label in local certificates + - Changed default name of anchors list to use md5sums extension + - Added copy-trust-modifcations script for use by p11-kit 1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR 1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/ - Fix invalid test cases on command line processing
diff --git a/Makefile b/Makefile
index cb9908a..1a54c8c 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,7 @@
 MANDIR=/usr/share/man
 SBINDIR=/usr/sbin
 ETCDIR=/etc
+LIBEXECDIR=/usr/libexec/make-ca
 
 all: make_ca man
 
@@ -25,6 +26,8 @@ install: all install_bin install_man install_systemd install_conf
 install_bin:
 	install -vdm755 $(DESTDIR)$(SBINDIR)
 	install -vm755 make-ca $(DESTDIR)$(SBINDIR)
+	install -vdm755 $(DESTDIR)$(LIBEXECDIR)
+	install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
 
 install_systemd:
 	if test -d /usr/lib/systemd/system; then \
diff --git a/copy-trust-modifcations b/copy-trust-modifcations
new file mode 100644
index 0000000..941c60c
--- /dev/null
+++ b/copy-trust-modifcations
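Review bot: The second added recipe line of `install_bin` installs `copy-trust-modifications`, but the file this commit adds (and the CHANGELOG entry) is spelled `copy-trust-modifcations`, so `make install` will stop at that line with a missing-file error from `install`. Rename the new script in the repository to `copy-trust-modifications` (the spelling the Makefile already uses) or, if the short spelling is intended, change the recipe to `install -vm700 copy-trust-modifcations $(DESTDIR)$(LIBEXECDIR)`. The `-vm700` mode is reasonable for a root-only helper, but a comment on the `LIBEXECDIR=/usr/libexec/make-ca` line in the first hunk, `# private helper scripts, not on PATH`, would record why this path is package-specific while the others are not. Whether `install_bin` is declared `.PHONY` is outside the hunk.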
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Get configuration
+if [ -f /etc/make-ca.conf ]; then
+ . /etc/make-ca.conf
+else
+ #Use defaults if make-ca.conf does not exist
+ ANCHORDIR="/etc/pki/anchors"
+ ANCHORLIST="/etc/pki/anchors.md5sums"
+ LOCALDIR="/etc/ssl/local"
+ MD5SUM="/usr/bin/md5sum"
+ CERTLIST=""
+fi
+
+# Dump to a temporary directory
+TEMPDIR=`mktemp -d`
+/usr/bin/trust extract --filter=certificates \
+ --format=openssl-directory \
+ --overwrite \
+ "${TEMPDIR}"
+
+# Create a list of certificates not present at, or modified since previous run
+"${MD5SUM}" "${ANCHORDIR}"/*.pem > "${TEMPDIR}/anchors.md5sums"
+diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" > "${TEMPDIR}/diff"
+grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 > "${TEMPDIR}/certlist"
+
+echo -e "\nThe following certificates have local modifications:\n"
+# Copy new certificates to LOCALDIR
+for certificate in `cat "${TEMPDIR}/certlist"` ; do
+ LABEL=`grep -m 1 "label:" "${certificate}"`
+ LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
+ cp -f "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+ echo -e "${LABELNEW}"
+ unset LABEL LABELNEW
+done
+
+# Clean up
+rm -rf "${TEMPDIR}"
+unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+
diff --git a/make-ca b/make-ca
index ddcf359..c31a994 100644
--- a/make-ca
+++ b/make-ca
@@ -25,7 +25,7 @@ else
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
-ANCHORLIST="${PKIDIR}/anchors.txt"
+ANCHORLIST="${PKIDIR}/anchors.md5sums"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
diff --git a/make-ca.conf.dist b/make-ca.conf.dist
index 5361c43..a7e9435 100644
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
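Review bot: The result of `TEMPDIR=\`mktemp -d\`` is never checked and nothing sets `set -e`, so if mktemp fails the script carries on with an empty TEMPDIR, handing an empty path to `trust extract --overwrite` and to the final `rm -rf "${TEMPDIR}"`, and when any intermediate command fails the temporary directory is simply left behind. Replace the assignment with `TEMPDIR=$(mktemp -d) || exit 1` and add `trap 'rm -rf "${TEMPDIR}"' EXIT` directly after it, which also makes the trailing `rm -rf` line redundant. The `diff -au "${ANCHORLIST}" …` line prints an error and produces an empty certlist whenever the list file does not exist yet (a fresh install, or presumably an upgrade where only the old anchors.txt name is present, given the rename in the make-ca hunk), so a comment above it such as `# ANCHORLIST is maintained by make-ca; nothing is copied until it exists` would make that ordering dependency explicit. `CERTLIST=""` is assigned in the defaults branch but never read.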
@@ -9,7 +9,7 @@ MD5SUM="/usr/bin/md5sum"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
-ANCHORLIST="${PKIDIR}/anchors.txt"
+ANCHORLIST="${PKIDIR}/anchors.md5sums"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"