Changed default name of anchors list to use md5sums extension

Added copy-trust-modifcations script for use by p11-kit

CHANGELOG

@@ -3,6 +3,8 @@
          - Added get_trust_values(), get_p11_trust(), and write_anchor()
            functions to eliminate duplicate code
          - Fix certificate label in local certificates
+         - Changed default name of anchors list to use md5sums extension
+         - Added copy-trust-modifcations script for use by p11-kit
 1.1      - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0      - Move bundle defaults to /etc/pki/tls/{certs,java}/
          - Fix invalid test cases on command line processing

Makefile

@@ -1,6 +1,7 @@
 MANDIR=/usr/share/man
 SBINDIR=/usr/sbin
 ETCDIR=/etc
+LIBEXECDIR=/usr/libexec/make-ca
 
 all: make_ca man
 
@@ -25,6 +26,8 @@ install: all install_bin install_man install_systemd install_conf
 install_bin:
 	install -vdm755 $(DESTDIR)$(SBINDIR)
 	install -vm755 make-ca $(DESTDIR)$(SBINDIR)
+	install -vdm755 $(DESTDIR)$(LIBEXECDIR)
+	install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
 
 install_systemd:
 	if test -d /usr/lib/systemd/system; then \

copy-trust-modifcations

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# Get configuration
+if [ -f /etc/make-ca.conf ]; then
+    . /etc/make-ca.conf
+else
+    #Use defaults if make-ca.conf does not exist
+    ANCHORDIR="/etc/pki/anchors"
+    ANCHORLIST="/etc/pki/anchors.md5sums"
+    LOCALDIR="/etc/ssl/local"
+    MD5SUM="/usr/bin/md5sum"
+    CERTLIST=""
+fi
+
+# Dump to a temporary directory
+TEMPDIR=`mktemp -d`
+/usr/bin/trust extract --filter=certificates \
+                       --format=openssl-directory \
+                       --overwrite \
+                       "${TEMPDIR}"
+
+# Create a list of certificates not present at, or modified since previous run
+"${MD5SUM}" "${ANCHORDIR}"/*.pem > "${TEMPDIR}/anchors.md5sums"
+diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" > "${TEMPDIR}/diff"
+grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 > "${TEMPDIR}/certlist"
+
+echo -e "\nThe following certificates have local modifications:\n"
+# Copy new certificates to LOCALDIR
+for certificate in `cat "${TEMPDIR}/certlist"` ; do
+    LABEL=`grep -m 1 "label:" "${certificate}"`
+    LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
+    cp -f "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+    echo -e "${LABELNEW}"
+    unset LABEL LABELNEW
+done
+
+# Clean up
+rm -rf "${TEMPDIR}"
+unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+

make-ca

@@ -25,7 +25,7 @@ else
     OPENSSL="/usr/bin/openssl"
     TRUST="/usr/bin/trust"
     ANCHORDIR="${PKIDIR}/anchors"
-    ANCHORLIST="${PKIDIR}/anchors.txt"
+    ANCHORLIST="${PKIDIR}/anchors.md5sums"
     BUNDLEDIR="${PKIDIR}/tls/certs"
     CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
     SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"

make-ca.conf.dist

@@ -9,7 +9,7 @@ MD5SUM="/usr/bin/md5sum"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
-ANCHORLIST="${PKIDIR}/anchors.txt"
+ANCHORLIST="${PKIDIR}/anchors.md5sums"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"