Remove unused variables saarg, csarg, and smarg in get_trust_values() function

Remove unused CERTLIST variable in copy-trust-modifications
Correct STDERR redirection in multiple functions
DJ Lucas 2019-04-12 22:20:20 -05:00
parent ddad9bbee0
commit 31e66e0c74
3 changed files with 23 additions and 27 deletions


@ -1,6 +1,10 @@
1.3 - Added write_nss_db() and write_java_p12() functions to eliminate 1.3 - Added write_nss_db() and write_java_p12() functions to eliminate
duplicate code duplicate code
- Corrected version string - Corrected version string
- Remove unused variables saarg, csarg, and smarg in
get_trust_values() function
- Remove unused CERTLIST variable in copy-trust-modifications
- Correct STDERR redirection in multiple functions
1.2 - Use md5sum values for anchors.txt to detect p11-kit changes 1.2 - Use md5sum values for anchors.txt to detect p11-kit changes
- Added get_p11_label() function to get reliable label values - Added get_p11_label() function to get reliable label values
- Added get_trust_values(), get_p11_trust(), and write_anchor() - Added get_trust_values(), get_p11_trust(), and write_anchor()


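--- a/copy-trust-modifications
+++ b/copy-trust-modifications
@@ -9,7 +9,6 @@ else
 ANCHORLIST="/etc/pki/anchors.md5sums"
 LOCALDIR="/etc/ssl/local"
 MD5SUM="/usr/bin/md5sum"
-CERTLIST=""
 fi
 # Dump to a temporary directory
 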
45
make-ca

@ -93,7 +93,7 @@ function get_args(){
SSLDIR="${2}" SSLDIR="${2}"
CERTDIR="${SSLDIR}/certs" CERTDIR="${SSLDIR}/certs"
LOCALDIR="${SSLDIR}/local" LOCALDIR="${SSLDIR}/local"
echo "${@}" | grep -e "-d " -e "--cadir" 2>&1> /dev/null echo "${@}" | grep -e "-d " -e "--cadir" > /dev/null 2>&1
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -d/--cadir switch." echo "Error! ${1} cannot be used with the -d/--cadir switch."
echo "" echo ""
@ -105,7 +105,7 @@ function get_args(){
-a | --anchordir) -a | --anchordir)
check_arg $1 $2 check_arg $1 $2
ANCHORDIR="${2}" ANCHORDIR="${2}"
echo "${@}" | grep -e "-P " -e "--pkidir" 2>&1> /dev/null echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null 2>&1
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -P/--pkidir switch." echo "Error! ${1} cannot be used with the -P/--pkidir switch."
echo "" echo ""
@ -120,8 +120,8 @@ function get_args(){
;; ;;
-d | --cadir) -d | --cadir)
check_arg $1 $2 check_arg $1 $2
CADIR="${2}" CERTDIR="${2}"
echo "$@" | grep -e "-S" -e "--ssldir" 2>&1 > /dev/null echo "$@" | grep -e "-S" -e "--ssldir" > /dev/null 2>&1
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -S/--ssldir switch." echo "Error! ${1} cannot be used with the -S/--ssldir switch."
echo "" echo ""
@ -442,13 +442,6 @@ function get_trust_values() {
# Not currently included in NSS certdata.txt # Not currently included in NSS certdata.txt
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \ #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
# cut -d " " -f 3`)" # cut -d " " -f 3`)"
# Get args for OpenSSL trust settings
saarg="$(convert_trust_arg "${satrust}" sa)"
smarg="$(convert_trust_arg "${smtrust}" sm)"
csarg="$(convert_trust_arg "${cstrust}" cs)"
# Not currently included in NSS certdata.txt
#caarg="$(convert_trust_arg "${catrust}" ca)"
} }
function get_p11_trust() { function get_p11_trust() {
@ -513,7 +506,7 @@ function write_java_p12() {
# Remove existing certificate # Remove existing certificate
"${KEYTOOL}" -delete -noprompt -alias "${certname}" \ "${KEYTOOL}" -delete -noprompt -alias "${certname}" \
-keystore "${1}" \ -keystore "${1}" \
-storepass 'changeit' 2>&1> /dev/null -storepass 'changeit' > /dev/null 2>&1
# Determine ExtendedKeyUsage # Determine ExtendedKeyUsage
EKU="" EKU=""
EKUVAL="" EKUVAL=""
@ -537,7 +530,7 @@ function write_java_p12() {
"${KEYTOOL}" -importcert -file "${2}" -storetype PKCS12 \ "${KEYTOOL}" -importcert -file "${2}" -storetype PKCS12 \
-noprompt -alias "${certname}" -storepass 'changeit' \ -noprompt -alias "${certname}" -storepass 'changeit' \
-keystore "${1}" $EKUVAL \ -keystore "${1}" $EKUVAL \
2>&1> /dev/null | \ > /dev/null 2>&1 | \
sed -e "s@Certificate was a@A@" \ sed -e "s@Certificate was a@A@" \
-e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \ -e 's@keystore@Java cacerts (PKCS#12) with trust '${satrust},${smtrust},${cstrust}'.@' \
| sed 's@p@@' | sed 's@p@@'
@ -577,11 +570,11 @@ if test "${GET}" == "1"; then
SARGS="${SARGS} -proxy ${PROXY}" SARGS="${SARGS} -proxy ${PROXY}"
fi fi
echo GET ${_url} | \ echo GET ${_url} | \
${OPENSSL} s_client ${SARGS} 2>/dev/null > "${TEMPDIR}/certdata.txt.log" ${OPENSSL} s_client ${SARGS} 2> /dev/null > "${TEMPDIR}/certdata.txt.log"
unset _url unset _url
# Error out here if we couldn't get the file # Error out here if we couldn't get the file
grep -m1 "<i>" "${TEMPDIR}/certdata.txt.log" 2>&1>/dev/null grep -m1 "<i>" "${TEMPDIR}/certdata.txt.log" > /dev/null 2>&1
if test "$?" -gt 0; then if test "$?" -gt 0; then
echo "Unable to get revision from server! Exiting." echo "Unable to get revision from server! Exiting."
exit 1 exit 1
@ -600,7 +593,7 @@ if test "${GET}" == "1"; then
# Download the new file # Download the new file
echo GET ${URL} | \ echo GET ${URL} | \
${OPENSSL} s_client ${SARGS} 2>/dev/null >> "${CERTDATA}" ${OPENSSL} s_client ${SARGS} 2> /dev/null >> "${CERTDATA}"
_line=$(( $(grep -n "certdata.txt" "${CERTDATA}" | cut -d ":" -f 1) - 1)) _line=$(( $(grep -n "certdata.txt" "${CERTDATA}" | cut -d ":" -f 1) - 1))
sed -e "1,${_line}d" -i "${CERTDATA}" sed -e "1,${_line}d" -i "${CERTDATA}"
sed "1i # Revision:${REVISION}" -i "${CERTDATA}" sed "1i # Revision:${REVISION}" -i "${CERTDATA}"
@ -710,7 +703,7 @@ unset tempfile
# Install anchors in $ANCHORDIR # Install anchors in $ANCHORDIR
test -d "${DESTDIR}${ANCHORDIR}" && rm -rf "${DESTDIR}${ANCHORDIR}" test -d "${DESTDIR}${ANCHORDIR}" && rm -rf "${DESTDIR}${ANCHORDIR}"
install -dm755 "${DESTDIR}${ANCHORDIR}" 2>&1>/dev/null install -dm755 "${DESTDIR}${ANCHORDIR}" > /dev/null 2>&1
install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}" install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}"
# Install NSS Shared DB # Install NSS Shared DB
@ -720,7 +713,7 @@ if test "${WITH_NSS}" == "1"; then
-e 's/Flags=internal/Flags=internal,moduleDBOnly/' \ -e 's/Flags=internal/Flags=internal,moduleDBOnly/' \
-i "${TEMPDIR}/pki/nssdb/pkcs11.txt" -i "${TEMPDIR}/pki/nssdb/pkcs11.txt"
test -d "${DESTDIR}${NSSDB}" && rm -rf "${DESTDIR}${NSSDB}" test -d "${DESTDIR}${NSSDB}" && rm -rf "${DESTDIR}${NSSDB}"
install -dm755 "${DESTDIR}${NSSDB}" 2>&1>/dev/null install -dm755 "${DESTDIR}${NSSDB}" > /dev/null 2>&1
install -m644 "${TEMPDIR}"/pki/nssdb/{cert9.db,key4.db,pkcs11.txt} \ install -m644 "${TEMPDIR}"/pki/nssdb/{cert9.db,key4.db,pkcs11.txt} \
"${DESTDIR}${NSSDB}" "${DESTDIR}${NSSDB}"
fi fi
@ -755,25 +748,25 @@ if test -d "${LOCALDIR}"; then
cstrust="" cstrust=""
catrust="" catrust=""
satrust=$(echo "${trustlist}" | \ satrust=$(echo "${trustlist}" | \
grep "TLS Web Server" 2>&1> /dev/null && echo "C") grep "TLS Web Server" > /dev/null 2>&1 && echo "C")
smtrust=$(echo "${trustlist}" | \ smtrust=$(echo "${trustlist}" | \
grep "E-mail Protection" 2>&1 >/dev/null && echo "C") grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
cstrust=$(echo "${trustlist}" | \ cstrust=$(echo "${trustlist}" | \
grep "Code Signing" 2>&1 >/dev/null && echo "C") grep "Code Signing" > /dev/null 2>&1 && echo "C")
catrust=$(echo "${trustlist}" | \ catrust=$(echo "${trustlist}" | \
grep "Client Auth" 2>&1 >/dev/null && echo "C") grep "Client Auth" > /dev/null 2>&1 && echo "C")
# Get reject information # Get reject information
rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \ rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
grep -A1 "Rejected Uses") grep -A1 "Rejected Uses")
if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \ if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi grep "TLS Web Server" > /dev/null 2>&1 && echo "p"); fi
if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \ if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi grep "E-mail Protection" > /dev/null 2>&1 && echo "p"); fi
if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \ if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
grep "Code Signing" 2>&1> /dev/null && echo "p"); fi grep "Code Signing" > /dev/null 2>&1 && echo "p"); fi
if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \ if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
grep "Client Auth" 2>&1> /dev/null && echo "p"); fi grep "Client Auth" > /dev/null 2>&1 && echo "p"); fi
# Get individual values for certificates # Get individual values for certificates