Add anchorlist for use by p11-kit to utilize LOCALDIR

This commit is contained in:
DJ Lucas 2018-12-28 00:41:01 -06:00
parent 2526d6b813
commit 33cdab2a45
4 changed files with 52 additions and 0 deletions

View File

@ -1,3 +1,4 @@
1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
- Fix invalid test cases on command line processing
- Remove -c/--cadir flags, replace with -b/--bundledir to store

46
README
View File

@ -36,3 +36,49 @@ particular use, replace the -addtrust flag with the -addreject flag.
Local trust overrides are handled entirely using the /etc/ssl/local directory.
To override Mozilla's trust values, simply make a copy of the certificate in
the local directory with alternate trust values.
Additionally, for the p11-kit distro hook, remove the "not configured" and
"exit 1" lines from trust/trust-extract-compat.in, and add the following
commands:
===============================================================================
# Use make-ca to manage certificates
if [ -f /etc/make-ca.conf ]; then
. /etc/make-ca.conf
else
#Use defaults if make-ca.conf does not exist
ANCHORDIR="/etc/pki/anchors"
ANCHORLIST="/etc/pki/anchors.txt"
LOCALDIR="/etc/ssl/local"
CERTLIST=""
fi
# Create a list of certificates not present at previous run
for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
/bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
CERTLIST="${CERTLIST} ${ca}"
done
# Dump to a temporary directory
TEMPDIR=`mktemp -d`
/usr/bin/trust extract --filter=certificates --format=openssl-directory \
--overwrite "${TEMPDIR}"
# Copy new certificates to LOCALDIR
for certificate in `echo "${CERTLIST}"` ; do
LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
LABELNEW=`echo "${LABEL}" | \
/bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
unset LABEL LABELNEW
done
# Clean up
rm -rf "${TEMPDIR}"
unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
# Generate a new trust store
/usr/sbin/make-ca -f
EOF
===============================================================================

View File

@ -24,6 +24,7 @@ else
OPENSSL="/usr/bin/openssl"
TRUST="/usr/bin/trust"
ANCHORDIR="${PKIDIR}/anchors"
ANCHORLIST="${PKIDIR}/anchors.txt"
BUNDLEDIR="${PKIDIR}/tls/certs"
CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
@ -848,6 +849,9 @@ fi
# Clean up the mess
rm -rf "${TEMPDIR}"
# Build ANCHORLIST
/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
# Build alternate formats using p11-kit trust (if not using DESTDIR)
if test "x${DESTDIR}" == "x"; then
mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"

View File

@ -8,6 +8,7 @@ KEYTOOL="${JAVA_HOME}/bin/keytool"
OPENSSL="/usr/bin/openssl"
TRUST="/usr/bin/trust"
ANCHORDIR="${PKIDIR}/anchors"
ANCHORLIST="${PKIDIR}/anchors.txt"
BUNDLEDIR="${PKIDIR}/tls/certs"
CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"