Add anchorlist for use by p11-kit to utilize LOCALDIR

2018-12-28 00:41:01 -06:00
parent 2526d6b813
commit 33cdab2a45
4 changed files with 52 additions and 0 deletions
--- a/1
+++ b/1
@@ -1,3 +1,4 @@
+1.1      - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0      - Move bundle defaults to /etc/pki/tls/{certs,java}/
         - Fix invalid test cases on command line processing
         - Remove -c/--cadir flags, replace with -b/--bundledir to store
--- a/46
+++ b/46
@@ -36,3 +36,49 @@ particular use, replace the -addtrust flag with the -addreject flag.
 Local trust overrides are handled entirely using the /etc/ssl/local directory.
 To override Mozilla's trust values, simply make a copy of the certificate in
 the local directory with alternate trust values.
+
+Additionally, for the p11-kit distro hook, remove the "not configured" and
+"exit 1" lines from trust/trust-extract-compat.in, and add the following
+commands:
+
+===============================================================================
+# Use make-ca to manage certificates
+if [ -f /etc/make-ca.conf ]; then
+    . /etc/make-ca.conf
+else
+    #Use defaults if make-ca.conf does not exist
+    ANCHORDIR="/etc/pki/anchors"
+    ANCHORLIST="/etc/pki/anchors.txt"
+    LOCALDIR="/etc/ssl/local"
+    CERTLIST=""
+fi
+
+# Create a list of certificates not present at previous run
+for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
+    /bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
+        CERTLIST="${CERTLIST} ${ca}"
+done
+
+# Dump to a temporary directory
+TEMPDIR=`mktemp -d`
+/usr/bin/trust extract --filter=certificates --format=openssl-directory \
+                       --overwrite "${TEMPDIR}"
+
+# Copy new certificates to LOCALDIR
+for certificate in `echo "${CERTLIST}"` ; do
+    LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
+    LABELNEW=`echo "${LABEL}" | \
+                   /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
+    cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+    unset LABEL LABELNEW
+done
+
+# Clean up
+rm -rf "${TEMPDIR}"
+unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+
+# Generate a new trust store
+/usr/sbin/make-ca -f
+EOF
+===============================================================================
+
--- a/4
+++ b/4
@@ -24,6 +24,7 @@ else
    OPENSSL="/usr/bin/openssl"
    TRUST="/usr/bin/trust"
    ANCHORDIR="${PKIDIR}/anchors"
+    ANCHORLIST="${PKIDIR}/anchors.txt"
    BUNDLEDIR="${PKIDIR}/tls/certs"
    CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
    SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
@@ -848,6 +849,9 @@ fi
 # Clean up the mess
 rm -rf "${TEMPDIR}"

+# Build ANCHORLIST
+/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
+
 # Build alternate formats using p11-kit trust (if not using DESTDIR)
 if test "x${DESTDIR}" == "x"; then
  mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
@@ -8,6 +8,7 @@ KEYTOOL="${JAVA_HOME}/bin/keytool"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
+ANCHORLIST="${PKIDIR}/anchors.txt"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"