From 33cdab2a45101c3242bcf16a0aebf466c12b943e Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Fri, 28 Dec 2018 00:41:01 -0600
Subject: [PATCH] Add anchorlist for use by p11-kit to utilize LOCALDIR

---
 CHANGELOG | 1 +
 README | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 make-ca | 4 ++++
 make-ca.conf.dist | 1 +
 4 files changed, 52 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index f9a3bcf..7198140 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,4 @@
+1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
 - Fix invalid test cases on command line processing
 - Remove -c/--cadir flags, replace with -b/--bundledir to store
diff --git a/README b/README
index 3997d53..7cb5fb2 100644
--- a/README
+++ b/README
@@ -36,3 +36,49 @@ particular use, replace the -addtrust flag with the -addreject flag. Local trust overrides are handled entirely using the /etc/ssl/local directory. To override Mozilla's trust values, simply make a copy of the certificate in the local directory with alternate trust values. + +Additionally, for the p11-kit distro hook, remove the "not configured" and +"exit 1" lines from trust/trust-extract-compat.in, and add the following +commands: + +=============================================================================== +# Use make-ca to manage certificates +if [ -f /etc/make-ca.conf ]; then + . /etc/make-ca.conf +else + #Use defaults if make-ca.conf does not exist + ANCHORDIR="/etc/pki/anchors" + ANCHORLIST="/etc/pki/anchors.txt" + LOCALDIR="/etc/ssl/local" + CERTLIST="" +fi + +# Create a list of certificates not present at previous run +for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do + /bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \ + CERTLIST="${CERTLIST} ${ca}" +done + +# Dump to a temporary directory +TEMPDIR=`mktemp -d` +/usr/bin/trust extract --filter=certificates --format=openssl-directory \ + --overwrite "${TEMPDIR}" + +# Copy new certificates to LOCALDIR +for certificate in `echo "${CERTLIST}"` ; do + LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"` + LABELNEW=`echo "${LABEL}" | \ + /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'` + cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}" + unset LABEL LABELNEW +done + +# Clean up +rm -rf "${TEMPDIR}" +unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR + +# Generate a new trust store +/usr/sbin/make-ca -f +EOF +=============================================================================== + diff --git a/make-ca b/make-ca index 34ac134..69e0f70 100644 --- a/make-ca +++ b/make-ca 
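Review bot: The presence check `/bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null` in the documented hook is an unanchored regex match with its redirections in the wrong order (stdout is discarded but stderr still reaches the terminal), so an anchor whose filename is a substring of an older entry is treated as already present and never reaches LOCALDIR; the exact, quiet form is `/bin/grep -qxF -- "${ca}" "${ANCHORLIST}" || CERTLIST="${CERTLIST} ${ca}"`. Until make-ca has been run once with this version `${ANCHORLIST}` does not exist, every grep fails and, if I read the hook right, every file in ANCHORDIR is copied into LOCALDIR, where the README says it would override Mozilla's trust values from then on; a guard such as `[ -f "${ANCHORLIST}" ] || exit 0` before the first loop avoids that. The `EOF` line after `/usr/sbin/make-ca -f` looks like a leftover here-document terminator and would be executed as a command if the block is pasted into trust-extract-compat.in as instructed. The two loops that iterate over the output of `/bin/ls` also break on filenames containing whitespace; iterating `"${ANCHORDIR}"/*` and stripping the directory with `${ca##*/}` avoids parsing ls.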
@@ -24,6 +24,7 @@ else
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
+ ANCHORLIST="${PKIDIR}/anchors.txt"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
@@ -848,6 +849,9 @@ fi
 # Clean up the mess
 rm -rf "${TEMPDIR}"
 
+# Build ANCHORLIST
+/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
+
 # Build alternate formats using p11-kit trust (if not using DESTDIR)
 if test "x${DESTDIR}" == "x"; then
 mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"
diff --git a/make-ca.conf.dist b/make-ca.conf.dist
index 267037d..6119848 100644
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
@@ -8,6 +8,7 @@ KEYTOOL="${JAVA_HOME}/bin/keytool"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
+ANCHORLIST="${PKIDIR}/anchors.txt"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
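Review bot: The new `/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"` in the second make-ca hunk runs before the `if test "x${DESTDIR}" == "x"` check that immediately follows it, so a staged build writes anchors.txt into `${PKIDIR}` on the build host unless PKIDIR already carries the DESTDIR prefix, which this hunk does not show; moving the write inside that block, or prefixing the path the same way the bundle paths are, would keep DESTDIR builds self-contained. The file is read back by the p11-kit hook from the README, which matches anchor filenames against its lines, so the comment should say what the format is and who consumes it, e.g. `# Build ANCHORLIST: one anchor filename per line, read by the trust-extract-compat hook (see README)`. `--color=none` is a GNU-only ls option and is redundant when stdout is a file, so it can be dropped; the same listing without parsing ls is `( cd "${ANCHORDIR}" && printf '%s\n' * ) > "${ANCHORLIST}"`, though note that form prints a literal `*` for an empty directory. The enclosing script continues outside the hunk.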