Add anchorlist for use by p11-kit to utilize LOCALDIR

CHANGELOG

@@ -1,3 +1,4 @@
+1.1      - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0      - Move bundle defaults to /etc/pki/tls/{certs,java}/
          - Fix invalid test cases on command line processing
          - Remove -c/--cadir flags, replace with -b/--bundledir to store

README

@@ -36,3 +36,49 @@ particular use, replace the -addtrust flag with the -addreject flag.
 Local trust overrides are handled entirely using the /etc/ssl/local directory.
 To override Mozilla's trust values, simply make a copy of the certificate in
 the local directory with alternate trust values.
+
+Additionally, for the p11-kit distro hook, remove the "not configured" and
+"exit 1" lines from trust/trust-extract-compat.in, and add the following
+commands:
+
+===============================================================================
+# Use make-ca to manage certificates
+if [ -f /etc/make-ca.conf ]; then
+    . /etc/make-ca.conf
+else
+    #Use defaults if make-ca.conf does not exist
+    ANCHORDIR="/etc/pki/anchors"
+    ANCHORLIST="/etc/pki/anchors.txt"
+    LOCALDIR="/etc/ssl/local"
+    CERTLIST=""
+fi
+
+# Create a list of certificates not present at previous run
+for ca in `/bin/ls -1 --color=none "${ANCHORDIR}"` ; do
+    /bin/grep "${ca}" "${ANCHORLIST}" 2>&1>/dev/null || \
+        CERTLIST="${CERTLIST} ${ca}"
+done
+
+# Dump to a temporary directory
+TEMPDIR=`mktemp -d`
+/usr/bin/trust extract --filter=certificates --format=openssl-directory \
+                       --overwrite "${TEMPDIR}"
+
+# Copy new certificates to LOCALDIR
+for certificate in `echo "${CERTLIST}"` ; do
+    LABEL=`/bin/grep -m 1 "label:" "${ANCHORDIR}/${certificate}"`
+    LABELNEW=`echo "${LABEL}" | \
+                   /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
+    cp -v "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+    unset LABEL LABELNEW
+done
+
+# Clean up
+rm -rf "${TEMPDIR}"
+unset ANCHORDIR ANCHORLIST LOCALDIR CERTLIST TEMPDIR
+
+# Generate a new trust store
+/usr/sbin/make-ca -f
+EOF
+===============================================================================
+

make-ca

@@ -24,6 +24,7 @@ else
     OPENSSL="/usr/bin/openssl"
     TRUST="/usr/bin/trust"
     ANCHORDIR="${PKIDIR}/anchors"
+    ANCHORLIST="${PKIDIR}/anchors.txt"
     BUNDLEDIR="${PKIDIR}/tls/certs"
     CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
     SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
@@ -848,6 +849,9 @@ fi
 # Clean up the mess
 rm -rf "${TEMPDIR}"
 
+# Build ANCHORLIST
+/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
+
 # Build alternate formats using p11-kit trust (if not using DESTDIR)
 if test "x${DESTDIR}" == "x"; then
   mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"

make-ca.conf.dist

@@ -8,6 +8,7 @@ KEYTOOL="${JAVA_HOME}/bin/keytool"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
+ANCHORLIST="${PKIDIR}/anchors.txt"
 BUNDLEDIR="${PKIDIR}/tls/certs"
 CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
 SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"