Add email and code signing single stores.
This commit is contained in:
parent
73d32415a1
commit
3e5253e9f9
@ -1,4 +1,4 @@
|
|||||||
0.4 -
|
0.4 - Add email and code signing flat file certificate stores
|
||||||
0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
|
0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
|
||||||
store as source to avoid duplicates
|
store as source to avoid duplicates
|
||||||
0.2 - Install source certdata.txt file
|
0.2 - Install source certdata.txt file
|
||||||
|
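--- /dev/null
+++ b/CS.txt
@@ -0,0 +1,14 @@
+Mozilla no longer provides any trust information for code signing, opting only
+to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
+the functionality from NSS. There is no trusted source of authority for code
+signing (such as we use Mozilla for TLS/S-Mime). The following list of
+certificate hashes that are already installed (as they have TLS trust from
+Mozilla) that are also trusted by Microsoft for code signing. The Microsoft
+Trusted Root Certificate Program's inclusion policy is available for review at
+https://technet.microsoft.com/en-us/library/mt171474.aspx.
+
+02265526,062cdee6,157753a5,244b5494,2c543cd1,2e4eed3c,3513523f,4304c5e5,
+442adcac,480720ec,48bec511,4a6481c9,4bfab552,5ad8a5d6,653b494a,6b99d060,
+7d0b38bd,ae8153b9,aee5f10d,b1159c4c,b204d74a,b7a5b843,ba89ed3b,c01cdfa2,
+c0ff1f52,cbf06781,d7e8dc79,e2799e36,f081611a,f3377b1b,f387163d,f39fc864
+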
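Review bot: The hash list on the last four lines of CS.txt records neither the date nor the revision of the Microsoft program list it was derived from, so a later maintainer cannot tell whether an entry has since been removed from that program; a line such as `Derived from the Microsoft Trusted Root Program list as of <DATE-PLACEHOLDER>; re-verify on each update` in the header would make the list auditable. The values look like eight-hex-digit OpenSSL subject hashes rather than certificate fingerprints, which would identify a subject name and not one specific certificate, so if that is the case the header should state it so nobody mistakes this for a fingerprint pin. The sentence beginning "The following list of certificate hashes" is also a fragment and reads better as "The following list contains hashes of certificates that are already installed (...) and are also trusted by Microsoft for code signing."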
32
make-ca
Executable file → Normal file
32
make-ca
Executable file → Normal file
@ -22,6 +22,8 @@ else
|
|||||||
OPENSSL="/usr/bin/openssl"
|
OPENSSL="/usr/bin/openssl"
|
||||||
ANCHORDIR="${PKIDIR}/anchors"
|
ANCHORDIR="${PKIDIR}/anchors"
|
||||||
CABUNDLE="${SSLDIR}/ca-bundle.crt"
|
CABUNDLE="${SSLDIR}/ca-bundle.crt"
|
||||||
|
SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
|
||||||
|
CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
|
||||||
CERTDIR="${SSLDIR}/certs"
|
CERTDIR="${SSLDIR}/certs"
|
||||||
KEYSTORE="${SSLDIR}/java/cacerts"
|
KEYSTORE="${SSLDIR}/java/cacerts"
|
||||||
NSSDB="${PKIDIR}/nssdb"
|
NSSDB="${PKIDIR}/nssdb"
|
||||||
@ -773,15 +775,21 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
|
|||||||
trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
|
trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
|
||||||
grep -A1 "Trusted Uses")
|
grep -A1 "Trusted Uses")
|
||||||
satrust=""
|
satrust=""
|
||||||
|
smtrust=""
|
||||||
|
cstrust=""
|
||||||
satrust=$(echo "${trustlist}" | \
|
satrust=$(echo "${trustlist}" | \
|
||||||
grep "TLS Web Server" 2>&1> /dev/null && echo "C")
|
grep "TLS Web Server" 2>&1> /dev/null && echo "C")
|
||||||
|
smtrust=$(echo "${trustlist}" | \
|
||||||
|
grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
|
||||||
|
cstrust=$(echo "${trustlist}" | \
|
||||||
|
grep "Code Signing" 2>&1 >/dev/null && echo "C")
|
||||||
|
|
||||||
if test "${satrust}x" == "Cx"; then
|
if test "${satrust}x" == "Cx"; then
|
||||||
echo ""
|
echo ""
|
||||||
echo "${certname}" | sed 's@Alias:@Certificate: @'
|
echo "${certname}" | sed 's@Alias:@Certificate: @'
|
||||||
echo "Keyhash: ${keyhash}"
|
echo "Keyhash: ${keyhash}"
|
||||||
|
|
||||||
# Append to the bundle
|
# Append to the CA bundle
|
||||||
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
||||||
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
||||||
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
|
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
|
||||||
@ -797,6 +805,28 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
|
|||||||
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
if test "${smtrust}x" == "Cx"; then
|
||||||
|
echo ""
|
||||||
|
echo "${certname}" | sed 's@Alias:@Certificate: @'
|
||||||
|
echo "Keyhash: ${keyhash}"
|
||||||
|
|
||||||
|
# Append to the s-mime bundle
|
||||||
|
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
||||||
|
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
||||||
|
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${SMBUNDLE}"
|
||||||
|
echo "Added to s-mime certificate bundle."
|
||||||
|
fi
|
||||||
|
if test "${cstrust}x" == "Cx"; then
|
||||||
|
echo ""
|
||||||
|
echo "${certname}" | sed 's@Alias:@Certificate: @'
|
||||||
|
echo "Keyhash: ${keyhash}"
|
||||||
|
|
||||||
|
# Append to the code signing bundle
|
||||||
|
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
||||||
|
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
||||||
|
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CSBUNDLE}"
|
||||||
|
echo "Added to code signing certificate bundle."
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
|
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
|
||||||
|
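Review bot: The make-ca file header shows the mode changing from an executable file to a normal file, which strips the script's execute bit and breaks direct invocation; nothing in the 32 changed lines explains it, so it looks accidental and should be restored with `chmod +x make-ca` before merge. The two new bundles are only ever appended to with `>>` (the `cat ... >> "${DESTDIR}${SMBUNDLE}"` and `"${DESTDIR}${CSBUNDLE}"` lines in the last hunk), so unless something outside these hunks truncates them before the `for cert` loop, as the existing CA bundle presumably is, a second run of make-ca accumulates duplicate certificates; a reviewer should confirm that initialization exists. The new `smtrust` and `cstrust` assignments copy the existing `2>&1 >/dev/null` ordering, which routes grep's stderr into the captured variable instead of discarding it; `grep -q "E-mail Protection" && echo "C"` (and likewise for "Code Signing") expresses the intent directly. The three trust branches now repeat the same openssl-to-temp-file-to-cat sequence verbatim, so the `"${OPENSSL}" x509 ... > "${TEMPDIR}/ssl/certs/${keyhash}.pem"` extraction could run once before the branches and each branch reduce to its `cat` and status message. The enclosing `for cert` loop begins outside the hunks.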