Add email and code signing single stores.

CHANGELOG

@@ -1,4 +1,4 @@
-0.4      -
+0.4      - Add email and code signing flat file certificate stores
 0.3      - Generate single file stores (Java and GNUTLS) using main OpenSSL
            store as source to avoid duplicates
 0.2      - Install source certdata.txt file

CS.txt

@@ -0,0 +1,14 @@
+Mozilla no longer provides any trust information for code signing, opting only
+to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
+the functionality from NSS. There is no trusted source of authority for code
+signing (such as we use Mozilla for TLS/S-Mime). The following list of
+certificate hashes that are already installed (as they have TLS trust from
+Mozilla) that are also trusted by Microsoft for code signing. The Microsoft
+Trusted Root Certificate Program's inclusion policy is available for review at
+https://technet.microsoft.com/en-us/library/mt171474.aspx.
+
+02265526,062cdee6,157753a5,244b5494,2c543cd1,2e4eed3c,3513523f,4304c5e5,
+442adcac,480720ec,48bec511,4a6481c9,4bfab552,5ad8a5d6,653b494a,6b99d060,
+7d0b38bd,ae8153b9,aee5f10d,b1159c4c,b204d74a,b7a5b843,ba89ed3b,c01cdfa2,
+c0ff1f52,cbf06781,d7e8dc79,e2799e36,f081611a,f3377b1b,f387163d,f39fc864
+

make-ca

@@ -22,6 +22,8 @@ else
     OPENSSL="/usr/bin/openssl"
     ANCHORDIR="${PKIDIR}/anchors"
     CABUNDLE="${SSLDIR}/ca-bundle.crt"
+    SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
+    CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
     CERTDIR="${SSLDIR}/certs"
     KEYSTORE="${SSLDIR}/java/cacerts"
     NSSDB="${PKIDIR}/nssdb"
@@ -773,15 +775,21 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
   trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
                      grep -A1 "Trusted Uses")
   satrust=""
+  smtrust=""
+  cstrust=""
   satrust=$(echo "${trustlist}" | \
             grep "TLS Web Server" 2>&1> /dev/null && echo "C")
+  smtrust=$(echo "${trustlist}" | \
+            grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
+  cstrust=$(echo "${trustlist}" | \
+            grep "Code Signing" 2>&1 >/dev/null && echo "C")
 
   if test "${satrust}x" == "Cx"; then
     echo ""
     echo "${certname}" | sed 's@Alias:@Certificate: @'
     echo "Keyhash:      ${keyhash}"
 
-    # Append to the bundle
+    # Append to the CA bundle
     "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
          > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
     cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
@@ -797,6 +805,28 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
       sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
     fi
   fi
+  if test "${smtrust}x" == "Cx"; then
+    echo ""
+    echo "${certname}" | sed 's@Alias:@Certificate: @'
+    echo "Keyhash:      ${keyhash}"
+
+    # Append to the s-mime bundle
+    "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+         > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+    cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${SMBUNDLE}"
+    echo "Added to s-mime certificate bundle."
+  fi
+  if test "${cstrust}x" == "Cx"; then
+    echo ""
+    echo "${certname}" | sed 's@Alias:@Certificate: @'
+    echo "Keyhash:      ${keyhash}"
+
+    # Append to the code signing bundle
+    "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+         > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+    cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CSBUNDLE}"
+    echo "Added to code signing certificate bundle."
+  fi
 done
 
 /usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null