From 5316943b4687a5263377eda5e82091770ef19f51 Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Tue, 1 Jan 2019 14:08:35 -0600
Subject: [PATCH] Use md5sum values for anchors.txt to detect p11-kit changes

Added get_p11_label function to get reliable label values
---
 CHANGELOG | 2 ++
 make-ca | 28 ++++++++++++++++++++++------
 make-ca.conf.dist | 1 +
 3 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 7198140..5198a2a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,5 @@
+1.2 - Use md5sum values for anchors.txt to detect p11-kit changes
+ - Added get_p11_label function to get reliable label values
 1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
 - Fix invalid test cases on command line processing
diff --git a/make-ca b/make-ca
index 69e0f70..0a58577 100644
--- a/make-ca
+++ b/make-ca
@@ -21,6 +21,7 @@ else
 SSLDIR="/etc/ssl"
 CERTUTIL="/usr/bin/certutil"
 KEYTOOL="${JAVA_HOME}/bin/keytool"
+ MD5SUM="/usr/bin/md5sum"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"
@@ -372,7 +373,7 @@ function convert_trust_arg(){
 }
 
 # Define p11-kit ext value constants (see p11-kit API documentation)
-get-p11-val() {
+function get-p11-val() {
 case $1 in
 p11sasmcs)
 p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
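Review bot: The MD5SUM default is introduced only inside this `else` branch of make-ca, so an existing make-ca.conf written before this change (which has no MD5SUM line) leaves the variable empty, and the later `"${MD5SUM}" "${ANCHORDIR}"/*.pem` line runs an empty command name and fails. The branch that sources the config is outside the hunk, so this is inferred from the `else` in the hunk header. A tolerant default applied after the config is read, `MD5SUM="${MD5SUM:-/usr/bin/md5sum}"`, or an explicit `: "${MD5SUM:?MD5SUM not set in make-ca.conf}"` before the first use, would surface the upgrade case instead of producing a silently empty anchors.txt.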
@@ -408,6 +409,23 @@ get-p11-val() {
 esac
 }
 
+function get_p11_label() {
+ p11label="$(grep -m1 "Issuer" ${1} | grep -o CN=.*$ | \
+ cut -d ',' -f 1 | sed 's@CN=@@')"
+
+ # Fallback to the OU value if CN does not exeist in Issuer string
+ if [ "${p11label}" == "" ]; then
+ p11label="$(grep -m1 "Issuer" ${1} | grep -o "OU=.*$" | \
+ cut -d ',' -f 1 | sed 's@OU=@@')"
+
+ # If still empty, fall back to Object value as a last resort
+ if [ "${p11label}" == "" ]; then
+ p11label="$(grep -m1 "Issuer" ${1} | grep -o "O=.*$" | \
+ cut -d ',' -f 1 | sed 's@O=@@')"
+ fi
+ fi
+}
+
 # Process command line arguments
 get_args $@
@@ -549,8 +567,7 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
 certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
 
 # Get p11-kit label, oid, and values
- p11label="$(grep -m1 "Issuer" ${tempfile} | grep -o CN=.*$ | \
- cut -d ',' -f 1 | sed 's@CN=@@')"
+ get_p11_label "${tempfile}"
 
 # if distrusted at all, x-distrusted
 if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@@ -736,8 +753,7 @@ if test -d "${LOCALDIR}"; then
 certtxt="$(${OPENSSL} x509 -in ${cert} -noout -text)"
 
 # Place certificate into trust anchors dir
- p11label="$(grep -m1 "Issuer" ${cert} | grep -o CN=.*$ | \
- cut -d ',' -f 1 | sed 's@CN=@@')"
+ get_p11_label "${cert}"
 
 # if distrusted at all, x-distrusted
 if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@@ -850,7 +866,7 @@ fi
 rm -rf "${TEMPDIR}"
 
 # Build ANCHORLIST
-/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
+"${MD5SUM}" "${ANCHORDIR}"/*.pem > "${ANCHORLIST}"
 
 # Build alternate formats using p11-kit trust (if not using DESTDIR)
 if test "x${DESTDIR}" == "x"; then
diff --git a/make-ca.conf.dist b/make-ca.conf.dist
index 6119848..5361c43 100644
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
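Review bot: In get_p11_label the CN branch passes its pattern to grep unquoted (`grep -o CN=.*$`) and leaves the file argument `${1}` unquoted, unlike the OU and O branches below it; a file in the working directory that happens to match `CN=*` is globbed into the pattern, and a path containing whitespace is split. Quote both, `p11label="$(grep -m1 "Issuer" "${1}" | grep -o 'CN=.*$' | \`, and do the same for `"${1}"` in the two fallback branches. Because each branch takes `cut -d ',' -f 1`, a CN, OU or O value that itself contains a comma is truncated, and when none of the three is present the function leaves p11label empty without telling the caller; a closing `[ -n "${p11label}" ] || echo "${1}: no CN/OU/O in Issuer" >&2` would make that case visible. Two wording fixes in the comments: `exeist` → `exist`, and `Object value` should read `Organization (O=) value`, since that is what the last grep extracts.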
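Review bot: This call site and the one in the LOCALDIR loop at -736 (`get_p11_label "${cert}"`) use the global p11label afterwards with no check that get_p11_label found any of CN, OU or O, so an Issuer line with none of them produces an empty label in whatever p11-kit record is built further down (outside the hunk). A one-line fallback after the call, `[ -n "${p11label}" ] || p11label="${tempfile##*/}"` (and `${cert##*/}` in the -736 hunk), keeps every anchor labelled and the behaviour predictable. Unrelated to the change but visible in context: the certtxt line reads `-in tempfile.crt`, a literal file name, rather than `${tempfile}`; presumably the loop writes that file earlier, but it is worth confirming, since the enclosing for loop starts outside the hunk.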
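Review bot: `"${ANCHORDIR}"/*.pem` relies on the shell glob, so when ANCHORDIR holds no .pem files md5sum is handed the literal pattern, reports an error, and ANCHORLIST is truncated to an empty file (unless the script runs under `set -e`, which is not visible here); the replaced `ls` listed every entry regardless of suffix. Wrapping the line as `if ls "${ANCHORDIR}"/*.pem >/dev/null 2>&1; then "${MD5SUM}" "${ANCHORDIR}"/*.pem > "${ANCHORLIST}"; else : > "${ANCHORLIST}"; fi`, or checking md5sum's exit status, keeps a missing-anchor case from looking like a successful empty run. It would also help readers of anchors.txt to say what the checksums are for: a comment such as `# md5sum is used only to notice that an anchor changed between runs; it is not an integrity check` above the line, since anyone able to edit the anchors can update the list too. The preceding `rm -rf "${TEMPDIR}"` predates this change, but `rm -rf "${TEMPDIR:?}"` would protect against an unset variable on the same line.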
@@ -5,6 +5,7 @@ PKIDIR="/etc/pki"
 SSLDIR="/etc/ssl"
 CERTUTIL="/usr/bin/certutil"
 KEYTOOL="${JAVA_HOME}/bin/keytool"
+MD5SUM="/usr/bin/md5sum"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"