Use md5sum values for anchors.txt to detect p11-kit changes

Added get_p11_label function to get reliable label values
2019-01-01 14:08:35 -06:00 · 2019-01-01 14:08:35 -06:00 · 5316943b46
commit 5316943b46
parent 33cdab2a45
3 changed files with 25 additions and 6 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+1.2      - Use md5sum values for anchors.txt to detect p11-kit changes
+         - Added get_p11_label function to get reliable label values
 1.1      - Add anchorlist for use by p11-kit to utilize LOCALDIR
 1.0      - Move bundle defaults to /etc/pki/tls/{certs,java}/
         - Fix invalid test cases on command line processing
--- a/28
+++ b/28
@ -21,6 +21,7 @@ else
    SSLDIR="/etc/ssl"
    CERTUTIL="/usr/bin/certutil"
    KEYTOOL="${JAVA_HOME}/bin/keytool"
+    MD5SUM="/usr/bin/md5sum"
    OPENSSL="/usr/bin/openssl"
    TRUST="/usr/bin/trust"
    ANCHORDIR="${PKIDIR}/anchors"
@ -372,7 +373,7 @@ function convert_trust_arg(){
 }
    
 # Define p11-kit ext value constants (see p11-kit API documentation)
-get-p11-val() {
+function get-p11-val() {
  case $1 in
    p11sasmcs)
      p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
@ -408,6 +409,23 @@ get-p11-val() {
  esac
 }

+function get_p11_label() {
+    p11label="$(grep -m1 "Issuer" ${1} | grep -o CN=.*$ | \
+                cut -d ',' -f 1 | sed 's@CN=@@')"
+
+    # Fallback to the OU value if CN does not exeist in Issuer string
+    if [ "${p11label}" == "" ]; then
+        p11label="$(grep -m1 "Issuer" ${1} | grep -o "OU=.*$" | \
+                    cut -d ',' -f 1 | sed 's@OU=@@')"
+
+        # If still empty, fall back to Object value as a last resort
+        if [ "${p11label}" == "" ]; then
+            p11label="$(grep -m1 "Issuer" ${1} | grep -o "O=.*$" | \
+                        cut -d ',' -f 1 | sed 's@O=@@')"
+        fi
+    fi
+}
+
 # Process command line arguments
 get_args $@

@ -549,8 +567,7 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
  certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"

  # Get p11-kit label, oid, and values
-  p11label="$(grep -m1 "Issuer" ${tempfile} | grep -o CN=.*$ | \
-              cut -d ',' -f 1 | sed 's@CN=@@')"
+  get_p11_label "${tempfile}"

  # if distrusted at all, x-distrusted
  if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@ -736,8 +753,7 @@ if test -d "${LOCALDIR}"; then
    certtxt="$(${OPENSSL} x509 -in ${cert} -noout -text)"

    # Place certificate into trust anchors dir
-    p11label="$(grep -m1 "Issuer" ${cert} | grep -o CN=.*$ | \
-                cut -d ',' -f 1 | sed 's@CN=@@')"
+    get_p11_label "${cert}"

    # if distrusted at all, x-distrusted
    if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@ -850,7 +866,7 @@ fi
 rm -rf "${TEMPDIR}"

 # Build ANCHORLIST
-/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}"
+"${MD5SUM}" "${ANCHORDIR}"/*.pem > "${ANCHORLIST}"

 # Build alternate formats using p11-kit trust (if not using DESTDIR)
 if test "x${DESTDIR}" == "x"; then
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
@ -5,6 +5,7 @@ PKIDIR="/etc/pki"
 SSLDIR="/etc/ssl"
 CERTUTIL="/usr/bin/certutil"
 KEYTOOL="${JAVA_HOME}/bin/keytool"
+MD5SUM="/usr/bin/md5sum"
 OPENSSL="/usr/bin/openssl"
 TRUST="/usr/bin/trust"
 ANCHORDIR="${PKIDIR}/anchors"