make-ca: Add nss-{server,email}-distrust-after values in anchors.
This commit is contained in:
DJ Lucas
parent
e38a575d03
commit
6ee8e5316e
@ -6,6 +6,7 @@
|
|||||||
copy-local-modifications
|
copy-local-modifications
|
||||||
- Assume serverAuth for certificates added by 'trust anchors --store'
|
- Assume serverAuth for certificates added by 'trust anchors --store'
|
||||||
and generate a trusted certificate for use in LOCALDIR
|
and generate a trusted certificate for use in LOCALDIR
|
||||||
|
- Add nss-{server,email}-distrust-after values in anchors
|
||||||
1.7 - Revert help2man update (requires complete perl environment)
|
1.7 - Revert help2man update (requires complete perl environment)
|
||||||
1.6 - Fix install target for make -j#
|
1.6 - Fix install target for make -j#
|
||||||
- Add detailed dependency info and add note about configuration file
|
- Add detailed dependency info and add note about configuration file
|
||||||
|
|||||||
46
make-ca
46
make-ca
@ -332,6 +332,39 @@ function convert_trust(){
|
|||||||
esac
|
esac
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function convert_moz_distrust(){
|
||||||
|
# SERVER
|
||||||
|
val=$(grep "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | cut -d " " -f 2)
|
||||||
|
if test "${val}" == "CK_BBOOL"; then
|
||||||
|
val=$(grep "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | cut -d " " -f 3)
|
||||||
|
if test "${val}" == "CK_FALSE"; then
|
||||||
|
mozsadistrust="%00"
|
||||||
|
else
|
||||||
|
mozsadistrust="UNKNOWN"
|
||||||
|
fi
|
||||||
|
elif test "${val}" == "MULTILINE_OCTAL"; then
|
||||||
|
mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
|
||||||
|
else
|
||||||
|
mozsadistrust="UNKNOWN"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# EMAIL
|
||||||
|
val=$(grep "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | cut -d " " -f 2)
|
||||||
|
if test "${val}" == "CK_BBOOL"; then
|
||||||
|
val=$(grep "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | cut -d " " -f 3)
|
||||||
|
if test "${val}" == "CK_FALSE"; then
|
||||||
|
mozsmdistrust="%00"
|
||||||
|
else
|
||||||
|
mozsmdistrust="UNKNOWN"
|
||||||
|
fi
|
||||||
|
elif test "${val}" == "MULTILINE_OCTAL"; then
|
||||||
|
mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
|
||||||
|
else
|
||||||
|
mozsmdistrust="UNKNOWN"
|
||||||
|
fi
|
||||||
|
unset val
|
||||||
|
}
|
||||||
|
|
||||||
function convert_trust_arg(){
|
function convert_trust_arg(){
|
||||||
case $1 in
|
case $1 in
|
||||||
C)
|
C)
|
||||||
@ -441,6 +474,9 @@ function get_trust_values() {
|
|||||||
# Not currently included in NSS certdata.txt
|
# Not currently included in NSS certdata.txt
|
||||||
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
|
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
|
||||||
# cut -d " " -f 3`)"
|
# cut -d " " -f 3`)"
|
||||||
|
|
||||||
|
# Determine distrust values
|
||||||
|
convert_moz_distrust ${1}
|
||||||
}
|
}
|
||||||
|
|
||||||
function get_p11_trust() {
|
function get_p11_trust() {
|
||||||
@ -483,6 +519,12 @@ function write_anchor() {
|
|||||||
echo "${p11trust}" >> "${anchorfile}"
|
echo "${p11trust}" >> "${anchorfile}"
|
||||||
echo "nss-mozilla-ca-policy: ${moz_trust}" >> "${anchorfile}"
|
echo "nss-mozilla-ca-policy: ${moz_trust}" >> "${anchorfile}"
|
||||||
echo "modifiable: false" >> "${anchorfile}"
|
echo "modifiable: false" >> "${anchorfile}"
|
||||||
|
if test "${mozsadistrust}" != "UNKNOWN"; then
|
||||||
|
echo "nss-server-distrust-after: \"${mozsadistrust}\"" >> "${anchorfile}"
|
||||||
|
fi
|
||||||
|
if test "${mozsmdistrust}" != "UNKNOWN"; then
|
||||||
|
echo "nss-email-distrust-after: \"${mozsmdistrust}\"" >> "${anchorfile}"
|
||||||
|
fi
|
||||||
echo "${certcer}" >> "${anchorfile}"
|
echo "${certcer}" >> "${anchorfile}"
|
||||||
echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
|
echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
|
||||||
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
||||||
@ -695,6 +737,7 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
|||||||
# Clean up the directory and environment as we go
|
# Clean up the directory and environment as we go
|
||||||
rm -f tempfile.crt
|
rm -f tempfile.crt
|
||||||
unset keyhash subject count
|
unset keyhash subject count
|
||||||
|
unset mozsadistrust mozsmdistrust
|
||||||
unset trustlist rejectlist satrust smtrust cstrust catrust
|
unset trustlist rejectlist satrust smtrust cstrust catrust
|
||||||
unset p11trust p11oid p11value trustp11 p11label anchrorfile moz_trust
|
unset p11trust p11oid p11value trustp11 p11label anchrorfile moz_trust
|
||||||
|
|
||||||
@ -783,6 +826,8 @@ if test -d "${LOCALDIR}"; then
|
|||||||
# Place certificate into trust anchors dir
|
# Place certificate into trust anchors dir
|
||||||
anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem"
|
anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem"
|
||||||
moz_trust="false"
|
moz_trust="false"
|
||||||
|
mozsadistrust="UNKNOWN"
|
||||||
|
mozsmdistrust="UNKNOWN"
|
||||||
write_anchor
|
write_anchor
|
||||||
|
|
||||||
# Generate working copy
|
# Generate working copy
|
||||||
@ -799,6 +844,7 @@ if test -d "${LOCALDIR}"; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
unset keyhash subject count
|
unset keyhash subject count
|
||||||
|
unset mozsadistrust mozsmdistrust
|
||||||
unset trustlist rejectlist satrust smtrust cstrust catrust
|
unset trustlist rejectlist satrust smtrust cstrust catrust
|
||||||
unset p11trust p11oid p11value trustp11 p11label anchorfile moz_trust
|
unset p11trust p11oid p11value trustp11 p11label anchorfile moz_trust
|
||||||
echo -e "\n"
|
echo -e "\n"
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user