make-ca: Use p11label value and .p11-kit extension for anchor naming.

DJ Lucas 2021-08-05 22:31:13 -05:00
parent 0faf62233b
commit 8baf93dc22
2 changed files with 11 additions and 8 deletions


@ -4,13 +4,14 @@
- Use last OU= value for get_p11_label() fallback - Use last OU= value for get_p11_label() fallback
- Omit x-certificate-extension in comparison for - Omit x-certificate-extension in comparison for
copy-local-modifications copy-local-modifications
- Use X509v3 Key Usage section to determine local trust for anchros - Use X509v3 Key Usage section to determine local trust for anchors
added using 'trust anchor --store' added using 'trust anchor --store'
- Add nss-{server,email}-distrust-after values in anchors - requires - Add nss-{server,email}-distrust-after values in anchors - requires
p11-kit >= 0.23.19 p11-kit >= 0.23.19
- Use --filter=certificates for all stores - Use --filter=certificates for all stores
- Fix output of NSSDB and Java PCKS#12 stores - Fix output of NSSDB and Java PCKS#12 stores
- Correct incorrectly named get_p11_val() - Correct incorrectly named get_p11_val()
- Use p11label value and .p11-kit extension for anchor naming
1.7 - Revert help2man update (requires complete perl environment) 1.7 - Revert help2man update (requires complete perl environment)
1.6 - Fix install target for make -j# 1.6 - Fix install target for make -j#
- Add detailed dependency info and add note about configuration file - Add detailed dependency info and add note about configuration file

16
make-ca

@ -717,7 +717,8 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
echo "Keyhash: ${keyhash}" echo "Keyhash: ${keyhash}"
# Place certificate into trust anchors dir # Place certificate into trust anchors dir
anchorfile="${TEMPDIR}/pki/anchors/${keyhash}.pem" anchorlabel=$(echo ${p11label} | sed -e 's@ @_@g' -e 's@(@@g' -e 's@)@@g')
anchorfile="${TEMPDIR}/pki/anchors/${anchorlabel}.p11-kit"
moz_trust="true" moz_trust="true"
write_anchor write_anchor
@ -734,9 +735,9 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Clean up the directory and environment as we go # Clean up the directory and environment as we go
rm -f tempfile.crt rm -f tempfile.crt
unset keyhash subject count unset keyhash subject count
unset mozsadistrust mozsmdistrust unset mozsadistrust mozsmdistrust anchorlabel anchorfile moz_trust
unset trustlist rejectlist satrust smtrust cstrust catrust unset trustlist rejectlist satrust smtrust cstrust catrust
unset p11trust p11oid p11value trustp11 p11label anchrorfile moz_trust unset p11trust p11oid p11value trustp11 p11label
echo -e "\n" echo -e "\n"
done done
@ -745,7 +746,7 @@ unset tempfile
# Install anchors in $ANCHORDIR # Install anchors in $ANCHORDIR
test -d "${DESTDIR}${ANCHORDIR}" && rm -rf "${DESTDIR}${ANCHORDIR}" test -d "${DESTDIR}${ANCHORDIR}" && rm -rf "${DESTDIR}${ANCHORDIR}"
install -dm755 "${DESTDIR}${ANCHORDIR}" > /dev/null 2>&1 install -dm755 "${DESTDIR}${ANCHORDIR}" > /dev/null 2>&1
install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}" install -m644 "${TEMPDIR}"/pki/anchors/*.p11-kit "${DESTDIR}${ANCHORDIR}"
# Install NSS Shared DB # Install NSS Shared DB
if test "${WITH_NSS}" == "1"; then if test "${WITH_NSS}" == "1"; then
@ -821,7 +822,8 @@ if test -d "${LOCALDIR}"; then
get_p11_trust get_p11_trust
# Place certificate into trust anchors dir # Place certificate into trust anchors dir
anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem" anchorlabel=$(echo ${p11label} | sed -e 's@ @_@g' -e 's@(@@g' -e 's@)@@')
anchorfile="${DESTDIR}${ANCHORDIR}/${anchorlabel}.p11-kit"
moz_trust="false" moz_trust="false"
mozsadistrust="UNKNOWN" mozsadistrust="UNKNOWN"
mozsmdistrust="UNKNOWN" mozsmdistrust="UNKNOWN"
@ -841,9 +843,9 @@ if test -d "${LOCALDIR}"; then
fi fi
unset keyhash subject count unset keyhash subject count
unset mozsadistrust mozsmdistrust unset mozsadistrust mozsmdistrust anchorlabel anchorfile moz_trust
unset trustlist rejectlist satrust smtrust cstrust catrust unset trustlist rejectlist satrust smtrust cstrust catrust
unset p11trust p11oid p11value trustp11 p11label anchorfile moz_trust unset p11trust p11oid p11value trustp11 p11label
echo -e "\n" echo -e "\n"
done done
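Review bot: Both new `anchorlabel=` assignments build the anchor file name from `p11label` but rewrite only spaces and parentheses, and `echo ${p11label}` is unquoted, so a label containing `/`, a glob character or a leading `-n` produces a name or path other than the one intended. The two sed calls also disagree: the one in the local-certificate loop ends in `-e 's@)@@'` without `g` and strips only the first `)`. I would use one form in both places, `anchorlabel=$(printf '%s' "${p11label}" | sed -e 's@[ /]@_@g' -e 's@[()]@@g')`. Unlike `${keyhash}`, a label is not guaranteed to be unique, so two certificates with the same label now map to the same `.p11-kit` file; `write_anchor` and the rest of both loop bodies lie outside the hunks, so whether the second write silently replaces the first should be confirmed, and keeping the hash in the name (`${anchorlabel}_${keyhash}.p11-kit`) would avoid the collision.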