Generate single file stores using completed OpenSSL store.

CHANGELOG

@@ -1,4 +1,5 @@
-0.3
+0.3      - Generate single file stores (Java and GNUTLS) using main OpenSSL
+           store as source to avoid duplicates
 0.2      - Install source certdata.txt file
          - Provide -r/--rebuild option
          - Add -g/--get option to download using only s_client

make-ca

@@ -562,22 +562,22 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
   echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
   
   
-  # Import certificates trusted for SSL/TLS into the Java keystore and 
-  # GnuTLS certificate bundle
-  if test "${satrust}x" == "Cx"; then
-    # Java keystore
-    if test "${WITH_JAVA}" == "1"; then
-      "${KEYTOOL}" -import -noprompt -alias "${certname}"   \
-                   -keystore "${TEMPDIR}/ssl/java/cacerts"  \
-                   -storepass 'changeit' -file tempfile.crt \
-      2>&1> /dev/null | \
-      sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
-    fi
-
-    # GnuTLS certificate bundle
-    cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
-    echo "Added to GnuTLS ceritificate bundle."
-  fi
+#  # Import certificates trusted for SSL/TLS into the Java keystore and 
+#  # GnuTLS certificate bundle
+#  if test "${satrust}x" == "Cx"; then
+#    # Java keystore
+#    if test "${WITH_JAVA}" == "1"; then
+#      "${KEYTOOL}" -import -noprompt -alias "${certname}"   \
+#                   -keystore "${TEMPDIR}/ssl/java/cacerts"  \
+#                   -storepass 'changeit' -file tempfile.crt \
+#      2>&1> /dev/null | \
+#      sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+#    fi
+#
+#    # GnuTLS certificate bundle
+#    cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
+#    echo "Added to GnuTLS ceritificate bundle."
+#  fi
 
   # Import certificate into the temporary certificate directory with
   # trust arguments
@@ -616,29 +616,6 @@ if test "${count}" -lt "150" ; then
 fi
 unset count
 
-# Generate the bundle
-bundlefile=`basename "${CABUNDLE}"`
-bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
-install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
-test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
-                                      "${DESTDIR}${CABUNDLE}.old"
-echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
-cat "${TEMPDIR}/ssl/ca-bundle.crt.tmp" >> "${DESTDIR}${CABUNDLE}" &&
-rm -f "${DESTDIR}${CABUNDLE}.old"
-unset bundlefile bundledir
-
-# Install Java Cacerts
-if test "${WITH_JAVA}" == "1"; then
-  javafile=`basename "${KEYSTORE}"`
-  javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
-  install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
-  test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
-                                        "${DESTDIR}${KEYSTORE}.old"
-  install -m644 "${TEMPDIR}/ssl/java/cacerts" "${DESTDIR}${KEYSTORE}" &&
-  rm -f "${DESTDIR}${KEYSTORE}.old"
-  unset javafile javadir
-fi
-
 # Install NSS Shared DB
 if test "${WITH_NSS}" == "1"; then
   sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@"              \
@@ -670,6 +647,7 @@ rm -rf "${DESTDIR}${CERTDIR}.old"
 # Import any certs in $LOCALDIR
 # Don't do any checking, just trust the admin
 if test -d "${LOCALDIR}"; then
+  echo "Processing local certificates..."
   for cert in `find "${LOCALDIR}" -name "*.pem"`; do
     # Get some information about the certificate
     keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
@@ -759,22 +737,6 @@ if test -d "${LOCALDIR}"; then
     echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
     echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
 
-    # Install in Java keystore
-    if test "${WITH_JAVA}" == "1" -a "${satrust}x" == "Cx"; then
-      "${KEYTOOL}" -import -noprompt -alias "${certname}"                  \
-                   -keystore "${DESTDIR}${KEYSTORE}"                       \
-                   -storepass 'changeit' -file "${cert}" 2>&1> /dev/null | \
-      sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
-    fi
-
-    # Append to the bundle - source should have trust info, process with
-    # openssl x509 to strip
-    if test "${satrust}x" == "Cx"; then
-      "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
-           >> "${DESTDIR}${CABUNDLE}"
-      echo "Added to GnuTLS certificate bundle."
-    fi
-
     # Install into OpenSSL certificate store
     "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
                       -setalias "${certname}"          \
@@ -799,6 +761,87 @@ if test -d "${LOCALDIR}"; then
   unset cert
 fi
 
+# Install Java Cacerts
+if test "${WITH_JAVA}" == "1"; then
+  javafile=`basename "${KEYSTORE}"`
+  javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
+  install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
+  test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
+                                        "${DESTDIR}${KEYSTORE}.old"
+fi
+
+# Build java and ca-bundle.crt
+# Generate the bundle
+bundlefile=`basename "${CABUNDLE}"`
+bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
+install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
+test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
+                                      "${DESTDIR}${CABUNDLE}.old"
+echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
+
+echo "Processing certs for Java and GNUTLS stores..."
+# Generate the bundle
+
+for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
+  # Get some information about the certificate
+  keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
+  certname=$(grep "Alias" "${cert}")
+
+  # Get trust information
+  trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+                     grep -A1 "Trusted Uses")
+  satrust=""
+  smtrust=""
+  cstrust=""
+  catrust=""
+  satrust=$(echo "${trustlist}" | \
+            grep "TLS Web Server" 2>&1> /dev/null && echo "C")
+  smtrust=$(echo "${trustlist}" | \
+            grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
+  cstrust=$(echo "${trustlist}" | \
+            grep "Code Signing" 2>&1 >/dev/null && echo "C")
+  catrust=$(echo "${trustlist}" | \
+            grep "Client Auth" 2>&1 >/dev/null && echo "C")
+  # Get reject information
+  rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+                   grep -A1 "Rejected Uses")
+  if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
+            grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi
+  if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
+            grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi
+  if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
+            grep "Code Signing" 2>&1> /dev/null && echo "p"); fi
+  if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
+            grep "Client Auth" 2>&1> /dev/null && echo "p"); fi
+
+  if test "${satrust}x" == "Cx"; then
+    echo ""
+    echo "${certname}" | sed 's@Alias:@Certificate: @'
+    echo "Keyhash:      ${keyhash}"
+
+    # Append to the bundle
+    "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+         > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+    cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
+    echo "Added to GnuTLS certificate bundle."
+
+    # Install Java keystore
+    if test "${WITH_JAVA}" == "1"; then
+#      echo "Debug, we have java..."
+#      echo "KEYTOOL is ${KEYTOOL}"
+#      echo "certname is ${certname}"
+#      echo "DESTDIR/KEYSTORE is ${DESTDIR}${KEYSTORE}"
+#      echo "file is ${TEMPDIR}/ssl/certs/${keyhash}.pem"
+      "${KEYTOOL}" -import -noprompt -alias "${certname}"      \
+                   -keystore "${DESTDIR}${KEYSTORE}"           \
+                   -storepass 'changeit'                       \
+                   -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
+                   2>&1> /dev/null | \
+      sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+    fi
+  fi
+done
+
 /usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
 popd > /dev/null