From cecc4af094ba7eb3f117700c504d5d6cc84586ab Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Sun, 24 Sep 2017 20:51:49 -0500
Subject: [PATCH] Generate single file stores using completed OpenSSL store.
---
CHANGELOG | 3 +-
make-ca | 153 ++++++++++++++++++++++++++++++++++-------------------
2 files changed, 100 insertions(+), 56 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 4134482..13e6b61 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,5 @@
-0.3
+0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
+ store as source to avoid duplicates
 0.2 - Install source certdata.txt file
 - Provide -r/--rebuild option
 - Add -g/--get option to download using only s_client
diff --git a/make-ca b/make-ca
index 33502e5..3bde26d 100644
--- a/make-ca
+++ b/make-ca
@@ -562,22 +562,22 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
 echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
- # Import certificates trusted for SSL/TLS into the Java keystore and
- # GnuTLS certificate bundle
- if test "${satrust}x" == "Cx"; then
- # Java keystore
- if test "${WITH_JAVA}" == "1"; then
- "${KEYTOOL}" -import -noprompt -alias "${certname}" \
- -keystore "${TEMPDIR}/ssl/java/cacerts" \
- -storepass 'changeit' -file tempfile.crt \
- 2>&1> /dev/null | \
- sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
- fi
-
- # GnuTLS certificate bundle
- cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
- echo "Added to GnuTLS ceritificate bundle."
- fi
+# # Import certificates trusted for SSL/TLS into the Java keystore and
+# # GnuTLS certificate bundle
+# if test "${satrust}x" == "Cx"; then
+# # Java keystore
+# if test "${WITH_JAVA}" == "1"; then
+# "${KEYTOOL}" -import -noprompt -alias "${certname}" \
+# -keystore "${TEMPDIR}/ssl/java/cacerts" \
+# -storepass 'changeit' -file tempfile.crt \
+# 2>&1> /dev/null | \
+# sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+# fi
+#
+# # GnuTLS certificate bundle
+# cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
+# echo "Added to GnuTLS ceritificate bundle."
+# fi
 # Import certificate into the temporary certificate directory with
 # trust arguments
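Review bot: The per-certificate Java keystore import and GnuTLS bundle append are commented out with a `#` prefix rather than deleted, leaving sixteen dead lines inside the `for tempfile` loop body (the commented copy even keeps the "ceritificate" typo and the `tempfile.crt` reference). The other hunks in this commit delete the equivalent code outright (the bundle/keystore installation at -616 and the local-cert import at -759), so this hunk should do the same and let git history keep the old version. If it has to stay disabled in place for now, a single line such as `# Java keystore and GnuTLS bundle are now built from the installed OpenSSL store after this loop` explains why, instead of the silent block of commented code. The enclosing `for tempfile` loop starts and ends outside the hunk.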
@@ -616,29 +616,6 @@ if test "${count}" -lt "150" ; then
 fi
 unset count
-# Generate the bundle
-bundlefile=`basename "${CABUNDLE}"`
-bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
-install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
-test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
- "${DESTDIR}${CABUNDLE}.old"
-echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
-cat "${TEMPDIR}/ssl/ca-bundle.crt.tmp" >> "${DESTDIR}${CABUNDLE}" &&
-rm -f "${DESTDIR}${CABUNDLE}.old"
-unset bundlefile bundledir
-
-# Install Java Cacerts
-if test "${WITH_JAVA}" == "1"; then
- javafile=`basename "${KEYSTORE}"`
- javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
- install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
- test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
- "${DESTDIR}${KEYSTORE}.old"
- install -m644 "${TEMPDIR}/ssl/java/cacerts" "${DESTDIR}${KEYSTORE}" &&
- rm -f "${DESTDIR}${KEYSTORE}.old"
- unset javafile javadir
-fi
-
 # Install NSS Shared DB
 if test "${WITH_NSS}" == "1"; then
 sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
@@ -670,6 +647,7 @@ rm -rf "${DESTDIR}${CERTDIR}.old"
 # Import any certs in $LOCALDIR
 # Don't do any checking, just trust the admin
 if test -d "${LOCALDIR}"; then
+ echo "Processing local certificates..."
 for cert in `find "${LOCALDIR}" -name "*.pem"`; do
 # Get some information about the certificate
 keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
@@ -759,22 +737,6 @@ if test -d "${LOCALDIR}"; then
 echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
 echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
- # Install in Java keystore
- if test "${WITH_JAVA}" == "1" -a "${satrust}x" == "Cx"; then
- "${KEYTOOL}" -import -noprompt -alias "${certname}" \
- -keystore "${DESTDIR}${KEYSTORE}" \
- -storepass 'changeit' -file "${cert}" 2>&1> /dev/null | \
- sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
- fi
-
- # Append to the bundle - source should have trust info, process with
- # openssl x509 to strip
- if test "${satrust}x" == "Cx"; then
- "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
- >> "${DESTDIR}${CABUNDLE}"
- echo "Added to GnuTLS certificate bundle."
- fi
-
 # Install into OpenSSL certificate store
 "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
 -setalias "${certname}" \
@@ -799,6 +761,87 @@ if test -d "${LOCALDIR}"; then
 unset cert
 fi
+# Install Java Cacerts
+if test "${WITH_JAVA}" == "1"; then
+ javafile=`basename "${KEYSTORE}"`
+ javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
+ install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
+ test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
+ "${DESTDIR}${KEYSTORE}.old"
+fi
+
+# Build java and ca-bundle.crt
+# Generate the bundle
+bundlefile=`basename "${CABUNDLE}"`
+bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
+install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
+test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
+ "${DESTDIR}${CABUNDLE}.old"
+echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
+
+echo "Processing certs for Java and GNUTLS stores..."
+# Generate the bundle
+
+for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
+ # Get some information about the certificate
+ keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
+ certname=$(grep "Alias" "${cert}")
+
+ # Get trust information
+ trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+ grep -A1 "Trusted Uses")
+ satrust=""
+ smtrust=""
+ cstrust=""
+ catrust=""
+ satrust=$(echo "${trustlist}" | \
+ grep "TLS Web Server" 2>&1> /dev/null && echo "C")
+ smtrust=$(echo "${trustlist}" | \
+ grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
+ cstrust=$(echo "${trustlist}" | \
+ grep "Code Signing" 2>&1 >/dev/null && echo "C")
+ catrust=$(echo "${trustlist}" | \
+ grep "Client Auth" 2>&1 >/dev/null && echo "C")
+ # Get reject information
+ rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
+ grep -A1 "Rejected Uses")
+ if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
+ grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi
+ if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
+ grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi
+ if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
+ grep "Code Signing" 2>&1> /dev/null && echo "p"); fi
+ if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
+ grep "Client Auth" 2>&1> /dev/null && echo "p"); fi
+
+ if test "${satrust}x" == "Cx"; then
+ echo ""
+ echo "${certname}" | sed 's@Alias:@Certificate: @'
+ echo "Keyhash: ${keyhash}"
+
+ # Append to the bundle
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+ cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
+ echo "Added to GnuTLS certificate bundle."
+
+ # Install Java keystore
+ if test "${WITH_JAVA}" == "1"; then
+# echo "Debug, we have java..."
+# echo "KEYTOOL is ${KEYTOOL}"
+# echo "certname is ${certname}"
+# echo "DESTDIR/KEYSTORE is ${DESTDIR}${KEYSTORE}"
+# echo "file is ${TEMPDIR}/ssl/certs/${keyhash}.pem"
+ "${KEYTOOL}" -import -noprompt -alias "${certname}" \
+ -keystore "${DESTDIR}${KEYSTORE}" \
+ -storepass 'changeit' \
+ -file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
+ 2>&1> /dev/null | \
+ sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
+ fi
+ fi
+done
+
 /usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
 popd > /dev/null