Generate single file stores using completed OpenSSL store.
This commit is contained in:
parent
d88795240e
commit
cecc4af094
@ -1,4 +1,5 @@
|
|||||||
0.3
|
0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
|
||||||
|
store as source to avoid duplicates
|
||||||
0.2 - Install source certdata.txt file
|
0.2 - Install source certdata.txt file
|
||||||
- Provide -r/--rebuild option
|
- Provide -r/--rebuild option
|
||||||
- Add -g/--get option to download using only s_client
|
- Add -g/--get option to download using only s_client
|
||||||
|
153
make-ca
153
make-ca
@ -562,22 +562,22 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
|||||||
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
||||||
|
|
||||||
|
|
||||||
# Import certificates trusted for SSL/TLS into the Java keystore and
|
# # Import certificates trusted for SSL/TLS into the Java keystore and
|
||||||
# GnuTLS certificate bundle
|
# # GnuTLS certificate bundle
|
||||||
if test "${satrust}x" == "Cx"; then
|
# if test "${satrust}x" == "Cx"; then
|
||||||
# Java keystore
|
# # Java keystore
|
||||||
if test "${WITH_JAVA}" == "1"; then
|
# if test "${WITH_JAVA}" == "1"; then
|
||||||
"${KEYTOOL}" -import -noprompt -alias "${certname}" \
|
# "${KEYTOOL}" -import -noprompt -alias "${certname}" \
|
||||||
-keystore "${TEMPDIR}/ssl/java/cacerts" \
|
# -keystore "${TEMPDIR}/ssl/java/cacerts" \
|
||||||
-storepass 'changeit' -file tempfile.crt \
|
# -storepass 'changeit' -file tempfile.crt \
|
||||||
2>&1> /dev/null | \
|
# 2>&1> /dev/null | \
|
||||||
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
# sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
||||||
fi
|
# fi
|
||||||
|
#
|
||||||
# GnuTLS certificate bundle
|
# # GnuTLS certificate bundle
|
||||||
cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
|
# cat tempfile.crt >> "${TEMPDIR}/ssl/ca-bundle.crt.tmp"
|
||||||
echo "Added to GnuTLS ceritificate bundle."
|
# echo "Added to GnuTLS ceritificate bundle."
|
||||||
fi
|
# fi
|
||||||
|
|
||||||
# Import certificate into the temporary certificate directory with
|
# Import certificate into the temporary certificate directory with
|
||||||
# trust arguments
|
# trust arguments
|
||||||
@ -616,29 +616,6 @@ if test "${count}" -lt "150" ; then
|
|||||||
fi
|
fi
|
||||||
unset count
|
unset count
|
||||||
|
|
||||||
# Generate the bundle
|
|
||||||
bundlefile=`basename "${CABUNDLE}"`
|
|
||||||
bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
|
|
||||||
install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
|
|
||||||
test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
|
|
||||||
"${DESTDIR}${CABUNDLE}.old"
|
|
||||||
echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
|
|
||||||
cat "${TEMPDIR}/ssl/ca-bundle.crt.tmp" >> "${DESTDIR}${CABUNDLE}" &&
|
|
||||||
rm -f "${DESTDIR}${CABUNDLE}.old"
|
|
||||||
unset bundlefile bundledir
|
|
||||||
|
|
||||||
# Install Java Cacerts
|
|
||||||
if test "${WITH_JAVA}" == "1"; then
|
|
||||||
javafile=`basename "${KEYSTORE}"`
|
|
||||||
javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
|
|
||||||
install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
|
|
||||||
test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
|
|
||||||
"${DESTDIR}${KEYSTORE}.old"
|
|
||||||
install -m644 "${TEMPDIR}/ssl/java/cacerts" "${DESTDIR}${KEYSTORE}" &&
|
|
||||||
rm -f "${DESTDIR}${KEYSTORE}.old"
|
|
||||||
unset javafile javadir
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Install NSS Shared DB
|
# Install NSS Shared DB
|
||||||
if test "${WITH_NSS}" == "1"; then
|
if test "${WITH_NSS}" == "1"; then
|
||||||
sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
|
sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
|
||||||
@ -670,6 +647,7 @@ rm -rf "${DESTDIR}${CERTDIR}.old"
|
|||||||
# Import any certs in $LOCALDIR
|
# Import any certs in $LOCALDIR
|
||||||
# Don't do any checking, just trust the admin
|
# Don't do any checking, just trust the admin
|
||||||
if test -d "${LOCALDIR}"; then
|
if test -d "${LOCALDIR}"; then
|
||||||
|
echo "Processing local certificates..."
|
||||||
for cert in `find "${LOCALDIR}" -name "*.pem"`; do
|
for cert in `find "${LOCALDIR}" -name "*.pem"`; do
|
||||||
# Get some information about the certificate
|
# Get some information about the certificate
|
||||||
keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
|
keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
|
||||||
@ -759,22 +737,6 @@ if test -d "${LOCALDIR}"; then
|
|||||||
echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
|
echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
|
||||||
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
|
||||||
|
|
||||||
# Install in Java keystore
|
|
||||||
if test "${WITH_JAVA}" == "1" -a "${satrust}x" == "Cx"; then
|
|
||||||
"${KEYTOOL}" -import -noprompt -alias "${certname}" \
|
|
||||||
-keystore "${DESTDIR}${KEYSTORE}" \
|
|
||||||
-storepass 'changeit' -file "${cert}" 2>&1> /dev/null | \
|
|
||||||
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Append to the bundle - source should have trust info, process with
|
|
||||||
# openssl x509 to strip
|
|
||||||
if test "${satrust}x" == "Cx"; then
|
|
||||||
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
|
||||||
>> "${DESTDIR}${CABUNDLE}"
|
|
||||||
echo "Added to GnuTLS certificate bundle."
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Install into OpenSSL certificate store
|
# Install into OpenSSL certificate store
|
||||||
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
||||||
-setalias "${certname}" \
|
-setalias "${certname}" \
|
||||||
@ -799,6 +761,87 @@ if test -d "${LOCALDIR}"; then
|
|||||||
unset cert
|
unset cert
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Install Java Cacerts
|
||||||
|
if test "${WITH_JAVA}" == "1"; then
|
||||||
|
javafile=`basename "${KEYSTORE}"`
|
||||||
|
javadir=`echo "${KEYSTORE}" | sed "s@/${javafile}@@"`
|
||||||
|
install -vdm755 "${DESTDIR}${javadir}" 2>&1>/dev/null
|
||||||
|
test -f "${DESTDIR}${KEYSTORE}" && mv "${DESTDIR}${KEYSTORE}" \
|
||||||
|
"${DESTDIR}${KEYSTORE}.old"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Build java and ca-bundle.crt
|
||||||
|
# Generate the bundle
|
||||||
|
bundlefile=`basename "${CABUNDLE}"`
|
||||||
|
bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
|
||||||
|
install -vdm755 "${DESTDIR}${bundledir}" 2>&1>/dev/null
|
||||||
|
test -f "${DESTDIR}${CABUNDLE}" && mv "${DESTDIR}${CABUNDLE}" \
|
||||||
|
"${DESTDIR}${CABUNDLE}.old"
|
||||||
|
echo "# Revision:${REVISION}" > "${DESTDIR}${CABUNDLE}"
|
||||||
|
|
||||||
|
echo "Processing certs for Java and GNUTLS stores..."
|
||||||
|
# Generate the bundle
|
||||||
|
|
||||||
|
for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
|
||||||
|
# Get some information about the certificate
|
||||||
|
keyhash=$("${OPENSSL}" x509 -noout -in "${cert}" -hash)
|
||||||
|
certname=$(grep "Alias" "${cert}")
|
||||||
|
|
||||||
|
# Get trust information
|
||||||
|
trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
|
||||||
|
grep -A1 "Trusted Uses")
|
||||||
|
satrust=""
|
||||||
|
smtrust=""
|
||||||
|
cstrust=""
|
||||||
|
catrust=""
|
||||||
|
satrust=$(echo "${trustlist}" | \
|
||||||
|
grep "TLS Web Server" 2>&1> /dev/null && echo "C")
|
||||||
|
smtrust=$(echo "${trustlist}" | \
|
||||||
|
grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
|
||||||
|
cstrust=$(echo "${trustlist}" | \
|
||||||
|
grep "Code Signing" 2>&1 >/dev/null && echo "C")
|
||||||
|
catrust=$(echo "${trustlist}" | \
|
||||||
|
grep "Client Auth" 2>&1 >/dev/null && echo "C")
|
||||||
|
# Get reject information
|
||||||
|
rejectlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
|
||||||
|
grep -A1 "Rejected Uses")
|
||||||
|
if test "${satrust}" == ""; then satrust=$(echo "${rejectlist}" | \
|
||||||
|
grep "TLS Web Server" 2>&1> /dev/null && echo "p"); fi
|
||||||
|
if test "${smtrust}" == ""; then smtrust=$(echo "${rejectlist}" | \
|
||||||
|
grep "E-mail Protection" 2>&1> /dev/null && echo "p"); fi
|
||||||
|
if test "${cstrust}" == ""; then cstrust=$(echo "${rejectlist}" | \
|
||||||
|
grep "Code Signing" 2>&1> /dev/null && echo "p"); fi
|
||||||
|
if test "${catrust}" == ""; then catrust=$(echo "${rejectlist}" | \
|
||||||
|
grep "Client Auth" 2>&1> /dev/null && echo "p"); fi
|
||||||
|
|
||||||
|
if test "${satrust}x" == "Cx"; then
|
||||||
|
echo ""
|
||||||
|
echo "${certname}" | sed 's@Alias:@Certificate: @'
|
||||||
|
echo "Keyhash: ${keyhash}"
|
||||||
|
|
||||||
|
# Append to the bundle
|
||||||
|
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
|
||||||
|
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
||||||
|
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
|
||||||
|
echo "Added to GnuTLS certificate bundle."
|
||||||
|
|
||||||
|
# Install Java keystore
|
||||||
|
if test "${WITH_JAVA}" == "1"; then
|
||||||
|
# echo "Debug, we have java..."
|
||||||
|
# echo "KEYTOOL is ${KEYTOOL}"
|
||||||
|
# echo "certname is ${certname}"
|
||||||
|
# echo "DESTDIR/KEYSTORE is ${DESTDIR}${KEYSTORE}"
|
||||||
|
# echo "file is ${TEMPDIR}/ssl/certs/${keyhash}.pem"
|
||||||
|
"${KEYTOOL}" -import -noprompt -alias "${certname}" \
|
||||||
|
-keystore "${DESTDIR}${KEYSTORE}" \
|
||||||
|
-storepass 'changeit' \
|
||||||
|
-file "${TEMPDIR}/ssl/certs/${keyhash}.pem" \
|
||||||
|
2>&1> /dev/null | \
|
||||||
|
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
|
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
|
||||||
popd > /dev/null
|
popd > /dev/null
|
||||||
|
|
||||||
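Review bot: In the new loop of the last hunk (`for cert in \`find "${DESTDIR}${CERTDIR}" -name "*.pem"\``), `certname=$(grep "Alias" "${cert}")` keeps the whole matching line, and the display line `echo "${certname}" | sed 's@Alias:@Certificate: @'` shows it still carries the `Alias:` prefix, so `"${KEYTOOL}" -import -noprompt -alias "${certname}"` appears to register each entry under an alias of the form `Alias: <name>` rather than the bare name; stripping the prefix once, e.g. `certname=$(grep "Alias" "${cert}" | sed 's@^.*Alias: *@@')`, would fix both the keystore alias and the display line. The same hunk computes `smtrust`, `cstrust`, `catrust` and their `rejectlist` fallbacks for every certificate but only `satrust` is ever tested, so several `openssl x509 -trustout | grep` pipelines per file are dead work unless a later part of the script reads them; if not, drop them or test `satrust` before doing anything else. The `mv` lines now create `${DESTDIR}${KEYSTORE}.old` and `${DESTDIR}${CABUNDLE}.old`, but unlike the block removed in the third hunk nothing in this hunk deletes them after a successful rebuild, so stale backups accumulate unless cleanup happens later in the file. Both this loop and the pre-existing `LOCALDIR` one iterate over unquoted backtick `find` output; `while IFS= read -r -d '' cert; do …; done < <(find … -name "*.pem" -print0)` would survive paths containing whitespace.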
|