Add -g/--get option to download using only s_client
This commit is contained in:
parent
c02dd19221
commit
e252b2413f
@ -1,5 +1,6 @@
|
||||
0.2 - Install source certdata.txt file
|
||||
- Provide rebuild option
|
||||
- Provide -r/--rebuild option
|
||||
- Add -g/--get option to download using only s_client
|
||||
0.1 - Check executable bit for CERTUTIL, KEYTOOL, and OPENSSL
|
||||
- Allow global configuration file
|
||||
- Use correct license text (MIT)
|
||||
|
64
make-ca
64
make-ca
@ -27,8 +27,19 @@ else
|
||||
NSSDB="${PKIDIR}/nssdb"
|
||||
LOCALDIR="${SSLDIR}/local"
|
||||
DESTDIR=""
|
||||
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
|
||||
fi
|
||||
|
||||
# Source must be downloaded over https
|
||||
# Valid urls for download are below
|
||||
# Defualt to NSS release brach
|
||||
|
||||
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
# https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
|
||||
# https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
# https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
# https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
|
||||
|
||||
# Some data in the certs have UTF-8 characters
|
||||
# It doesn't really matter which locale, change if you like
|
||||
@ -40,22 +51,23 @@ WITH_NSS=1
|
||||
WITH_JAVA=1
|
||||
CERTDATAY=0
|
||||
FORCE=0
|
||||
GET=0
|
||||
REBUILD=0
|
||||
|
||||
function get_args(){
|
||||
while test -n "${1}" ; do
|
||||
case "${1}" in
|
||||
-C | --certdata)
|
||||
if test "${REBUILD}" == "0"; then
|
||||
if test "${REBUILD}" == "0" -a "${GET}" == "0"; then
|
||||
check_arg $1 $2
|
||||
CERTDATA="${2}"
|
||||
CERTDATAY="1"
|
||||
shift 2
|
||||
else
|
||||
echo "Error: ${1} cannot be used with the -r/--rebuild switch."
|
||||
echo "Error: ${1} cannot be used with the -r/--rebuild or -g/--get switches."
|
||||
exit 3
|
||||
fi
|
||||
if test ! -f "${CERTDATA}"; then
|
||||
if test ! -f "${CERTDATA}" -a "${GET}" == "0"; then
|
||||
echo "Error: ${CERTDATA} not found!"
|
||||
exit 3
|
||||
fi
|
||||
@ -130,6 +142,16 @@ function get_args(){
|
||||
fi
|
||||
shift 2
|
||||
;;
|
||||
-g | --get)
|
||||
if test "${REBUILD}" == "0" -a "${CERTDATAY}" == "0"; then
|
||||
GET=1
|
||||
CERTDATA="${TEMPDIR}/certdatanew.txt"
|
||||
shift 1
|
||||
else
|
||||
echo "Error: ${1} cannot be used with the -r/--rebuild or -C/--certdata switches."
|
||||
exit 3
|
||||
fi
|
||||
;;
|
||||
-j | --javacerts)
|
||||
check_arg $1 $2
|
||||
KEYSTORE="${2}"
|
||||
@ -162,11 +184,11 @@ function get_args(){
|
||||
shift 2
|
||||
;;
|
||||
-r | --rebuild)
|
||||
if test "${CERTDATAY}" == "0"; then
|
||||
if test "${CERTDATAY}" == "0" -a "${GET}" == "0"; then
|
||||
REBUILD="1"
|
||||
shift 1
|
||||
else
|
||||
echo "Error: ${1} cannot be used with the -C/--certdata switch."
|
||||
echo "Error: ${1} cannot be used with the -C/--certdata or -g/--get switches."
|
||||
exit 3
|
||||
fi
|
||||
CERTDATA="${SSLDIR}/certdata.txt"
|
||||
@ -245,6 +267,9 @@ function showhelp(){
|
||||
echo " CA certificates"
|
||||
echo " Deault: \$SSLDIR/certs/"
|
||||
echo ""
|
||||
echo " -g --get Download certdata.txt directly from Mozilla's"
|
||||
echo " Mecurial server."
|
||||
echo ""
|
||||
echo " -j --javacerts The output path for the Java cacerts file"
|
||||
echo " Default: \$SSLDIR/java/cacerts"
|
||||
echo ""
|
||||
@ -374,6 +399,22 @@ test -x "${KEYTOOL}" || WITH_JAVA=0
|
||||
test ! -x "${OPENSSL}" && echo "OpenSSL not found at ${OPENSSL}. Exiting..." &&
|
||||
exit 1
|
||||
|
||||
mkdir -p "${TEMPDIR}"/{certs,ssl/{certs,java},pki/{nssdb,anchors},work}
|
||||
|
||||
# Download certdata.txt if selected
|
||||
if test "${GET}" == "1"; then
|
||||
HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
|
||||
echo GET ${URL} | \
|
||||
${OPENSSL} s_client -ign_eof -connect ${HOST}:443 2>/dev/null > "${CERTDATA}"
|
||||
fi
|
||||
|
||||
if test ! -r "${CERTDATA}"; then
|
||||
echo "${CERTDATA} was not found. The certdata.txt file must be in the local"
|
||||
echo "directory, speficied with the -C/--certdata switch, or downloaded with"
|
||||
echo "the -g/--get switch."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
VERSION=$(grep CVS_ID "${CERTDATA}" | cut -d " " -f 8)
|
||||
|
||||
if test "${VERSION}x" == "x"; then
|
||||
@ -396,7 +437,6 @@ if test "${OLDVERSION}x" == "${VERSION}x"; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
mkdir -p "${TEMPDIR}"/{certs,ssl/{certs,java},pki/{nssdb,anchors},work}
|
||||
cp "${CERTDATA}" "${WORKDIR}/certdata.txt"
|
||||
pushd "${WORKDIR}" > /dev/null
|
||||
|
||||
@ -547,7 +587,7 @@ unset tempfile
|
||||
# Sanity check
|
||||
count=$(ls "${TEMPDIR}"/ssl/certs/*.pem | wc -l)
|
||||
# Historically there have been between 152 and 190 certs
|
||||
# A minimum of 140 should be safe for a rudimentry sanity check
|
||||
# A minimum of 150 should be safe for a rudimentry sanity check
|
||||
if test "${count}" -lt "150" ; then
|
||||
echo "Error! Only ${count} certificates were generated!"
|
||||
echo "Exiting without update!"
|
||||
@ -557,11 +597,6 @@ if test "${count}" -lt "150" ; then
|
||||
fi
|
||||
unset count
|
||||
|
||||
# Install certdata.txt
|
||||
if test "${REBUILD}" == "0"; then
|
||||
install -vm644 "${CERTDATA}" "${DESTDIR}${SSLDIR}"
|
||||
fi
|
||||
|
||||
# Generate the bundle
|
||||
bundlefile=`basename "${CABUNDLE}"`
|
||||
bundledir=`echo "${CABUNDLE}" | sed "s@/${bundlefile}@@"`
|
||||
@ -748,6 +783,11 @@ fi
|
||||
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
|
||||
popd > /dev/null
|
||||
|
||||
# Install certdata.txt
|
||||
if test "${REBUILD}" == "0"; then
|
||||
install -m644 "${CERTDATA}" "${DESTDIR}${SSLDIR}/certdata.txt"
|
||||
fi
|
||||
|
||||
# Clean up the mess
|
||||
rm -rf "${TEMPDIR}"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user