From e4b5db9b342a7cbf3dcabd0df424f9a7102ec705 Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Wed, 4 Aug 2021 22:17:50 -0500
Subject: [PATCH] make-ca,copy-trust-modifications: omit x-certificate-extension.p11kit and assume serverAuth
---
 copy-trust-modifications | 11 +++++++----
 make-ca | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/copy-trust-modifications b/copy-trust-modifications
index 46b465c..976b6b0 100644
--- a/copy-trust-modifications
+++ b/copy-trust-modifications
@@ -19,12 +19,12 @@ TEMPDIR=`mktemp -d`
 "${TEMPDIR}"
 # Create a list of anchors that were not present or have been modified
-"${MD5SUM}" "${ANCHORDIR}"/*.pem \
+"${MD5SUM}" "${ANCHORDIR}"/* \
 2> /dev/null > "${TEMPDIR}/anchors.md5sums"
 diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \
 2> /dev/null > "${TEMPDIR}/diff"
-grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 \
- 2> /dev/null > "${TEMPDIR}/certlist"
+grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 | \
+ sed '/x-certificate-extension/d' 2> /dev/null > "${TEMPDIR}/certlist"
 echo -e "\nThe following certificates have local modifications:\n"
@@ -32,7 +32,10 @@ echo -e "\nThe following certificates have local modifications:\n"
 for certificate in `cat "${TEMPDIR}/certlist"` ; do
 LABEL=`grep -m 1 "label:" "${certificate}"`
 LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
- cp -f "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}"
+ # if added this way, then just assume serverAuth only
+ # Auth can be changed in /etc/ssl/local or anchors
+ openssl x509 -in "${certificate}" -text -fingerprint \
+ -addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem"
 echo -e "${LABELNEW}"
 unset LABEL LABELNEW
 done
diff --git a/make-ca b/make-ca
index f09f5bb..a76c312 100644
--- a/make-ca
+++ b/make-ca
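Review bot: In the first copy-trust-modifications hunk, widening the glob to `"${ANCHORDIR}"/*` puts every file in the anchor directory into the checksum list, while the only filter added downstream is `sed '/x-certificate-extension/d'`. Any other non-certificate file there (a backup or editor temp file, say) therefore reaches certlist and the openssl loop in the next hunk. The sed expression is unanchored, so it also drops any path that merely contains that string, and `2> /dev/null` now covers only `sed`, not `cut`. The make-ca hunk uses the same `/*` glob to build ANCHORLIST, without the stderr redirect, so the same consideration applies there. I would add a comment above the md5sum call such as `# hash every anchor file, not just *.pem; x-certificate-extension entries are filtered out of certlist below`.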
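Review bot: In the second copy-trust-modifications hunk (the `for certificate` loop, fully visible here), the new `openssl x509 ... -out "${LOCALDIR}/${LABELNEW}.pem"` call builds its output path directly from the `label:` text and its exit status is never checked. The removed `cp` only used the label to find a source file and wrote into the directory, so this exposure is new. A file without a `label:` line yields an empty LABELNEW and is written to `${LOCALDIR}/.pem`, a label containing `/` changes where the file lands, and input that openssl cannot parse is still echoed as if it had been copied. I would strip path components from the label, skip empty labels, and report openssl failures on stderr, as sketched below. Because every entry is rewritten with `-addtrust serverAuth`, it may also be worth confirming that anchors stored with a narrower purpose or as distrusted cannot reach certlist; that is not visible in this hunk.

```shell
    # … unchanged: LABEL / LABELNEW derivation from the label: line …
    LABELNEW="${LABELNEW##*/}"    # keep the output file inside ${LOCALDIR}
    if [ -z "${LABELNEW}" ] ; then
        echo "Skipping ${certificate}: no usable label" >&2
        continue
    fi
    if ! openssl x509 -in "${certificate}" -text -fingerprint \
            -addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem" ; then
        echo "Skipping ${certificate}: openssl could not read it as a certificate" >&2
        continue
    fi
    echo -e "${LABELNEW}"
    # … unchanged: unset LABEL LABELNEW, done …
```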
@@ -817,7 +817,7 @@ fi
 popd > /dev/null 2>&1
 rm -rf "${TEMPDIR}"
 # Build ANCHORLIST
-"${MD5SUM}" "${DESTDIR}${ANCHORDIR}"/*.pem > "${DESTDIR}${ANCHORLIST}"
+"${MD5SUM}" "${DESTDIR}${ANCHORDIR}"/* > "${DESTDIR}${ANCHORLIST}"
 # Build alternate formats using p11-kit trust
 mkdir -p "${DESTDIR}${BUNDLEDIR}" "${DESTDIR}${KEYSTORE}"