make-ca,copy-trust-modifications: omit x-certificate-extension.p11kit and assume serverAuth

DJ Lucas 2021-08-04 22:17:50 -05:00
parent 45e198f198
commit e4b5db9b34
2 changed files with 8 additions and 5 deletions


@ -19,12 +19,12 @@ TEMPDIR=`mktemp -d`
"${TEMPDIR}" "${TEMPDIR}"
# Create a list of anchors that were not present or have been modified # Create a list of anchors that were not present or have been modified
"${MD5SUM}" "${ANCHORDIR}"/*.pem \ "${MD5SUM}" "${ANCHORDIR}"/* \
2> /dev/null > "${TEMPDIR}/anchors.md5sums" 2> /dev/null > "${TEMPDIR}/anchors.md5sums"
diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \ diff -au "${ANCHORLIST}" "${TEMPDIR}/anchors.md5sums" \
2> /dev/null > "${TEMPDIR}/diff" 2> /dev/null > "${TEMPDIR}/diff"
grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 \ grep "^+[a-z,0-9]" "${TEMPDIR}/diff" | cut -d " " -f 3 | \
2> /dev/null > "${TEMPDIR}/certlist" sed '/x-certificate-extension/d' 2> /dev/null > "${TEMPDIR}/certlist"
echo -e "\nThe following certificates have local modifications:\n" echo -e "\nThe following certificates have local modifications:\n"
@ -32,7 +32,10 @@ echo -e "\nThe following certificates have local modifications:\n"
for certificate in `cat "${TEMPDIR}/certlist"` ; do for certificate in `cat "${TEMPDIR}/certlist"` ; do
LABEL=`grep -m 1 "label:" "${certificate}"` LABEL=`grep -m 1 "label:" "${certificate}"`
LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'` LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
cp -f "${TEMPDIR}/${LABELNEW}.pem" "${LOCALDIR}" # if added this way, then just assume serverAuth only
# Auth can be changed in /etc/ssl/local or anchors
openssl x509 -in "${certificate}" -text -fingerprint \
-addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem"
echo -e "${LABELNEW}" echo -e "${LABELNEW}"
unset LABEL LABELNEW unset LABEL LABELNEW
done done
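Review bot: In the second hunk's loop, the new `openssl x509 ... -out "${LOCALDIR}/${LABELNEW}.pem"` call is neither checked for failure nor guarded against an empty or path-bearing `LABELNEW`, and the label is echoed as handled either way. Because the first hunk widens the glob from `*.pem` to `*` (the same change is made to the ANCHORLIST line in the other file), any modified file in the anchors directory other than the filtered `x-certificate-extension` one now reaches this loop; a file with no `label:` line would be written as `${LOCALDIR}/.pem`, and a label containing `/` would name a path outside `LOCALDIR`. Since `-addtrust serverAuth` is applied unconditionally, an anchor the administrator edited to restrict or distrust would presumably also be written to the local directory as TLS-server trusted, so the loop should at least report the trust it assigned and skip anything it could not convert. The loop starts and ends inside the hunk; a guarded version of its body follows.

```shell
  # … unchanged: LABEL / LABELNEW derivation …
  # Refuse labels that are empty or would name a path outside LOCALDIR
  case "${LABELNEW}" in
    ""|*/*)
      echo "Skipping ${certificate}: unusable label" >&2
      continue ;;
  esac
  # if added this way, then just assume serverAuth only
  # Auth can be changed in /etc/ssl/local or anchors
  if ! openssl x509 -in "${certificate}" -text -fingerprint \
         -addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem"; then
    echo "Skipping ${certificate}: not a readable certificate" >&2
    continue
  fi
  echo -e "${LABELNEW} (trust set to serverAuth)"
  # … unchanged: unset LABEL LABELNEW …
```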

View File

@ -817,7 +817,7 @@ fi
popd > /dev/null 2>&1 popd > /dev/null 2>&1
rm -rf "${TEMPDIR}" rm -rf "${TEMPDIR}"
# Build ANCHORLIST # Build ANCHORLIST
"${MD5SUM}" "${DESTDIR}${ANCHORDIR}"/*.pem > "${DESTDIR}${ANCHORLIST}" "${MD5SUM}" "${DESTDIR}${ANCHORDIR}"/* > "${DESTDIR}${ANCHORLIST}"
# Build alternate formats using p11-kit trust # Build alternate formats using p11-kit trust
mkdir -p "${DESTDIR}${BUNDLEDIR}" "${DESTDIR}${KEYSTORE}" mkdir -p "${DESTDIR}${BUNDLEDIR}" "${DESTDIR}${KEYSTORE}"