230 lines
5.5 KiB
Plaintext
230 lines
5.5 KiB
Plaintext
|
# Description: Certificate Authority certificates, the Public Key Infrastructure.
|
||
|
# URL: http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1
|
||
|
# Packager: tnut at nutyx dot org
|
||
|
|
||
|
name=ca-certificates
|
||
|
version=20160110
|
||
|
release=1
|
||
|
|
||
|
source=(http://downloads.nutyx.org/files/$name-$version.tar.gz)
|
||
|
|
||
|
build() {
|
||
|
|
||
|
mkdir -p $PKG/{bin,etc/ssl}
|
||
|
cp $SRC/ca-bundle.crt $PKG/etc/ssl/
|
||
|
cp -a $SRC/certs $PKG/etc/ssl/certs
|
||
|
|
||
|
# script to reformat a certificate into a form needed by openssl.
|
||
|
cat > $PKG/bin/make-cert.pl << "EOF"
|
||
|
#!/usr/bin/perl -w
|
||
|
|
||
|
# Used to generate PEM encoded files from Mozilla certdata.txt.
|
||
|
# Run as ./mkcrt.pl > certificate.crt
|
||
|
#
|
||
|
# Parts of this script courtesy of RedHat (mkcabundle.pl)
|
||
|
#
|
||
|
# This script modified for use with single file data (tempfile.cer) extracted
|
||
|
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
|
||
|
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
||
|
#
|
||
|
# Authors: DJ Lucas
|
||
|
# Bruce Dubbs
|
||
|
#
|
||
|
# Version 20120211
|
||
|
|
||
|
my $certdata = './tempfile.cer';
|
||
|
|
||
|
open( IN, "cat $certdata|" )
|
||
|
|| die "could not open $certdata";
|
||
|
|
||
|
my $incert = 0;
|
||
|
|
||
|
while ( <IN> )
|
||
|
{
|
||
|
if ( /^CKA_VALUE MULTILINE_OCTAL/ )
|
||
|
{
|
||
|
$incert = 1;
|
||
|
open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
|
||
|
|| die "could not pipe to openssl x509";
|
||
|
}
|
||
|
|
||
|
elsif ( /^END/ && $incert )
|
||
|
{
|
||
|
close( OUT );
|
||
|
$incert = 0;
|
||
|
print "\n\n";
|
||
|
}
|
||
|
|
||
|
elsif ($incert)
|
||
|
{
|
||
|
my @bs = split( /\\/ );
|
||
|
foreach my $b (@bs)
|
||
|
{
|
||
|
chomp $b;
|
||
|
printf( OUT "%c", oct($b) ) unless $b eq '';
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
EOF
|
||
|
chmod +x $PKG/bin/make-cert.pl
|
||
|
# script to creates the certificates and a bundle of all the certificates.
|
||
|
cat > $PKG/bin/make-ca.sh << "EOF"
|
||
|
#!/bin/bash
|
||
|
# Begin make-ca.sh
|
||
|
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
|
||
|
#
|
||
|
# The file certdata.txt must exist in the local directory
|
||
|
# Version number is obtained from the version of the data.
|
||
|
#
|
||
|
# Authors: DJ Lucas
|
||
|
# Bruce Dubbs
|
||
|
#
|
||
|
# Version 20120211
|
||
|
|
||
|
certdata="certdata.txt"
|
||
|
|
||
|
if [ ! -r $certdata ]; then
|
||
|
echo "$certdata must be in the local directory"
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
|
||
|
|
||
|
if [ -z "${REVISION}" ]; then
|
||
|
echo "$certfile has no 'Revision' in CVS_ID"
|
||
|
exit 1
|
||
|
fi
|
||
|
|
||
|
VERSION=$(echo $REVISION | cut -f2 -d" ")
|
||
|
|
||
|
TEMPDIR=$(mktemp -d)
|
||
|
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
|
||
|
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
|
||
|
CONVERTSCRIPT="/bin/make-cert.pl"
|
||
|
SSLDIR="/etc/ssl"
|
||
|
|
||
|
mkdir "${TEMPDIR}/certs"
|
||
|
|
||
|
# Get a list of staring lines for each cert
|
||
|
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
|
||
|
|
||
|
# Get a list of ending lines for each cert
|
||
|
CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
|
||
|
|
||
|
# Start a loop
|
||
|
for certbegin in ${CERTBEGINLIST}; do
|
||
|
for certend in ${CERTENDLIST}; do
|
||
|
if test "${certend}" -gt "${certbegin}"; then
|
||
|
break
|
||
|
fi
|
||
|
done
|
||
|
|
||
|
# Dump to a temp file with the name of the file as the beginning line number
|
||
|
sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
|
||
|
done
|
||
|
|
||
|
unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
|
||
|
|
||
|
mkdir -p certs
|
||
|
rm certs/* # Make sure the directory is clean
|
||
|
|
||
|
for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
||
|
# Make sure that the cert is trusted...
|
||
|
grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
|
||
|
egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
|
||
|
|
||
|
if test "${?}" = "0"; then
|
||
|
# Throw a meaningful error and remove the file
|
||
|
cp "${tempfile}" tempfile.cer
|
||
|
perl ${CONVERTSCRIPT} > tempfile.crt
|
||
|
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
||
|
echo "Certificate ${keyhash} is not trusted! Removing..."
|
||
|
rm -f tempfile.cer tempfile.crt "${tempfile}"
|
||
|
continue
|
||
|
fi
|
||
|
|
||
|
# If execution made it to here in the loop, the temp cert is trusted
|
||
|
# Find the cert data and generate a cert file for it
|
||
|
|
||
|
cp "${tempfile}" tempfile.cer
|
||
|
perl ${CONVERTSCRIPT} > tempfile.crt
|
||
|
keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
|
||
|
mv tempfile.crt "certs/${keyhash}.pem"
|
||
|
rm -f tempfile.cer "${tempfile}"
|
||
|
echo "Created ${keyhash}.pem"
|
||
|
done
|
||
|
|
||
|
# Remove blacklisted files
|
||
|
# MD5 Collision Proof of Concept CA
|
||
|
if test -f certs/8f111d69.pem; then
|
||
|
echo "Certificate 8f111d69 is not trusted! Removing..."
|
||
|
rm -f certs/8f111d69.pem
|
||
|
fi
|
||
|
|
||
|
# Finally, generate the bundle and clean up.
|
||
|
cat certs/*.pem > ${BUNDLE}
|
||
|
rm -r "${TEMPDIR}"
|
||
|
EOF
|
||
|
|
||
|
chmod +x $PKG/bin/make-ca.sh
|
||
|
|
||
|
# script to remove expired certificates from a directory
|
||
|
cat > $PKG/bin/remove-expired-certs.sh << "EOF"
|
||
|
#!/bin/bash
|
||
|
# Begin /bin/remove-expired-certs.sh
|
||
|
#
|
||
|
# Version 20120211
|
||
|
|
||
|
# Make sure the date is parsed correctly on all systems
|
||
|
function mydate()
|
||
|
{
|
||
|
local y=$( echo $1 | cut -d" " -f4 )
|
||
|
local M=$( echo $1 | cut -d" " -f1 )
|
||
|
local d=$( echo $1 | cut -d" " -f2 )
|
||
|
local m
|
||
|
|
||
|
if [ ${d} -lt 10 ]; then d="0${d}"; fi
|
||
|
|
||
|
case $M in
|
||
|
Jan) m="01";;
|
||
|
Feb) m="02";;
|
||
|
Mar) m="03";;
|
||
|
Apr) m="04";;
|
||
|
May) m="05";;
|
||
|
Jun) m="06";;
|
||
|
Jul) m="07";;
|
||
|
Aug) m="08";;
|
||
|
Sep) m="09";;
|
||
|
Oct) m="10";;
|
||
|
Nov) m="11";;
|
||
|
Dec) m="12";;
|
||
|
esac
|
||
|
|
||
|
certdate="${y}${m}${d}"
|
||
|
}
|
||
|
|
||
|
OPENSSL="`which openssl`"
|
||
|
DIR=/etc/ssl/certs
|
||
|
|
||
|
if [ $# -gt 0 ]; then
|
||
|
DIR="$1"
|
||
|
fi
|
||
|
|
||
|
certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
|
||
|
today=$( date +%Y%m%d )
|
||
|
|
||
|
for cert in $certs; do
|
||
|
notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
|
||
|
date=$( echo ${notafter} | sed 's/^notAfter=//' )
|
||
|
mydate "$date"
|
||
|
|
||
|
if [ ${certdate} -lt ${today} ]; then
|
||
|
echo "${cert} expired on ${certdate}! Removing..."
|
||
|
rm -f "${cert}"
|
||
|
fi
|
||
|
done
|
||
|
EOF
|
||
|
|
||
|
chmod +x $PKG/bin/remove-expired-certs.sh
|
||
|
}
|