# Tanım: Certificate Authority certificates, the Public Key Infrastructure. # URL: http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1 # Paketçi: milisarge@gmail.com # Gerekler: name=ca-certificates version=20160110 release=1 source=(http://downloads.nutyx.org/files/$name-$version.tar.gz) build() { mkdir -p $PKG/{bin,etc/ssl} cp $SRC/ca-bundle.crt $PKG/etc/ssl/ cp -a $SRC/certs $PKG/etc/ssl/certs # script to reformat a certificate into a form needed by openssl. cat > $PKG/bin/make-cert.pl << "EOF" #!/usr/bin/perl -w # Used to generate PEM encoded files from Mozilla certdata.txt. # Run as ./mkcrt.pl > certificate.crt # # Parts of this script courtesy of RedHat (mkcabundle.pl) # # This script modified for use with single file data (tempfile.cer) extracted # from certdata.txt, taken from the latest version in the Mozilla NSS source. # mozilla/security/nss/lib/ckfw/builtins/certdata.txt # # Authors: DJ Lucas # Bruce Dubbs # # Version 20120211 my $certdata = './tempfile.cer'; open( IN, "cat $certdata|" ) || die "could not open $certdata"; my $incert = 0; while ( ) { if ( /^CKA_VALUE MULTILINE_OCTAL/ ) { $incert = 1; open( OUT, "|openssl x509 -text -inform DER -fingerprint" ) || die "could not pipe to openssl x509"; } elsif ( /^END/ && $incert ) { close( OUT ); $incert = 0; print "\n\n"; } elsif ($incert) { my @bs = split( /\\/ ); foreach my $b (@bs) { chomp $b; printf( OUT "%c", oct($b) ) unless $b eq ''; } } } EOF chmod +x $PKG/bin/make-cert.pl # script to creates the certificates and a bundle of all the certificates. cat > $PKG/bin/make-ca.sh << "EOF" #!/bin/bash # Begin make-ca.sh # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs # # The file certdata.txt must exist in the local directory # Version number is obtained from the version of the data. # # Authors: DJ Lucas # Bruce Dubbs # # Version 20120211 certdata="certdata.txt" if [ ! -r $certdata ]; then echo "$certdata must be in the local directory" exit 1 fi REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$') if [ -z "${REVISION}" ]; then echo "$certfile has no 'Revision' in CVS_ID" exit 1 fi VERSION=$(echo $REVISION | cut -f2 -d" ") TEMPDIR=$(mktemp -d) TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH" BUNDLE="BLFS-ca-bundle-${VERSION}.crt" CONVERTSCRIPT="/bin/make-cert.pl" SSLDIR="/etc/ssl" mkdir "${TEMPDIR}/certs" # Get a list of staring lines for each cert CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1) # Get a list of ending lines for each cert CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1` # Start a loop for certbegin in ${CERTBEGINLIST}; do for certend in ${CERTENDLIST}; do if test "${certend}" -gt "${certbegin}"; then break fi done # Dump to a temp file with the name of the file as the beginning line number sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp" done unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend mkdir -p certs rm certs/* # Make sure the directory is clean for tempfile in ${TEMPDIR}/certs/*.tmp; do # Make sure that the cert is trusted... grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \ egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null if test "${?}" = "0"; then # Throw a meaningful error and remove the file cp "${tempfile}" tempfile.cer perl ${CONVERTSCRIPT} > tempfile.crt keyhash=$(openssl x509 -noout -in tempfile.crt -hash) echo "Certificate ${keyhash} is not trusted! Removing..." rm -f tempfile.cer tempfile.crt "${tempfile}" continue fi # If execution made it to here in the loop, the temp cert is trusted # Find the cert data and generate a cert file for it cp "${tempfile}" tempfile.cer perl ${CONVERTSCRIPT} > tempfile.crt keyhash=$(openssl x509 -noout -in tempfile.crt -hash) mv tempfile.crt "certs/${keyhash}.pem" rm -f tempfile.cer "${tempfile}" echo "Created ${keyhash}.pem" done # Remove blacklisted files # MD5 Collision Proof of Concept CA if test -f certs/8f111d69.pem; then echo "Certificate 8f111d69 is not trusted! Removing..." rm -f certs/8f111d69.pem fi # Finally, generate the bundle and clean up. cat certs/*.pem > ${BUNDLE} rm -r "${TEMPDIR}" EOF chmod +x $PKG/bin/make-ca.sh # script to remove expired certificates from a directory cat > $PKG/bin/remove-expired-certs.sh << "EOF" #!/bin/bash # Begin /bin/remove-expired-certs.sh # # Version 20120211 # Make sure the date is parsed correctly on all systems function mydate() { local y=$( echo $1 | cut -d" " -f4 ) local M=$( echo $1 | cut -d" " -f1 ) local d=$( echo $1 | cut -d" " -f2 ) local m if [ ${d} -lt 10 ]; then d="0${d}"; fi case $M in Jan) m="01";; Feb) m="02";; Mar) m="03";; Apr) m="04";; May) m="05";; Jun) m="06";; Jul) m="07";; Aug) m="08";; Sep) m="09";; Oct) m="10";; Nov) m="11";; Dec) m="12";; esac certdate="${y}${m}${d}" } OPENSSL="`which openssl`" DIR=/etc/ssl/certs if [ $# -gt 0 ]; then DIR="$1" fi certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" ) today=$( date +%Y%m%d ) for cert in $certs; do notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout ) date=$( echo ${notafter} | sed 's/^notAfter=//' ) mydate "$date" if [ ${certdate} -lt ${today} ]; then echo "${cert} expired on ${certdate}! Removing..." rm -f "${cert}" fi done EOF chmod +x $PKG/bin/remove-expired-certs.sh }