SliTaz Repositories

     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/cacerts/stuff/make-ca.sh	Sun Mar 30 21:43:58 2014 +0200
     1.3 @@ -0,0 +1,96 @@
     1.4 +#!/bin/sh
     1.5 +# Begin make-ca.sh
     1.6 +# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
     1.7 +#
     1.8 +# The file certdata.txt must exist in the local directory
     1.9 +# Version number is obtained from the version of the data.
    1.10 +#
    1.11 +# Authors: DJ Lucas
    1.12 +#          Bruce Dubbs
    1.13 +#
    1.14 +# Version 20120211
    1.15 +
    1.16 +certdata="certdata.txt"
    1.17 +
    1.18 +if [ ! -r $certdata ]; then
    1.19 +  echo "$certdata must be in the local directory"
    1.20 +  exit 1
    1.21 +fi
    1.22 +
    1.23 +REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
    1.24 +
    1.25 +if [ -z "${REVISION}" ]; then
    1.26 +  echo "$certfile has no 'Revision' in CVS_ID"
    1.27 +  exit 1
    1.28 +fi
    1.29 +
    1.30 +VERSION=$(echo $REVISION | cut -f2 -d" ")
    1.31 +
    1.32 +TEMPDIR=$(mktemp -d)
    1.33 +TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
    1.34 +BUNDLE="ca-bundle.crt"
    1.35 +CONVERTSCRIPT="./make-cert.pl"
    1.36 +SSLDIR="${DESTDIR}/etc/ssl"
    1.37 +
    1.38 +mkdir "${TEMPDIR}/certs"
    1.39 +
    1.40 +# Get a list of staring lines for each cert
    1.41 +CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
    1.42 +
    1.43 +# Get a list of ending lines for each cert
    1.44 +CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
    1.45 +
    1.46 +# Start a loop
    1.47 +for certbegin in ${CERTBEGINLIST}; do
    1.48 +  for certend in ${CERTENDLIST}; do
    1.49 +    if test "${certend}" -gt "${certbegin}"; then
    1.50 +      break
    1.51 +    fi
    1.52 +  done
    1.53 +
    1.54 +  # Dump to a temp file with the name of the file as the beginning line number
    1.55 +  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
    1.56 +done
    1.57 +
    1.58 +unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
    1.59 +
    1.60 +mkdir -p certs
    1.61 +touch certs/dummy
    1.62 +rm certs/*      # Make sure the directory is clean
    1.63 +
    1.64 +for tempfile in ${TEMPDIR}/certs/*.tmp; do
    1.65 +  # Make sure that the cert is trusted...
    1.66 +  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
    1.67 +    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
    1.68 +
    1.69 +  if test "${?}" = "0"; then
    1.70 +    # Throw a meaningful error and remove the file
    1.71 +    cp "${tempfile}" tempfile.cer
    1.72 +    perl ${CONVERTSCRIPT} > tempfile.crt
    1.73 +    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    1.74 +    echo "Certificate ${keyhash} is not trusted!  Removing..."
    1.75 +    rm -f tempfile.cer tempfile.crt "${tempfile}"
    1.76 +    continue
    1.77 +  fi
    1.78 +
    1.79 +  # If execution made it to here in the loop, the temp cert is trusted
    1.80 +  # Find the cert data and generate a cert file for it
    1.81 +
    1.82 +  cp "${tempfile}" tempfile.cer
    1.83 +  perl ${CONVERTSCRIPT} > tempfile.crt
    1.84 +  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    1.85 +  mv tempfile.crt "certs/${keyhash}.pem"
    1.86 +  rm -f tempfile.cer "${tempfile}"
    1.87 +  echo "Created ${keyhash}.pem"
    1.88 +done
    1.89 +
    1.90 +# Remove blacklisted files
    1.91 +# MD5 Collision Proof of Concept CA
    1.92 +if test -f certs/8f111d69.pem; then
    1.93 +  echo "Certificate 8f111d69 is not trusted!  Removing..."
    1.94 +  rm -f certs/8f111d69.pem
    1.95 +fi
    1.96 +
    1.97 +# Finally, generate the bundle and clean up.
    1.98 +cat certs/*.pem >  ${BUNDLE}
    1.99 +rm -r "${TEMPDIR}"