- Change generate-cacerts.pl to produce pretty aliases.
parent
866d688724
commit
180c47e3df
@ -7,7 +7,7 @@
|
||||
Summary: The Mozilla CA root certificate bundle
|
||||
Name: ca-certificates
|
||||
Version: 2008
|
||||
Release: 5
|
||||
Release: 6
|
||||
License: Public Domain
|
||||
Group: System Environment/Base
|
||||
URL: http://www.mozilla.org/
|
||||
@ -57,6 +57,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{pkidir}/tls/cert.pem
|
||||
|
||||
%changelog
|
||||
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim@redhat.com> - 2008-6
|
||||
- Change generate-cacerts.pl to produce pretty aliases.
|
||||
|
||||
* Mon Jun 2 2008 Joe Orton <jorton@redhat.com> 2008-5
|
||||
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
|
||||
|
||||
|
@ -22,84 +22,327 @@ open(CERTS, $file);
|
||||
@certs = <CERTS>;
|
||||
close(CERTS);
|
||||
|
||||
$pem_file_number = 0;
|
||||
$writing_cert = 0;
|
||||
$pem_file_count = 0;
|
||||
$in_cert_block = 0;
|
||||
$write_current_cert = 1;
|
||||
foreach $cert (@certs)
|
||||
{
|
||||
if ($cert eq "-----BEGIN CERTIFICATE-----\n")
|
||||
{
|
||||
if ($writing_cert != 0)
|
||||
{
|
||||
die "$file is malformed.";
|
||||
}
|
||||
$pem_file_number++;
|
||||
# Numbering each file guarantees that cert aliases will be
|
||||
# unique.
|
||||
$pem_file_name = "$pem_file_number$cert_alias.pem";
|
||||
$writing_cert = 1;
|
||||
open(PEM, ">$pem_file_name");
|
||||
print PEM $cert;
|
||||
}
|
||||
elsif ($cert eq "-----END CERTIFICATE-----\n")
|
||||
{
|
||||
$writing_cert = 0;
|
||||
print PEM $cert;
|
||||
close(PEM);
|
||||
}
|
||||
elsif ($cert =~ /Issuer: /)
|
||||
{
|
||||
# Generate an alias using the OU and CN attributes of the
|
||||
# Issuer field if both are present, otherwise use only the CN
|
||||
# attribute. The Issuer field must have either the OU or the
|
||||
# CN attribute.
|
||||
$_ = $cert;
|
||||
if ($cert =~ /OU=/)
|
||||
{
|
||||
s/Issuer:.*?OU=//;
|
||||
# Remove other occurrences of OU=.
|
||||
s/OU=.*CN=//;
|
||||
# Remove CN= if there were not other occurrences of OU=.
|
||||
s/CN=//;
|
||||
}
|
||||
elsif ($cert =~ /CN=/)
|
||||
{
|
||||
s/Issuer:.*CN=//;
|
||||
}
|
||||
s/\W//g;
|
||||
tr/A-Z/a-z/;
|
||||
$cert_alias = $_
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($writing_cert == 1)
|
||||
{
|
||||
print PEM $cert;
|
||||
}
|
||||
}
|
||||
if ($cert =~ /Issuer: /)
|
||||
{
|
||||
$_ = $cert;
|
||||
if ($cert =~ /personal-freemail/)
|
||||
{
|
||||
$cert_alias = "thawtepersonalfreemailca";
|
||||
}
|
||||
elsif ($cert =~ /personal-basic/)
|
||||
{
|
||||
$cert_alias = "thawtepersonalbasicca";
|
||||
}
|
||||
elsif ($cert =~ /personal-premium/)
|
||||
{
|
||||
$cert_alias = "thawtepersonalpremiumca";
|
||||
}
|
||||
elsif ($cert =~ /server-certs/)
|
||||
{
|
||||
$cert_alias = "thawteserverca";
|
||||
}
|
||||
elsif ($cert =~ /premium-server/)
|
||||
{
|
||||
$cert_alias = "thawtepremiumserverca";
|
||||
}
|
||||
elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
|
||||
{
|
||||
$cert_alias = "verisignclass1ca";
|
||||
}
|
||||
elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
|
||||
{
|
||||
$cert_alias = "verisignclass1g2ca";
|
||||
}
|
||||
elsif ($cert =~
|
||||
/VeriSign Class 1 Public Primary Certification Authority - G3/)
|
||||
{
|
||||
$cert_alias = "verisignclass1g3ca";
|
||||
}
|
||||
elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
|
||||
{
|
||||
$cert_alias = "verisignclass2ca";
|
||||
}
|
||||
elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
|
||||
{
|
||||
$cert_alias = "verisignclass2g2ca";
|
||||
}
|
||||
elsif ($cert =~
|
||||
/VeriSign Class 2 Public Primary Certification Authority - G3/)
|
||||
{
|
||||
$cert_alias = "verisignclass2g3ca";
|
||||
}
|
||||
elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
|
||||
{
|
||||
$cert_alias = "verisignclass3ca";
|
||||
}
|
||||
# Version 1 of Class 3 Public Primary Certification Authority
|
||||
# - G2 is added. Version 3 is excluded. See below.
|
||||
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
|
||||
{
|
||||
$cert_alias = "verisignclass3g2ca";
|
||||
}
|
||||
elsif ($cert =~
|
||||
/VeriSign Class 3 Public Primary Certification Authority - G3/)
|
||||
{
|
||||
$cert_alias = "verisignclass3g3ca";
|
||||
}
|
||||
elsif ($cert =~
|
||||
/RSA Data Security.*Secure Server Certification Authority/)
|
||||
{
|
||||
$cert_alias = "verisignserverca";
|
||||
}
|
||||
elsif ($cert =~ /GTE CyberTrust Global Root/)
|
||||
{
|
||||
$cert_alias = "gtecybertrustglobalca";
|
||||
}
|
||||
elsif ($cert =~ /Baltimore CyberTrust Root/)
|
||||
{
|
||||
$cert_alias = "baltimorecybertrustca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
|
||||
{
|
||||
$cert_alias = "entrustclientca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
|
||||
{
|
||||
$cert_alias = "entrustglobalclientca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/CPS_2048/)
|
||||
{
|
||||
$cert_alias = "entrust2048ca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/CPS /)
|
||||
{
|
||||
$cert_alias = "entrustsslca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
|
||||
{
|
||||
$cert_alias = "entrustgsslca";
|
||||
}
|
||||
elsif ($cert =~ /The Go Daddy Group/)
|
||||
{
|
||||
$cert_alias = "godaddyclass2ca";
|
||||
}
|
||||
elsif ($cert =~ /Starfield Class 2 Certification Authority/)
|
||||
{
|
||||
$cert_alias = "starfieldclass2ca";
|
||||
}
|
||||
elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
|
||||
{
|
||||
$cert_alias = "valicertclass2ca";
|
||||
}
|
||||
elsif ($cert =~ /GeoTrust Global CA$/)
|
||||
{
|
||||
$cert_alias = "geotrustglobalca";
|
||||
}
|
||||
elsif ($cert =~ /Equifax Secure Certificate Authority/)
|
||||
{
|
||||
$cert_alias = "equifaxsecureca";
|
||||
}
|
||||
elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
|
||||
{
|
||||
$cert_alias = "equifaxsecureebusinessca1";
|
||||
}
|
||||
elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
|
||||
{
|
||||
$cert_alias = "equifaxsecureebusinessca2";
|
||||
}
|
||||
elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
|
||||
{
|
||||
$cert_alias = "equifaxsecureglobalebusinessca1";
|
||||
}
|
||||
elsif ($cert =~ /Sonera Class1 CA/)
|
||||
{
|
||||
$cert_alias = "soneraclass1ca";
|
||||
}
|
||||
elsif ($cert =~ /Sonera Class2 CA/)
|
||||
{
|
||||
$cert_alias = "soneraclass2ca";
|
||||
}
|
||||
elsif ($cert =~ /AAA Certificate Services/)
|
||||
{
|
||||
$cert_alias = "comodoaaaca";
|
||||
}
|
||||
elsif ($cert =~ /AddTrust Class 1 CA Root/)
|
||||
{
|
||||
$cert_alias = "addtrustclass1ca";
|
||||
}
|
||||
elsif ($cert =~ /AddTrust External CA Root/)
|
||||
{
|
||||
$cert_alias = "addtrustexternalca";
|
||||
}
|
||||
elsif ($cert =~ /AddTrust Qualified CA Root/)
|
||||
{
|
||||
$cert_alias = "addtrustqualifiedca";
|
||||
}
|
||||
elsif ($cert =~ /UTN-USERFirst-Hardware/)
|
||||
{
|
||||
$cert_alias = "utnuserfirsthardwareca";
|
||||
}
|
||||
elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
|
||||
{
|
||||
$cert_alias = "utnuserfirstclientauthemailca";
|
||||
}
|
||||
elsif ($cert =~ /UTN - DATACorp SGC/)
|
||||
{
|
||||
$cert_alias = "utndatacorpsgcca";
|
||||
}
|
||||
elsif ($cert =~ /UTN-USERFirst-Object/)
|
||||
{
|
||||
$cert_alias = "utnuserfirstobjectca";
|
||||
}
|
||||
elsif ($cert =~ /America Online Root Certification Authority 1/)
|
||||
{
|
||||
$cert_alias = "aolrootca1";
|
||||
}
|
||||
elsif ($cert =~ /DigiCert Assured ID Root CA/)
|
||||
{
|
||||
$cert_alias = "digicertassuredidrootca";
|
||||
}
|
||||
elsif ($cert =~ /DigiCert Global Root CA/)
|
||||
{
|
||||
$cert_alias = "digicertglobalrootca";
|
||||
}
|
||||
elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
|
||||
{
|
||||
$cert_alias = "digicerthighassuranceevrootca";
|
||||
}
|
||||
elsif ($cert =~ /GlobalSign Root CA$/)
|
||||
{
|
||||
$cert_alias = "globalsignca";
|
||||
}
|
||||
elsif ($cert =~ /GlobalSign Root CA - R2/)
|
||||
{
|
||||
$cert_alias = "globalsignr2ca";
|
||||
}
|
||||
elsif ($cert =~ /Elektronik.*Kas.*2005/)
|
||||
{
|
||||
$cert_alias = "extra-elektronikkas2005";
|
||||
}
|
||||
elsif ($cert =~ /Elektronik/)
|
||||
{
|
||||
$cert_alias = "extra-elektronik2005";
|
||||
}
|
||||
# Mozilla does not provide these certificates:
|
||||
# baltimorecodesigningca
|
||||
# gtecybertrust5ca
|
||||
# trustcenterclass2caii
|
||||
# trustcenterclass4caii
|
||||
# trustcenteruniversalcai
|
||||
else
|
||||
{
|
||||
# Generate an alias using the OU and CN attributes of the
|
||||
# Issuer field if both are present, otherwise use only the
|
||||
# CN attribute. The Issuer field must have either the OU
|
||||
# or the CN attribute.
|
||||
$_ = $cert;
|
||||
if ($cert =~ /OU=/)
|
||||
{
|
||||
s/Issuer:.*?OU=//;
|
||||
# Remove other occurrences of OU=.
|
||||
s/OU=.*CN=//;
|
||||
# Remove CN= if there were not other occurrences of OU=.
|
||||
s/CN=//;
|
||||
s/\/emailAddress.*//;
|
||||
s/Certificate Authority/ca/g;
|
||||
s/Certification Authority/ca/g;
|
||||
}
|
||||
elsif ($cert =~ /CN=/)
|
||||
{
|
||||
s/Issuer:.*CN=//;
|
||||
s/\/emailAddress.*//;
|
||||
s/Certificate Authority/ca/g;
|
||||
s/Certification Authority/ca/g;
|
||||
}
|
||||
s/\W//g;
|
||||
tr/A-Z/a-z/;
|
||||
$cert_alias = "extra-$_";
|
||||
}
|
||||
}
|
||||
# When it attempts to parse:
|
||||
#
|
||||
# Class 3 Public Primary Certification Authority - G2, Version 3
|
||||
#
|
||||
# keytool says:
|
||||
#
|
||||
# #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
|
||||
# Unparseable AuthorityInfoAccess extension due to
|
||||
# java.io.IOException: Invalid encoding of URI
|
||||
#
|
||||
# If we do not exclude this file
|
||||
# openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
|
||||
# on this cert, printing:
|
||||
#
|
||||
# Couldn't verify: java.security.SignatureException: Signature
|
||||
# does not match.
|
||||
#
|
||||
elsif ($cert =~
|
||||
/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
|
||||
{
|
||||
$write_current_cert = 0;
|
||||
$pem_file_count--;
|
||||
}
|
||||
elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
|
||||
{
|
||||
if ($in_cert_block != 0)
|
||||
{
|
||||
die "$file is malformed.";
|
||||
}
|
||||
$in_cert_block = 1;
|
||||
if ($write_current_cert == 1)
|
||||
{
|
||||
$pem_file_count++;
|
||||
open(PEM, ">$cert_alias.pem");
|
||||
print PEM $cert;
|
||||
}
|
||||
}
|
||||
elsif ($cert eq "-----END CERTIFICATE-----\n")
|
||||
{
|
||||
$in_cert_block = 0;
|
||||
if ($write_current_cert == 1)
|
||||
{
|
||||
print PEM $cert;
|
||||
close(PEM);
|
||||
}
|
||||
$write_current_cert = 1
|
||||
}
|
||||
else
|
||||
{
|
||||
if ($in_cert_block == 1 && $write_current_cert == 1)
|
||||
{
|
||||
print PEM $cert;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Check that the correct number of .pem files were produced.
|
||||
@pem_files = <*.pem>;
|
||||
if (@pem_files != $pem_file_number)
|
||||
if (@pem_files != $pem_file_count)
|
||||
{
|
||||
die "Number of .pem files produced does not match".
|
||||
" number of certs read from $file.";
|
||||
print "$pem_file_count";
|
||||
die "Number of .pem files produced does not match".
|
||||
" number of certs read from $file.";
|
||||
}
|
||||
|
||||
# Now store each cert in the 'cacerts' file using keytool.
|
||||
$certs_written_count = 0;
|
||||
foreach $pem_file (@pem_files)
|
||||
{
|
||||
system "yes | $ARGV[0] -import".
|
||||
" -alias `basename $pem_file .pem`".
|
||||
" -keystore cacerts -storepass 'changeit' -file $pem_file";
|
||||
unlink($pem_file);
|
||||
$certs_written_count++;
|
||||
system "/bin/echo yes | $ARGV[0] -import".
|
||||
" -alias `basename $pem_file .pem`".
|
||||
" -keystore cacerts -storepass 'changeit' -file $pem_file";
|
||||
unlink($pem_file);
|
||||
$certs_written_count++;
|
||||
}
|
||||
|
||||
# Check that the correct number of certs were added to the keystore.
|
||||
if ($certs_written_count != $pem_file_number)
|
||||
if ($certs_written_count != $pem_file_count)
|
||||
{
|
||||
die "Number of certs added to keystore does not match".
|
||||
" number of certs read from $file.";
|
||||
die "Number of certs added to keystore does not match".
|
||||
" number of certs read from $file.";
|
||||
}
|
||||
|
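Review bot: The `$pem_file_count--;` in the fingerprint-exclusion branch appears to subtract the excluded certificate twice: once `$write_current_cert` is 0, the `-----BEGIN CERTIFICATE-----` branch that follows already skips its `$pem_file_count++`, so the count ends one below the number of .pem files written and the `@pem_files != $pem_file_count` check should fire on every run (which the leftover `print "$pem_file_count";` in that die block looks like it was added to debug); leaving that branch as `$write_current_cert = 0;` alone keeps the count in step, and the debug print should go or be folded into the die message. Dropping the numeric prefix from the file name also drops the uniqueness guarantee the old comment relied on: `open(PEM, ">$cert_alias.pem")` silently truncates an earlier certificate whose Issuer reduced to the same alias, and the only symptom is the misleading "does not match" die, so guard it with `die "duplicate alias $cert_alias" if -e "$cert_alias.pem";` and check the open itself, `open(PEM, '>', "$cert_alias.pem") or die "open $cert_alias.pem: $!";`. The `system` strings still pass `$ARGV[0]` and the globbed `$pem_file` through a shell with a `basename` subshell; the alias characters are reduced to `\w` and `-` so this is contained for files the script wrote, but any stray .pem in the working directory is picked up by `<*.pem>` and interpolated as-is, so the list form `system($ARGV[0], '-import', '-alias', $alias, ...)` with the alias derived in Perl (and keytool's `-noprompt` in place of the piped `yes`, if the keytool in use supports it) would be the safer shape. The script's preamble, including the `open(CERTS, $file)` shown in the hunk header, lies outside this hunk.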