- fix Java cacert database generation: use Subject rather than Issuer for alias name; add diagnostics; fix some alias names.
This commit is contained in:
jorton 2010-01-15 20:22:01 +00:00
parent 5f392b3f7e
commit 56a6866973
3 changed files with 35 additions and 24 deletions


@ -1,5 +1,5 @@
# Makefile for source rpm: ca-certificates
# $Id: Makefile,v 1.1 2008/05/30 20:08:46 kevin Exp $
# $Id: Makefile,v 1.2 2009/11/25 22:47:28 notting Exp $
NAME := ca-certificates
SPECFILE = $(firstword $(wildcard *.spec))
@ -7,7 +7,8 @@ define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
MAKEFILE_COMMON := ../common/Makefile.common
#MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout


@ -7,7 +7,7 @@
Summary: The Mozilla CA root certificate bundle
Name: ca-certificates
Version: 2010
Release: 1%{?dist}
Release: 2%{?dist}
License: Public Domain
Group: System Environment/Base
URL: http://www.mozilla.org/
@ -16,7 +16,7 @@ Source1: blacklist.txt
Source2: generate-cacerts.pl
Source3: certdata2pem.py
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: perl, java-openjdk, python
BuildRequires: perl, java-openjdk, python, rcs
BuildArch: noarch
%description
@ -25,7 +25,7 @@ Mozilla Foundation for use with the Internet PKI.
%prep
rm -rf %{name}
mkdir %{name} %{name}/certs
mkdir %{name} %{name}/certs %{name}/java
%build
pushd %{name}/certs
@ -44,11 +44,13 @@ pushd %{name}
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
for f in certs/*.crt; do
set +x; for f in certs/*.crt; do
openssl x509 -text -in "$f"
done;
done; set -x;
) > ca-bundle.crt
%{__perl} %{SOURCE2} %{_bindir}/keytool ca-bundle.crt
popd
pushd %{name}/java
%{__perl} %{SOURCE2} %{_bindir}/keytool ../certs/ca-bundle.crt
touch -r %{SOURCE0} cacerts
popd
@ -63,7 +65,7 @@ touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
# Install Java cacerts file.
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
install -p -m 644 %{name}/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
%clean
rm -rf $RPM_BUILD_ROOT
@ -78,6 +80,10 @@ rm -rf $RPM_BUILD_ROOT
%{pkidir}/tls/cert.pem
%changelog
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
- fix Java cacert database generation: use Subject rather than Issuer
for alias name; add diagnostics; fix some alias names.
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
- adopt Python certdata.txt parsing script from Debian


@ -1,4 +1,7 @@
#!/usr/bin/perl
#!/usr/bin/perl -w
use diagnostics;
use Fcntl;
# Copyright (C) 2007, 2008 Red Hat, Inc.
#
@ -27,7 +30,7 @@ $in_cert_block = 0;
$write_current_cert = 1;
foreach $cert (@certs)
{
if ($cert =~ /Issuer: /)
if ($cert =~ /Subject: /)
{
$_ = $cert;
if ($cert =~ /personal-freemail/)
@ -82,7 +85,7 @@ foreach $cert (@certs)
}
# Version 1 of Class 3 Public Primary Certification Authority
# - G2 is added. Version 3 is excluded. See below.
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2.*1998/)
{
$cert_alias = "verisignclass3g2ca";
}
@ -94,7 +97,7 @@ foreach $cert (@certs)
elsif ($cert =~
/RSA Data Security.*Secure Server Certification Authority/)
{
$cert_alias = "verisignserverca";
$cert_alias = "rsaserverca";
}
elsif ($cert =~ /GTE CyberTrust Global Root/)
{
@ -116,7 +119,7 @@ foreach $cert (@certs)
{
$cert_alias = "entrust2048ca";
}
elsif ($cert =~ /www.entrust.net\/CPS /)
elsif ($cert =~ /www.entrust.net\/CPS incorp /)
{
$cert_alias = "entrustsslca";
}
@ -224,10 +227,6 @@ foreach $cert (@certs)
{
$cert_alias = "extra-elektronikkas2005";
}
elsif ($cert =~ /Elektronik/)
{
$cert_alias = "extra-elektronik2005";
}
# Mozilla does not provide these certificates:
# baltimorecodesigningca
# gtecybertrust5ca
@ -237,13 +236,13 @@ foreach $cert (@certs)
else
{
# Generate an alias using the OU and CN attributes of the
# Issuer field if both are present, otherwise use only the
# CN attribute. The Issuer field must have either the OU
# Subject field if both are present, otherwise use only the
# CN attribute. The Subject field must have either the OU
# or the CN attribute.
$_ = $cert;
if ($cert =~ /OU=/)
{
s/Issuer:.*?OU=//;
s/Subject:.*?OU=//;
# Remove other occurrences of OU=.
s/OU=.*CN=//;
# Remove CN= if there were not other occurrences of OU=.
@ -254,7 +253,7 @@ foreach $cert (@certs)
}
elsif ($cert =~ /CN=/)
{
s/Issuer:.*CN=//;
s/Subject:.*CN=//;
s/\/emailAddress.*//;
s/Certificate Authority/ca/g;
s/Certification Authority/ca/g;
@ -263,6 +262,7 @@ foreach $cert (@certs)
tr/A-Z/a-z/;
$cert_alias = "extra-$_";
}
print "$cert => alias $cert_alias\n";
}
# When it attempts to parse:
#
@ -297,8 +297,12 @@ foreach $cert (@certs)
if ($write_current_cert == 1)
{
$pem_file_count++;
open(PEM, ">$cert_alias.pem");
print "writing $cert_alias.pem\n";
sysopen(PEM, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL)
|| die("could not write file");
print "opened $cert_alias";
print PEM $cert;
print "written $cert_alias.pem\n";
}
}
elsif ($cert eq "-----END CERTIFICATE-----\n")
@ -324,7 +328,7 @@ foreach $cert (@certs)
@pem_files = <*.pem>;
if (@pem_files != $pem_file_count)
{
print "$pem_file_count";
print "$pem_file_count != ".@pem_files."\n";
die "Number of .pem files produced does not match".
" number of certs read from $file.";
}
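Review bot: The new `sysopen(PEM, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL) || die("could not write file")` in the hunk at -297 drops both the filename and `$!`, and because O_EXCL makes a second certificate that maps to the same generated alias fail right here, the message should say so: `|| die("could not create $cert_alias.pem: $!");`. The `print "opened $cert_alias";` just after it has no trailing newline, so it runs into the following "written" line on stdout. The diagnostics added through `-w` and `use diagnostics` stop short of `use strict`, which would also catch the package globals such as `$cert_alias` and `$pem_file_count` that the script relies on. The enclosing `foreach $cert (@certs)` loop starts and ends outside the hunks shown.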