- fix Java cacert database generation: use Subject rather than Issuer for
alias name; add diagnostics; fix some alias names.
parent
5f392b3f7e
commit
56a6866973
5
Makefile
5
Makefile
@ -1,5 +1,5 @@
|
||||
# Makefile for source rpm: ca-certificates
|
||||
# $Id: Makefile,v 1.1 2008/05/30 20:08:46 kevin Exp $
|
||||
# $Id: Makefile,v 1.2 2009/11/25 22:47:28 notting Exp $
|
||||
NAME := ca-certificates
|
||||
SPECFILE = $(firstword $(wildcard *.spec))
|
||||
|
||||
@ -7,7 +7,8 @@ define find-makefile-common
|
||||
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
|
||||
endef
|
||||
|
||||
MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||
MAKEFILE_COMMON := ../common/Makefile.common
|
||||
#MAKEFILE_COMMON := $(shell $(find-makefile-common))
|
||||
|
||||
ifeq ($(MAKEFILE_COMMON),)
|
||||
# attept a checkout
|
||||
|
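Review bot: The hard-coded `MAKEFILE_COMMON := ../common/Makefile.common` in the second hunk means the `ifeq ($(MAKEFILE_COMMON),)` test right below it can never be true, so the checkout fallback becomes dead code and the build silently depends on a sibling `../common` directory. With the `$(shell $(find-makefile-common))` assignment only commented out, this reads like a local workaround that was committed along with the cacerts fix. If it is intentional, record why in a comment such as `# find-makefile-common disabled: <reason>`; otherwise restore the original assignment. The `ifeq` block continues outside the hunk.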
@ -7,7 +7,7 @@
|
||||
Summary: The Mozilla CA root certificate bundle
|
||||
Name: ca-certificates
|
||||
Version: 2010
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: Public Domain
|
||||
Group: System Environment/Base
|
||||
URL: http://www.mozilla.org/
|
||||
@ -16,7 +16,7 @@ Source1: blacklist.txt
|
||||
Source2: generate-cacerts.pl
|
||||
Source3: certdata2pem.py
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
BuildRequires: perl, java-openjdk, python
|
||||
BuildRequires: perl, java-openjdk, python, rcs
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
@ -25,7 +25,7 @@ Mozilla Foundation for use with the Internet PKI.
|
||||
|
||||
%prep
|
||||
rm -rf %{name}
|
||||
mkdir %{name} %{name}/certs
|
||||
mkdir %{name} %{name}/certs %{name}/java
|
||||
|
||||
%build
|
||||
pushd %{name}/certs
|
||||
@ -44,11 +44,13 @@ pushd %{name}
|
||||
EOF
|
||||
ident -q %{SOURCE0} | sed '1d;s/^/#/';
|
||||
echo '#';
|
||||
for f in certs/*.crt; do
|
||||
set +x; for f in certs/*.crt; do
|
||||
openssl x509 -text -in "$f"
|
||||
done;
|
||||
done; set -x;
|
||||
) > ca-bundle.crt
|
||||
%{__perl} %{SOURCE2} %{_bindir}/keytool ca-bundle.crt
|
||||
popd
|
||||
pushd %{name}/java
|
||||
%{__perl} %{SOURCE2} %{_bindir}/keytool ../certs/ca-bundle.crt
|
||||
touch -r %{SOURCE0} cacerts
|
||||
popd
|
||||
|
||||
@ -63,7 +65,7 @@ touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
||||
|
||||
# Install Java cacerts file.
|
||||
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
|
||||
install -p -m 644 %{name}/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
|
||||
install -p -m 644 %{name}/java/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
|
||||
|
||||
%clean
|
||||
rm -rf $RPM_BUILD_ROOT
|
||||
@ -78,6 +80,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{pkidir}/tls/cert.pem
|
||||
|
||||
%changelog
|
||||
* Fri Jan 15 2010 Joe Orton <jorton@redhat.com> - 2010-2
|
||||
- fix Java cacert database generation: use Subject rather than Issuer
|
||||
for alias name; add diagnostics; fix some alias names.
|
||||
|
||||
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
|
||||
- adopt Python certdata.txt parsing script from Debian
|
||||
|
||||
|
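Review bot: The `%build` change that runs the script from a new `%{name}/java` directory has no comment explaining why the working directory matters. Judging by the generate-cacerts.pl changes in this same commit, the script now creates each `<alias>.pem` with `O_EXCL` and then compares `<*.pem>` against its own counter, so any stray `.pem` in the cwd would abort the build. A comment above `pushd %{name}/java` would keep a later cleanup from merging the directories again: `# generate-cacerts.pl needs an empty cwd: it creates <alias>.pem with O_EXCL and counts *.pem`.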
@ -1,4 +1,7 @@
|
||||
#!/usr/bin/perl
|
||||
#!/usr/bin/perl -w
|
||||
|
||||
use diagnostics;
|
||||
use Fcntl;
|
||||
|
||||
# Copyright (C) 2007, 2008 Red Hat, Inc.
|
||||
#
|
||||
@ -27,7 +30,7 @@ $in_cert_block = 0;
|
||||
$write_current_cert = 1;
|
||||
foreach $cert (@certs)
|
||||
{
|
||||
if ($cert =~ /Issuer: /)
|
||||
if ($cert =~ /Subject: /)
|
||||
{
|
||||
$_ = $cert;
|
||||
if ($cert =~ /personal-freemail/)
|
||||
@ -82,7 +85,7 @@ foreach $cert (@certs)
|
||||
}
|
||||
# Version 1 of Class 3 Public Primary Certification Authority
|
||||
# - G2 is added. Version 3 is excluded. See below.
|
||||
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
|
||||
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2.*1998/)
|
||||
{
|
||||
$cert_alias = "verisignclass3g2ca";
|
||||
}
|
||||
@ -94,7 +97,7 @@ foreach $cert (@certs)
|
||||
elsif ($cert =~
|
||||
/RSA Data Security.*Secure Server Certification Authority/)
|
||||
{
|
||||
$cert_alias = "verisignserverca";
|
||||
$cert_alias = "rsaserverca";
|
||||
}
|
||||
elsif ($cert =~ /GTE CyberTrust Global Root/)
|
||||
{
|
||||
@ -116,7 +119,7 @@ foreach $cert (@certs)
|
||||
{
|
||||
$cert_alias = "entrust2048ca";
|
||||
}
|
||||
elsif ($cert =~ /www.entrust.net\/CPS /)
|
||||
elsif ($cert =~ /www.entrust.net\/CPS incorp /)
|
||||
{
|
||||
$cert_alias = "entrustsslca";
|
||||
}
|
||||
@ -224,10 +227,6 @@ foreach $cert (@certs)
|
||||
{
|
||||
$cert_alias = "extra-elektronikkas2005";
|
||||
}
|
||||
elsif ($cert =~ /Elektronik/)
|
||||
{
|
||||
$cert_alias = "extra-elektronik2005";
|
||||
}
|
||||
# Mozilla does not provide these certificates:
|
||||
# baltimorecodesigningca
|
||||
# gtecybertrust5ca
|
||||
@ -237,13 +236,13 @@ foreach $cert (@certs)
|
||||
else
|
||||
{
|
||||
# Generate an alias using the OU and CN attributes of the
|
||||
# Issuer field if both are present, otherwise use only the
|
||||
# CN attribute. The Issuer field must have either the OU
|
||||
# Subject field if both are present, otherwise use only the
|
||||
# CN attribute. The Subject field must have either the OU
|
||||
# or the CN attribute.
|
||||
$_ = $cert;
|
||||
if ($cert =~ /OU=/)
|
||||
{
|
||||
s/Issuer:.*?OU=//;
|
||||
s/Subject:.*?OU=//;
|
||||
# Remove other occurrences of OU=.
|
||||
s/OU=.*CN=//;
|
||||
# Remove CN= if there were not other occurrences of OU=.
|
||||
@ -254,7 +253,7 @@ foreach $cert (@certs)
|
||||
}
|
||||
elsif ($cert =~ /CN=/)
|
||||
{
|
||||
s/Issuer:.*CN=//;
|
||||
s/Subject:.*CN=//;
|
||||
s/\/emailAddress.*//;
|
||||
s/Certificate Authority/ca/g;
|
||||
s/Certification Authority/ca/g;
|
||||
@ -263,6 +262,7 @@ foreach $cert (@certs)
|
||||
tr/A-Z/a-z/;
|
||||
$cert_alias = "extra-$_";
|
||||
}
|
||||
print "$cert => alias $cert_alias\n";
|
||||
}
|
||||
# When it attempts to parse:
|
||||
#
|
||||
@ -297,8 +297,12 @@ foreach $cert (@certs)
|
||||
if ($write_current_cert == 1)
|
||||
{
|
||||
$pem_file_count++;
|
||||
open(PEM, ">$cert_alias.pem");
|
||||
print "writing $cert_alias.pem\n";
|
||||
sysopen(PEM, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL)
|
||||
|| die("could not write file");
|
||||
print "opened $cert_alias";
|
||||
print PEM $cert;
|
||||
print "written $cert_alias.pem\n";
|
||||
}
|
||||
}
|
||||
elsif ($cert eq "-----END CERTIFICATE-----\n")
|
||||
@ -324,7 +328,7 @@ foreach $cert (@certs)
|
||||
@pem_files = <*.pem>;
|
||||
if (@pem_files != $pem_file_count)
|
||||
{
|
||||
print "$pem_file_count";
|
||||
print "$pem_file_count != ".@pem_files."\n";
|
||||
die "Number of .pem files produced does not match".
|
||||
" number of certs read from $file.";
|
||||
}
|
||||
|
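Review bot: The new `sysopen(PEM, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL) || die("could not write file");` reports neither the file name nor `$!`. With `O_EXCL` the likely failure is two certificates mapping to the same alias, which is the silent trust-store overwrite this commit is trying to expose. The message should name the colliding alias and the errno: `|| die("could not create $cert_alias.pem: $!");`. The following `print PEM $cert;` is also unchecked, and `print "opened $cert_alias";` lacks a trailing newline, so it runs into the next diagnostic line. The enclosing `foreach $cert (@certs)` loop starts and ends outside this hunk.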