From 0faf62233b04bbfffbbff500e675f066c756cdb5 Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Thu, 5 Aug 2021 22:27:20 -0500
Subject: [PATCH] copy-trust-modifications: Use X509v3 Key Usage section to determine local trust for anchros added using tust utiltiy.

---
 CHANGELOG | 4 ++--
 copy-trust-modifications | 24 +++++++++++++++++-------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5313f53..56f4abb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,8 +4,8 @@ - Use last OU= value for get_p11_label() fallback - Omit x-certificate-extension in comparison for copy-local-modifications - - Assume serverAuth for certificates added by 'trust anchors --store' - and generate a trusted certificate for use in LOCALDIR + - Use X509v3 Key Usage section to determine local trust for anchros + added using 'trust anchor --store' - Add nss-{server,email}-distrust-after values in anchors - requires p11-kit >= 0.23.19 - Use --filter=certificates for all stores
diff --git a/copy-trust-modifications b/copy-trust-modifications
index 976b6b0..46470c7 100644
--- a/copy-trust-modifications
+++ b/copy-trust-modifications
@@ -30,15 +30,25 @@ echo -e "\nThe following certificates have local modifications:\n"
 # Copy new certificates to LOCALDIR
 for certificate in `cat "${TEMPDIR}/certlist"` ; do
- LABEL=`grep -m 1 "label:" "${certificate}"`
- LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
- # if added this way, then just assume serverAuth only
- # Auth can be changed in /etc/ssl/local or anchors
- openssl x509 -in "${certificate}" -text -fingerprint \
- -addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem"
+ LABEL=`grep -m 1 "^label:" "${certificate}" | sed 's@^label: @@'`
+ LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`
+
+ # Determine default usage (this can be changed later)
+ usage=$(openssl x509 -in ${certificate} -noout -text | \
+ grep -A1 "X509v3 Key Usage:")
+ trust=""
+ echo ${usage} | grep -q "Certificate Sign" &&
+ trust="${trust} -addtrust serverAuth"
+ echo ${usage} | grep -q "Digital Signature" &&
+ trust="${trust} -addtrust emailProtection"
+
+ # Place into LOCALDIR
+ openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
+ ${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
 echo -e "${LABELNEW}"
- unset LABEL LABELNEW
+ unset LABEL LABELNEW usage trust
 done
+echo ""
 # Clean up
 rm -rf "${TEMPDIR}"
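Review bot: The two `grep -q` checks map a Key Usage bit to a trust purpose, granting serverAuth to any certificate whose keyUsage contains `Certificate Sign` and emailProtection to any with `Digital Signature`, but Key Usage only says how the key may be used, not which purposes the anchor is trusted for; that information lives in the X509v3 Extended Key Usage extension when present, so the check should read that first and use Key Usage only as a fallback, with a comment stating the fallback is a heuristic. When neither string matches, `trust` stays empty and the file is still written with `-setalias` but no `-addtrust`; OpenSSL appears to treat a trusted certificate that carries no purposes as trusted for every purpose, so that case should be handled explicitly (skip with a message on stderr) rather than fall through. The new lines also drop the quotes the removed lines had around `${certificate}` in both `openssl x509 -in` calls and leave `echo ${usage}` unquoted, and `${trust}` is unquoted on purpose so it word-splits; building it as an array avoids all of this: `trust=()`, `trust+=(-addtrust serverAuth)`, and `"${trust[@]}"` in the final openssl call.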