copy-trust-modifications: Use X509v3 Key Usage section to determine local trust for anchors added using the trust utility.
This commit is contained in:
parent
62864a82a5
commit
0faf62233b
@ -4,8 +4,8 @@
|
|||||||
- Use last OU= value for get_p11_label() fallback
|
- Use last OU= value for get_p11_label() fallback
|
||||||
- Omit x-certificate-extension in comparison for
|
- Omit x-certificate-extension in comparison for
|
||||||
copy-local-modifications
|
copy-local-modifications
|
||||||
- Assume serverAuth for certificates added by 'trust anchors --store'
|
- Use X509v3 Key Usage section to determine local trust for anchros
|
||||||
and generate a trusted certificate for use in LOCALDIR
|
added using 'trust anchor --store'
|
||||||
- Add nss-{server,email}-distrust-after values in anchors - requires
|
- Add nss-{server,email}-distrust-after values in anchors - requires
|
||||||
p11-kit >= 0.23.19
|
p11-kit >= 0.23.19
|
||||||
- Use --filter=certificates for all stores
|
- Use --filter=certificates for all stores
|
||||||
|
@ -30,15 +30,25 @@ echo -e "\nThe following certificates have local modifications:\n"
|
|||||||
|
|
||||||
# Copy new certificates to LOCALDIR
|
# Copy new certificates to LOCALDIR
|
||||||
for certificate in `cat "${TEMPDIR}/certlist"` ; do
|
for certificate in `cat "${TEMPDIR}/certlist"` ; do
|
||||||
LABEL=`grep -m 1 "label:" "${certificate}"`
|
LABEL=`grep -m 1 "^label:" "${certificate}" | sed 's@^label: @@'`
|
||||||
LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@^label: @@' -e 's@"@@g' -e 's@ @_@g'`
|
LABELNEW=`echo "${LABEL}" | /bin/sed -e 's@"@@g' -e 's@ @_@g'`
|
||||||
# if added this way, then just assume serverAuth only
|
|
||||||
# Auth can be changed in /etc/ssl/local or anchors
|
# Determine default usage (this can be changed later)
|
||||||
openssl x509 -in "${certificate}" -text -fingerprint \
|
usage=$(openssl x509 -in ${certificate} -noout -text | \
|
||||||
-addtrust serverAuth -out "${LOCALDIR}/${LABELNEW}.pem"
|
grep -A1 "X509v3 Key Usage:")
|
||||||
|
trust=""
|
||||||
|
echo ${usage} | grep -q "Certificate Sign" &&
|
||||||
|
trust="${trust} -addtrust serverAuth"
|
||||||
|
echo ${usage} | grep -q "Digital Signature" &&
|
||||||
|
trust="${trust} -addtrust emailProtection"
|
||||||
|
|
||||||
|
# Place into LOCALDIR
|
||||||
|
openssl x509 -in ${certificate} -text -fingerprint -setalias "${LABEL}" \
|
||||||
|
${trust} -out "${LOCALDIR}/${LABELNEW}.pem"
|
||||||
echo -e "${LABELNEW}"
|
echo -e "${LABELNEW}"
|
||||||
unset LABEL LABELNEW
|
unset LABEL LABELNEW usage trust
|
||||||
done
|
done
|
||||||
|
echo ""
|
||||||
|
|
||||||
# Clean up
|
# Clean up
|
||||||
rm -rf "${TEMPDIR}"
|
rm -rf "${TEMPDIR}"
|
||||||
|
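Review bot: A certificate whose `-text` output has no "X509v3 Key Usage:" section leaves `usage` empty, so `trust` stays `""` and the file is written to LOCALDIR with no `-addtrust` purpose at all, whereas before this change every anchor added via 'trust anchor --store' got serverAuth; add an explicit fallback after the two grep checks, e.g. `[ -z "${trust}" ] && trust="-addtrust serverAuth"` (or at least a warning to stderr), rather than letting the trust semantics of a purpose-less PEM depend on OpenSSL's handling of missing aux data. The removed line quoted the path as `-in "${certificate}"`, but both new openssl invocations use bare `${certificate}`; restore the quotes, and quote `"${usage}"` in the `echo | grep -q` pipelines as well. Note also that "Certificate Sign" and "Digital Signature" are Key Usage bits, not the serverAuth/emailProtection purposes they are mapped to, so the mapping is a heuristic and the comment should say so, e.g. `# Heuristic: keyCertSign -> serverAuth, digitalSignature -> emailProtection`.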