emo/make-ca
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Use md5sum values for anchors.txt to detect p11-kit changes

Browse Source 
Added get_p11_label function to get reliable label values
This commit is contained in:
DJ Lucas 2019-01-01 14:08:35 -06:00
parent 33cdab2a45
commit 5316943b46
3 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG
View File

@ -1,3 +1,5 @@
1.2 - Use md5sum values for anchors.txt to detect p11-kit changes
- Added get_p11_label function to get reliable label values
1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR 1.1 - Add anchorlist for use by p11-kit to utilize LOCALDIR
1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/ 1.0 - Move bundle defaults to /etc/pki/tls/{certs,java}/
- Fix invalid test cases on command line processing - Fix invalid test cases on command line processing

28
make-ca
View File

@ -21,6 +21,7 @@ else
SSLDIR="/etc/ssl" SSLDIR="/etc/ssl"
CERTUTIL="/usr/bin/certutil" CERTUTIL="/usr/bin/certutil"
KEYTOOL="${JAVA_HOME}/bin/keytool" KEYTOOL="${JAVA_HOME}/bin/keytool"
MD5SUM="/usr/bin/md5sum"
OPENSSL="/usr/bin/openssl" OPENSSL="/usr/bin/openssl"
TRUST="/usr/bin/trust" TRUST="/usr/bin/trust"
ANCHORDIR="${PKIDIR}/anchors" ANCHORDIR="${PKIDIR}/anchors"
@ -372,7 +373,7 @@ function convert_trust_arg(){
} }
# Define p11-kit ext value constants (see p11-kit API documentation) # Define p11-kit ext value constants (see p11-kit API documentation)
get-p11-val() { function get-p11-val() {
case $1 in case $1 in
p11sasmcs) p11sasmcs)
p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03" p11value="0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
@ -408,6 +409,23 @@ get-p11-val() {
esac esac
} }
function get_p11_label() {
p11label="$(grep -m1 "Issuer" ${1} | grep -o CN=.*$ | \
cut -d ',' -f 1 | sed 's@CN=@@')"
# Fallback to the OU value if CN does not exeist in Issuer string
if [ "${p11label}" == "" ]; then
p11label="$(grep -m1 "Issuer" ${1} | grep -o "OU=.*$" | \
cut -d ',' -f 1 | sed 's@OU=@@')"
# If still empty, fall back to Object value as a last resort
if [ "${p11label}" == "" ]; then
p11label="$(grep -m1 "Issuer" ${1} | grep -o "O=.*$" | \
cut -d ',' -f 1 | sed 's@O=@@')"
fi
fi
}
# Process command line arguments # Process command line arguments
get_args $@ get_args $@
@ -549,8 +567,7 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)" certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
# Get p11-kit label, oid, and values # Get p11-kit label, oid, and values
p11label="$(grep -m1 "Issuer" ${tempfile} | grep -o CN=.*$ | \ get_p11_label "${tempfile}"
cut -d ',' -f 1 | sed 's@CN=@@')"
# if distrusted at all, x-distrusted # if distrusted at all, x-distrusted
if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p" if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@ -736,8 +753,7 @@ if test -d "${LOCALDIR}"; then
certtxt="$(${OPENSSL} x509 -in ${cert} -noout -text)" certtxt="$(${OPENSSL} x509 -in ${cert} -noout -text)"
# Place certificate into trust anchors dir # Place certificate into trust anchors dir
p11label="$(grep -m1 "Issuer" ${cert} | grep -o CN=.*$ | \ get_p11_label "${cert}"
cut -d ',' -f 1 | sed 's@CN=@@')"
# if distrusted at all, x-distrusted # if distrusted at all, x-distrusted
if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p" if test "${satrust}" == "p" -o "${smtrust}" == "p" -o "${cstrust}" == "p"
@ -850,7 +866,7 @@ fi
rm -rf "${TEMPDIR}" rm -rf "${TEMPDIR}"
# Build ANCHORLIST # Build ANCHORLIST
/bin/ls -1 --color=none "${ANCHORDIR}" > "${ANCHORLIST}" "${MD5SUM}" "${ANCHORDIR}"/*.pem > "${ANCHORLIST}"
# Build alternate formats using p11-kit trust (if not using DESTDIR) # Build alternate formats using p11-kit trust (if not using DESTDIR)
if test "x${DESTDIR}" == "x"; then if test "x${DESTDIR}" == "x"; then

1
make-ca.conf.dist
View File

@ -5,6 +5,7 @@ PKIDIR="/etc/pki"
SSLDIR="/etc/ssl" SSLDIR="/etc/ssl"
CERTUTIL="/usr/bin/certutil" CERTUTIL="/usr/bin/certutil"
KEYTOOL="${JAVA_HOME}/bin/keytool" KEYTOOL="${JAVA_HOME}/bin/keytool"
MD5SUM="/usr/bin/md5sum"
OPENSSL="/usr/bin/openssl" OPENSSL="/usr/bin/openssl"
TRUST="/usr/bin/trust" TRUST="/usr/bin/trust"
ANCHORDIR="${PKIDIR}/anchors" ANCHORDIR="${PKIDIR}/anchors"