From 53ac95f8fd0bdb5950aea3f7d48081340d6a74d7 Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Sun, 8 Aug 2021 00:26:59 -0500
Subject: [PATCH] make-ca: remove workarounds and use certdata.txt values first, remove trailing spaces from x509 Subject derived p11label.
---
 make-ca | 36 +++++++++++++++++++++---------------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/make-ca b/make-ca
index 7b145aa..e8bec98 100644
--- a/make-ca
+++ b/make-ca
@@ -462,30 +462,36 @@ function get_p11_label() {
 # $1 == individual nss certificate extracted from certdata.txt
 # or x509 certificate with OpenSSL text values
- # Get the subject line for any certs and do some early normalization
- subjectline=$(grep -m1 "Subject:" ${1} | sed -e 's@\s*=\s*@=@g' \
- -e "s@(@ - @g" -e "s@)@ - @g" -e 's@\\@-@g' )
+ # Start with the label assigned by Mozilla
+ p11label=$(grep -m1 "^CKA_LABEL" ${1} | cut -d '"' -f 2 | sed 's@"@@g')
- # Try for CN first (and further normalize)
- p11label="$(echo ${subjectline} | grep -o "CN=.*$" | cut -d '=' -f 2 | \
- sed -e 's@[A-Z]*$@@g' -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"
+ # If not coming from certdata.txt, get from x509 Subject line
+ if [ "${p11label}" == "" ]; then
+ # Get the subject line for any certs and do some early normalization
+ subjectline=$(grep -m1 "Subject:" ${1} | sed -e 's@\s*=\s*@=@g' \
+ -e "s@(@ - @g" -e "s@)@ - @g" -e 's@\\@-@g' )
- # Special case for NetLock Arany certs
- echo ${p11label} | grep -q "^NetLock" && p11label="NetLock Arany - Class Gold"
+ # Try for CN Next (and further normalize) if not from certdata.txt
+ p11label="$(echo ${subjectline} | grep -o "CN=.*$" | cut -d '=' -f 2 | \
+ sed -e 's@[A-Z]*$@@g' -e 's@, $@@' -e 's@"@@g' \
+ -e 's@,@@g' -e 's@ $@@')"
- # Fallback to the last OU value if CN does not exeist in Subject string
- ## Special case for GlobalSign certs
- if [ "${p11label}" == "" -o "${p11label}" == "GlobalSign" ]; then
- p11label="$(echo ${subjectline} | grep -o "OU=.*$" | \
- sed 's@OU=.*, OU=@OU=@g'| cut -d '=' -f 2 | \
- sed -e 's@[A-Z]*$@@' -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"
+ # Fallback to the last OU value if CN does not exeist in Subject string
+ ## Special case for GlobalSign certs
+ if [ "${p11label}" == "" ]; then
+ p11label="$(echo ${subjectline} | grep -o "OU=.*$" | \
+ sed 's@OU=.*, OU=@OU=@g'| cut -d '=' -f 2 | \
+ sed -e 's@[A-Z]*$@@' -e 's@, $@@' -e 's@"@@g' \
+ -e 's@,@@g' -e 's@ $@@')"
 # If still empty, fall back to Object value as a last resort
 if [ "${p11label}" == "" ]; then
 p11label="$(echo ${subjectline} | grep -o "O=.*$" | \
 cut -d '=' -f 2 | sed -e 's@[A-Z]*$@@g' \
- -e 's@, $@@' -e 's@"@@g' -e 's@,@@g')"
+ -e 's@, $@@' -e 's@"@@g' \
+ -e 's@,@@g' -e 's@ $@@')"
 fi
+ fi
 fi
 }
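Review bot: The new first assignment takes the `CKA_LABEL` value verbatim, so a label from certdata.txt skips every normalization the Subject path still applies (parentheses, backslashes, commas, trailing space). If callers outside this hunk use `p11label` in a file name or write it into a trust-store entry, that should be confirmed safe or the same `sed` cleanup applied. On that line `${1}` is unquoted and the trailing `sed 's@"@@g'` can never match after `cut -d '"' -f 2`, so I would write `p11label=$(grep -m1 "^CKA_LABEL" "${1}" | cut -d '"' -f 2)`. The `## Special case for GlobalSign certs` comment is kept although the `GlobalSign` test was removed from the condition beneath it, so the comment should be dropped as well. The function's opening line sits in the hunk header, outside the hunk.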