From 8baf93dc22ea854b19a90e6ea46da7751de72403 Mon Sep 17 00:00:00 2001 From: DJ Lucas Date: Thu, 5 Aug 2021 22:31:13 -0500 Subject: [PATCH] make-ca: Use p11label value and .p11-kit extension for anchor naming. --- CHANGELOG | 3 ++- make-ca | 16 +++++++++------- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 56f4abb..94dacee 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -4,13 +4,14 @@ - Use last OU= value for get_p11_label() fallback - Omit x-certificate-extension in comparison for copy-local-modifications - - Use X509v3 Key Usage section to determine local trust for anchros + - Use X509v3 Key Usage section to determine local trust for anchors added using 'trust anchor --store' - Add nss-{server,email}-distrust-after values in anchors - requires p11-kit >= 0.23.19 - Use --filter=certificates for all stores - Fix output of NSSDB and Java PCKS#12 stores - Correct incorrectly named get_p11_val() + - Use p11label value and .p11-kit extension for anchor naming 1.7 - Revert help2man update (requires complete perl environment) 1.6 - Fix install target for make -j# - Add detailed dependency info and add note about configuration file diff --git a/make-ca b/make-ca index 46ed9f6..44f4388 100644 --- a/make-ca +++ b/make-ca @@ -717,7 +717,8 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do echo "Keyhash: ${keyhash}" # Place certificate into trust anchors dir - anchorfile="${TEMPDIR}/pki/anchors/${keyhash}.pem" + anchorlabel=$(echo ${p11label} | sed -e 's@ @_@g' -e 's@(@@g' -e 's@)@@g') + anchorfile="${TEMPDIR}/pki/anchors/${anchorlabel}.p11-kit" moz_trust="true" write_anchor 
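Review bot: On the new `anchorlabel=` line in the `-717,7 +717,8` hunk, the file name is derived from `${p11label}`, but the `sed` only rewrites spaces and parentheses, so a label containing `/` or other path-significant characters reaches `anchorfile` unchanged. The label appears to come from certificate subject fields (the CHANGELOG mentions an `OU=` fallback in `get_p11_label()`), so it should be treated as untrusted input; `${p11label}` is also unquoted, so `echo` word-splits and globs it and misreads a label that starts with `-n` or `-e`. An allow-list is safer, for example `anchorlabel=$(printf '%s' "${p11label}" | tr -c 'A-Za-z0-9._-' '_')`. Key-hash names could not collide, whereas two certificates with the same label now map to the same `.p11-kit` path; what `write_anchor` does in that case is not visible here, so a collision check or a short hash suffix is worth adding. The same points apply to the `${LOCALDIR}` hunk at `-821,7 +822,8`, and the loop body continues outside this hunk.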
@@ -734,9 +735,9 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do # Clean up the directory and environment as we go rm -f tempfile.crt unset keyhash subject count - unset mozsadistrust mozsmdistrust + unset mozsadistrust mozsmdistrust anchorlabel anchorfile moz_trust unset trustlist rejectlist satrust smtrust cstrust catrust - unset p11trust p11oid p11value trustp11 p11label anchrorfile moz_trust + unset p11trust p11oid p11value trustp11 p11label echo -e "\n" done @@ -745,7 +746,7 @@ unset tempfile # Install anchors in $ANCHORDIR test -d "${DESTDIR}${ANCHORDIR}" && rm -rf "${DESTDIR}${ANCHORDIR}" install -dm755 "${DESTDIR}${ANCHORDIR}" > /dev/null 2>&1 -install -m644 "${TEMPDIR}"/pki/anchors/*.pem "${DESTDIR}${ANCHORDIR}" +install -m644 "${TEMPDIR}"/pki/anchors/*.p11-kit "${DESTDIR}${ANCHORDIR}" # Install NSS Shared DB if test "${WITH_NSS}" == "1"; then @@ -821,7 +822,8 @@ if test -d "${LOCALDIR}"; then get_p11_trust # Place certificate into trust anchors dir - anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem" + anchorlabel=$(echo ${p11label} | sed -e 's@ @_@g' -e 's@(@@g' -e 's@)@@') + anchorfile="${DESTDIR}${ANCHORDIR}/${anchorlabel}.p11-kit" moz_trust="false" mozsadistrust="UNKNOWN" mozsmdistrust="UNKNOWN" @@ -841,9 +843,9 @@ if test -d "${LOCALDIR}"; then fi unset keyhash subject count - unset mozsadistrust mozsmdistrust + unset mozsadistrust mozsmdistrust anchorlabel anchorfile moz_trust unset trustlist rejectlist satrust smtrust cstrust catrust - unset p11trust p11oid p11value trustp11 p11label anchorfile moz_trust + unset p11trust p11oid p11value trustp11 p11label echo -e "\n" done
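Review bot: In the `${LOCALDIR}` hunk (`-821,7 +822,8`), the last `sed` expression is `'s@)@@'` without the `g` flag, so only the first `)` in a label is stripped, while the matching line in the `-717,7 +717,8` hunk uses `'s@)@@g'`. The same label can therefore produce different file names in the two loops; change it to `-e 's@)@@g'`, or move the sanitization into one small helper that both loops call so they cannot drift apart. This loop also writes `anchorfile` straight into `${DESTDIR}${ANCHORDIR}`, so a local certificate whose label equals an installed anchor's label resolves to the same path; if replacing the shipped anchor is intended, a comment such as `# local certs deliberately override same-label anchors` would make that explicit. The loop body starts and ends outside this hunk.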