make-ca: Backup and restore anchors with PKIX extensions.
parent
c2a3d1d837
commit
b138f67112
@ -16,6 +16,7 @@
|
||||
- Handle getopt style short options in get_args()
|
||||
- Use Microsoft's trust for code signing with -i | --mscodesign
|
||||
Note: this is manually generated, will add CCADB when avaialble
|
||||
- Backup and restore anchors with PKIX extensions
|
||||
1.7 - Revert help2man update (requires complete perl environment)
|
||||
1.6 - Fix install target for make -j#
|
||||
- Add detailed dependency info and add note about configuration file
|
||||
|
28
make-ca
28
make-ca
@ -36,6 +36,7 @@ else
|
||||
KEYSTORE="${PKIDIR}/tls/java"
|
||||
NSSDB="${PKIDIR}/nssdb"
|
||||
LOCALDIR="${SSLDIR}/local"
|
||||
OVERRIDEDIR="${PKIDIR}/local"
|
||||
DESTDIR=""
|
||||
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
|
||||
fi
|
||||
@ -794,6 +795,13 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
||||
done
|
||||
unset tempfile
|
||||
|
||||
# Backup any anchors with PKIX extensions - any object-id that is not 2.5.29.37
|
||||
mkdir -p ${TEMPDIR}/override
|
||||
for file in $( grep -r "^object-id: 2\.5\.29\.[0-9]" "${ANCHORDIR}" | \
|
||||
grep -v "2\.5\.29\.37" | cut -d ":" -f 1); do
|
||||
cp "${file}" "${TEMPDIR}/override/"
|
||||
done
|
||||
|
||||
# Install anchors in $ANCHORDIR
|
||||
if test -d "${DESTDIR}${ANCHORDIR}"; then
|
||||
rm -rf "${DESTDIR}${ANCHORDIR}"
|
||||
@ -801,6 +809,11 @@ fi
|
||||
install -dm755 "${DESTDIR}${ANCHORDIR}"
|
||||
install -m644 "${TEMPDIR}"/pki/anchors/*.p11-kit "${DESTDIR}${ANCHORDIR}"
|
||||
|
||||
# Restore anchors with PKIX extensions
|
||||
if test -f "${TEMPDIR}"/override/*.p11-kit; then
|
||||
cp "${TEMPDIR}"override/*.p11-kit "${DESTDIR}${ANCHORDIR}"
|
||||
fi
|
||||
|
||||
# Install NSS Shared DB
|
||||
if test "${WITH_NSS}" == "1"; then
|
||||
sed -e "s@${TEMPDIR}/pki/nssdb@${NSSDB}@" \
|
||||
@ -923,23 +936,28 @@ rm -rf "${TEMPDIR}"
|
||||
|
||||
# Build alternate formats using p11-kit trust
|
||||
install -dm755 "${DESTDIR}${CERTDIR}" "${DESTDIR}${BUNDLEDIR}" "${DESTDIR}${KEYSTORE}"
|
||||
echo -n "Extracting OpenSSL certificates to ${DESTDIR}${CERTDIR}..."
|
||||
echo "Extracting OpenSSL certificates to:"
|
||||
echo -n "${DESTDIR}${CERTDIR}..."
|
||||
"${TRUST}" extract --filter=certificates --format=openssl-directory \
|
||||
--overwrite --comment "${DESTDIR}${CERTDIR}" \
|
||||
&& echo "Done!" || echo "Failed!!!"
|
||||
echo -n "Extracting GNUTLS server auth certificates to ${DESTDIR}${CABUNDLE}..."
|
||||
echo "Extracting GNUTLS server auth certificates to:"
|
||||
echo -n "${DESTDIR}${CABUNDLE}..."
|
||||
"${TRUST}" extract --filter=certificates --format=pem-bundle \
|
||||
--purpose server-auth --overwrite --comment "${DESTDIR}${CABUNDLE}" \
|
||||
&& echo "Done!" || echo "Failed!!!"
|
||||
echo -n "Extracting GNUTLS S-Mime certificates to ${DESTDIR}${SMBUNDLE}..."
|
||||
echo "Extracting GNUTLS S-Mime certificates to:"
|
||||
echo -n "${DESTDIR}${SMBUNDLE}..."
|
||||
"${TRUST}" extract --filter=certificates --format=pem-bundle \
|
||||
--purpose email --overwrite --comment "${DESTDIR}${SMBUNDLE}" \
|
||||
&& echo "Done!" || echo "Failed!!!"
|
||||
echo -n "Extracting GNUTLS code signing certificates to ${DESTDIR}${CSBUNDLE}..."
|
||||
echo "Extracting GNUTLS code signing certificates to:"
|
||||
echo -n "${DESTDIR}${CSBUNDLE}..."
|
||||
"${TRUST}" extract --filter=certificates --format=pem-bundle \
|
||||
--purpose code-signing --overwrite --comment \
|
||||
"${DESTDIR}${CSBUNDLE}" && echo "Done!" || echo "Failed!!!"
|
||||
echo -n "Extracting Java cacerts (JKS) to ${DESTDIR}${KEYSTORE}/cacerts..."
|
||||
echo "Extracting Java cacerts (JKS) to:"
|
||||
echo -n "${DESTDIR}${KEYSTORE}/cacerts..."
|
||||
"${TRUST}" extract --filter=certificates --format=java-cacerts \
|
||||
--purpose server-auth --overwrite \
|
||||
--comment "${DESTDIR}${KEYSTORE}/cacerts" \
|
||||
|
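Review bot: The restore block added after the `install -m644 … *.p11-kit` line cannot copy anything as written, because `"${TEMPDIR}"override/*.p11-kit` is missing the `/` after `"${TEMPDIR}"` and so names a directory the backup step never creates. The guard `test -f "${TEMPDIR}"/override/*.p11-kit` also fails with an argument error as soon as more than one file matches, so the restore would be skipped in exactly the case it is meant for. Once the restore does run, every backed-up file is copied over the fresh set, including an anchor whose root is no longer in `${TEMPDIR}/pki/anchors`; from the visible lines a root dropped upstream would then stay in the trust store. If that is not intended, the loop below restores only files still present in the new set. The backup loop also greps `"${ANCHORDIR}"` without the `${DESTDIR}` prefix that the install uses, which is worth confirming for DESTDIR installs.

```shell
# Restore anchors with PKIX extensions
for f in "${TEMPDIR}"/override/*.p11-kit; do
  # An unmatched glob stays literal, so skip anything that is not a regular file
  test -f "${f}" || continue
  # Only restore anchors that are still part of the freshly generated set
  test -f "${TEMPDIR}/pki/anchors/${f##*/}" || continue
  cp "${f}" "${DESTDIR}${ANCHORDIR}"
done
```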