Move bundle defaults to /etc/pki/tls/certs/

Fix invalid test cases on command line processing
Remove -c/--cadir flags, replace with -b/--bundledir to store all bundles in same location
This commit is contained in:
DJ Lucas 2018-12-01 16:03:19 -06:00
parent 21ec3212be
commit ca103899f6
2 changed files with 32 additions and 43 deletions


@ -1,3 +1,7 @@
1.0 - Move bundle defaults to /etc/pki/tls/certs/
- Fix invalid test cases on command line processing
- Remove -c/--cadir flags, replace with -b/--bindledir to store
all bundles in same location
0.9 - Use P11-Kit trust module to generate alternate certificate stores 0.9 - Use P11-Kit trust module to generate alternate certificate stores
from trust policy from trust policy
- Only generate the trust store (and optionally NSSDB and Java PKCS#12) - Only generate the trust store (and optionally NSSDB and Java PKCS#12)

71
make-ca

@ -8,7 +8,7 @@
# Authors: DJ Lucas # Authors: DJ Lucas
# Bruce Dubbs # Bruce Dubbs
VERSION="0.9" VERSION="1.0"
# Get/set defaults # Get/set defaults
if test -f /etc/make-ca.conf; then if test -f /etc/make-ca.conf; then
@ -22,11 +22,12 @@ else
OPENSSL="/usr/bin/openssl" OPENSSL="/usr/bin/openssl"
TRUST="/usr/bin/trust" TRUST="/usr/bin/trust"
ANCHORDIR="${PKIDIR}/anchors" ANCHORDIR="${PKIDIR}/anchors"
CABUNDLE="${SSLDIR}/ca-bundle.crt" BUNDLEDIR="${PKIDIR}/tls/certs"
SMBUNDLE="${SSLDIR}/email-ca-bundle.crt" CABUNDLE="${BUNDLEDIR}/ca-bundle.crt"
CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt" SMBUNDLE="${BUNDLEDIR}/email-ca-bundle.crt"
CSBUNDLE="${BUNDLEDIR}/objsign-ca-bundle.crt"
CERTDIR="${SSLDIR}/certs" CERTDIR="${SSLDIR}/certs"
KEYSTORE="${SSLDIR}/java/cacerts" KEYSTORE="${PKIDIR}/tls/java"
NSSDB="${PKIDIR}/nssdb" NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local" LOCALDIR="${SSLDIR}/local"
DESTDIR="" DESTDIR=""
@ -97,16 +98,11 @@ function get_args(){
-S | --ssldir) -S | --ssldir)
check_arg $1 $2 check_arg $1 $2
SSLDIR="${2}" SSLDIR="${2}"
CABUNDLE="${SSLDIR}/ca-bundle.crt"
CERTDIR="${SSLDIR}/certs" CERTDIR="${SSLDIR}/certs"
KEYSTORE="${SSLDIR}/java/cacerts"
LOCALDIR="${SSLDIR}/local" LOCALDIR="${SSLDIR}/local"
echo "${@}" | grep -e "-c " -e "--cafile" \ echo "${@}" | grep -e "-d " -e "--cadir" 2>&1> /dev/null
-e "-d " -e "--cadir" \
-e "-j " -e "--javacerts" > /dev/null
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -c/--cafile, -d/--cadir, or" echo "Error! ${1} cannot be used with the -d/--cadir switch."
echo "-j/--javacerts switches."
echo "" echo ""
exit 3 exit 3
fi fi
@ -116,7 +112,7 @@ function get_args(){
-a | --anchordir) -a | --anchordir)
check_arg $1 $2 check_arg $1 $2
ANCHORDIR="${2}" ANCHORDIR="${2}"
echo "${@}" | grep -e "-P " -e "--pkidir" > /dev/null echo "${@}" | grep -e "-P " -e "--pkidir" 2>&1> /dev/null
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -P/--pkidir switch." echo "Error! ${1} cannot be used with the -P/--pkidir switch."
echo "" echo ""
@ -124,20 +120,15 @@ function get_args(){
fi fi
shift 2 shift 2
;; ;;
-c | --cafile) -b | --bundledir)
check_arg $1 $2 check_arg $1 $2
CABUNDLE="${2}" BUNDLEDIR="${2}"
echo "${@}" | grep -e "-S " -e "--ssldir" > /dev/null
if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
echo ""
exit 3
fi
shift 2 shift 2
;; ;;
-d | --cadir) -d | --cadir)
check_arg $1 $2 check_arg $1 $2
CADIR="${2}" CADIR="${2}"
echo "$@" | grep -e "-S" -e "--ssldir" 2>&1 > /dev/null
if test "${?}" == "0"; then if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -S/--ssldir switch." echo "Error! ${1} cannot be used with the -S/--ssldir switch."
echo "" echo ""
@ -158,11 +149,6 @@ function get_args(){
-j | --javacerts) -j | --javacerts)
check_arg $1 $2 check_arg $1 $2
KEYSTORE="${2}" KEYSTORE="${2}"
if test "${?}" == "0"; then
echo "Error! ${1} cannot be used with the -S/--ssldir switch."
echo ""
exit 3
fi
shift 2 shift 2
;; ;;
-k | --keytool) -k | --keytool)
@ -277,32 +263,31 @@ function showhelp(){
echo "" echo ""
echo " -S, --ssldir [/etc/ssl]" echo " -S, --ssldir [/etc/ssl]"
echo " The output SSL root direcotry - Cannot be used" echo " The output SSL root direcotry - Cannot be used"
echo " with the -c / --cafile, -d / --cadir, or" echo " with the -d / --cadir switch"
echo " -j / --javacerts switches"
echo "" echo ""
echo " -a, --anchordir [\$PKIDIR/anchors]" echo " -a, --anchordir [\$PKIDIR/anchors]"
echo " The output directory for OpenSSL trusted" echo " The output directory for OpenSSL trusted"
echo " CA certificates used as trust anchors" echo " CA certificates used as trust anchors"
echo "" echo ""
echo " -c, --cafile [\$SSLDIR/ca-bundle.crt]" echo " -b, --bundledir [\$PKIDIR/certs]"
echo " The output filename for the PEM formated bundle" echo " The output direcotry for the PEM formated bundles"
echo "" echo ""
echo " -d, --cadir [\$SSLDIR/certs]" echo " -d, --cadir [\$SSLDIR/certs]"
echo " The output directory for the OpenSSL trusted" echo " The output directory for the OpenSSL trusted"
echo " CA certificates" echo " CA certificates"
echo "" echo ""
echo " -j, --javacerts [\$SSLDIR/java/cacerts]" echo " -j, --javacerts [\$PKIDIR/java/cacerts]"
echo " The output filename for the Java cacerts file" echo " The output directory for the Java cacerts file(s)"
echo "" echo ""
echo " -l, --localdir [\$SSLDIR/local]" echo " -l, --localdir [\$SSLDIR/local]"
echo " The path to a local set of OpenSSL trusted" echo " The path to a local set of OpenSSL trusted"
echo " certificates, used to both override trust bits" echo " certificates, used to both override trust bits"
echo " from upstream sources and provide locally" echo " from upstream sources and provide system local"
echo " provided certifiates" echo " certifiates"
echo "" echo ""
echo " -m, --java-p12" echo " -m, --java-p12"
echo " Export Java PKCS#12 store - will default to" echo " Export Java PKCS#12 store - will default to"
echo " \$SSLDIR/java/cacerts.p12 unless modified by" echo " \$PKIDIR/java/cacerts.p12 unless modified by"
echo " the '-j/--javacerts' switch" echo " the '-j/--javacerts' switch"
echo "" echo ""
echo " -n, --nssdb {\$PKIDIR/nssdb}" echo " -n, --nssdb {\$PKIDIR/nssdb}"
@ -699,9 +684,10 @@ fi
# Install Java cacerts.p12 in ${KEYSTORE} # Install Java cacerts.p12 in ${KEYSTORE}
if test "${WITH_P12}" == "1"; then if test "${WITH_P12}" == "1"; then
test -f "${DESTDIR}${KEYSTORE}.p12" && test -f "${DESTDIR}${KEYSTORE}/cacerts.p12" &&
rm -f "${DESTDIR}${KEYSTORE}.p12" rm -f "${DESTDIR}${KEYSTORE}/cacerts.p12"
install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}.p12" install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" \
"${DESTDIR}${KEYSTORE}/cacerts.p12"
fi fi
# Import any certs in $LOCALDIR # Import any certs in $LOCALDIR
@ -873,7 +859,7 @@ rm -rf "${TEMPDIR}"
# Build alternate formats using p11-kit trust (if not using DESTDIR) # Build alternate formats using p11-kit trust (if not using DESTDIR)
if test "x${DESTDIR}" == "x"; then if test "x${DESTDIR}" == "x"; then
mkdir -p /etc/ssl/{certs,java} mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"
echo -n "Extracting OpenSSL certificates to ${CERTDIR}..." echo -n "Extracting OpenSSL certificates to ${CERTDIR}..."
"${TRUST}" extract --filter=certificates --format=openssl-directory \ "${TRUST}" extract --filter=certificates --format=openssl-directory \
--overwrite --comment "${CERTDIR}" \ --overwrite --comment "${CERTDIR}" \
@ -890,12 +876,11 @@ if test "x${DESTDIR}" == "x"; then
"${TRUST}" extract --filter=ca-anchors --format=pem-bundle \ "${TRUST}" extract --filter=ca-anchors --format=pem-bundle \
--purpose code-signing --overwrite --comment \ --purpose code-signing --overwrite --comment \
"${CSBUNDLE}" && echo "Done!" || echo "Failed!!!" "${CSBUNDLE}" && echo "Done!" || echo "Failed!!!"
echo -n "Extracting Java cacerts (JKS) to ${KEYSTORE}..." echo -n "Extracting Java cacerts (JKS) to ${KEYSTORE}/cacerts..."
"${TRUST}" extract --filter=ca-anchors --format=java-cacerts \ "${TRUST}" extract --filter=ca-anchors --format=java-cacerts \
--purpose server-auth --overwrite --comment "${KEYSTORE}" \ --purpose server-auth --overwrite \
--comment "${KEYSTORE}/cacerts" \
&& echo "Done!" || echo "Failed!!!" && echo "Done!" || echo "Failed!!!"
# Remove compatibility symlink for 0.8 at 0.10
ln -sf cacerts "${KEYSTORE}.jks"
fi fi
# End /usr/sbin/make-ca # End /usr/sbin/make-ca
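Review bot: The rewritten `install -dm644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}/cacerts.p12"` in the WITH_P12 block never copies the PKCS#12 store: with GNU and BSD install, `-d` treats every argument as a directory to create, so a staged build ends up with an empty mode-644 directory named cacerts.p12 instead of the Java trust store, and the `test -f … && rm -f` just above then skips it on every later run. It should read `install -dm755 "${DESTDIR}${KEYSTORE}"` followed by `install -m644 "${TEMPDIR}/ssl/java/cacerts.p12" "${DESTDIR}${KEYSTORE}/cacerts.p12"`; the explicit directory step is needed because the `mkdir -p "${BUNDLEDIR}" "${KEYSTORE}"` added further down runs only when DESTDIR is empty, and nothing visible in this diff creates `${DESTDIR}${KEYSTORE}` for packaged builds. Separately, the showhelp text no longer matches the new defaults: `-b` is documented as `[\$PKIDIR/certs]` while BUNDLEDIR defaults to `${PKIDIR}/tls/certs`, and `-j`/`-m` still advertise `\$PKIDIR/java/cacerts` and `\$PKIDIR/java/cacerts.p12` although KEYSTORE is now the directory `${PKIDIR}/tls/java`, so an operator who points a client at the documented bundle path gets a location that does not exist (the same strings also carry the `direcotry`, `formated` and `certifiates` typos). The `2>&1 > /dev/null` on the new option-conflict greps sends grep's stderr to the terminal rather than silencing it; `> /dev/null 2>&1` is the intended order, and the `-S` pattern in the -d/--cadir check would be safer as `"-S "` to match its sibling checks.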