From 180c47e3df7d6aea29ba3468763d06d49a31d3cf Mon Sep 17 00:00:00 2001 From: Thomas Fitzsimmons Date: Jun 25 2008 15:33:23 +0000 Subject: - Change generate-cacerts.pl to produce pretty aliases. --- diff --git a/ca-certificates.spec b/ca-certificates.spec index 3e53b21..af6d0ce 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -7,7 +7,7 @@ Summary: The Mozilla CA root certificate bundle Name: ca-certificates Version: 2008 -Release: 5 +Release: 6 License: Public Domain Group: System Environment/Base URL: http://www.mozilla.org/ @@ -57,6 +57,9 @@ rm -rf $RPM_BUILD_ROOT %{pkidir}/tls/cert.pem %changelog +* Wed Jun 25 2008 Thomas Fitzsimmons - 2008-6 +- Change generate-cacerts.pl to produce pretty aliases. + * Mon Jun 2 2008 Joe Orton 2008-5 - include /etc/pki/tls/cert.pem symlink to ca-bundle.crt diff --git a/generate-cacerts.pl b/generate-cacerts.pl index b3a12e6..c89cce1 100755 --- a/generate-cacerts.pl +++ b/generate-cacerts.pl @@ -22,84 +22,327 @@ open(CERTS, $file); @certs = ; close(CERTS); -$pem_file_number = 0; -$writing_cert = 0; +$pem_file_count = 0; +$in_cert_block = 0; +$write_current_cert = 1; foreach $cert (@certs) { - if ($cert eq "-----BEGIN CERTIFICATE-----\n") - { - if ($writing_cert != 0) - { - die "$file is malformed."; - } - $pem_file_number++; - # Numbering each file guarantees that cert aliases will be - # unique. - $pem_file_name = "$pem_file_number$cert_alias.pem"; - $writing_cert = 1; - open(PEM, ">$pem_file_name"); - print PEM $cert; - } - elsif ($cert eq "-----END CERTIFICATE-----\n") - { - $writing_cert = 0; - print PEM $cert; - close(PEM); - } - elsif ($cert =~ /Issuer: /) - { - # Generate an alias using the OU and CN attributes of the - # Issuer field if both are present, otherwise use only the CN - # attribute. The Issuer field must have either the OU or the - # CN attribute. - $_ = $cert; - if ($cert =~ /OU=/) - { - s/Issuer:.*?OU=//; - # Remove other occurrences of OU=. - s/OU=.*CN=//; - # Remove CN= if there were not other occurrences of OU=. - s/CN=//; - } - elsif ($cert =~ /CN=/) - { - s/Issuer:.*CN=//; - } - s/\W//g; - tr/A-Z/a-z/; - $cert_alias = $_ - } - else - { - if ($writing_cert == 1) - { - print PEM $cert; - } - } + if ($cert =~ /Issuer: /) + { + $_ = $cert; + if ($cert =~ /personal-freemail/) + { + $cert_alias = "thawtepersonalfreemailca"; + } + elsif ($cert =~ /personal-basic/) + { + $cert_alias = "thawtepersonalbasicca"; + } + elsif ($cert =~ /personal-premium/) + { + $cert_alias = "thawtepersonalpremiumca"; + } + elsif ($cert =~ /server-certs/) + { + $cert_alias = "thawteserverca"; + } + elsif ($cert =~ /premium-server/) + { + $cert_alias = "thawtepremiumserverca"; + } + elsif ($cert =~ /Class 1 Public Primary Certification Authority$/) + { + $cert_alias = "verisignclass1ca"; + } + elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/) + { + $cert_alias = "verisignclass1g2ca"; + } + elsif ($cert =~ + /VeriSign Class 1 Public Primary Certification Authority - G3/) + { + $cert_alias = "verisignclass1g3ca"; + } + elsif ($cert =~ /Class 2 Public Primary Certification Authority$/) + { + $cert_alias = "verisignclass2ca"; + } + elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/) + { + $cert_alias = "verisignclass2g2ca"; + } + elsif ($cert =~ + /VeriSign Class 2 Public Primary Certification Authority - G3/) + { + $cert_alias = "verisignclass2g3ca"; + } + elsif ($cert =~ /Class 3 Public Primary Certification Authority$/) + { + $cert_alias = "verisignclass3ca"; + } + # Version 1 of Class 3 Public Primary Certification Authority + # - G2 is added. Version 3 is excluded. See below. + elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/) + { + $cert_alias = "verisignclass3g2ca"; + } + elsif ($cert =~ + /VeriSign Class 3 Public Primary Certification Authority - G3/) + { + $cert_alias = "verisignclass3g3ca"; + } + elsif ($cert =~ + /RSA Data Security.*Secure Server Certification Authority/) + { + $cert_alias = "verisignserverca"; + } + elsif ($cert =~ /GTE CyberTrust Global Root/) + { + $cert_alias = "gtecybertrustglobalca"; + } + elsif ($cert =~ /Baltimore CyberTrust Root/) + { + $cert_alias = "baltimorecybertrustca"; + } + elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/) + { + $cert_alias = "entrustclientca"; + } + elsif ($cert =~ /www.entrust.net\/GCCA_CPS/) + { + $cert_alias = "entrustglobalclientca"; + } + elsif ($cert =~ /www.entrust.net\/CPS_2048/) + { + $cert_alias = "entrust2048ca"; + } + elsif ($cert =~ /www.entrust.net\/CPS /) + { + $cert_alias = "entrustsslca"; + } + elsif ($cert =~ /www.entrust.net\/SSL_CPS/) + { + $cert_alias = "entrustgsslca"; + } + elsif ($cert =~ /The Go Daddy Group/) + { + $cert_alias = "godaddyclass2ca"; + } + elsif ($cert =~ /Starfield Class 2 Certification Authority/) + { + $cert_alias = "starfieldclass2ca"; + } + elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/) + { + $cert_alias = "valicertclass2ca"; + } + elsif ($cert =~ /GeoTrust Global CA$/) + { + $cert_alias = "geotrustglobalca"; + } + elsif ($cert =~ /Equifax Secure Certificate Authority/) + { + $cert_alias = "equifaxsecureca"; + } + elsif ($cert =~ /Equifax Secure eBusiness CA-1/) + { + $cert_alias = "equifaxsecureebusinessca1"; + } + elsif ($cert =~ /Equifax Secure eBusiness CA-2/) + { + $cert_alias = "equifaxsecureebusinessca2"; + } + elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/) + { + $cert_alias = "equifaxsecureglobalebusinessca1"; + } + elsif ($cert =~ /Sonera Class1 CA/) + { + $cert_alias = "soneraclass1ca"; + } + elsif ($cert =~ /Sonera Class2 CA/) + { + $cert_alias = "soneraclass2ca"; + } + elsif ($cert =~ /AAA Certificate Services/) + { + $cert_alias = "comodoaaaca"; + } + elsif ($cert =~ /AddTrust Class 1 CA Root/) + { + $cert_alias = "addtrustclass1ca"; + } + elsif ($cert =~ /AddTrust External CA Root/) + { + $cert_alias = "addtrustexternalca"; + } + elsif ($cert =~ /AddTrust Qualified CA Root/) + { + $cert_alias = "addtrustqualifiedca"; + } + elsif ($cert =~ /UTN-USERFirst-Hardware/) + { + $cert_alias = "utnuserfirsthardwareca"; + } + elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/) + { + $cert_alias = "utnuserfirstclientauthemailca"; + } + elsif ($cert =~ /UTN - DATACorp SGC/) + { + $cert_alias = "utndatacorpsgcca"; + } + elsif ($cert =~ /UTN-USERFirst-Object/) + { + $cert_alias = "utnuserfirstobjectca"; + } + elsif ($cert =~ /America Online Root Certification Authority 1/) + { + $cert_alias = "aolrootca1"; + } + elsif ($cert =~ /DigiCert Assured ID Root CA/) + { + $cert_alias = "digicertassuredidrootca"; + } + elsif ($cert =~ /DigiCert Global Root CA/) + { + $cert_alias = "digicertglobalrootca"; + } + elsif ($cert =~ /DigiCert High Assurance EV Root CA/) + { + $cert_alias = "digicerthighassuranceevrootca"; + } + elsif ($cert =~ /GlobalSign Root CA$/) + { + $cert_alias = "globalsignca"; + } + elsif ($cert =~ /GlobalSign Root CA - R2/) + { + $cert_alias = "globalsignr2ca"; + } + elsif ($cert =~ /Elektronik.*Kas.*2005/) + { + $cert_alias = "extra-elektronikkas2005"; + } + elsif ($cert =~ /Elektronik/) + { + $cert_alias = "extra-elektronik2005"; + } + # Mozilla does not provide these certificates: + # baltimorecodesigningca + # gtecybertrust5ca + # trustcenterclass2caii + # trustcenterclass4caii + # trustcenteruniversalcai + else + { + # Generate an alias using the OU and CN attributes of the + # Issuer field if both are present, otherwise use only the + # CN attribute. The Issuer field must have either the OU + # or the CN attribute. + $_ = $cert; + if ($cert =~ /OU=/) + { + s/Issuer:.*?OU=//; + # Remove other occurrences of OU=. + s/OU=.*CN=//; + # Remove CN= if there were not other occurrences of OU=. + s/CN=//; + s/\/emailAddress.*//; + s/Certificate Authority/ca/g; + s/Certification Authority/ca/g; + } + elsif ($cert =~ /CN=/) + { + s/Issuer:.*CN=//; + s/\/emailAddress.*//; + s/Certificate Authority/ca/g; + s/Certification Authority/ca/g; + } + s/\W//g; + tr/A-Z/a-z/; + $cert_alias = "extra-$_"; + } + } + # When it attempts to parse: + # + # Class 3 Public Primary Certification Authority - G2, Version 3 + # + # keytool says: + # + # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false + # Unparseable AuthorityInfoAccess extension due to + # java.io.IOException: Invalid encoding of URI + # + # If we do not exclude this file + # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails + # on this cert, printing: + # + # Couldn't verify: java.security.SignatureException: Signature + # does not match. + # + elsif ($cert =~ + /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/) + { + $write_current_cert = 0; + $pem_file_count--; + } + elsif ($cert eq "-----BEGIN CERTIFICATE-----\n") + { + if ($in_cert_block != 0) + { + die "$file is malformed."; + } + $in_cert_block = 1; + if ($write_current_cert == 1) + { + $pem_file_count++; + open(PEM, ">$cert_alias.pem"); + print PEM $cert; + } + } + elsif ($cert eq "-----END CERTIFICATE-----\n") + { + $in_cert_block = 0; + if ($write_current_cert == 1) + { + print PEM $cert; + close(PEM); + } + $write_current_cert = 1 + } + else + { + if ($in_cert_block == 1 && $write_current_cert == 1) + { + print PEM $cert; + } + } } # Check that the correct number of .pem files were produced. @pem_files = <*.pem>; -if (@pem_files != $pem_file_number) +if (@pem_files != $pem_file_count) { - die "Number of .pem files produced does not match". - " number of certs read from $file."; + print "$pem_file_count"; + die "Number of .pem files produced does not match". + " number of certs read from $file."; } # Now store each cert in the 'cacerts' file using keytool. $certs_written_count = 0; foreach $pem_file (@pem_files) { - system "yes | $ARGV[0] -import". - " -alias `basename $pem_file .pem`". - " -keystore cacerts -storepass 'changeit' -file $pem_file"; - unlink($pem_file); - $certs_written_count++; + system "/bin/echo yes | $ARGV[0] -import". + " -alias `basename $pem_file .pem`". + " -keystore cacerts -storepass 'changeit' -file $pem_file"; + unlink($pem_file); + $certs_written_count++; } # Check that the correct number of certs were added to the keystore. -if ($certs_written_count != $pem_file_number) +if ($certs_written_count != $pem_file_count) { - die "Number of certs added to keystore does not match". - " number of certs read from $file."; + die "Number of certs added to keystore does not match". + " number of certs read from $file."; }