Index: README
===================================================================
--- README	(nonexistent)
+++ README	(revision 5)
@@ -0,0 +1,18 @@
+
+Scripts make-cert.pl and make-splitted.sh used to create splitted
+certificates ftom mozilla certdata.txt file:
+
+  mkdir tmp
+  cp mozilla/certdata.txt tmp/
+  cp make-cert.pl make-splitted.sh tmp/
+  chmod a+x tmp/make-cert.pl tmp/make-splitted.sh
+  cd tmp
+  ./make-splitted.sh 20210320
+
+where 20191101 is a version of certdata.txt.
+
+This scripts are deprecated. They not ignore certs with following
+CKA_TRUST_SERVER_AUTH value:
+
+  CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+                                 -------------------------
\ No newline at end of file
Index: make-cert.pl
===================================================================
--- make-cert.pl	(nonexistent)
+++ make-cert.pl	(revision 5)
@@ -0,0 +1,49 @@
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./make-cert.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+    || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> )
+{
+    if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+    {
+        $incert = 1;
+        open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+            || die "could not pipe to openssl x509";
+    }
+
+    elsif ( /^END/ && $incert )
+    {
+        close( OUT );
+        $incert = 0;
+        print "\n\n";
+    }
+
+    elsif ($incert)
+    {
+        my @bs = split( /\\/ );
+        foreach my $b (@bs)
+        {
+            chomp $b;
+            printf( OUT "%c", oct($b) ) unless $b eq '';
+        }
+    }
+}
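Review bot: The result of `close( OUT )` is ignored, so when `openssl x509` rejects the decoded DER the script still prints the separator and exits 0, and the caller in make-splitted.sh then works from an empty or partial tempfile.crt. Checking it, `close( OUT ) or die "openssl x509 failed (status $?)";`, lets a bad certdata entry surface as a non-zero exit status. The input is read through `open( IN, "cat $certdata|" )`, which starts a shell for a plain file read; `open( my $in, '<', $certdata ) or die "could not open $certdata: $!";` does the same without it. The file also has no `use strict;`, and the bareword handles IN and OUT would become lexicals once it is added.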
Index: make-splitted.sh
===================================================================
--- make-splitted.sh	(nonexistent)
+++ make-splitted.sh	(revision 5)
@@ -0,0 +1,120 @@
+#!/bin/sh
+#
+# make-ca.sh
+# ==========
+#
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+
+certdata="certdata.txt"
+
+if [ ! -r $certdata ]; then
+  echo "$certdata must be in the local directory"
+  exit 1
+fi
+
+VERSION=$1
+
+EXITSTATUS=0
+
+TEMPDIR=$(mktemp -d /tmp/XXXXXXXX) || { echo "Cannot create '/tmp/...' directory" ; exit 92; }
+trap "rm -rf $TMP" EXIT
+
+genfname() {
+  file=$1
+  line=`head -n 1 $file`
+  fname=`echo $line | cut -f 2 -d '"' | sed -e 's, ,_,g' -e 's,/,_,g' -e 's,(,=,g' -e 's,),=,g' -e 's/,/_/g'`
+  echo "$fname"
+}
+
+splitted="splitted"
+
+create_ca_file() {
+  name=$1
+  pemfl=$2
+  START=`grep -n "BEGIN CERTIFICATE" $pemfl | cut -f 1 -d ':'`
+  END=`grep -n "END CERTIFICATE" $pemfl | cut -f 1 -d ':'`
+  cat $pemfl | sed -n ${START},${END}p > ${splitted}/${name}.crt
+}
+
+
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="ca-bundle-${VERSION}.crt"
+SPLITTED_CERTS="ca-certificates-${VERSION}.crt"
+CONVERTSCRIPT="./make-cert.pl"
+SSLDIR="/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of starting lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+  for certend in ${CERTENDLIST}; do
+    if test "${certend}" -gt "${certbegin}"; then
+      break
+    fi
+  done
+
+  # Dump to a temp file with the name of the file as the beginning line number
+  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
+
+mkdir -p certs
+rm -f certs/*       # Make sure the directory is clean
+
+mkdir -p ${splitted}
+rm -f ${splitted}/* # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+  # Make sure that the cert is trusted...
+  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+  if test "${?}" = "0"; then
+    # Throw a meaningful error and remove the file
+    cp "${tempfile}" tempfile.cer
+    perl ${CONVERTSCRIPT} > tempfile.crt
+    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+    echo "Certificate ${keyhash} is not trusted!  Removing..."
+    rm -f tempfile.cer tempfile.crt "${tempfile}"
+    continue
+  fi
+
+  # If execution made it to here in the loop, the temp cert is trusted
+  # Find the cert data and generate a cert file for it
+
+  cp "${tempfile}" tempfile.cer
+  perl ${CONVERTSCRIPT} > tempfile.crt
+  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+  mv tempfile.crt "certs/${keyhash}.pem"
+
+  # Create separate certificate file
+  crtfname=`genfname tempfile.cer`
+  create_ca_file $crtfname "certs/${keyhash}.pem"
+
+  rm -f tempfile.cer "${tempfile}"
+  echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+  echo "Certificate 8f111d69 is not trusted!  Removing..."
+  rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+cat ${splitted}/*.crt > ${SPLITTED_CERTS}
+
+exit $EXITSTATUS
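Review bot: The trust check `grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | egrep "TRUST_UNKNOWN|NOT_TRUSTED"` is a deny-list, so an entry with any other server-auth trust value, including the `CKT_NSS_MUST_VERIFY_TRUST` case the README in this commit names, is converted and lands in both bundles. For a CA store an allow-list is safer: keep a certificate only when `grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | grep -q "CKT_NSS_TRUSTED_DELEGATOR"` succeeds and skip everything else. Separately, `trap "rm -rf $TMP" EXIT` expands a variable that is never set, so the mktemp directory is not removed; it should read `trap 'rm -rf "$TEMPDIR"' EXIT`. The 8f111d69 removal near the end deletes only `certs/8f111d69.pem`, so any file `create_ca_file` wrote for that certificate under `${splitted}/` would still be concatenated into `${SPLITTED_CERTS}`.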
Index: setup.11.cacerts
===================================================================
--- setup.11.cacerts	(nonexistent)
+++ setup.11.cacerts	(revision 5)
@@ -0,0 +1,5 @@
+#!/bin/sh
+#
+# Rebuild SSL certificate database.
+#
+chroot . usr/sbin/update-ca-certificates --fresh 1> /dev/null 2> /dev/null
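Review bot: Both output streams of update-ca-certificates are discarded on the `chroot` line, so a failed rebuild of the certificate database leaves no diagnostic beyond the exit status. Keeping stderr, `chroot . usr/sbin/update-ca-certificates --fresh 1> /dev/null`, would let the installer output show why the trust store was not rebuilt. Whether the caller of this setup script checks its exit status is not visible here.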
Index: .
===================================================================
--- .	(nonexistent)
+++ .	(revision 5)

Property changes on: .
___________________________________________________________________
Added: svn:ignore
## -0,0 +1,73 ##
+
+# install dir
+dist
+
+# Target build dirs
+.a1x-newlib
+.a2x-newlib
+.at91sam7s-newlib
+
+.build-machine
+
+.a1x-glibc
+.a2x-glibc
+.h3-glibc
+.h5-glibc
+.i586-glibc
+.i686-glibc
+.imx6-glibc
+.jz47xx-glibc
+.makefile
+.am335x-glibc
+.omap543x-glibc
+.p5600-glibc
+.power8-glibc
+.power8le-glibc
+.power9-glibc
+.power9le-glibc
+.m1000-glibc
+.riscv64-glibc
+.rk328x-glibc
+.rk33xx-glibc
+.rk339x-glibc
+.s8xx-glibc
+.s9xx-glibc
+.x86_64-glibc
+
+# Hidden files (each file)
+.makefile
+.dist
+.rootfs
+
+# src & hw requires
+.src_requires
+.src_requires_depend
+.requires
+.requires_depend
+
+# Tarballs
+*.gz
+*.bz2
+*.lz
+*.xz
+*.tgz
+*.txz
+
+# Signatures
+*.asc
+*.sig
+*.sign
+*.sha1sum
+
+# Patches
+*.patch
+
+# Descriptions
+*.dsc
+*.txt
+
+# Default linux config files
+*.defconfig
+
+# backup copies
+*~