Radix cross Linux

The main Radix cross Linux repository contains the build scripts of packages, which have the most complete and common functionality for desktop machines

     5         kx #!/bin/sh
     5         kx #
     5         kx # make-ca.sh
     5         kx # ==========
     5         kx #
     5         kx # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
     5         kx #
     5         kx # The file certdata.txt must exist in the local directory
     5         kx # Version number is obtained from the version of the data.
     5         kx #
     5         kx 
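     # Input file parsed by this script; it must sit in the current directory.
     certdata="certdata.txt"

     if [ ! -r "${certdata}" ]; then
       echo "$certdata must be in the local directory"
       exit 1
     fi

     # Suffix used in the output file names, taken from the first argument.
     VERSION=$1

     # Exit code reported at the end of the script; 0 unless a step sets it.
     EXITSTATUS=0

     # Scratch directory for the per-certificate dumps. mktemp -d creates a new
     # directory with a random name, so the dumps never land on a predictable
     # path under /tmp.
     TEMPDIR=$(mktemp -d /tmp/XXXXXXXX) || { echo "Cannot create '/tmp/...' directory" ; exit 92; }

     # Remove the scratch directory when the script exits. The trap must name
     # TEMPDIR (an unset or unrelated variable here would leave the dumps behind,
     # or delete whatever that variable happened to hold). Single quotes defer
     # the expansion until the trap fires; the inner quotes keep the path one word.
     trap 'rm -rf -- "${TEMPDIR}"' EXIT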
     5         kx 
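     # genfname FILE
     #
     # Print a file-name-safe form of the certificate label on the first line
     # of FILE: the text between the first pair of double quotes, with each run
     # of whitespace, every '/' and every ',' turned into '_', and '(' / ')'
     # turned into '='.
     #
     # The label comes from certdata.txt and later becomes part of an output
     # path, so it is only ever handled inside a pipeline: an unquoted
     # expansion would let a label containing '*' or '?' expand against the
     # files in the current directory.
     genfname() {
       head -n 1 "$1" |
         cut -f 2 -d '"' |
         sed -e 's,[[:space:]][[:space:]]*,_,g' \
             -e 's,/,_,g' \
             -e 's,(,=,g' \
             -e 's,),=,g' \
             -e 's/,/_/g'
     }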
     5         kx 
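     # Directory (relative to the current directory) that receives one .crt
     # file per certificate.
     splitted="splitted"

     # create_ca_file NAME PEMFILE
     #
     # Copy the first "BEGIN CERTIFICATE" .. "END CERTIFICATE" span of PEMFILE
     # to ${splitted}/NAME.crt, dropping anything before or after it.
     #
     # Returns non-zero, without writing a file, when NAME is empty or PEMFILE
     # holds no complete certificate span; otherwise returns sed's status.
     #
     # NOTE(review): the output is opened with '>', so two labels that
     # sanitize to the same NAME overwrite each other.
     create_ca_file() {
       name=$1
       pemfl=$2

       # Only the first marker of each kind is used, so a file with several
       # certificates yields one numeric address pair for sed.
       START=$(grep -n "BEGIN CERTIFICATE" "${pemfl}" | head -n 1 | cut -f 1 -d ':')
       END=$(grep -n "END CERTIFICATE" "${pemfl}" | head -n 1 | cut -f 1 -d ':')

       if [ -z "${name}" ] || [ -z "${START}" ] || [ -z "${END}" ] ||
          [ "${END}" -lt "${START}" ]; then
         echo "create_ca_file: no usable certificate in '${pemfl}' for '${name}'" >&2
         return 1
       fi

       sed -n "${START},${END}p" "${pemfl}" > "${splitted}/${name}.crt"
     }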
     5         kx 
     5         kx 
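     # Trust attribute of interest. The visible part of the script does not
     # read this variable; the main loop greps for the same literal instead.
     TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
     # Output files, both written to the current directory.
     BUNDLE="ca-bundle-${VERSION}.crt"
     SPLITTED_CERTS="ca-certificates-${VERSION}.crt"
     # Converter run once per certificate record.
     CONVERTSCRIPT="./make-cert.pl"
     # Not referenced in the visible part of the script.
     SSLDIR="/etc/ssl"

     # Per-certificate dumps go below the scratch directory. ':?' aborts if
     # TEMPDIR is empty, which would otherwise turn the path into /certs.
     mkdir "${TEMPDIR:?}/certs" || { echo "Cannot create '${TEMPDIR}/certs' directory" ; exit 1; }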
     5         kx 
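     # Line numbers on which a certificate record starts.
     CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)

     # Line numbers used as record terminators.
     CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

     # For every start line, take the first terminator that follows it and dump
     # that line range to "<start line>.tmp" in the scratch directory.
     # Both lists hold only line numbers, so the unquoted expansions are safe.
     #
     # NOTE(review): a record with no terminator of its own is paired with the
     # next record's terminator, so its dump also contains that record's trust
     # lines. Confirm certdata.txt always carries one terminator per certificate.
     for certbegin in ${CERTBEGINLIST}; do
       certend=""
       for candidate in ${CERTENDLIST}; do
         if test "${candidate}" -gt "${certbegin}"; then
           certend=${candidate}
           break
         fi
       done

       # Without this guard a start line past the last terminator would be
       # dumped with a stale, smaller end line and produce a one-line record.
       if test -z "${certend}"; then
         echo "No end marker after line ${certbegin} of ${certdata}; skipping record" >&2
         EXITSTATUS=1
         continue
       fi

       # Dump to a temp file with the name of the file as the beginning line number
       sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
     done

     # CERTDATA is never assigned in this script; the input path lives in the
     # lower-case variable certdata, which stays set.
     unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend candidate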
     5         kx 
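     # Output directories, relative to the current directory. Both are emptied
     # first so that certificates left over from an earlier run cannot end up
     # in the new bundle.
     mkdir -p certs
     rm -f certs/*

     # ':?' aborts if splitted is empty; the glob would otherwise become /*.
     mkdir -p "${splitted:?}"
     rm -f "${splitted:?}"/*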
     5         kx 
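     # Convert every dumped record to PEM and file it under its hash, skipping
     # records that are marked as not trusted for server authentication.
     for tempfile in "${TEMPDIR}"/certs/*.tmp; do
       # An unmatched glob stays literal; skip it instead of handing it to cp.
       test -e "${tempfile}" || continue

       # make-cert.pl is run without arguments; presumably it reads
       # tempfile.cer from the current directory and prints PEM - confirm
       # against the script. The fixed names mean two runs in the same
       # directory would interfere with each other.
       cp "${tempfile}" tempfile.cer
       keyhash=""
       if perl "${CONVERTSCRIPT}" > tempfile.crt; then
         keyhash=$(openssl x509 -noout -in tempfile.crt -hash) || keyhash=""
       fi

       # Only a record whose CKA_TRUST_SERVER_AUTH line mentions TRUST_UNKNOWN
       # or NOT_TRUSTED is dropped. A record with any other value, or with no
       # such line at all, is kept.
       # NOTE(review): this is a deny-list, so it fails open. Check the trust
       # values certdata.txt actually uses and decide whether matching on the
       # "trusted" value instead is wanted.
       if grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" |
          grep -E -q "TRUST_UNKNOWN|NOT_TRUSTED"; then
         echo "Certificate ${keyhash} is not trusted!  Removing..."
         rm -f tempfile.cer tempfile.crt "${tempfile}"
         continue
       fi

       # A failed conversion leaves keyhash empty. Filing the result as
       # "certs/.pem" would hide it from the certs/*.pem glob while its split
       # copy still reached the second output file, so skip and report it.
       if test -z "${keyhash}"; then
         echo "Cannot convert or hash record '$(head -n 1 tempfile.cer)'; skipping" >&2
         EXITSTATUS=1
         rm -f tempfile.cer tempfile.crt "${tempfile}"
         continue
       fi

       # NOTE(review): two certificates with the same hash share this file
       # name, and the later one replaces the earlier.
       mv tempfile.crt "certs/${keyhash}.pem"

       # Create separate certificate file, named after the record's label.
       crtfname=$(genfname tempfile.cer)
       create_ca_file "${crtfname}" "certs/${keyhash}.pem" || EXITSTATUS=1

       rm -f tempfile.cer "${tempfile}"
       echo "Created ${keyhash}.pem"
     done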
     5         kx 
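     # Remove blacklisted files
     # MD5 Collision Proof of Concept CA
     #
     # The main loop also wrote a copy of every certificate to ${splitted}/
     # under a label-derived name, and that directory feeds the second output
     # file. The copy has to go as well, otherwise the blacklisted CA is
     # removed from the bundle but still shipped in the split-certificate file.
     #
     # NOTE(review): the file name comes from `openssl x509 -hash`, whose value
     # differs between OpenSSL's old and current subject-hash algorithms.
     # Confirm 8f111d69 is what this toolchain produces for that CA.
     if test -f certs/8f111d69.pem; then
       echo "Certificate 8f111d69 is not trusted!  Removing..."

       # Rebuild the split form of the certificate and delete any identical copy.
       sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' certs/8f111d69.pem \
         > "${TEMPDIR:?}/blacklisted.crt"
       for splitfile in "${splitted:?}"/*.crt; do
         test -e "${splitfile}" || continue
         if cmp -s "${TEMPDIR}/blacklisted.crt" "${splitfile}"; then
           rm -f "${splitfile}"
         fi
       done
       rm -f "${TEMPDIR}/blacklisted.crt"

       rm -f certs/8f111d69.pem
     fi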
     5         kx 
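     # Finally, generate the two output files. Cleanup of the scratch directory
     # is left to the EXIT trap set near the top of the script.
     cat certs/*.pem > "${BUNDLE}" || EXITSTATUS=1
     cat "${splitted}"/*.crt > "${SPLITTED_CERTS}" || EXITSTATUS=1

     # An empty trust store must not look like a successful build: with no
     # input files the redirections above still create the outputs, empty.
     if test ! -s "${BUNDLE}" || test ! -s "${SPLITTED_CERTS}"; then
       echo "No certificates were written to ${BUNDLE} or ${SPLITTED_CERTS}" >&2
       EXITSTATUS=1
     fi

     exit "${EXITSTATUS:-0}"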