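#!/bin/sh
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
#
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
#
# Authors: DJ Lucas
#          Bruce Dubbs
#
# Version 20120211
#
# Inputs  : ./certdata.txt - NSS trust data. Everything this file marks as
#           trusted for server auth ends up in the system trust store, so it
#           must come from a source you trust and be checked before use.
# Outputs : ./certs/<hash>.pem, one per trusted CA, and
#           ./BLFS-ca-bundle-<version>.crt concatenating them.
# Requires: perl with /usr/bin/make-cert.pl, openssl, mktemp.
# Exit    : 1 if certdata.txt is missing or unusable, 0 otherwise.

certdata="certdata.txt"

# Print a message on stderr and abort; stdout is left for progress output.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ -r "${certdata}" ] || die "${certdata} must be in the local directory"

# The data file carries a CVS_ID line; its 4th '$'-delimited field is
# expected to read like "Revision: N.NN " and the second word of that is
# the version number used to name the bundle.
REVISION=$(grep CVS_ID "${certdata}" | cut -f4 -d'$')
[ -n "${REVISION}" ] || die "${certdata} has no 'Revision' in CVS_ID"

# awk's default field splitting collapses runs of whitespace, which is what
# the original unquoted echo | cut relied on.
VERSION=$(printf '%s\n' "${REVISION}" | awk '{print $2}')
[ -n "${VERSION}" ] || die "cannot parse a version number from '${REVISION}'"

TEMPDIR=$(mktemp -d) || die "mktemp failed"
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
CONVERTSCRIPT="/usr/bin/make-cert.pl"
# SSLDIR is not referenced anywhere in this script.
# shellcheck disable=SC2034
SSLDIR="/etc/ssl"

# Whatever happens from here on, never leave the extracted cert data behind.
# ':?' aborts instead of expanding to "rm -rf --" with an empty path.
trap 'rm -rf -- "${TEMPDIR:?}"' EXIT

mkdir "${TEMPDIR}/certs" || die "cannot create ${TEMPDIR}/certs"

# Each certificate block in certdata.txt starts with a "# Certificate"
# comment line and ends with its CKA_TRUST_STEP_UP_APPROVED attribute;
# collect the line numbers of both so each block can be sliced out with sed.
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)

# Dump every block to its own temp file, named after its starting line.
# Word-splitting of the two lists is deliberate: one line number per word.
# shellcheck disable=SC2086
for certbegin in ${CERTBEGINLIST}; do
  # A block ends at the first end marker that follows its beginning.
  for certend in ${CERTENDLIST}; do
    if test "${certend}" -gt "${certbegin}"; then
      break
    fi
  done
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done

unset CERTBEGINLIST CERTENDLIST certbegin certend

#######################################
# Convert one extracted block to PEM and print its OpenSSL subject hash.
# make-cert.pl is invoked without arguments after the block has been copied
# to ./tempfile.cer, so it presumably reads that file; the PEM it writes to
# stdout is captured in ./tempfile.crt for the caller to move into place.
# Arguments: $1 - path to a single-certificate .tmp block
# Outputs:   the hash on stdout (empty if openssl could not parse the PEM)
# Returns:   non-zero if copying, conversion or hashing failed
#######################################
convert_cert() {
  cp "$1" tempfile.cer || return 1
  perl "${CONVERTSCRIPT}" > tempfile.crt || return 1
  openssl x509 -noout -in tempfile.crt -hash
}

mkdir -p certs || die "cannot create certs/"
rm -f certs/* # Make sure the directory is clean

for tempfile in "${TEMPDIR}"/certs/*.tmp; do
  # With no blocks extracted the glob stays literal; nothing to do then.
  [ -e "${tempfile}" ] || continue

  # A cert whose server-auth trust attribute is unknown or explicitly
  # distrusted must not enter the store.
  # NOTE(review): a block with no CKA_TRUST_SERVER_AUTH line at all passes
  # this check, i.e. absence of the attribute is treated as trusted.
  if grep "${TRUSTATTRIBUTES}" "${tempfile}" \
    | grep -E "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null; then
    # Convert it only to report a meaningful hash, then drop it.
    keyhash=$(convert_cert "${tempfile}")
    printf 'Certificate %s is not trusted! Removing...\n' "${keyhash}"
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi

  # If execution made it to here in the loop, the temp cert is trusted.
  # Only install the PEM when conversion and hashing both succeeded; an
  # empty hash would otherwise produce certs/.pem and a broken bundle.
  if keyhash=$(convert_cert "${tempfile}") && [ -n "${keyhash}" ]; then
    # openssl's -hash is a subject-name hash, so two different certs can
    # collide; the later one would silently replace the earlier.
    if [ -e "certs/${keyhash}.pem" ]; then
      printf 'warning: certs/%s.pem already exists; replacing it\n' "${keyhash}" >&2
    fi
    mv tempfile.crt "certs/${keyhash}.pem"
    rm -f tempfile.cer "${tempfile}"
    printf 'Created %s.pem\n' "${keyhash}"
  else
    printf 'warning: conversion of %s failed; skipping it\n' "${tempfile}" >&2
    rm -f tempfile.cer tempfile.crt "${tempfile}"
  fi
done

# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
  printf 'Certificate 8f111d69 is not trusted! Removing...\n'
  rm -f certs/8f111d69.pem
fi

# Finally, generate the bundle. The temp dir is removed by the EXIT trap.
cat certs/*.pem > "${BUNDLE}" || die "failed to write ${BUNDLE}"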