logo

overlay

My own overlay for experimentations, use with caution, no support is provided git clone https://hacktivis.me/git/overlay.git

generate-cacerts.pl (11051B)

    

  1. #!/usr/bin/perl
  3. # Copyright (C) 2007, 2008 Red Hat, Inc.
  4. #
  5. # This program is free software; you can redistribute it and/or modify
  6. # it under the terms of the GNU General Public License as published by
  7. # the Free Software Foundation; either version 2 of the License, or
  8. # (at your option) any later version.
  9. #
  10. # This program is distributed in the hope that it will be useful,
  11. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  12. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13. # GNU General Public License for more details.
  15. # generate-cacerts.pl generates a JKS keystore named 'cacerts' from
  16. # OpenSSL's certificate bundle using OpenJDK's keytool.
  18. # First extract each of OpenSSL's bundled certificates into its own
  19. # aliased filename.
  21. # Downloaded from http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/F-12/generate-cacerts.pl?revision=1.2
  22. # Check and prevention of duplicate aliases added by Vlastimil Babka <caster@gentoo.org>
  24. $file = $ARGV[1];
  25. open(CERTS, $file);
  26. @certs = <CERTS>;
  27. close(CERTS);
  29. $pem_file_count = 0;
  30. $in_cert_block = 0;
  31. $write_current_cert = 1;
  32. foreach $cert (@certs)
  33. {
  34.     if ($cert =~ /Issuer: /)
  35.     {
  36.         $_ = $cert;
  37.         if ($cert =~ /personal-freemail/)
  38.         {
  39.             $cert_alias = "thawtepersonalfreemailca";
  40.         }
  41.         elsif ($cert =~ /personal-basic/)
  42.         {
  43.             $cert_alias = "thawtepersonalbasicca";
  44.         }
  45.         elsif ($cert =~ /personal-premium/)
  46.         {
  47.             $cert_alias = "thawtepersonalpremiumca";
  48.         }
  49.         elsif ($cert =~ /server-certs/)
  50.         {
  51.             $cert_alias = "thawteserverca";
  52.         }
  53.         elsif ($cert =~ /premium-server/)
  54.         {
  55.             $cert_alias = "thawtepremiumserverca";
  56.         }
  57.         elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
  58.         {
  59.             $cert_alias = "verisignclass1ca";
  60.         }
  61.         elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
  62.         {
  63.             $cert_alias = "verisignclass1g2ca";
  64.         }
  65.         elsif ($cert =~
  66.                /VeriSign Class 1 Public Primary Certification Authority - G3/)
  67.         {
  68.             $cert_alias = "verisignclass1g3ca";
  69.         }
  70.         elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
  71.         {
  72.             $cert_alias = "verisignclass2ca";
  73.         }
  74.         elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
  75.         {
  76.             $cert_alias = "verisignclass2g2ca";
  77.         }
  78.         elsif ($cert =~
  79.                /VeriSign Class 2 Public Primary Certification Authority - G3/)
  80.         {
  81.             $cert_alias = "verisignclass2g3ca";
  82.         }
  83.         elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
  84.         {
  85.             $cert_alias = "verisignclass3ca";
  86.         }
  87.         # Version 1 of Class 3 Public Primary Certification Authority
  88.         # - G2 is added.  Version 3 is excluded.  See below.
  89.         elsif ($cert =~
  90.                /VeriSign Class 3 Public Primary Certification Authority - G3/)
  91.         {
  92.             $cert_alias = "verisignclass3g3ca";
  93.         }
  94.         elsif ($cert =~
  95.                /RSA Data Security.*Secure Server Certification Authority/)
  96.         {
  97.             $cert_alias = "verisignserverca";
  98.         }
  99.         elsif ($cert =~ /GTE CyberTrust Global Root/)
  100.         {
  101.             $cert_alias = "gtecybertrustglobalca";
  102.         }
  103.         elsif ($cert =~ /Baltimore CyberTrust Root/)
  104.         {
  105.             $cert_alias = "baltimorecybertrustca";
  106.         }
  107.         elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
  108.         {
  109.             $cert_alias = "entrustclientca";
  110.         }
  111.         elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
  112.         {
  113.             $cert_alias = "entrustglobalclientca";
  114.         }
  115.         elsif ($cert =~ /www.entrust.net\/CPS_2048/)
  116.         {
  117.             $cert_alias = "entrust2048ca";
  118.         }
  119.         elsif ($cert =~ /www.entrust.net\/CPS /)
  120.         {
  121.             $cert_alias = "entrustsslca";
  122.         }
  123.         elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
  124.         {
  125.             $cert_alias = "entrustgsslca";
  126.         }
  127.         elsif ($cert =~ /The Go Daddy Group/)
  128.         {
  129.             $cert_alias = "godaddyclass2ca";
  130.         }
  131.         elsif ($cert =~ /Starfield Class 2 Certification Authority/)
  132.         {
  133.             $cert_alias = "starfieldclass2ca";
  134.         }
  135.         elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
  136.         {
  137.             $cert_alias = "valicertclass2ca";
  138.         }
  139.         elsif ($cert =~ /GeoTrust Global CA$/)
  140.         {
  141.             $cert_alias = "geotrustglobalca";
  142.         }
  143.         elsif ($cert =~ /Equifax Secure Certificate Authority/)
  144.         {
  145.             $cert_alias = "equifaxsecureca";
  146.         }
  147.         elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
  148.         {
  149.             $cert_alias = "equifaxsecureebusinessca1";
  150.         }
  151.         elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
  152.         {
  153.             $cert_alias = "equifaxsecureebusinessca2";
  154.         }
  155.         elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
  156.         {
  157.             $cert_alias = "equifaxsecureglobalebusinessca1";
  158.         }
  159.         elsif ($cert =~ /Sonera Class1 CA/)
  160.         {
  161.             $cert_alias = "soneraclass1ca";
  162.         }
  163.         elsif ($cert =~ /Sonera Class2 CA/)
  164.         {
  165.             $cert_alias = "soneraclass2ca";
  166.         }
  167.         elsif ($cert =~ /AAA Certificate Services/)
  168.         {
  169.             $cert_alias = "comodoaaaca";
  170.         }
  171.         elsif ($cert =~ /AddTrust Class 1 CA Root/)
  172.         {
  173.             $cert_alias = "addtrustclass1ca";
  174.         }
  175.         elsif ($cert =~ /AddTrust External CA Root/)
  176.         {
  177.             $cert_alias = "addtrustexternalca";
  178.         }
  179.         elsif ($cert =~ /AddTrust Qualified CA Root/)
  180.         {
  181.             $cert_alias = "addtrustqualifiedca";
  182.         }
  183.         elsif ($cert =~ /UTN-USERFirst-Hardware/)
  184.         {
  185.             $cert_alias = "utnuserfirsthardwareca";
  186.         }
  187.         elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
  188.         {
  189.             $cert_alias = "utnuserfirstclientauthemailca";
  190.         }
  191.         elsif ($cert =~ /UTN - DATACorp SGC/)
  192.         {
  193.             $cert_alias = "utndatacorpsgcca";
  194.         }
  195.         elsif ($cert =~ /UTN-USERFirst-Object/)
  196.         {
  197.             $cert_alias = "utnuserfirstobjectca";
  198.         }
  199.         elsif ($cert =~ /America Online Root Certification Authority 1/)
  200.         {
  201.             $cert_alias = "aolrootca1";
  202.         }
  203.         elsif ($cert =~ /DigiCert Assured ID Root CA/)
  204.         {
  205.             $cert_alias = "digicertassuredidrootca";
  206.         }
  207.         elsif ($cert =~ /DigiCert Global Root CA/)
  208.         {
  209.             $cert_alias = "digicertglobalrootca";
  210.         }
  211.         elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
  212.         {
  213.             $cert_alias = "digicerthighassuranceevrootca";
  214.         }
  215.         elsif ($cert =~ /GlobalSign Root CA$/)
  216.         {
  217.             $cert_alias = "globalsignca";
  218.         }
  219.         elsif ($cert =~ /GlobalSign Root CA - R2/)
  220.         {
  221.             $cert_alias = "globalsignr2ca";
  222.         }
  223.         elsif ($cert =~ /Elektronik.*Kas.*2005/)
  224.         {
  225.             $cert_alias = "extra-elektronikkas2005";
  226.         }
  227.         elsif ($cert =~ /Elektronik/)
  228.         {
  229.             $cert_alias = "extra-elektronik2005";
  230.         }
  231.         # Mozilla does not provide these certificates:
  232.         #   baltimorecodesigningca
  233.         #   gtecybertrust5ca
  234.         #   trustcenterclass2caii
  235.         #   trustcenterclass4caii
  236.         #   trustcenteruniversalcai
  237.         else
  238.         {
  239.             # Generate an alias using the OU and CN attributes of the
  240.             # Issuer field if both are present, otherwise use only the
  241.             # CN attribute.  The Issuer field must have either the OU
  242.             # or the CN attribute.
  243.             $_ = $cert;
  244.             if ($cert =~ /OU=/)
  245.             {
  246.                 s/Issuer:.*?OU=//;
  247.                 # Remove other occurrences of OU=.
  248.                 s/OU=.*CN=//;
  249.                 # Remove CN= if there were not other occurrences of OU=.
  250.                 s/CN=//;
  251.                 s/\/emailAddress.*//;
  252.                 s/Certificate Authority/ca/g;
  253.                 s/Certification Authority/ca/g;
  254.             }
  255.             elsif ($cert =~ /CN=/)
  256.             {
  257.                 s/Issuer:.*CN=//;
  258.                 s/\/emailAddress.*//;
  259.                 s/Certificate Authority/ca/g;
  260.                 s/Certification Authority/ca/g;
  261.             }
  262.             s/\W//g;
  263.             tr/A-Z/a-z/;
  264.             $cert_alias = "extra-$_";
  266.         }
  267.         while (-e "$cert_alias.pem")
  268.         {
  269.             $cert_alias = "$cert_alias" . "_";
  270.         }
  271.     }
  272.     # When it attempts to parse:
  273.     #
  274.     # Class 3 Public Primary Certification Authority - G2, Version 3
  275.     #
  276.     # keytool says:
  277.     #
  278.     # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
  279.     # Unparseable AuthorityInfoAccess extension due to
  280.     # java.io.IOException: Invalid encoding of URI
  281.     #
  282.     # If we do not exclude this file
  283.     # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
  284.     # on this cert, printing:
  285.     #
  286.     # Couldn't verify: java.security.SignatureException: Signature
  287.     # does not match.
  288.     #
  289.     elsif ($cert =~
  290.            /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
  291.     {
  292.         $write_current_cert = 0;
  293.         $pem_file_count--;
  294.     }
  295.     elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
  296.     {
  297.         if ($in_cert_block != 0)
  298.         {
  299.             die "$file is malformed.";
  300.         }
  301.         $in_cert_block = 1;
  302.         if ($write_current_cert == 1)
  303.         {
  304.             $pem_file_count++;
  305.             if (-e "$cert_alias.pem")
  306.             {
  307.                 print "$cert_alias";
  308.                 die "already exists"
  309.             }
  310.             open(PEM, ">$cert_alias.pem");
  311.             print PEM $cert;
  312.         }
  313.     }
  314.     elsif ($cert eq "-----END CERTIFICATE-----\n")
  315.     {
  316.         $in_cert_block = 0;
  317.         if ($write_current_cert == 1)
  318.         {
  319.             print PEM $cert;
  320.             close(PEM);
  321.         }
  322.         $write_current_cert = 1
  323.     }
  324.     else
  325.     {
  326.         if ($in_cert_block == 1 && $write_current_cert == 1)
  327.         {
  328.             print PEM $cert;
  329.         }
  330.     }
  331. }
  333. # Check that the correct number of .pem files were produced.
  334. @pem_files = <*.pem>;
  335. if (@pem_files != $pem_file_count)
  336. {
  337.     print "$pem_file_count";
  338.     die "Number of .pem files produced does not match".
  339.         " number of certs read from $file.";
  340. }
  342. # Now store each cert in the 'cacerts' file using keytool.
  343. $certs_written_count = 0;
  344. foreach $pem_file (@pem_files)
  345. {
  346.     system "$ARGV[0] -noprompt -import".
  347.         " -alias `basename $pem_file .pem`".
  348.         " -keystore cacerts -storepass 'changeit' -file $pem_file";
  349.     unlink($pem_file);
  350.     $certs_written_count++;
  351. }
  353. # Check that the correct number of certs were added to the keystore.
  354. if ($certs_written_count != $pem_file_count)
  355. {
  356.     die "Number of certs added to keystore does not match".
  357.         " number of certs read from $file.";
  358. }