  1. #!/usr/bin/perl
  2. # Copyright (C) 2007, 2008 Red Hat, Inc.
  3. #
  4. # This program is free software; you can redistribute it and/or modify
  5. # it under the terms of the GNU General Public License as published by
  6. # the Free Software Foundation; either version 2 of the License, or
  7. # (at your option) any later version.
  8. #
  9. # This program is distributed in the hope that it will be useful,
  10. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. # GNU General Public License for more details.
  13. # generate-cacerts.pl generates a JKS keystore named 'cacerts' from
  14. # OpenSSL's certificate bundle using OpenJDK's keytool.
  15. # First extract each of OpenSSL's bundled certificates into its own
  16. # aliased filename.
  17. # Downloaded from http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/F-12/generate-cacerts.pl?revision=1.2
  18. # Check and prevention of duplicate aliases added by Vlastimil Babka <caster@gentoo.org>
  19. $file = $ARGV[1];
  20. open(CERTS, $file);
  21. @certs = <CERTS>;
  22. close(CERTS);
  23. $pem_file_count = 0;
  24. $in_cert_block = 0;
  25. $write_current_cert = 1;
  26. foreach $cert (@certs)
  27. {
  28. if ($cert =~ /Issuer: /)
  29. {
  30. $_ = $cert;
  31. if ($cert =~ /personal-freemail/)
  32. {
  33. $cert_alias = "thawtepersonalfreemailca";
  34. }
  35. elsif ($cert =~ /personal-basic/)
  36. {
  37. $cert_alias = "thawtepersonalbasicca";
  38. }
  39. elsif ($cert =~ /personal-premium/)
  40. {
  41. $cert_alias = "thawtepersonalpremiumca";
  42. }
  43. elsif ($cert =~ /server-certs/)
  44. {
  45. $cert_alias = "thawteserverca";
  46. }
  47. elsif ($cert =~ /premium-server/)
  48. {
  49. $cert_alias = "thawtepremiumserverca";
  50. }
  51. elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
  52. {
  53. $cert_alias = "verisignclass1ca";
  54. }
  55. elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
  56. {
  57. $cert_alias = "verisignclass1g2ca";
  58. }
  59. elsif ($cert =~
  60. /VeriSign Class 1 Public Primary Certification Authority - G3/)
  61. {
  62. $cert_alias = "verisignclass1g3ca";
  63. }
  64. elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
  65. {
  66. $cert_alias = "verisignclass2ca";
  67. }
  68. elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
  69. {
  70. $cert_alias = "verisignclass2g2ca";
  71. }
  72. elsif ($cert =~
  73. /VeriSign Class 2 Public Primary Certification Authority - G3/)
  74. {
  75. $cert_alias = "verisignclass2g3ca";
  76. }
  77. elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
  78. {
  79. $cert_alias = "verisignclass3ca";
  80. }
  81. # Version 1 of Class 3 Public Primary Certification Authority
  82. # - G2 is added. Version 3 is excluded. See below.
  83. elsif ($cert =~
  84. /VeriSign Class 3 Public Primary Certification Authority - G3/)
  85. {
  86. $cert_alias = "verisignclass3g3ca";
  87. }
  88. elsif ($cert =~
  89. /RSA Data Security.*Secure Server Certification Authority/)
  90. {
  91. $cert_alias = "verisignserverca";
  92. }
  93. elsif ($cert =~ /GTE CyberTrust Global Root/)
  94. {
  95. $cert_alias = "gtecybertrustglobalca";
  96. }
  97. elsif ($cert =~ /Baltimore CyberTrust Root/)
  98. {
  99. $cert_alias = "baltimorecybertrustca";
  100. }
  101. elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
  102. {
  103. $cert_alias = "entrustclientca";
  104. }
  105. elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
  106. {
  107. $cert_alias = "entrustglobalclientca";
  108. }
  109. elsif ($cert =~ /www.entrust.net\/CPS_2048/)
  110. {
  111. $cert_alias = "entrust2048ca";
  112. }
  113. elsif ($cert =~ /www.entrust.net\/CPS /)
  114. {
  115. $cert_alias = "entrustsslca";
  116. }
  117. elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
  118. {
  119. $cert_alias = "entrustgsslca";
  120. }
  121. elsif ($cert =~ /The Go Daddy Group/)
  122. {
  123. $cert_alias = "godaddyclass2ca";
  124. }
  125. elsif ($cert =~ /Starfield Class 2 Certification Authority/)
  126. {
  127. $cert_alias = "starfieldclass2ca";
  128. }
  129. elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
  130. {
  131. $cert_alias = "valicertclass2ca";
  132. }
  133. elsif ($cert =~ /GeoTrust Global CA$/)
  134. {
  135. $cert_alias = "geotrustglobalca";
  136. }
  137. elsif ($cert =~ /Equifax Secure Certificate Authority/)
  138. {
  139. $cert_alias = "equifaxsecureca";
  140. }
  141. elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
  142. {
  143. $cert_alias = "equifaxsecureebusinessca1";
  144. }
  145. elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
  146. {
  147. $cert_alias = "equifaxsecureebusinessca2";
  148. }
  149. elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
  150. {
  151. $cert_alias = "equifaxsecureglobalebusinessca1";
  152. }
  153. elsif ($cert =~ /Sonera Class1 CA/)
  154. {
  155. $cert_alias = "soneraclass1ca";
  156. }
  157. elsif ($cert =~ /Sonera Class2 CA/)
  158. {
  159. $cert_alias = "soneraclass2ca";
  160. }
  161. elsif ($cert =~ /AAA Certificate Services/)
  162. {
  163. $cert_alias = "comodoaaaca";
  164. }
  165. elsif ($cert =~ /AddTrust Class 1 CA Root/)
  166. {
  167. $cert_alias = "addtrustclass1ca";
  168. }
  169. elsif ($cert =~ /AddTrust External CA Root/)
  170. {
  171. $cert_alias = "addtrustexternalca";
  172. }
  173. elsif ($cert =~ /AddTrust Qualified CA Root/)
  174. {
  175. $cert_alias = "addtrustqualifiedca";
  176. }
  177. elsif ($cert =~ /UTN-USERFirst-Hardware/)
  178. {
  179. $cert_alias = "utnuserfirsthardwareca";
  180. }
  181. elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
  182. {
  183. $cert_alias = "utnuserfirstclientauthemailca";
  184. }
  185. elsif ($cert =~ /UTN - DATACorp SGC/)
  186. {
  187. $cert_alias = "utndatacorpsgcca";
  188. }
  189. elsif ($cert =~ /UTN-USERFirst-Object/)
  190. {
  191. $cert_alias = "utnuserfirstobjectca";
  192. }
  193. elsif ($cert =~ /America Online Root Certification Authority 1/)
  194. {
  195. $cert_alias = "aolrootca1";
  196. }
  197. elsif ($cert =~ /DigiCert Assured ID Root CA/)
  198. {
  199. $cert_alias = "digicertassuredidrootca";
  200. }
  201. elsif ($cert =~ /DigiCert Global Root CA/)
  202. {
  203. $cert_alias = "digicertglobalrootca";
  204. }
  205. elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
  206. {
  207. $cert_alias = "digicerthighassuranceevrootca";
  208. }
  209. elsif ($cert =~ /GlobalSign Root CA$/)
  210. {
  211. $cert_alias = "globalsignca";
  212. }
  213. elsif ($cert =~ /GlobalSign Root CA - R2/)
  214. {
  215. $cert_alias = "globalsignr2ca";
  216. }
  217. elsif ($cert =~ /Elektronik.*Kas.*2005/)
  218. {
  219. $cert_alias = "extra-elektronikkas2005";
  220. }
  221. elsif ($cert =~ /Elektronik/)
  222. {
  223. $cert_alias = "extra-elektronik2005";
  224. }
  225. # Mozilla does not provide these certificates:
  226. # baltimorecodesigningca
  227. # gtecybertrust5ca
  228. # trustcenterclass2caii
  229. # trustcenterclass4caii
  230. # trustcenteruniversalcai
  231. else
  232. {
  233. # Generate an alias using the OU and CN attributes of the
  234. # Issuer field if both are present, otherwise use only the
  235. # CN attribute. The Issuer field must have either the OU
  236. # or the CN attribute.
  237. $_ = $cert;
  238. if ($cert =~ /OU=/)
  239. {
  240. s/Issuer:.*?OU=//;
  241. # Remove other occurrences of OU=.
  242. s/OU=.*CN=//;
  243. # Remove CN= if there were not other occurrences of OU=.
  244. s/CN=//;
  245. s/\/emailAddress.*//;
  246. s/Certificate Authority/ca/g;
  247. s/Certification Authority/ca/g;
  248. }
  249. elsif ($cert =~ /CN=/)
  250. {
  251. s/Issuer:.*CN=//;
  252. s/\/emailAddress.*//;
  253. s/Certificate Authority/ca/g;
  254. s/Certification Authority/ca/g;
  255. }
  256. s/\W//g;
  257. tr/A-Z/a-z/;
  258. $cert_alias = "extra-$_";
  259. }
  260. while (-e "$cert_alias.pem")
  261. {
  262. $cert_alias = "$cert_alias" . "_";
  263. }
  264. }
  265. # When it attempts to parse:
  266. #
  267. # Class 3 Public Primary Certification Authority - G2, Version 3
  268. #
  269. # keytool says:
  270. #
  271. # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
  272. # Unparseable AuthorityInfoAccess extension due to
  273. # java.io.IOException: Invalid encoding of URI
  274. #
  275. # If we do not exclude this file
  276. # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
  277. # on this cert, printing:
  278. #
  279. # Couldn't verify: java.security.SignatureException: Signature
  280. # does not match.
  281. #
  282. elsif ($cert =~
  283. /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
  284. {
  285. $write_current_cert = 0;
  286. $pem_file_count--;
  287. }
  288. elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
  289. {
  290. if ($in_cert_block != 0)
  291. {
  292. die "$file is malformed.";
  293. }
  294. $in_cert_block = 1;
  295. if ($write_current_cert == 1)
  296. {
  297. $pem_file_count++;
  298. if (-e "$cert_alias.pem")
  299. {
  300. print "$cert_alias";
  301. die "already exists"
  302. }
  303. open(PEM, ">$cert_alias.pem");
  304. print PEM $cert;
  305. }
  306. }
  307. elsif ($cert eq "-----END CERTIFICATE-----\n")
  308. {
  309. $in_cert_block = 0;
  310. if ($write_current_cert == 1)
  311. {
  312. print PEM $cert;
  313. close(PEM);
  314. }
  315. $write_current_cert = 1
  316. }
  317. else
  318. {
  319. if ($in_cert_block == 1 && $write_current_cert == 1)
  320. {
  321. print PEM $cert;
  322. }
  323. }
  324. }
  325. # Check that the correct number of .pem files were produced.
  326. @pem_files = <*.pem>;
  327. if (@pem_files != $pem_file_count)
  328. {
  329. print "$pem_file_count";
  330. die "Number of .pem files produced does not match".
  331. " number of certs read from $file.";
  332. }
  333. # Now store each cert in the 'cacerts' file using keytool.
  334. $certs_written_count = 0;
  335. foreach $pem_file (@pem_files)
  336. {
  337. system "$ARGV[0] -noprompt -import".
  338. " -alias `basename $pem_file .pem`".
  339. " -keystore cacerts -storepass 'changeit' -file $pem_file";
  340. unlink($pem_file);
  341. $certs_written_count++;
  342. }
  343. # Check that the correct number of certs were added to the keystore.
  344. if ($certs_written_count != $pem_file_count)
  345. {
  346. die "Number of certs added to keystore does not match".
  347. " number of certs read from $file.";
  348. }