rpms/ca-certificates/devel ca-certificates.spec, 1.3, 1.4 generate-cacerts.pl, 1.1, 1.2
Thomas Fitzsimmons (fitzsim)
fedora-extras-commits at redhat.com
Wed Jun 25 15:34:26 UTC 2008
Author: fitzsim
Update of /cvs/pkgs/rpms/ca-certificates/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2905
Modified Files:
ca-certificates.spec generate-cacerts.pl
Log Message:
* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim at redhat.com> - 2008-6
- Change generate-cacerts.pl to produce pretty aliases.
Index: ca-certificates.spec
===================================================================
RCS file: /cvs/pkgs/rpms/ca-certificates/devel/ca-certificates.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ca-certificates.spec 2 Jun 2008 09:28:52 -0000 1.3
+++ ca-certificates.spec 25 Jun 2008 15:33:23 -0000 1.4
@@ -7,7 +7,7 @@
Summary: The Mozilla CA root certificate bundle
Name: ca-certificates
Version: 2008
-Release: 5
+Release: 6
License: Public Domain
Group: System Environment/Base
URL: http://www.mozilla.org/
@@ -57,6 +57,9 @@
%{pkidir}/tls/cert.pem
%changelog
+* Wed Jun 25 2008 Thomas Fitzsimmons <fitzsim at redhat.com> - 2008-6
+- Change generate-cacerts.pl to produce pretty aliases.
+
* Mon Jun 2 2008 Joe Orton <jorton at redhat.com> 2008-5
- include /etc/pki/tls/cert.pem symlink to ca-bundle.crt
Index: generate-cacerts.pl
===================================================================
RCS file: /cvs/pkgs/rpms/ca-certificates/devel/generate-cacerts.pl,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- generate-cacerts.pl 2 Jun 2008 08:47:49 -0000 1.1
+++ generate-cacerts.pl 25 Jun 2008 15:33:23 -0000 1.2
@@ -22,84 +22,327 @@
@certs = <CERTS>;
close(CERTS);
-$pem_file_number = 0;
-$writing_cert = 0;
+$pem_file_count = 0;
+$in_cert_block = 0;
+$write_current_cert = 1;
foreach $cert (@certs)
{
- if ($cert eq "-----BEGIN CERTIFICATE-----\n")
- {
- if ($writing_cert != 0)
- {
- die "$file is malformed.";
- }
- $pem_file_number++;
- # Numbering each file guarantees that cert aliases will be
- # unique.
- $pem_file_name = "$pem_file_number$cert_alias.pem";
- $writing_cert = 1;
- open(PEM, ">$pem_file_name");
- print PEM $cert;
- }
- elsif ($cert eq "-----END CERTIFICATE-----\n")
- {
- $writing_cert = 0;
- print PEM $cert;
- close(PEM);
- }
- elsif ($cert =~ /Issuer: /)
- {
- # Generate an alias using the OU and CN attributes of the
- # Issuer field if both are present, otherwise use only the CN
- # attribute. The Issuer field must have either the OU or the
- # CN attribute.
- $_ = $cert;
- if ($cert =~ /OU=/)
- {
- s/Issuer:.*?OU=//;
- # Remove other occurrences of OU=.
- s/OU=.*CN=//;
- # Remove CN= if there were not other occurrences of OU=.
- s/CN=//;
- }
- elsif ($cert =~ /CN=/)
- {
- s/Issuer:.*CN=//;
- }
- s/\W//g;
- tr/A-Z/a-z/;
- $cert_alias = $_
- }
- else
- {
- if ($writing_cert == 1)
- {
- print PEM $cert;
- }
- }
+ if ($cert =~ /Issuer: /)
+ {
+ $_ = $cert;
+ if ($cert =~ /personal-freemail/)
+ {
+ $cert_alias = "thawtepersonalfreemailca";
+ }
+ elsif ($cert =~ /personal-basic/)
+ {
+ $cert_alias = "thawtepersonalbasicca";
+ }
+ elsif ($cert =~ /personal-premium/)
+ {
+ $cert_alias = "thawtepersonalpremiumca";
+ }
+ elsif ($cert =~ /server-certs/)
+ {
+ $cert_alias = "thawteserverca";
+ }
+ elsif ($cert =~ /premium-server/)
+ {
+ $cert_alias = "thawtepremiumserverca";
+ }
+ elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass1ca";
+ }
+ elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
+ {
+ $cert_alias = "verisignclass1g2ca";
+ }
+ elsif ($cert =~
+ /VeriSign Class 1 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass1g3ca";
+ }
+ elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass2ca";
+ }
+ elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
+ {
+ $cert_alias = "verisignclass2g2ca";
+ }
+ elsif ($cert =~
+ /VeriSign Class 2 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass2g3ca";
+ }
+ elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass3ca";
+ }
+ # Version 1 of Class 3 Public Primary Certification Authority
+ # - G2 is added. Version 3 is excluded. See below.
+ elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
+ {
+ $cert_alias = "verisignclass3g2ca";
+ }
+ elsif ($cert =~
+ /VeriSign Class 3 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass3g3ca";
+ }
+ elsif ($cert =~
+ /RSA Data Security.*Secure Server Certification Authority/)
+ {
+ $cert_alias = "verisignserverca";
+ }
+ elsif ($cert =~ /GTE CyberTrust Global Root/)
+ {
+ $cert_alias = "gtecybertrustglobalca";
+ }
+ elsif ($cert =~ /Baltimore CyberTrust Root/)
+ {
+ $cert_alias = "baltimorecybertrustca";
+ }
+ elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
+ {
+ $cert_alias = "entrustclientca";
+ }
+ elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
+ {
+ $cert_alias = "entrustglobalclientca";
+ }
+ elsif ($cert =~ /www.entrust.net\/CPS_2048/)
+ {
+ $cert_alias = "entrust2048ca";
+ }
+ elsif ($cert =~ /www.entrust.net\/CPS /)
+ {
+ $cert_alias = "entrustsslca";
+ }
+ elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
+ {
+ $cert_alias = "entrustgsslca";
+ }
+ elsif ($cert =~ /The Go Daddy Group/)
+ {
+ $cert_alias = "godaddyclass2ca";
+ }
+ elsif ($cert =~ /Starfield Class 2 Certification Authority/)
+ {
+ $cert_alias = "starfieldclass2ca";
+ }
+ elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
+ {
+ $cert_alias = "valicertclass2ca";
+ }
+ elsif ($cert =~ /GeoTrust Global CA$/)
+ {
+ $cert_alias = "geotrustglobalca";
+ }
+ elsif ($cert =~ /Equifax Secure Certificate Authority/)
+ {
+ $cert_alias = "equifaxsecureca";
+ }
+ elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
+ {
+ $cert_alias = "equifaxsecureebusinessca1";
+ }
+ elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
+ {
+ $cert_alias = "equifaxsecureebusinessca2";
+ }
+ elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
+ {
+ $cert_alias = "equifaxsecureglobalebusinessca1";
+ }
+ elsif ($cert =~ /Sonera Class1 CA/)
+ {
+ $cert_alias = "soneraclass1ca";
+ }
+ elsif ($cert =~ /Sonera Class2 CA/)
+ {
+ $cert_alias = "soneraclass2ca";
+ }
+ elsif ($cert =~ /AAA Certificate Services/)
+ {
+ $cert_alias = "comodoaaaca";
+ }
+ elsif ($cert =~ /AddTrust Class 1 CA Root/)
+ {
+ $cert_alias = "addtrustclass1ca";
+ }
+ elsif ($cert =~ /AddTrust External CA Root/)
+ {
+ $cert_alias = "addtrustexternalca";
+ }
+ elsif ($cert =~ /AddTrust Qualified CA Root/)
+ {
+ $cert_alias = "addtrustqualifiedca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Hardware/)
+ {
+ $cert_alias = "utnuserfirsthardwareca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
+ {
+ $cert_alias = "utnuserfirstclientauthemailca";
+ }
+ elsif ($cert =~ /UTN - DATACorp SGC/)
+ {
+ $cert_alias = "utndatacorpsgcca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Object/)
+ {
+ $cert_alias = "utnuserfirstobjectca";
+ }
+ elsif ($cert =~ /America Online Root Certification Authority 1/)
+ {
+ $cert_alias = "aolrootca1";
+ }
+ elsif ($cert =~ /DigiCert Assured ID Root CA/)
+ {
+ $cert_alias = "digicertassuredidrootca";
+ }
+ elsif ($cert =~ /DigiCert Global Root CA/)
+ {
+ $cert_alias = "digicertglobalrootca";
+ }
+ elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
+ {
+ $cert_alias = "digicerthighassuranceevrootca";
+ }
+ elsif ($cert =~ /GlobalSign Root CA$/)
+ {
+ $cert_alias = "globalsignca";
+ }
+ elsif ($cert =~ /GlobalSign Root CA - R2/)
+ {
+ $cert_alias = "globalsignr2ca";
+ }
+ elsif ($cert =~ /Elektronik.*Kas.*2005/)
+ {
+ $cert_alias = "extra-elektronikkas2005";
+ }
+ elsif ($cert =~ /Elektronik/)
+ {
+ $cert_alias = "extra-elektronik2005";
+ }
+ # Mozilla does not provide these certificates:
+ # baltimorecodesigningca
+ # gtecybertrust5ca
+ # trustcenterclass2caii
+ # trustcenterclass4caii
+ # trustcenteruniversalcai
+ else
+ {
+ # Generate an alias using the OU and CN attributes of the
+ # Issuer field if both are present, otherwise use only the
+ # CN attribute. The Issuer field must have either the OU
+ # or the CN attribute.
+ $_ = $cert;
+ if ($cert =~ /OU=/)
+ {
+ s/Issuer:.*?OU=//;
+ # Remove other occurrences of OU=.
+ s/OU=.*CN=//;
+ # Remove CN= if there were not other occurrences of OU=.
+ s/CN=//;
+ s/\/emailAddress.*//;
+ s/Certificate Authority/ca/g;
+ s/Certification Authority/ca/g;
+ }
+ elsif ($cert =~ /CN=/)
+ {
+ s/Issuer:.*CN=//;
+ s/\/emailAddress.*//;
+ s/Certificate Authority/ca/g;
+ s/Certification Authority/ca/g;
+ }
+ s/\W//g;
+ tr/A-Z/a-z/;
+ $cert_alias = "extra-$_";
+ }
+ }
+ # When it attempts to parse:
+ #
+ # Class 3 Public Primary Certification Authority - G2, Version 3
+ #
+ # keytool says:
+ #
+ # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
+ # Unparseable AuthorityInfoAccess extension due to
+ # java.io.IOException: Invalid encoding of URI
+ #
+ # If we do not exclude this file
+ # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
+ # on this cert, printing:
+ #
+ # Couldn't verify: java.security.SignatureException: Signature
+ # does not match.
+ #
+ elsif ($cert =~
+ /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
+ {
+ $write_current_cert = 0;
+ $pem_file_count--;
+ }
+ elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
+ {
+ if ($in_cert_block != 0)
+ {
+ die "$file is malformed.";
+ }
+ $in_cert_block = 1;
+ if ($write_current_cert == 1)
+ {
+ $pem_file_count++;
+ open(PEM, ">$cert_alias.pem");
+ print PEM $cert;
+ }
+ }
+ elsif ($cert eq "-----END CERTIFICATE-----\n")
+ {
+ $in_cert_block = 0;
+ if ($write_current_cert == 1)
+ {
+ print PEM $cert;
+ close(PEM);
+ }
+ $write_current_cert = 1
+ }
+ else
+ {
+ if ($in_cert_block == 1 && $write_current_cert == 1)
+ {
+ print PEM $cert;
+ }
+ }
}
# Check that the correct number of .pem files were produced.
@pem_files = <*.pem>;
-if (@pem_files != $pem_file_number)
+if (@pem_files != $pem_file_count)
{
- die "Number of .pem files produced does not match".
- " number of certs read from $file.";
+ print "$pem_file_count";
+ die "Number of .pem files produced does not match".
+ " number of certs read from $file.";
}
# Now store each cert in the 'cacerts' file using keytool.
$certs_written_count = 0;
foreach $pem_file (@pem_files)
{
- system "yes | $ARGV[0] -import".
- " -alias `basename $pem_file .pem`".
- " -keystore cacerts -storepass 'changeit' -file $pem_file";
- unlink($pem_file);
- $certs_written_count++;
+ system "/bin/echo yes | $ARGV[0] -import".
+ " -alias `basename $pem_file .pem`".
+ " -keystore cacerts -storepass 'changeit' -file $pem_file";
+ unlink($pem_file);
+ $certs_written_count++;
}
# Check that the correct number of certs were added to the keystore.
-if ($certs_written_count != $pem_file_number)
+if ($certs_written_count != $pem_file_count)
{
- die "Number of certs added to keystore does not match".
- " number of certs read from $file.";
+ die "Number of certs added to keystore does not match".
+ " number of certs read from $file.";
}
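Review bot: The `open(PEM, ">$cert_alias.pem");` in the BEGIN branch drops the numeric prefix the old code used to guarantee unique file names, so two certificates whose Issuer lines map to the same alias (the hard-coded patterns are unanchored substring matches and the fallback only strips non-word characters) now silently overwrite one another, and the first file's contents are gone before the later `.pem` count check can notice. The open is also unchecked, so a failed open leaves the following `print PEM $cert;` writing to an unopened handle. I would guard both: `die "duplicate alias $cert_alias" if -e "$cert_alias.pem";` followed by `open(PEM, '>', "$cert_alias.pem") or die "open $cert_alias.pem: $!";`. The `$pem_file_count--;` in the fingerprint branch looks like it double-counts the exclusion, since the BEGIN branch already skips the increment when `$write_current_cert` is 0; whether that is correct depends on where the fingerprint line sits relative to the PEM block in the input, which is not visible here, and the stray `print "$pem_file_count";` before the die reads like leftover debugging output. The script's preamble (strictures and the CERTS open) is outside the hunk.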