diff options
Diffstat (limited to 'abs/core/ca-certificates/update-ca-trust')
| -rw-r--r-- | abs/core/ca-certificates/update-ca-trust | 37 |
1 files changed, 26 insertions, 11 deletions
diff --git a/abs/core/ca-certificates/update-ca-trust b/abs/core/ca-certificates/update-ca-trust index 9a97e34..53441b3 100644 --- a/abs/core/ca-certificates/update-ca-trust +++ b/abs/core/ca-certificates/update-ca-trust @@ -1,27 +1,42 @@ #!/bin/bash # At this time, while this script is trivial, we ignore any parameters given. -# However, for backwards compatibility reasons, future versions of this script must -# support the syntax "update-ca-trust extract" trigger the generation of output +# However, for backwards compatibility reasons, future versions of this script must +# support the syntax "update-ca-trust extract" trigger the generation of output # files in $DEST. DEST=/etc/ca-certificates/extracted +# Prevent p11-kit from reading user configuration files. +export P11_KIT_NO_USER_CONFIG=1 + +extract() { + trust extract --overwrite "$@" +} + +## Simple PEM bundles +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=server-auth $DEST/tls-ca-bundle.pem +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=email $DEST/email-ca-bundle.pem +extract --comment --format=pem-bundle --filter=ca-anchors --purpose=code-signing $DEST/objsign-ca-bundle.pem + +## OpenSSL PEM bundle that includes trust flags +extract --comment --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt + +## TianoCore EDK II bundle +extract --format=edk2-cacerts --filter=ca-anchors --purpose=server-auth $DEST/edk2-cacerts.bin + +## Java bundle +extract --format=java-cacerts --filter=ca-anchors --purpose=server-auth /etc/ssl/certs/java/cacerts + +## OpenSSL-style directory with individual PEM files and hash links # The directory-format extractors remove all files in the target directory, but not directories or files therein -trust extract --overwrite --format=pem-directory-hash --filter=ca-anchors --purpose server-auth $DEST/cadir -trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose server-auth $DEST/tls-ca-bundle.pem -trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose email $DEST/email-ca-bundle.pem -trust extract --overwrite --format=pem-bundle --filter=ca-anchors --purpose code-signing $DEST/objsign-ca-bundle.pem -trust extract --overwrite --format=openssl-bundle --filter=certificates $DEST/ca-bundle.trust.crt +extract --format=pem-directory-hash --filter=ca-anchors --purpose=server-auth $DEST/cadir # We don't want to have to remove everything from the certs directory but neither -# do we want to leave stale certs around, so symlink it all from somewhere else +# do we want to leave stale certs around, so only place symlinks in the real cadir for f in $DEST/cadir/*; do ln -fsr -t /etc/ssl/certs "$f" done # Now find and remove all broken symlinks find -L /etc/ssl/certs -maxdepth 1 -type l -delete - -# Java bundle -trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose server-auth /etc/ssl/certs/java/cacerts |