diff options
Diffstat (limited to 'abs/extra/nss/bundle.sh')
-rw-r--r-- | abs/extra/nss/bundle.sh | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/abs/extra/nss/bundle.sh b/abs/extra/nss/bundle.sh new file mode 100644 index 0000000..253e64a --- /dev/null +++ b/abs/extra/nss/bundle.sh @@ -0,0 +1,54 @@ +#!/bin/sh +# From Fedora's ca-certificates.spec + +( + cat <<EOF +# This is a bundle of X.509 certificates of public Certificate +# Authorities. It was generated from the Mozilla root CA list. +# These certificates are in the OpenSSL "TRUSTED CERTIFICATE" +# format and have trust bits set accordingly. +# An exception are auxiliary certificates, without positive or negative +# trust, but are used to assist in finding a preferred trust path. +# Those neutral certificates use the plain BEGIN CERTIFICATE format. +# +# Source: nss/lib/ckfw/builtins/certdata.txt +# Source: nss/lib/ckfw/builtins/nssckbi.h +# +# Generated from: +EOF + cat certs/nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}' + echo '#' +) > ca-bundle.trust.crt +for f in certs/*.crt; do + echo "processing $f" + tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` + distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f` + alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'` + targs="" + if [ -n "$tbits" ]; then + for t in $tbits; do + targs="${targs} -addtrust $t" + done + fi + if [ -n "$distbits" ]; then + for t in $distbits; do + targs="${targs} -addreject $t" + done + fi + if [ -n "$targs" ]; then + echo "trust flags $targs for $f" >> info.trust + openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.trust.crt + else + echo "no trust flags for $f" >> info.notrust + # p11-kit-trust defines empty trust lists as "rejected for all purposes". + # That's why we use the simple file format + # (BEGIN CERTIFICATE, no trust information) + # because p11-kit-trust will treat it as a certificate with neutral trust. + # This means we cannot use the -setalias feature for neutral trust certs. + openssl x509 -text -in "$f" >> ca-bundle.neutral-trust.crt + fi +done + +for p in certs/*.p11-kit; do + cat "$p" >> ca-bundle.supplement.p11-kit +done |