Diffstat (limited to 'abs/extra/nss/bundle.sh')
-rw-r--r--abs/extra/nss/bundle.sh54
1 files changed, 54 insertions, 0 deletions
diff --git a/abs/extra/nss/bundle.sh b/abs/extra/nss/bundle.sh
new file mode 100644
index 0000000..253e64a
--- /dev/null
+++ b/abs/extra/nss/bundle.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+# From Fedora's ca-certificates.spec
+
+(
+ cat <<EOF
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities. It was generated from the Mozilla root CA list.
+# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
+# format and have trust bits set accordingly.
+# An exception are auxiliary certificates, without positive or negative
+# trust, but are used to assist in finding a preferred trust path.
+# Those neutral certificates use the plain BEGIN CERTIFICATE format.
+#
+# Source: nss/lib/ckfw/builtins/certdata.txt
+# Source: nss/lib/ckfw/builtins/nssckbi.h
+#
+# Generated from:
+EOF
+ cat certs/nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}'
+ echo '#'
+) > ca-bundle.trust.crt
+for f in certs/*.crt; do
+ echo "processing $f"
+ tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
+ distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
+ alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+ targs=""
+ if [ -n "$tbits" ]; then
+ for t in $tbits; do
+ targs="${targs} -addtrust $t"
+ done
+ fi
+ if [ -n "$distbits" ]; then
+ for t in $distbits; do
+ targs="${targs} -addreject $t"
+ done
+ fi
+ if [ -n "$targs" ]; then
+ echo "trust flags $targs for $f" >> info.trust
+ openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.trust.crt
+ else
+ echo "no trust flags for $f" >> info.notrust
+ # p11-kit-trust defines empty trust lists as "rejected for all purposes".
+ # That's why we use the simple file format
+ # (BEGIN CERTIFICATE, no trust information)
+ # because p11-kit-trust will treat it as a certificate with neutral trust.
+ # This means we cannot use the -setalias feature for neutral trust certs.
+ openssl x509 -text -in "$f" >> ca-bundle.neutral-trust.crt
+ fi
+done
+
+for p in certs/*.p11-kit; do
+ cat "$p" >> ca-bundle.supplement.p11-kit
+done
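Review bot: Only ca-bundle.trust.crt is truncated (the `) > ca-bundle.trust.crt` redirect); ca-bundle.neutral-trust.crt, ca-bundle.supplement.p11-kit, info.trust and info.notrust are only ever appended to with `>>`, so a second run in the same directory duplicates every neutral certificate and retains entries for certificates that have since been removed from certs/. For a trust bundle that is a correctness problem rather than clutter, so add `rm -f -- ca-bundle.neutral-trust.crt ca-bundle.supplement.p11-kit info.trust info.notrust` before the `for f in certs/*.crt` loop. Separately, the script runs without `set -e` and ignores the exit status of `openssl x509`, so a certificate that fails to parse is silently omitted from the bundle while the script still exits 0; `openssl x509 ... || exit 1` on both invocations would surface that. The unquoted `$f` in the three sed extractions should also be quoted, as it already is on the openssl lines.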