ca-certificates/generate-cacerts.pl

Fri, 11 Mar 2011 21:41:16 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Fri, 11 Mar 2011 21:41:16 +0100
changeset 3
d4b4127cd2bb
permissions
-rw-r--r--

Import unmodified vendor specs for introduction into repository.

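#!/usr/bin/perl

# Copyright (C) 2007, 2008 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
# OpenSSL's certificate bundle using OpenJDK's keytool.
#
# Usage: generate-cacerts.pl KEYTOOL CA_BUNDLE
#
#   KEYTOOL    path to the keytool executable.  It is run without a
#              shell, so this must be a single program path rather
#              than a command line with options.
#   CA_BUNDLE  bundle in which every certificate's text dump (the
#              "Issuer: ..." line and the SHA1 fingerprint line) is
#              followed by its PEM block.
#
# Intermediate <alias>.pem files are written to, and removed from,
# the current directory; the keystore 'cacerts' is created there too.

use strict;
use warnings;
use File::Basename qw(basename);

# Well-known roots are given fixed aliases.  The rules are tried in
# order and the first match wins, so more specific patterns must stay
# ahead of more general ones (e.g. the two "Elektronik" rules).
my @ALIAS_RULES = (
    [ qr/personal-freemail/, 'thawtepersonalfreemailca' ],
    [ qr/personal-basic/,    'thawtepersonalbasicca' ],
    [ qr/personal-premium/,  'thawtepersonalpremiumca' ],
    [ qr/server-certs/,      'thawteserverca' ],
    [ qr/premium-server/,    'thawtepremiumserverca' ],
    [ qr/Class 1 Public Primary Certification Authority$/,
      'verisignclass1ca' ],
    [ qr/Class 1 Public Primary Certification Authority - G2/,
      'verisignclass1g2ca' ],
    [ qr/VeriSign Class 1 Public Primary Certification Authority - G3/,
      'verisignclass1g3ca' ],
    [ qr/Class 2 Public Primary Certification Authority$/,
      'verisignclass2ca' ],
    [ qr/Class 2 Public Primary Certification Authority - G2/,
      'verisignclass2g2ca' ],
    [ qr/VeriSign Class 2 Public Primary Certification Authority - G3/,
      'verisignclass2g3ca' ],
    [ qr/Class 3 Public Primary Certification Authority$/,
      'verisignclass3ca' ],
    # Version 1 of Class 3 Public Primary Certification Authority
    # - G2 is added. Version 3 is excluded by fingerprint; see
    # $EXCLUDED_FINGERPRINT below.
    [ qr/Class 3 Public Primary Certification Authority - G2/,
      'verisignclass3g2ca' ],
    [ qr/VeriSign Class 3 Public Primary Certification Authority - G3/,
      'verisignclass3g3ca' ],
    [ qr/RSA Data Security.*Secure Server Certification Authority/,
      'verisignserverca' ],
    [ qr/GTE CyberTrust Global Root/, 'gtecybertrustglobalca' ],
    [ qr/Baltimore CyberTrust Root/,  'baltimorecybertrustca' ],
    [ qr{www.entrust.net/Client_CA_Info/CPS}, 'entrustclientca' ],
    [ qr{www.entrust.net/GCCA_CPS},           'entrustglobalclientca' ],
    [ qr{www.entrust.net/CPS_2048},           'entrust2048ca' ],
    [ qr{www.entrust.net/CPS },               'entrustsslca' ],
    [ qr{www.entrust.net/SSL_CPS},            'entrustgsslca' ],
    [ qr/The Go Daddy Group/, 'godaddyclass2ca' ],
    [ qr/Starfield Class 2 Certification Authority/, 'starfieldclass2ca' ],
    [ qr/ValiCert Class 2 Policy Validation Authority/,
      'valicertclass2ca' ],
    [ qr/GeoTrust Global CA$/, 'geotrustglobalca' ],
    [ qr/Equifax Secure Certificate Authority/, 'equifaxsecureca' ],
    [ qr/Equifax Secure eBusiness CA-1/, 'equifaxsecureebusinessca1' ],
    [ qr/Equifax Secure eBusiness CA-2/, 'equifaxsecureebusinessca2' ],
    [ qr/Equifax Secure Global eBusiness CA-1/,
      'equifaxsecureglobalebusinessca1' ],
    [ qr/Sonera Class1 CA/, 'soneraclass1ca' ],
    [ qr/Sonera Class2 CA/, 'soneraclass2ca' ],
    [ qr/AAA Certificate Services/,  'comodoaaaca' ],
    [ qr/AddTrust Class 1 CA Root/,  'addtrustclass1ca' ],
    [ qr/AddTrust External CA Root/, 'addtrustexternalca' ],
    [ qr/AddTrust Qualified CA Root/, 'addtrustqualifiedca' ],
    [ qr/UTN-USERFirst-Hardware/, 'utnuserfirsthardwareca' ],
    [ qr/UTN-USERFirst-Client Authentication and Email/,
      'utnuserfirstclientauthemailca' ],
    [ qr/UTN - DATACorp SGC/,  'utndatacorpsgcca' ],
    [ qr/UTN-USERFirst-Object/, 'utnuserfirstobjectca' ],
    [ qr/America Online Root Certification Authority 1/, 'aolrootca1' ],
    [ qr/DigiCert Assured ID Root CA/, 'digicertassuredidrootca' ],
    [ qr/DigiCert Global Root CA/,     'digicertglobalrootca' ],
    [ qr/DigiCert High Assurance EV Root CA/,
      'digicerthighassuranceevrootca' ],
    [ qr/GlobalSign Root CA$/,    'globalsignca' ],
    [ qr/GlobalSign Root CA - R2/, 'globalsignr2ca' ],
    [ qr/Elektronik.*Kas.*2005/, 'extra-elektronikkas2005' ],
    [ qr/Elektronik/,            'extra-elektronik2005' ],
);
# Mozilla does not provide these certificates:
#   baltimorecodesigningca
#   gtecybertrust5ca
#   trustcenterclass2caii
#   trustcenterclass4caii
#   trustcenteruniversalcai

# When it attempts to parse:
#
#   Class 3 Public Primary Certification Authority - G2, Version 3
#
# keytool says:
#
#   #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
#   Unparseable AuthorityInfoAccess extension due to
#   java.io.IOException: Invalid encoding of URI
#
# If we do not exclude this file
# openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
# on this cert, printing:
#
#   Couldn't verify: java.security.SignatureException: Signature
#   does not match.
#
# The certificate is recognised by its SHA1 fingerprint line.
my $EXCLUDED_FINGERPRINT =
    qr/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/;

# Build an alias from the OU and CN attributes of an "Issuer:" line
# when both are present, otherwise from the CN attribute alone.  The
# result is lower-cased and stripped of every non-word character, so
# it is always safe to use as a file name.
sub derive_alias {
    my ($issuer_line) = @_;
    my $alias = $issuer_line;
    if ($alias =~ /OU=/) {
        $alias =~ s/Issuer:.*?OU=//;
        # Remove other occurrences of OU=.
        $alias =~ s/OU=.*CN=//;
        # Remove CN= if there were not other occurrences of OU=.
        $alias =~ s/CN=//;
        $alias =~ s{/emailAddress.*}{};
        $alias =~ s/Certificate Authority/ca/g;
        $alias =~ s/Certification Authority/ca/g;
    }
    elsif ($alias =~ /CN=/) {
        $alias =~ s/Issuer:.*CN=//;
        $alias =~ s{/emailAddress.*}{};
        $alias =~ s/Certificate Authority/ca/g;
        $alias =~ s/Certification Authority/ca/g;
    }
    # An Issuer with neither OU= nor CN= falls through with the whole
    # line squashed into the alias, as the original script did.
    $alias =~ s/\W//g;
    $alias =~ tr/A-Z/a-z/;
    return "extra-$alias";
}

# Return the keystore alias for one "Issuer:" line: the fixed alias of
# the first matching rule, else a derived "extra-..." alias.
sub alias_for_issuer {
    my ($issuer_line) = @_;
    for my $rule (@ALIAS_RULES) {
        my ($pattern, $alias) = @{$rule};
        return $alias if $issuer_line =~ $pattern;
    }
    return derive_alias($issuer_line);
}

# Write each certificate of the bundle (given as its lines) into its
# own <alias>.pem file in the current directory.  Returns the number of
# files the caller should expect to find.  Dies when a BEGIN line is
# nested inside an open block or has no preceding "Issuer:" line.
sub extract_pem_files {
    my ($bundle, $lines) = @_;
    my $pem_file_count     = 0;
    my $in_cert_block      = 0;
    my $write_current_cert = 1;
    my $cert_alias;
    my %already_written;
    my $pem_fh;

    for my $line (@{$lines}) {
        if ($line =~ /Issuer: /) {
            $cert_alias = alias_for_issuer($line);
        }
        elsif ($line =~ $EXCLUDED_FINGERPRINT) {
            $write_current_cert = 0;
            # NOTE(review): kept from the original.  Since the BEGIN
            # branch below never increments for an excluded cert, this
            # decrement only balances if the bundle layout relies on
            # it (e.g. another cert overwriting a same-alias file) --
            # confirm against the real bundle before changing it.
            $pem_file_count--;
        }
        elsif ($line eq "-----BEGIN CERTIFICATE-----\n") {
            die "$bundle is malformed." if $in_cert_block != 0;
            $in_cert_block = 1;
            if ($write_current_cert == 1) {
                die "$bundle: certificate block without a preceding"
                  . " Issuer line."
                    unless defined $cert_alias;
                # A second cert with the same alias silently replaces
                # the first file; make that visible instead of letting
                # the count check fail with no explanation.
                warn "alias '$cert_alias' is used by more than one"
                  . " certificate; the earlier .pem file is overwritten.\n"
                    if $already_written{$cert_alias}++;
                $pem_file_count++;
                my $pem_path = "$cert_alias.pem";
                open $pem_fh, '>', $pem_path
                    or die "open $pem_path: $!";
                print {$pem_fh} $line;
            }
        }
        elsif ($line eq "-----END CERTIFICATE-----\n") {
            $in_cert_block = 0;
            if ($write_current_cert == 1) {
                print {$pem_fh} $line;
                # Buffered write errors surface here, so check close.
                close $pem_fh or die "close $cert_alias.pem: $!";
            }
            $write_current_cert = 1;
        }
        elsif ($in_cert_block == 1 && $write_current_cert == 1) {
            print {$pem_fh} $line;
        }
    }
    return $pem_file_count;
}

# Import one .pem file into 'cacerts' under the alias given by its base
# name.  keytool is run in list form (no shell), with -noprompt taking
# the place of the former "echo yes |" pipe, and a non-zero exit status
# is fatal so a failed import can no longer be counted as written.
sub import_pem_file {
    my ($keytool, $pem_file) = @_;
    my $alias = basename($pem_file, '.pem');
    # 'changeit' is the stock password of the OpenJDK cacerts store;
    # it is visible in the process list, as it was in the original.
    my @command = (
        $keytool, '-import', '-noprompt',
        '-alias',    $alias,
        '-keystore', 'cacerts',
        '-storepass', 'changeit',
        '-file',     $pem_file,
    );
    if (system(@command) != 0) {
        my $reason = $? == -1 ? "could not run $keytool: $!"
                              : 'exit status ' . ($? >> 8);
        die "keytool failed to import $pem_file ($reason).";
    }
    return;
}

my ($keytool, $file) = @ARGV;
die "usage: $0 KEYTOOL CA_BUNDLE\n"
    unless defined $keytool && defined $file;

# First extract each of OpenSSL's bundled certificates into its own
# aliased filename.
open my $bundle_fh, '<', $file or die "open $file: $!";
my @certs = <$bundle_fh>;
close $bundle_fh or die "close $file: $!";

my $pem_file_count = extract_pem_files($file, \@certs);

# Check that the correct number of .pem files were produced.  Any
# .pem file that already existed in the current directory is counted
# too and will make this check fail.
my @pem_files = glob('*.pem');
if (@pem_files != $pem_file_count) {
    die "Number of .pem files produced does not match"
      . " number of certs read from $file"
      . " (found " . scalar(@pem_files) . ", expected $pem_file_count).";
}

# Now store each cert in the 'cacerts' file using keytool.
my $certs_written_count = 0;
for my $pem_file (@pem_files) {
    import_pem_file($keytool, $pem_file);
    unlink $pem_file or die "unlink $pem_file: $!";
    $certs_written_count++;
}

# Check that the correct number of certs were added to the keystore.
if ($certs_written_count != $pem_file_count) {
    die "Number of certs added to keystore does not match"
      . " number of certs read from $file.";
}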
