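--- /dev/null
+++ b/ca-certificates/generate-cacerts.pl
@@ -0,0 +1,348 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2007, 2008 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
+# OpenSSL's certificate bundle using OpenJDK's keytool.
+
+# First extract each of OpenSSL's bundled certificates into its own
+# aliased filename.
+$file = $ARGV[1];
+open(CERTS, $file);
+@certs = <CERTS>;
+close(CERTS);
+
+$pem_file_count = 0;
+$in_cert_block = 0;
+$write_current_cert = 1;
+foreach $cert (@certs)
+{
+    if ($cert =~ /Issuer: /)
+    {
+        $_ = $cert;
+        if ($cert =~ /personal-freemail/)
+        {
+            $cert_alias = "thawtepersonalfreemailca";
+        }
+        elsif ($cert =~ /personal-basic/)
+        {
+            $cert_alias = "thawtepersonalbasicca";
+        }
+        elsif ($cert =~ /personal-premium/)
+        {
+            $cert_alias = "thawtepersonalpremiumca";
+        }
+        elsif ($cert =~ /server-certs/)
+        {
+            $cert_alias = "thawteserverca";
+        }
+        elsif ($cert =~ /premium-server/)
+        {
+            $cert_alias = "thawtepremiumserverca";
+        }
+        elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
+        {
+            $cert_alias = "verisignclass1ca";
+        }
+        elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
+        {
+            $cert_alias = "verisignclass1g2ca";
+        }
+        elsif ($cert =~
+            /VeriSign Class 1 Public Primary Certification Authority - G3/)
+        {
+            $cert_alias = "verisignclass1g3ca";
+        }
+        elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
+        {
+            $cert_alias = "verisignclass2ca";
+        }
+        elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
+        {
+            $cert_alias = "verisignclass2g2ca";
+        }
+        elsif ($cert =~
+            /VeriSign Class 2 Public Primary Certification Authority - G3/)
+        {
+            $cert_alias = "verisignclass2g3ca";
+        }
+        elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
+        {
+            $cert_alias = "verisignclass3ca";
+        }
+        # Version 1 of Class 3 Public Primary Certification Authority
+        # - G2 is added. Version 3 is excluded. See below.
+        elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
+        {
+            $cert_alias = "verisignclass3g2ca";
+        }
+        elsif ($cert =~
+            /VeriSign Class 3 Public Primary Certification Authority - G3/)
+        {
+            $cert_alias = "verisignclass3g3ca";
+        }
+        elsif ($cert =~
+            /RSA Data Security.*Secure Server Certification Authority/)
+        {
+            $cert_alias = "verisignserverca";
+        }
+        elsif ($cert =~ /GTE CyberTrust Global Root/)
+        {
+            $cert_alias = "gtecybertrustglobalca";
+        }
+        elsif ($cert =~ /Baltimore CyberTrust Root/)
+        {
+            $cert_alias = "baltimorecybertrustca";
+        }
+        elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
+        {
+            $cert_alias = "entrustclientca";
+        }
+        elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
+        {
+            $cert_alias = "entrustglobalclientca";
+        }
+        elsif ($cert =~ /www.entrust.net\/CPS_2048/)
+        {
+            $cert_alias = "entrust2048ca";
+        }
+        elsif ($cert =~ /www.entrust.net\/CPS /)
+        {
+            $cert_alias = "entrustsslca";
+        }
+        elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
+        {
+            $cert_alias = "entrustgsslca";
+        }
+        elsif ($cert =~ /The Go Daddy Group/)
+        {
+            $cert_alias = "godaddyclass2ca";
+        }
+        elsif ($cert =~ /Starfield Class 2 Certification Authority/)
+        {
+            $cert_alias = "starfieldclass2ca";
+        }
+        elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
+        {
+            $cert_alias = "valicertclass2ca";
+        }
+        elsif ($cert =~ /GeoTrust Global CA$/)
+        {
+            $cert_alias = "geotrustglobalca";
+        }
+        elsif ($cert =~ /Equifax Secure Certificate Authority/)
+        {
+            $cert_alias = "equifaxsecureca";
+        }
+        elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
+        {
+            $cert_alias = "equifaxsecureebusinessca1";
+        }
+        elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
+        {
+            $cert_alias = "equifaxsecureebusinessca2";
+        }
+        elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
+        {
+            $cert_alias = "equifaxsecureglobalebusinessca1";
+        }
+        elsif ($cert =~ /Sonera Class1 CA/)
+        {
+            $cert_alias = "soneraclass1ca";
+        }
+        elsif ($cert =~ /Sonera Class2 CA/)
+        {
+            $cert_alias = "soneraclass2ca";
+        }
+        elsif ($cert =~ /AAA Certificate Services/)
+        {
+            $cert_alias = "comodoaaaca";
+        }
+        elsif ($cert =~ /AddTrust Class 1 CA Root/)
+        {
+            $cert_alias = "addtrustclass1ca";
+        }
+        elsif ($cert =~ /AddTrust External CA Root/)
+        {
+            $cert_alias = "addtrustexternalca";
+        }
+        elsif ($cert =~ /AddTrust Qualified CA Root/)
+        {
+            $cert_alias = "addtrustqualifiedca";
+        }
+        elsif ($cert =~ /UTN-USERFirst-Hardware/)
+        {
+            $cert_alias = "utnuserfirsthardwareca";
+        }
+        elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
+        {
+            $cert_alias = "utnuserfirstclientauthemailca";
+        }
+        elsif ($cert =~ /UTN - DATACorp SGC/)
+        {
+            $cert_alias = "utndatacorpsgcca";
+        }
+        elsif ($cert =~ /UTN-USERFirst-Object/)
+        {
+            $cert_alias = "utnuserfirstobjectca";
+        }
+        elsif ($cert =~ /America Online Root Certification Authority 1/)
+        {
+            $cert_alias = "aolrootca1";
+        }
+        elsif ($cert =~ /DigiCert Assured ID Root CA/)
+        {
+            $cert_alias = "digicertassuredidrootca";
+        }
+        elsif ($cert =~ /DigiCert Global Root CA/)
+        {
+            $cert_alias = "digicertglobalrootca";
+        }
+        elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
+        {
+            $cert_alias = "digicerthighassuranceevrootca";
+        }
+        elsif ($cert =~ /GlobalSign Root CA$/)
+        {
+            $cert_alias = "globalsignca";
+        }
+        elsif ($cert =~ /GlobalSign Root CA - R2/)
+        {
+            $cert_alias = "globalsignr2ca";
+        }
+        elsif ($cert =~ /Elektronik.*Kas.*2005/)
+        {
+            $cert_alias = "extra-elektronikkas2005";
+        }
+        elsif ($cert =~ /Elektronik/)
+        {
+            $cert_alias = "extra-elektronik2005";
+        }
+        # Mozilla does not provide these certificates:
+        #   baltimorecodesigningca
+        #   gtecybertrust5ca
+        #   trustcenterclass2caii
+        #   trustcenterclass4caii
+        #   trustcenteruniversalcai
+        else
+        {
+            # Generate an alias using the OU and CN attributes of the
+            # Issuer field if both are present, otherwise use only the
+            # CN attribute.  The Issuer field must have either the OU
+            # or the CN attribute.
+            $_ = $cert;
+            if ($cert =~ /OU=/)
+            {
+                s/Issuer:.*?OU=//;
+                # Remove other occurrences of OU=.
+                s/OU=.*CN=//;
+                # Remove CN= if there were not other occurrences of OU=.
+                s/CN=//;
+                s/\/emailAddress.*//;
+                s/Certificate Authority/ca/g;
+                s/Certification Authority/ca/g;
+            }
+            elsif ($cert =~ /CN=/)
+            {
+                s/Issuer:.*CN=//;
+                s/\/emailAddress.*//;
+                s/Certificate Authority/ca/g;
+                s/Certification Authority/ca/g;
+            }
+            s/\W//g;
+            tr/A-Z/a-z/;
+            $cert_alias = "extra-$_";
+        }
+    }
+    # When it attempts to parse:
+    #
+    # Class 3 Public Primary Certification Authority - G2, Version 3
+    #
+    # keytool says:
+    #
+    # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
+    # Unparseable AuthorityInfoAccess extension due to
+    # java.io.IOException: Invalid encoding of URI
+    #
+    # If we do not exclude this file
+    # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
+    # on this cert, printing:
+    #
+    # Couldn't verify: java.security.SignatureException: Signature
+    # does not match.
+    #
+    elsif ($cert =~
+        /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
+    {
+        $write_current_cert = 0;
+        $pem_file_count--;
+    }
+    elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
+    {
+        if ($in_cert_block != 0)
+        {
+            die "$file is malformed.";
+        }
+        $in_cert_block = 1;
+        if ($write_current_cert == 1)
+        {
+            $pem_file_count++;
+            open(PEM, ">$cert_alias.pem");
+            print PEM $cert;
+        }
+    }
+    elsif ($cert eq "-----END CERTIFICATE-----\n")
+    {
+        $in_cert_block = 0;
+        if ($write_current_cert == 1)
+        {
+            print PEM $cert;
+            close(PEM);
+        }
+        $write_current_cert = 1
+    }
+    else
+    {
+        if ($in_cert_block == 1 && $write_current_cert == 1)
+        {
+            print PEM $cert;
+        }
+    }
+}
+
+# Check that the correct number of .pem files were produced.
+@pem_files = <*.pem>;
+if (@pem_files != $pem_file_count)
+{
+    print "$pem_file_count";
+    die "Number of .pem files produced does not match".
+        " number of certs read from $file.";
+}
+
+# Now store each cert in the 'cacerts' file using keytool.
+$certs_written_count = 0;
+foreach $pem_file (@pem_files)
+{
+    system "/bin/echo yes | $ARGV[0] -import".
+        " -alias `basename $pem_file .pem`".
+        " -keystore cacerts -storepass 'changeit' -file $pem_file";
+    unlink($pem_file);
+    $certs_written_count++;
+}
+
+# Check that the correct number of certs were added to the keystore.
+if ($certs_written_count != $pem_file_count)
+{
+    die "Number of certs added to keystore does not match".
+        " number of certs read from $file.";
+}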
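Review bot: The final "correct number of certs were added to the keystore" check is vacuous, because in the keytool loop `$certs_written_count++` and `unlink($pem_file)` run regardless of whether the `system "/bin/echo yes | $ARGV[0] -import" ...` call succeeded, so a failed import is counted as written and its .pem input is deleted anyway. The command is also assembled as a shell string with `$ARGV[0]` and the alias interpolated unquoted and the alias computed through a `basename` subshell; the list form of `system` with keytool's `-noprompt` flag removes both the `echo yes` pipe and the backticks, and checking its return value makes the count meaningful. The same unchecked-I/O pattern appears near the top of the file, where the 2-argument `open(CERTS, $file);` lets the open mode be influenced by the filename and its failure is not detected; it should read `open(CERTS, '<', $file) or die "open $file: $!";`, and the `open(PEM, ">$cert_alias.pem");` inside the loop likewise deserves an `or die`. The script runs without `use strict; use warnings;`, which would have flagged the missing semicolon on `$write_current_cert = 1` before the closing brace.
```perl
# Now store each cert in the 'cacerts' file using keytool.
$certs_written_count = 0;
foreach $pem_file (@pem_files)
{
    # @pem_files comes from <*.pem> in the current directory, so the
    # alias is the bare file name without its ".pem" suffix.
    (my $alias = $pem_file) =~ s/\.pem\z//;
    # List-form system() bypasses the shell; -noprompt replaces the
    # "echo yes" pipe that answered keytool's trust prompt.
    my $status = system($ARGV[0], '-import', '-noprompt',
                        '-alias', $alias,
                        '-keystore', 'cacerts', '-storepass', 'changeit',
                        '-file', $pem_file);
    if ($status != 0)
    {
        die "keytool failed to import $pem_file (exit status $status).";
    }
    unlink($pem_file);
    $certs_written_count++;
}
```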