ca-certificates/generate-cacerts.pl

Fri, 11 Mar 2011 21:41:16 +0100

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Fri, 11 Mar 2011 21:41:16 +0100
changeset 3
d4b4127cd2bb

Import unmodified vendor specs for introduction into repository.

     1 #!/usr/bin/perl
     3 # Copyright (C) 2007, 2008 Red Hat, Inc.
     4 #
     5 # This program is free software; you can redistribute it and/or modify
     6 # it under the terms of the GNU General Public License as published by
     7 # the Free Software Foundation; either version 2 of the License, or
     8 # (at your option) any later version.
     9 #
    10 # This program is distributed in the hope that it will be useful,
    11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
    12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    13 # GNU General Public License for more details.
    15 # generate-cacerts.pl generates a JKS keystore named 'cacerts' from
    16 # OpenSSL's certificate bundle using OpenJDK's keytool.
    18 # First extract each of OpenSSL's bundled certificates into its own
    19 # aliased filename.
    20 $file = $ARGV[1];
    21 open(CERTS, $file);
    22 @certs = <CERTS>;
    23 close(CERTS);
    25 $pem_file_count = 0;
    26 $in_cert_block = 0;
    27 $write_current_cert = 1;
    28 foreach $cert (@certs)
    29 {
    30     if ($cert =~ /Issuer: /)
    31     {
    32         $_ = $cert;
    33         if ($cert =~ /personal-freemail/)
    34         {
    35             $cert_alias = "thawtepersonalfreemailca";
    36         }
    37         elsif ($cert =~ /personal-basic/)
    38         {
    39             $cert_alias = "thawtepersonalbasicca";
    40         }
    41         elsif ($cert =~ /personal-premium/)
    42         {
    43             $cert_alias = "thawtepersonalpremiumca";
    44         }
    45         elsif ($cert =~ /server-certs/)
    46         {
    47             $cert_alias = "thawteserverca";
    48         }
    49         elsif ($cert =~ /premium-server/)
    50         {
    51             $cert_alias = "thawtepremiumserverca";
    52         }
    53         elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
    54         {
    55             $cert_alias = "verisignclass1ca";
    56         }
    57         elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
    58         {
    59             $cert_alias = "verisignclass1g2ca";
    60         }
    61         elsif ($cert =~
    62                /VeriSign Class 1 Public Primary Certification Authority - G3/)
    63         {
    64             $cert_alias = "verisignclass1g3ca";
    65         }
    66         elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
    67         {
    68             $cert_alias = "verisignclass2ca";
    69         }
    70         elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
    71         {
    72             $cert_alias = "verisignclass2g2ca";
    73         }
    74         elsif ($cert =~
    75                /VeriSign Class 2 Public Primary Certification Authority - G3/)
    76         {
    77             $cert_alias = "verisignclass2g3ca";
    78         }
    79         elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
    80         {
    81             $cert_alias = "verisignclass3ca";
    82         }
    83         # Version 1 of Class 3 Public Primary Certification Authority
    84         # - G2 is added.  Version 3 is excluded.  See below.
    85         elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
    86         {
    87             $cert_alias = "verisignclass3g2ca";
    88         }
    89         elsif ($cert =~
    90                /VeriSign Class 3 Public Primary Certification Authority - G3/)
    91         {
    92             $cert_alias = "verisignclass3g3ca";
    93         }
    94         elsif ($cert =~
    95                /RSA Data Security.*Secure Server Certification Authority/)
    96         {
    97             $cert_alias = "verisignserverca";
    98         }
    99         elsif ($cert =~ /GTE CyberTrust Global Root/)
   100         {
   101             $cert_alias = "gtecybertrustglobalca";
   102         }
   103         elsif ($cert =~ /Baltimore CyberTrust Root/)
   104         {
   105             $cert_alias = "baltimorecybertrustca";
   106         }
   107         elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
   108         {
   109             $cert_alias = "entrustclientca";
   110         }
   111         elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
   112         {
   113             $cert_alias = "entrustglobalclientca";
   114         }
   115         elsif ($cert =~ /www.entrust.net\/CPS_2048/)
   116         {
   117             $cert_alias = "entrust2048ca";
   118         }
   119         elsif ($cert =~ /www.entrust.net\/CPS /)
   120         {
   121             $cert_alias = "entrustsslca";
   122         }
   123         elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
   124         {
   125             $cert_alias = "entrustgsslca";
   126         }
   127         elsif ($cert =~ /The Go Daddy Group/)
   128         {
   129             $cert_alias = "godaddyclass2ca";
   130         }
   131         elsif ($cert =~ /Starfield Class 2 Certification Authority/)
   132         {
   133             $cert_alias = "starfieldclass2ca";
   134         }
   135         elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
   136         {
   137             $cert_alias = "valicertclass2ca";
   138         }
   139         elsif ($cert =~ /GeoTrust Global CA$/)
   140         {
   141             $cert_alias = "geotrustglobalca";
   142         }
   143         elsif ($cert =~ /Equifax Secure Certificate Authority/)
   144         {
   145             $cert_alias = "equifaxsecureca";
   146         }
   147         elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
   148         {
   149             $cert_alias = "equifaxsecureebusinessca1";
   150         }
   151         elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
   152         {
   153             $cert_alias = "equifaxsecureebusinessca2";
   154         }
   155         elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
   156         {
   157             $cert_alias = "equifaxsecureglobalebusinessca1";
   158         }
   159         elsif ($cert =~ /Sonera Class1 CA/)
   160         {
   161             $cert_alias = "soneraclass1ca";
   162         }
   163         elsif ($cert =~ /Sonera Class2 CA/)
   164         {
   165             $cert_alias = "soneraclass2ca";
   166         }
   167         elsif ($cert =~ /AAA Certificate Services/)
   168         {
   169             $cert_alias = "comodoaaaca";
   170         }
   171         elsif ($cert =~ /AddTrust Class 1 CA Root/)
   172         {
   173             $cert_alias = "addtrustclass1ca";
   174         }
   175         elsif ($cert =~ /AddTrust External CA Root/)
   176         {
   177             $cert_alias = "addtrustexternalca";
   178         }
   179         elsif ($cert =~ /AddTrust Qualified CA Root/)
   180         {
   181             $cert_alias = "addtrustqualifiedca";
   182         }
   183         elsif ($cert =~ /UTN-USERFirst-Hardware/)
   184         {
   185             $cert_alias = "utnuserfirsthardwareca";
   186         }
   187         elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
   188         {
   189             $cert_alias = "utnuserfirstclientauthemailca";
   190         }
   191         elsif ($cert =~ /UTN - DATACorp SGC/)
   192         {
   193             $cert_alias = "utndatacorpsgcca";
   194         }
   195         elsif ($cert =~ /UTN-USERFirst-Object/)
   196         {
   197             $cert_alias = "utnuserfirstobjectca";
   198         }
   199         elsif ($cert =~ /America Online Root Certification Authority 1/)
   200         {
   201             $cert_alias = "aolrootca1";
   202         }
   203         elsif ($cert =~ /DigiCert Assured ID Root CA/)
   204         {
   205             $cert_alias = "digicertassuredidrootca";
   206         }
   207         elsif ($cert =~ /DigiCert Global Root CA/)
   208         {
   209             $cert_alias = "digicertglobalrootca";
   210         }
   211         elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
   212         {
   213             $cert_alias = "digicerthighassuranceevrootca";
   214         }
   215         elsif ($cert =~ /GlobalSign Root CA$/)
   216         {
   217             $cert_alias = "globalsignca";
   218         }
   219         elsif ($cert =~ /GlobalSign Root CA - R2/)
   220         {
   221             $cert_alias = "globalsignr2ca";
   222         }
   223         elsif ($cert =~ /Elektronik.*Kas.*2005/)
   224         {
   225             $cert_alias = "extra-elektronikkas2005";
   226         }
   227         elsif ($cert =~ /Elektronik/)
   228         {
   229             $cert_alias = "extra-elektronik2005";
   230         }
   231         # Mozilla does not provide these certificates:
   232         #   baltimorecodesigningca
   233         #   gtecybertrust5ca
   234         #   trustcenterclass2caii
   235         #   trustcenterclass4caii
   236         #   trustcenteruniversalcai
   237         else
   238         {
   239             # Generate an alias using the OU and CN attributes of the
   240             # Issuer field if both are present, otherwise use only the
   241             # CN attribute.  The Issuer field must have either the OU
   242             # or the CN attribute.
   243             $_ = $cert;
   244             if ($cert =~ /OU=/)
   245             {
   246                 s/Issuer:.*?OU=//;
   247                 # Remove other occurrences of OU=.
   248                 s/OU=.*CN=//;
   249                 # Remove CN= if there were not other occurrences of OU=.
   250                 s/CN=//;
   251                 s/\/emailAddress.*//;
   252                 s/Certificate Authority/ca/g;
   253                 s/Certification Authority/ca/g;
   254             }
   255             elsif ($cert =~ /CN=/)
   256             {
   257                 s/Issuer:.*CN=//;
   258                 s/\/emailAddress.*//;
   259                 s/Certificate Authority/ca/g;
   260                 s/Certification Authority/ca/g;
   261             }
   262             s/\W//g;
   263             tr/A-Z/a-z/;
   264             $cert_alias = "extra-$_";
   265         }
   266     }
   267     # When it attempts to parse:
   268     #
   269     # Class 3 Public Primary Certification Authority - G2, Version 3
   270     #
   271     # keytool says:
   272     #
   273     # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
   274     # Unparseable AuthorityInfoAccess extension due to
   275     # java.io.IOException: Invalid encoding of URI
   276     #
   277     # If we do not exclude this file
   278     # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
   279     # on this cert, printing:
   280     #
   281     # Couldn't verify: java.security.SignatureException: Signature
   282     # does not match.
   283     #
   284     elsif ($cert =~
   285            /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
   286     {
   287         $write_current_cert = 0;
   288         $pem_file_count--;
   289     }
   290     elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
   291     {
   292         if ($in_cert_block != 0)
   293         {
   294             die "$file is malformed.";
   295         }
   296         $in_cert_block = 1;
   297         if ($write_current_cert == 1)
   298         {
   299             $pem_file_count++;
   300             open(PEM, ">$cert_alias.pem");
   301             print PEM $cert;
   302         }
   303     }
   304     elsif ($cert eq "-----END CERTIFICATE-----\n")
   305     {
   306         $in_cert_block = 0;
   307         if ($write_current_cert == 1)
   308         {
   309             print PEM $cert;
   310             close(PEM);
   311         }
   312         $write_current_cert = 1
   313     }
   314     else
   315     {
   316         if ($in_cert_block == 1 && $write_current_cert == 1)
   317         {
   318             print PEM $cert;
   319         }
   320     }
   321 }
   323 # Check that the correct number of .pem files were produced.
   324 @pem_files = <*.pem>;
   325 if (@pem_files != $pem_file_count)
   326 {
   327     print "$pem_file_count";
   328     die "Number of .pem files produced does not match".
   329         " number of certs read from $file.";
   330 }
   332 # Now store each cert in the 'cacerts' file using keytool.
   333 $certs_written_count = 0;
   334 foreach $pem_file (@pem_files)
   335 {
   336     system "/bin/echo yes | $ARGV[0] -import".
   337         " -alias `basename $pem_file .pem`".
   338         " -keystore cacerts -storepass 'changeit' -file $pem_file";
   339     unlink($pem_file);
   340     $certs_written_count++;
   341 }
   343 # Check that the correct number of certs were added to the keystore.
   344 if ($certs_written_count != $pem_file_count)
   345 {
   346     die "Number of certs added to keystore does not match".
   347         " number of certs read from $file.";
   348 }
