1 | #!/usr/bin/perl -w |
2 | ||
3 | use diagnostics; | |
4 | use Fcntl; | |
5 | ||
6 | # Copyright (C) 2007, 2008 Red Hat, Inc. | |
7 | # | |
8 | # This program is free software; you can redistribute it and/or modify | |
9 | # it under the terms of the GNU General Public License as published by | |
10 | # the Free Software Foundation; either version 2 of the License, or | |
11 | # (at your option) any later version. | |
12 | # | |
13 | # This program is distributed in the hope that it will be useful, | |
14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of | |
15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
16 | # GNU General Public License for more details. | |
17 | ||
18 | # generate-cacerts.pl generates a JKS keystore named 'cacerts' from | |
19 | # OpenSSL's certificate bundle using OpenJDK's keytool. | |
20 | ||
21 | # First extract each of OpenSSL's bundled certificates into its own | |
22 | # aliased filename. | |
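# The bundle to split is the second argument; the first names the keytool
# binary used further down to populate the keystore.
my $file = $ARGV[1];
die "usage: $0 <keytool> <certificate-bundle>\n" unless defined $file;
# Three-argument open: the file name is taken literally, so a value such
# as ">x" or "cmd |" cannot change the open mode (2-arg open would honour it).
open my $certs_fh, '<', $file or die "FAIL: could not open $file: $!";
my @certs = <$certs_fh>;
close $certs_fh;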
27 | ||
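# Ordered lookup table from a certificate's "Subject:" line to the alias
# that certificate has historically carried in the OpenJDK 'cacerts'
# keystore.  The first matching entry wins, so order matters: every
# "$"-anchored pattern must stay ahead of its "- G2" / "- G3" siblings.
my @alias_rules = (
    [ qr/personal-freemail/,                                           'thawtepersonalfreemailca' ],
    [ qr/personal-basic/,                                              'thawtepersonalbasicca' ],
    [ qr/personal-premium/,                                            'thawtepersonalpremiumca' ],
    [ qr/server-certs/,                                                'thawteserverca' ],
    [ qr/premium-server/,                                              'thawtepremiumserverca' ],
    [ qr/Class 1 Public Primary Certification Authority$/,             'verisignclass1ca' ],
    [ qr/Class 1 Public Primary Certification Authority - G2/,         'verisignclass1g2ca' ],
    [ qr/VeriSign Class 1 Public Primary Certification Authority - G3/, 'verisignclass1g3ca' ],
    [ qr/Class 2 Public Primary Certification Authority$/,             'verisignclass2ca' ],
    [ qr/Class 2 Public Primary Certification Authority - G2/,         'verisignclass2g2ca' ],
    [ qr/VeriSign Class 2 Public Primary Certification Authority - G3/, 'verisignclass2g3ca' ],
    [ qr/Class 3 Public Primary Certification Authority$/,             'verisignclass3ca' ],
    # Version 1 of Class 3 Public Primary Certification Authority - G2 is
    # added.  Version 3 is excluded: it does not carry the 1998 suffix.
    [ qr/Class 3 Public Primary Certification Authority - G2.*1998/,   'verisignclass3g2ca' ],
    [ qr/VeriSign Class 3 Public Primary Certification Authority - G3/, 'verisignclass3g3ca' ],
    [ qr/RSA Data Security.*Secure Server Certification Authority/,    'rsaserverca' ],
    [ qr/GTE CyberTrust Global Root/,                                  'gtecybertrustglobalca' ],
    [ qr/Baltimore CyberTrust Root/,                                   'baltimorecybertrustca' ],
    [ qr{www.entrust.net/Client_CA_Info/CPS},                          'entrustclientca' ],
    [ qr{www.entrust.net/GCCA_CPS},                                    'entrustglobalclientca' ],
    [ qr{www.entrust.net/CPS_2048},                                    'entrust2048ca' ],
    [ qr{www.entrust.net/CPS incorp },                                 'entrustsslca' ],
    [ qr{www.entrust.net/SSL_CPS},                                     'entrustgsslca' ],
    [ qr/The Go Daddy Group/,                                          'godaddyclass2ca' ],
    [ qr/Starfield Class 2 Certification Authority/,                   'starfieldclass2ca' ],
    [ qr/ValiCert Class 2 Policy Validation Authority/,                'valicertclass2ca' ],
    [ qr/GeoTrust Global CA$/,                                         'geotrustglobalca' ],
    [ qr/Equifax Secure Certificate Authority/,                        'equifaxsecureca' ],
    [ qr/Equifax Secure eBusiness CA-1/,                               'equifaxsecureebusinessca1' ],
    [ qr/Equifax Secure eBusiness CA-2/,                               'equifaxsecureebusinessca2' ],
    [ qr/Equifax Secure Global eBusiness CA-1/,                        'equifaxsecureglobalebusinessca1' ],
    [ qr/Sonera Class1 CA/,                                            'soneraclass1ca' ],
    [ qr/Sonera Class2 CA/,                                            'soneraclass2ca' ],
    [ qr/AAA Certificate Services/,                                    'comodoaaaca' ],
    [ qr/AddTrust Class 1 CA Root/,                                    'addtrustclass1ca' ],
    [ qr/AddTrust External CA Root/,                                   'addtrustexternalca' ],
    [ qr/AddTrust Qualified CA Root/,                                  'addtrustqualifiedca' ],
    [ qr/UTN-USERFirst-Hardware/,                                      'utnuserfirsthardwareca' ],
    [ qr/UTN-USERFirst-Client Authentication and Email/,               'utnuserfirstclientauthemailca' ],
    [ qr/UTN - DATACorp SGC/,                                          'utndatacorpsgcca' ],
    [ qr/UTN-USERFirst-Object/,                                        'utnuserfirstobjectca' ],
    [ qr/America Online Root Certification Authority 1/,               'aolrootca1' ],
    [ qr/DigiCert Assured ID Root CA/,                                 'digicertassuredidrootca' ],
    [ qr/DigiCert Global Root CA/,                                     'digicertglobalrootca' ],
    [ qr/DigiCert High Assurance EV Root CA/,                          'digicerthighassuranceevrootca' ],
    [ qr/GlobalSign Root CA$/,                                         'globalsignca' ],
    [ qr/GlobalSign Root CA - R2/,                                     'globalsignr2ca' ],
    [ qr/Elektronik.*Kas.*2005/,                                       'extra-elektronikkas2005' ],
    [ qr/Muntaner 244 Barcelona.*Firmaprofesional/,                    'extra-oldfirmaprofesional' ],
);
# Mozilla does not provide these certificates, so they have no rule:
#   baltimorecodesigningca, gtecybertrust5ca, trustcenterclass2caii,
#   trustcenterclass4caii, trustcenteruniversalcai

# Return the keystore alias for one "Subject:" line of the OpenSSL text
# dump.  Well-known CAs get their historical alias from @alias_rules;
# anything else gets a generated "extra-..." alias built from the OU and
# CN attributes (both when present, otherwise the CN alone).  The Subject
# is expected to carry at least one of the two.
sub _alias_for_subject {
    my ($subject) = @_;

    for my $rule (@alias_rules) {
        my ($pattern, $alias) = @{$rule};
        return $alias if $subject =~ $pattern;
    }

    # local $_ so the substitutions below cannot clobber a caller's $_.
    local $_ = $subject;
    if (/OU=/) {
        s/Subject:.*?OU=//;
        # Remove any further occurrences of OU= up to the CN.
        s/OU=.*CN=//;
        # Remove CN= if there were no further occurrences of OU=.
        s/CN=//;
        s{/emailAddress.*}{};
        s/Certificate Authority/ca/g;
        s/Certification Authority/ca/g;
    }
    elsif (/CN=/) {
        s/Subject:.*CN=//;
        s{/emailAddress.*}{};
        s/Certificate Authority/ca/g;
        s/Certification Authority/ca/g;
    }
    # Keep only [A-Za-z0-9_] so the alias is a safe file name and keytool
    # alias, then lower-case it.
    s/\W//g;
    tr/A-Z/a-z/;
    return "extra-$_";
}

my $pem_file_count     = 0;   # certificates written out as .pem files
my $in_cert_block      = 0;   # 1 while between BEGIN/END CERTIFICATE lines
my $write_current_cert = 1;   # 0 once the current certificate is to be skipped
my $cert_alias;               # alias of the certificate currently being read
my $pem_fh;                   # handle of the .pem file currently being written

foreach my $cert (@certs)
{
    if ($cert =~ /Certificate:\n/)
    {
        print "New certificate...\n";
    }
    elsif ($cert =~ /Subject: /)
    {
        $cert_alias = _alias_for_subject($cert);
        print "$cert => alias $cert_alias\n";
    }
    elsif ($cert =~ /Signature Algorithm: ecdsa/)
    {
        # Ignore ECC certs since keytool rejects them.
        $write_current_cert = 0;
        print " => ignoring ECC certificate\n";
    }
    elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
    {
        die "FAIL: $file is malformed." if $in_cert_block != 0;
        $in_cert_block = 1;
        if ($write_current_cert == 1)
        {
            # A PEM block with no preceding Subject line has no alias; bail
            # out rather than writing to a file literally named ".pem".
            die "FAIL: $file is malformed: certificate without a Subject line."
                unless defined $cert_alias;
            $pem_file_count++;
            # O_EXCL refuses to clobber an existing file.  If this alias was
            # already written (duplicate subject in the bundle, or a stale
            # file in the working directory) fall back to "<alias>.1" once;
            # the file name and the alias printed below now agree.
            unless (sysopen($pem_fh, "$cert_alias.pem", O_WRONLY | O_CREAT | O_EXCL))
            {
                $cert_alias = "$cert_alias.1";
                sysopen($pem_fh, "$cert_alias.pem", O_WRONLY | O_CREAT | O_EXCL)
                    or die "FAIL: could not open file for $cert_alias.pem: $!";
            }
            print {$pem_fh} $cert;
            print " => writing $cert_alias.pem...\n";
        }
    }
    elsif ($cert eq "-----END CERTIFICATE-----\n")
    {
        $in_cert_block = 0;
        if ($write_current_cert == 1)
        {
            print {$pem_fh} $cert;
            # Buffered write errors only surface at close; a truncated .pem
            # would otherwise slip past the file-count check that follows.
            close $pem_fh or die "FAIL: could not write $cert_alias.pem: $!";
        }
        $write_current_cert = 1;
    }
    elsif ($in_cert_block == 1 && $write_current_cert == 1)
    {
        print {$pem_fh} $cert;
    }
}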
318 | ||
319 | # Check that the correct number of .pem files were produced. | |
# Every certificate written above must show up as exactly one .pem file in
# the working directory; a stray or missing file makes the counts differ.
my @pem_files = glob '*.pem';
my $pem_files_found = scalar @pem_files;
if ($pem_files_found != $pem_file_count)
{
    print "$pem_file_count != $pem_files_found\n";
    die "FAIL: Number of .pem files produced does not match"
      . " number of certs read from $file.";
}
327 | ||
328 | # Now store each cert in the 'cacerts' file using keytool. | |
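my $certs_written_count = 0;
# $ARGV[0] names the keytool binary.  Split it on whitespace so a value
# such as "keytool -J-Xmx256m" keeps working now that no shell is involved.
my @keytool = split ' ', $ARGV[0];
foreach my $pem_file (@pem_files)
{
    # The keystore alias is the .pem file name without its extension (the
    # glob above yields bare names, so there is no directory part to strip).
    (my $alias = $pem_file) =~ s/\.pem\z//;
    print "+ Adding $pem_file...\n";
    # List-form system() hands every argument to keytool verbatim instead
    # of through /bin/sh, so neither the file name nor the alias can be
    # reinterpreted as shell syntax.
    my @cmd = (@keytool, '-import', '-alias', $alias,
        '-keystore', 'cacerts', '-noprompt',
        '-storepass', 'changeit', '-file', $pem_file);
    if (system(@cmd) == 0)
    {
        $certs_written_count++;
    }
    else
    {
        print "FAILED\n";
    }
}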
341 | ||
342 | # Check that the correct number of certs were added to the keystore. | |
# Every .pem file must have made it into the keystore.
die "FAIL: Number of certs added to keystore does not match"
  . " number of certs read from $file."
  unless $certs_written_count == $pem_file_count;