]>
git.ipfire.org Git - people/amarx/ipfire-3.x.git/blob - ca-certificates/generate-cacerts.pl
6 # Copyright (C) 2007, 2008 Red Hat, Inc.
8 # This program is free software; you can redistribute it and/or modify
9 # it under the terms of the GNU General Public License as published by
10 # the Free Software Foundation; either version 2 of the License, or
11 # (at your option) any later version.
13 # This program is distributed in the hope that it will be useful,
14 # but WITHOUT ANY WARRANTY; without even the implied warranty of
15 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 # GNU General Public License for more details.
18 # generate-cacerts.pl generates a JKS keystore named 'cacerts' from
19 # OpenSSL's certificate bundle using OpenJDK's keytool.
21 # First extract each of OpenSSL's bundled certificates into its own
30 $write_current_cert = 1;
31 foreach $cert (@certs)
33 if ($cert =~ "Certificate:\n")
35 print "New certificate...\n";
37 elsif ($cert =~ /Subject: /)
40 if ($cert =~ /personal-freemail/)
42 $cert_alias = "thawtepersonalfreemailca";
44 elsif ($cert =~ /personal-basic/)
46 $cert_alias = "thawtepersonalbasicca";
48 elsif ($cert =~ /personal-premium/)
50 $cert_alias = "thawtepersonalpremiumca";
52 elsif ($cert =~ /server-certs/)
54 $cert_alias = "thawteserverca";
56 elsif ($cert =~ /premium-server/)
58 $cert_alias = "thawtepremiumserverca";
60 elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
62 $cert_alias = "verisignclass1ca";
64 elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
66 $cert_alias = "verisignclass1g2ca";
69 /VeriSign Class 1 Public Primary Certification Authority - G3/)
71 $cert_alias = "verisignclass1g3ca";
73 elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
75 $cert_alias = "verisignclass2ca";
77 elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
79 $cert_alias = "verisignclass2g2ca";
82 /VeriSign Class 2 Public Primary Certification Authority - G3/)
84 $cert_alias = "verisignclass2g3ca";
86 elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
88 $cert_alias = "verisignclass3ca";
90 # Version 1 of Class 3 Public Primary Certification Authority
91 # - G2 is added. Version 3 is excluded. See below.
92 elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2.*1998/)
94 $cert_alias = "verisignclass3g2ca";
97 /VeriSign Class 3 Public Primary Certification Authority - G3/)
99 $cert_alias = "verisignclass3g3ca";
102 /RSA Data Security.*Secure Server Certification Authority/)
104 $cert_alias = "rsaserverca";
106 elsif ($cert =~ /GTE CyberTrust Global Root/)
108 $cert_alias = "gtecybertrustglobalca";
110 elsif ($cert =~ /Baltimore CyberTrust Root/)
112 $cert_alias = "baltimorecybertrustca";
114 elsif ($cert =~ /www.entrust.net\/Client_CA_Info\
/CPS/)
116 $cert_alias = "entrustclientca";
118 elsif ($cert =~ /www.entrust.net\/GCCA_CPS
/)
120 $cert_alias = "entrustglobalclientca";
122 elsif ($cert =~ /www.entrust.net\/CPS_2048
/)
124 $cert_alias = "entrust2048ca";
126 elsif ($cert =~ /www.entrust.net\/CPS incorp
/)
128 $cert_alias = "entrustsslca";
130 elsif ($cert =~ /www.entrust.net\/SSL_CPS
/)
132 $cert_alias = "entrustgsslca";
134 elsif ($cert =~ /The Go Daddy Group/)
136 $cert_alias = "godaddyclass2ca";
138 elsif ($cert =~ /Starfield Class 2 Certification Authority/)
140 $cert_alias = "starfieldclass2ca";
142 elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
144 $cert_alias = "valicertclass2ca";
146 elsif ($cert =~ /GeoTrust Global CA$/)
148 $cert_alias = "geotrustglobalca";
150 elsif ($cert =~ /Equifax Secure Certificate Authority/)
152 $cert_alias = "equifaxsecureca";
154 elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
156 $cert_alias = "equifaxsecureebusinessca1";
158 elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
160 $cert_alias = "equifaxsecureebusinessca2";
162 elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
164 $cert_alias = "equifaxsecureglobalebusinessca1";
166 elsif ($cert =~ /Sonera Class1 CA/)
168 $cert_alias = "soneraclass1ca";
170 elsif ($cert =~ /Sonera Class2 CA/)
172 $cert_alias = "soneraclass2ca";
174 elsif ($cert =~ /AAA Certificate Services/)
176 $cert_alias = "comodoaaaca";
178 elsif ($cert =~ /AddTrust Class 1 CA Root/)
180 $cert_alias = "addtrustclass1ca";
182 elsif ($cert =~ /AddTrust External CA Root/)
184 $cert_alias = "addtrustexternalca";
186 elsif ($cert =~ /AddTrust Qualified CA Root/)
188 $cert_alias = "addtrustqualifiedca";
190 elsif ($cert =~ /UTN-USERFirst-Hardware/)
192 $cert_alias = "utnuserfirsthardwareca";
194 elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
196 $cert_alias = "utnuserfirstclientauthemailca";
198 elsif ($cert =~ /UTN - DATACorp SGC/)
200 $cert_alias = "utndatacorpsgcca";
202 elsif ($cert =~ /UTN-USERFirst-Object/)
204 $cert_alias = "utnuserfirstobjectca";
206 elsif ($cert =~ /America Online Root Certification Authority 1/)
208 $cert_alias = "aolrootca1";
210 elsif ($cert =~ /DigiCert Assured ID Root CA/)
212 $cert_alias = "digicertassuredidrootca";
214 elsif ($cert =~ /DigiCert Global Root CA/)
216 $cert_alias = "digicertglobalrootca";
218 elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
220 $cert_alias = "digicerthighassuranceevrootca";
222 elsif ($cert =~ /GlobalSign Root CA$/)
224 $cert_alias = "globalsignca";
226 elsif ($cert =~ /GlobalSign Root CA - R2/)
228 $cert_alias = "globalsignr2ca";
230 elsif ($cert =~ /Elektronik.*Kas.*2005/)
232 $cert_alias = "extra-elektronikkas2005";
234 elsif ($cert =~ /Muntaner 244 Barcelona.*Firmaprofesional/)
236 $cert_alias = "extra-oldfirmaprofesional";
238 # Mozilla does not provide these certificates:
239 # baltimorecodesigningca
241 # trustcenterclass2caii
242 # trustcenterclass4caii
243 # trustcenteruniversalcai
246 # Generate an alias using the OU and CN attributes of the
247 # Subject field if both are present, otherwise use only the
248 # CN attribute. The Subject field must have either the OU
249 # or the CN attribute.
254 # Remove other occurrences of OU=.
256 # Remove CN= if there were not other occurrences of OU=.
258 s/\/emailAddress.*//;
259 s/Certificate Authority/ca/g;
260 s/Certification Authority/ca/g;
262 elsif ($cert =~ /CN=/)
265 s/\/emailAddress.*//;
266 s/Certificate Authority/ca/g;
267 s/Certification Authority/ca/g;
271 $cert_alias = "extra-$_";
273 print "$cert => alias $cert_alias\n";
275 elsif ($cert =~ "Signature Algorithm: ecdsa")
277 # Ignore ECC certs since keytool rejects them
278 $write_current_cert = 0;
279 print " => ignoring ECC certificate\n";
281 elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
283 if ($in_cert_block != 0)
285 die "FAIL: $file is malformed.";
288 if ($write_current_cert == 1)
291 if (!sysopen(PEM
, "$cert_alias.pem", O_WRONLY
|O_CREAT
|O_EXCL
)) {
292 $cert_alias = "$cert_alias.1";
293 sysopen(PEM
, "$cert_alias.1.pem", O_WRONLY
|O_CREAT
|O_EXCL
)
294 || die("FAIL: could not open file for $cert_alias.pem: $!");
297 print " => writing $cert_alias.pem...\n";
300 elsif ($cert eq "-----END CERTIFICATE-----\n")
303 if ($write_current_cert == 1)
308 $write_current_cert = 1
312 if ($in_cert_block == 1 && $write_current_cert == 1)
319 # Check that the correct number of .pem files were produced.
320 @pem_files = <*.pem
>;
321 if (@pem_files != $pem_file_count)
323 print "$pem_file_count != ".@pem_files."\n";
324 die "FAIL: Number of .pem files produced does not match".
325 " number of certs read from $file.";
328 # Now store each cert in the 'cacerts' file using keytool.
329 $certs_written_count = 0;
330 foreach $pem_file (@pem_files)
332 print "+ Adding $pem_file...\n";
333 if (system("$ARGV[0] -import".
334 " -alias `basename $pem_file .pem`".
335 " -keystore cacerts -noprompt -storepass 'changeit' -file $pem_file") == 0) {
336 $certs_written_count++;
342 # Check that the correct number of certs were added to the keystore.
343 if ($certs_written_count != $pem_file_count)
345 die "FAIL: Number of certs added to keystore does not match".
346 " number of certs read from $file.";