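#!/usr/bin/perl -w

use strict;
use warnings;
use diagnostics;
use Errno qw(EEXIST);
use Fcntl;

# Copyright (C) 2007, 2008 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.

# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
# OpenSSL's certificate bundle using OpenJDK's keytool.
#
# Usage: generate-cacerts.pl KEYTOOL CERT_BUNDLE
#
#   KEYTOOL      path of the keytool executable.  It is executed directly
#                (no shell), so it must be a program path, not a command
#                line with extra options.
#   CERT_BUNDLE  text bundle in which every certificate is a text dump
#                ("Certificate:", "Subject: ...", "Signature Algorithm: ...")
#                followed by its "-----BEGIN/END CERTIFICATE-----" block.
#
# Each certificate is written to "<alias>.pem" in the current directory and
# then imported into 'cacerts' under that alias.

# Known roots, keyed by a pattern matched against the "Subject:" line.
# Order matters: the first matching pattern wins, which is why the
# unversioned VeriSign/GlobalSign entries are anchored with '$' and listed
# before their G2/G3/R2 siblings.  Patterns use {} delimiters so the
# entrust.net URLs need no escaping; note the trailing space in the
# "CPS incorp " pattern, it is part of the match.
my @ALIAS_TABLE = (
    [ qr{personal-freemail}, 'thawtepersonalfreemailca' ],
    [ qr{personal-basic},    'thawtepersonalbasicca' ],
    [ qr{personal-premium},  'thawtepersonalpremiumca' ],
    [ qr{server-certs},      'thawteserverca' ],
    [ qr{premium-server},    'thawtepremiumserverca' ],
    [ qr{Class 1 Public Primary Certification Authority$},              'verisignclass1ca' ],
    [ qr{Class 1 Public Primary Certification Authority - G2},          'verisignclass1g2ca' ],
    [ qr{VeriSign Class 1 Public Primary Certification Authority - G3}, 'verisignclass1g3ca' ],
    [ qr{Class 2 Public Primary Certification Authority$},              'verisignclass2ca' ],
    [ qr{Class 2 Public Primary Certification Authority - G2},          'verisignclass2g2ca' ],
    [ qr{VeriSign Class 2 Public Primary Certification Authority - G3}, 'verisignclass2g3ca' ],
    [ qr{Class 3 Public Primary Certification Authority$},              'verisignclass3ca' ],
    # Version 1 of Class 3 Public Primary Certification Authority
    # - G2 is added. Version 3 is excluded. See below.
    [ qr{Class 3 Public Primary Certification Authority - G2.*1998},    'verisignclass3g2ca' ],
    [ qr{VeriSign Class 3 Public Primary Certification Authority - G3}, 'verisignclass3g3ca' ],
    [ qr{RSA Data Security.*Secure Server Certification Authority},     'rsaserverca' ],
    [ qr{GTE CyberTrust Global Root},       'gtecybertrustglobalca' ],
    [ qr{Baltimore CyberTrust Root},        'baltimorecybertrustca' ],
    [ qr{www.entrust.net/Client_CA_Info/CPS}, 'entrustclientca' ],
    [ qr{www.entrust.net/GCCA_CPS},         'entrustglobalclientca' ],
    [ qr{www.entrust.net/CPS_2048},         'entrust2048ca' ],
    [ qr{www.entrust.net/CPS incorp },      'entrustsslca' ],
    [ qr{www.entrust.net/SSL_CPS},          'entrustgsslca' ],
    [ qr{The Go Daddy Group},               'godaddyclass2ca' ],
    [ qr{Starfield Class 2 Certification Authority},      'starfieldclass2ca' ],
    [ qr{ValiCert Class 2 Policy Validation Authority},   'valicertclass2ca' ],
    [ qr{GeoTrust Global CA$},              'geotrustglobalca' ],
    [ qr{Equifax Secure Certificate Authority},     'equifaxsecureca' ],
    [ qr{Equifax Secure eBusiness CA-1},            'equifaxsecureebusinessca1' ],
    [ qr{Equifax Secure eBusiness CA-2},            'equifaxsecureebusinessca2' ],
    [ qr{Equifax Secure Global eBusiness CA-1},     'equifaxsecureglobalebusinessca1' ],
    [ qr{Sonera Class1 CA},                 'soneraclass1ca' ],
    [ qr{Sonera Class2 CA},                 'soneraclass2ca' ],
    [ qr{AAA Certificate Services},         'comodoaaaca' ],
    [ qr{AddTrust Class 1 CA Root},         'addtrustclass1ca' ],
    [ qr{AddTrust External CA Root},        'addtrustexternalca' ],
    [ qr{AddTrust Qualified CA Root},       'addtrustqualifiedca' ],
    [ qr{UTN-USERFirst-Hardware},           'utnuserfirsthardwareca' ],
    [ qr{UTN-USERFirst-Client Authentication and Email}, 'utnuserfirstclientauthemailca' ],
    [ qr{UTN - DATACorp SGC},               'utndatacorpsgcca' ],
    [ qr{UTN-USERFirst-Object},             'utnuserfirstobjectca' ],
    [ qr{America Online Root Certification Authority 1}, 'aolrootca1' ],
    [ qr{DigiCert Assured ID Root CA},      'digicertassuredidrootca' ],
    [ qr{DigiCert Global Root CA},          'digicertglobalrootca' ],
    [ qr{DigiCert High Assurance EV Root CA}, 'digicerthighassuranceevrootca' ],
    [ qr{GlobalSign Root CA$},              'globalsignca' ],
    [ qr{GlobalSign Root CA - R2},          'globalsignr2ca' ],
    [ qr{Elektronik.*Kas.*2005},            'extra-elektronikkas2005' ],
    [ qr{Muntaner 244 Barcelona.*Firmaprofesional}, 'extra-oldfirmaprofesional' ],
);
# Mozilla does not provide these certificates:
# baltimorecodesigningca
# gtecybertrust5ca
# trustcenterclass2caii
# trustcenterclass4caii
# trustcenteruniversalcai

# Return the keystore alias for the certificate whose "Subject:" line is
# $subject: the fixed name from @ALIAS_TABLE when the root is known, or an
# "extra-..." name derived from the Subject's OU/CN attributes otherwise.
sub alias_for_subject {
    my ($subject) = @_;
    for my $entry (@ALIAS_TABLE) {
        my ($pattern, $alias) = @{$entry};
        return $alias if $subject =~ $pattern;
    }
    return _derived_alias($subject);
}

# Generate an alias using the OU and CN attributes of the Subject field if
# both are present, otherwise use only the CN attribute.  The Subject field
# must have either the OU or the CN attribute.  The result is lower-cased
# and reduced to [A-Za-z0-9_], so it cannot carry path separators, shell
# metacharacters or whitespace into the file name or the keytool alias.
sub _derived_alias {
    my ($subject) = @_;
    my $name = $subject;
    if ($name =~ /OU=/) {
        $name =~ s/Subject:.*?OU=//;
        # Remove other occurrences of OU=.
        $name =~ s/OU=.*CN=//;
        # Remove CN= if there were not other occurrences of OU=.
        $name =~ s/CN=//;
        $name =~ s/\/emailAddress.*//;
        $name =~ s/Certificate Authority/ca/g;
        $name =~ s/Certification Authority/ca/g;
    }
    elsif ($name =~ /CN=/) {
        $name =~ s/Subject:.*CN=//;
        $name =~ s/\/emailAddress.*//;
        $name =~ s/Certificate Authority/ca/g;
        $name =~ s/Certification Authority/ca/g;
    }
    $name =~ s/\W//g;
    $name =~ tr/A-Z/a-z/;
    return "extra-$name";
}

# Create "<alias>.pem" for writing without ever clobbering an existing
# file.  When that name is taken (a duplicate Subject, or a stale file from
# an earlier run) fall back to "<alias>.1.pem", "<alias>.2.pem", ... so the
# number of files written stays in step with the number of certificates.
# Returns (filehandle, filename); dies on any error other than EEXIST.
sub _create_pem_file {
    my ($alias) = @_;
    my $max_suffix = 100;    # only bounds the loop; collisions are rare
    for my $n (0 .. $max_suffix) {
        my $name = $n == 0 ? "$alias.pem" : "$alias.$n.pem";
        my $fh;
        if (sysopen($fh, $name, O_WRONLY | O_CREAT | O_EXCL)) {
            return ($fh, $name);
        }
        die "FAIL: could not open file $name: $!" unless $!{EEXIST};
    }
    die "FAIL: too many .pem files already exist for alias $alias.";
}

die "usage: $0 KEYTOOL CERT_BUNDLE\n" unless @ARGV == 2;
my ($keytool, $file) = @ARGV;

# Three-argument open: the bundle path comes from the command line and must
# be treated as a plain file name, never as an open mode or a pipe.
open my $certs_fh, '<', $file or die "FAIL: could not open $file: $!";
my @certs = <$certs_fh>;
close $certs_fh;

# First extract each of OpenSSL's bundled certificates into its own
# aliased filename.
my $pem_file_count     = 0;
my $in_cert_block      = 0;    # 1 while inside a BEGIN/END CERTIFICATE block
my $write_current_cert = 1;    # 0 once the current cert is known to be ECC
my $cert_alias;                # alias chosen from the most recent Subject: line
my $pem_fh;                    # handle of the .pem file currently being written

foreach my $cert (@certs) {
    if ($cert =~ /Certificate:\n/) {
        print "New certificate...\n";
        # A new text dump starts; forget the previous alias so a cert that
        # lacks a Subject: line is reported instead of written under the
        # previous cert's name.
        undef $cert_alias;
    }
    elsif ($cert =~ /Subject: /) {
        $cert_alias = alias_for_subject($cert);
        print "$cert => alias $cert_alias\n";
    }
    elsif ($cert =~ /Signature Algorithm: ecdsa/) {
        # Ignore ECC certs since keytool rejects them
        $write_current_cert = 0;
        print " => ignoring ECC certificate\n";
    }
    elsif ($cert eq "-----BEGIN CERTIFICATE-----\n") {
        die "FAIL: $file is malformed." if $in_cert_block != 0;
        $in_cert_block = 1;
        if ($write_current_cert == 1) {
            die "FAIL: $file is malformed: certificate without a Subject line."
                unless defined $cert_alias;
            $pem_file_count++;
            my $pem_name;
            ($pem_fh, $pem_name) = _create_pem_file($cert_alias);
            print {$pem_fh} $cert;
            print " => writing $pem_name...\n";
        }
    }
    elsif ($cert eq "-----END CERTIFICATE-----\n") {
        die "FAIL: $file is malformed." if $in_cert_block != 1;
        $in_cert_block = 0;
        if ($write_current_cert == 1) {
            print {$pem_fh} $cert;
            # Buffered write errors only surface at close.
            close $pem_fh or die "FAIL: could not write .pem file: $!";
            undef $pem_fh;
        }
        $write_current_cert = 1;
    }
    elsif ($in_cert_block == 1 && $write_current_cert == 1) {
        print {$pem_fh} $cert;
    }
}

# Check that the correct number of .pem files were produced.  Any *.pem
# already present in the working directory is counted here as well and
# makes the check fail, so run from a clean directory.
my @pem_files = glob('*.pem');
if (@pem_files != $pem_file_count) {
    print "$pem_file_count != " . scalar(@pem_files) . "\n";
    die "FAIL: Number of .pem files produced does not match"
        . " number of certs read from $file.";
}

# Now store each cert in the 'cacerts' file using keytool.  The command is
# run in list form so that neither the keytool path nor the file names pass
# through a shell; the alias is the file name minus its .pem suffix (the
# same value `basename FILE .pem` gives).  'changeit' is the stock password
# of the JDK cacerts keystore, not a secret.
my $certs_written_count = 0;
foreach my $pem_file (@pem_files) {
    print "+ Adding $pem_file...\n";
    (my $alias = $pem_file) =~ s/\.pem\z//;
    my @cmd = (
        $keytool, '-import',
        '-alias',     $alias,
        '-keystore',  'cacerts',
        '-noprompt',
        '-storepass', 'changeit',
        '-file',      $pem_file,
    );
    if (system(@cmd) == 0) {
        $certs_written_count++;
    }
    else {
        print "FAILED\n";
    }
}

# Check that the correct number of certs were added to the keystore.
if ($certs_written_count != $pem_file_count) {
    die "FAIL: Number of certs added to keystore does not match"
        . " number of certs read from $file.";
}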