Context Navigation

source: npl/java/openjdk/scripts/generate-cacerts.pl

Last change on this file was 981dbbc, checked in by Edwin Eefting <edwin@datux.nl>, 7 years ago
build openjdk, not used yet
Property mode set to `100644`
File size: 10.8 KB

Rev	Line
[981dbbc]	1	#!/usr/bin/perl -w
	2
	3	# Obtained from "http://pkgs.fedoraproject.org/gitweb/?p=ca-certificates.git;a=blob_plain;f=generate-cacerts.pl;hb=HEAD"
	4
	5	use diagnostics;
	6	use Fcntl;
	7
	8	# Copyright (C) 2007, 2008 Red Hat, Inc.
	9	#
	10	# This program is free software; you can redistribute it and/or modify
	11	# it under the terms of the GNU General Public License as published by
	12	# the Free Software Foundation; either version 2 of the License, or
	13	# (at your option) any later version.
	14	#
	15	# This program is distributed in the hope that it will be useful,
	16	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	18	# GNU General Public License for more details.
	19
	20	# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
	21	# OpenSSL's certificate bundle using OpenJDK's keytool.
	22
	23	# First extract each of OpenSSL's bundled certificates into its own
	24	# aliased filename.
	25	$file = $ARGV[1];
	26	open(CERTS, $file);
	27	@certs = <CERTS>;
	28	close(CERTS);
	29
	30	$pem_file_count = 0;
	31	$in_cert_block = 0;
	32	$write_current_cert = 1;
	33	foreach $cert (@certs)
	34	{
	35	if ($cert =~ "Certificate:\n")
	36	{
	37	print "New certificate...\n";
	38	}
	39	elsif ($cert =~ /Subject: /)
	40	{
	41	$_ = $cert;
	42	if ($cert =~ /personal-freemail/)
	43	{
	44	$cert_alias = "thawtepersonalfreemailca";
	45	}
	46	elsif ($cert =~ /personal-basic/)
	47	{
	48	$cert_alias = "thawtepersonalbasicca";
	49	}
	50	elsif ($cert =~ /personal-premium/)
	51	{
	52	$cert_alias = "thawtepersonalpremiumca";
	53	}
	54	elsif ($cert =~ /server-certs/)
	55	{
	56	$cert_alias = "thawteserverca";
	57	}
	58	elsif ($cert =~ /premium-server/)
	59	{
	60	$cert_alias = "thawtepremiumserverca";
	61	}
	62	elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
	63	{
	64	$cert_alias = "verisignclass1ca";
	65	}
	66	elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
	67	{
	68	$cert_alias = "verisignclass1g2ca";
	69	}
	70	elsif ($cert =~
	71	/VeriSign Class 1 Public Primary Certification Authority - G3/)
	72	{
	73	$cert_alias = "verisignclass1g3ca";
	74	}
	75	elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
	76	{
	77	$cert_alias = "verisignclass2ca";
	78	}
	79	elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
	80	{
	81	$cert_alias = "verisignclass2g2ca";
	82	}
	83	elsif ($cert =~
	84	/VeriSign Class 2 Public Primary Certification Authority - G3/)
	85	{
	86	$cert_alias = "verisignclass2g3ca";
	87	}
	88	elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
	89	{
	90	$cert_alias = "verisignclass3ca";
	91	}
	92	# Version 1 of Class 3 Public Primary Certification Authority
	93	# - G2 is added. Version 3 is excluded. See below.
	94	elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2.*1998/)
	95	{
	96	$cert_alias = "verisignclass3g2ca";
	97	}
	98	elsif ($cert =~
	99	/VeriSign Class 3 Public Primary Certification Authority - G3/)
	100	{
	101	$cert_alias = "verisignclass3g3ca";
	102	}
	103	elsif ($cert =~
	104	/RSA Data Security.*Secure Server Certification Authority/)
	105	{
	106	$cert_alias = "rsaserverca";
	107	}
	108	elsif ($cert =~ /GTE CyberTrust Global Root/)
	109	{
	110	$cert_alias = "gtecybertrustglobalca";
	111	}
	112	elsif ($cert =~ /Baltimore CyberTrust Root/)
	113	{
	114	$cert_alias = "baltimorecybertrustca";
	115	}
	116	elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
	117	{
	118	$cert_alias = "entrustclientca";
	119	}
	120	elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
	121	{
	122	$cert_alias = "entrustglobalclientca";
	123	}
	124	elsif ($cert =~ /www.entrust.net\/CPS_2048/)
	125	{
	126	$cert_alias = "entrust2048ca";
	127	}
	128	elsif ($cert =~ /www.entrust.net\/CPS incorp /)
	129	{
	130	$cert_alias = "entrustsslca";
	131	}
	132	elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
	133	{
	134	$cert_alias = "entrustgsslca";
	135	}
	136	elsif ($cert =~ /The Go Daddy Group/)
	137	{
	138	$cert_alias = "godaddyclass2ca";
	139	}
	140	elsif ($cert =~ /Starfield Class 2 Certification Authority/)
	141	{
	142	$cert_alias = "starfieldclass2ca";
	143	}
	144	elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
	145	{
	146	$cert_alias = "valicertclass2ca";
	147	}
	148	elsif ($cert =~ /GeoTrust Global CA$/)
	149	{
	150	$cert_alias = "geotrustglobalca";
	151	}
	152	elsif ($cert =~ /Equifax Secure Certificate Authority/)
	153	{
	154	$cert_alias = "equifaxsecureca";
	155	}
	156	elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
	157	{
	158	$cert_alias = "equifaxsecureebusinessca1";
	159	}
	160	elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
	161	{
	162	$cert_alias = "equifaxsecureebusinessca2";
	163	}
	164	elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
	165	{
	166	$cert_alias = "equifaxsecureglobalebusinessca1";
	167	}
	168	elsif ($cert =~ /Sonera Class1 CA/)
	169	{
	170	$cert_alias = "soneraclass1ca";
	171	}
	172	elsif ($cert =~ /Sonera Class2 CA/)
	173	{
	174	$cert_alias = "soneraclass2ca";
	175	}
	176	elsif ($cert =~ /AAA Certificate Services/)
	177	{
	178	$cert_alias = "comodoaaaca";
	179	}
	180	elsif ($cert =~ /AddTrust Class 1 CA Root/)
	181	{
	182	$cert_alias = "addtrustclass1ca";
	183	}
	184	elsif ($cert =~ /AddTrust External CA Root/)
	185	{
	186	$cert_alias = "addtrustexternalca";
	187	}
	188	elsif ($cert =~ /AddTrust Qualified CA Root/)
	189	{
	190	$cert_alias = "addtrustqualifiedca";
	191	}
	192	elsif ($cert =~ /UTN-USERFirst-Hardware/)
	193	{
	194	$cert_alias = "utnuserfirsthardwareca";
	195	}
	196	elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
	197	{
	198	$cert_alias = "utnuserfirstclientauthemailca";
	199	}
	200	elsif ($cert =~ /UTN - DATACorp SGC/)
	201	{
	202	$cert_alias = "utndatacorpsgcca";
	203	}
	204	elsif ($cert =~ /UTN-USERFirst-Object/)
	205	{
	206	$cert_alias = "utnuserfirstobjectca";
	207	}
	208	elsif ($cert =~ /America Online Root Certification Authority 1/)
	209	{
	210	$cert_alias = "aolrootca1";
	211	}
	212	elsif ($cert =~ /DigiCert Assured ID Root CA/)
	213	{
	214	$cert_alias = "digicertassuredidrootca";
	215	}
	216	elsif ($cert =~ /DigiCert Global Root CA/)
	217	{
	218	$cert_alias = "digicertglobalrootca";
	219	}
	220	elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
	221	{
	222	$cert_alias = "digicerthighassuranceevrootca";
	223	}
	224	elsif ($cert =~ /GlobalSign Root CA$/)
	225	{
	226	$cert_alias = "globalsignca";
	227	}
	228	elsif ($cert =~ /GlobalSign Root CA - R2/)
	229	{
	230	$cert_alias = "globalsignr2ca";
	231	}
	232	elsif ($cert =~ /Elektronik.Kas.2005/)
	233	{
	234	$cert_alias = "extra-elektronikkas2005";
	235	}
	236	elsif ($cert =~ /Muntaner 244 Barcelona.*Firmaprofesional/)
	237	{
	238	$cert_alias = "extra-oldfirmaprofesional";
	239	}
	240	# Mozilla does not provide these certificates:
	241	# baltimorecodesigningca
	242	# gtecybertrust5ca
	243	# trustcenterclass2caii
	244	# trustcenterclass4caii
	245	# trustcenteruniversalcai
	246	else
	247	{
	248	# Generate an alias using the OU and CN attributes of the
	249	# Subject field if both are present, otherwise use only the
	250	# CN attribute. The Subject field must have either the OU
	251	# or the CN attribute.
	252	$_ = $cert;
	253	if ($cert =~ /OU=/)
	254	{
	255	s/Subject:.*?OU=//;
	256	# Remove other occurrences of OU=.
	257	s/OU=.*CN=//;
	258	# Remove CN= if there were not other occurrences of OU=.
	259	s/CN=//;
	260	s/\/emailAddress.*//;
	261	s/Certificate Authority/ca/g;
	262	s/Certification Authority/ca/g;
	263	}
	264	elsif ($cert =~ /CN=/)
	265	{
	266	s/Subject:.*CN=//;
	267	s/\/emailAddress.*//;
	268	s/Certificate Authority/ca/g;
	269	s/Certification Authority/ca/g;
	270	}
	271	s/\W//g;
	272	tr/A-Z/a-z/;
	273	$cert_alias = "extra-$_";
	274	}
	275	print "$cert => alias $cert_alias\n";
	276	}
	277	elsif ($cert =~ "Signature Algorithm: ecdsa")
	278	{
	279	# Ignore ECC certs since keytool rejects them
	280	$write_current_cert = 0;
	281	print " => ignoring ECC certificate\n";
	282	}
	283	elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
	284	{
	285	if ($in_cert_block != 0)
	286	{
	287	die "FAIL: $file is malformed.";
	288	}
	289	$in_cert_block = 1;
	290	if ($write_current_cert == 1)
	291	{
	292	$pem_file_count++;
	293	if (!sysopen(PEM, "$cert_alias.pem", O_WRONLY\|O_CREAT\|O_EXCL)) {
	294	$cert_alias = "$cert_alias.1";
	295	sysopen(PEM, "$cert_alias.1.pem", O_WRONLY\|O_CREAT\|O_EXCL)
	296	\|\| die("FAIL: could not open file for $cert_alias.pem: $!");
	297	}
	298	print PEM $cert;
	299	print " => writing $cert_alias.pem...\n";
	300	}
	301	}
	302	elsif ($cert eq "-----END CERTIFICATE-----\n")
	303	{
	304	$in_cert_block = 0;
	305	if ($write_current_cert == 1)
	306	{
	307	print PEM $cert;
	308	close(PEM);
	309	}
	310	$write_current_cert = 1
	311	}
	312	else
	313	{
	314	if ($in_cert_block == 1 && $write_current_cert == 1)
	315	{
	316	print PEM $cert;
	317	}
	318	}
	319	}
	320
	321	# Check that the correct number of .pem files were produced.
	322	@pem_files = <*.pem>;
	323	if (@pem_files != $pem_file_count)
	324	{
	325	print "$pem_file_count != ".@pem_files."\n";
	326	die "FAIL: Number of .pem files produced does not match".
	327	" number of certs read from $file.";
	328	}
	329
	330	# Now store each cert in the 'cacerts' file using keytool.
	331	$certs_written_count = 0;
	332	foreach $pem_file (@pem_files)
	333	{
	334	print "+ Adding $pem_file...\n";
	335	if (system("$ARGV[0] -import".
	336	" -alias `basename $pem_file .pem`".
	337	" -keystore cacerts -noprompt -storepass 'changeit' -file $pem_file") == 0) {
	338	$certs_written_count++;
	339	} else {
	340	print "FAILED\n";
	341	}
	342	}
	343
	344	# Check that the correct number of certs were added to the keystore.
	345	if ($certs_written_count != $pem_file_count)
	346	{
	347	die "FAIL: Number of certs added to keystore does not match".
	348	" number of certs read from $file.";
	349	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: