source: npl/java/openjdk/scripts/generate-cacerts.pl @ a2d969e

Last change on this file since a2d969e was 981dbbc, checked in by Edwin Eefting <edwin@datux.nl>, 7 years ago

build openjdk, not used yet

1#!/usr/bin/perl -w
2
3# Obtained from "http://pkgs.fedoraproject.org/gitweb/?p=ca-certificates.git;a=blob_plain;f=generate-cacerts.pl;hb=HEAD"
4
5use diagnostics;
6use Fcntl;
7
8# Copyright (C) 2007, 2008 Red Hat, Inc.
9#
10# This program is free software; you can redistribute it and/or modify
11# it under the terms of the GNU General Public License as published by
12# the Free Software Foundation; either version 2 of the License, or
13# (at your option) any later version.
14#
15# This program is distributed in the hope that it will be useful,
16# but WITHOUT ANY WARRANTY; without even the implied warranty of
17# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18# GNU General Public License for more details.
19
20# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
21# OpenSSL's certificate bundle using OpenJDK's keytool.
22
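# First extract each of OpenSSL's bundled certificates into its own
# aliased filename.
#
# Usage: generate-cacerts.pl <keytool> <ca-bundle>
#   $ARGV[0]  path to OpenJDK's keytool (used by the import loop below)
#   $ARGV[1]  certificate bundle; the parser below expects a textual dump
#             ("Certificate:", "Subject: ", "Signature Algorithm:" lines)
#             ahead of each "-----BEGIN CERTIFICATE-----" block.
@ARGV == 2
    or die "Usage: $0 <keytool> <ca-bundle>\n";
$file = $ARGV[1];
# Three-argument open: a bundle path that happens to start with '>' or
# '|' is a file name here, never an open mode or a command.  The failure
# check matters: with an unreadable bundle the old unchecked open left
# @certs empty and the script exited 0 without producing any cacerts.
open(my $certs_fh, '<', $file)
    or die "FAIL: could not open $file: $!";
@certs = <$certs_fh>;
close($certs_fh);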
29
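# Ordered table of Subject-line patterns for the CAs that keep the
# historical alias OpenJDK's cacerts has always used.  The first matching
# pattern wins, so the order is significant (the '$'-anchored "Class N
# ... Authority" entries must precede their "- G2"/"- G3" siblings).  A
# certificate that matches nothing here gets a generated "extra-" alias.
my @known_aliases = (
    [ qr/personal-freemail/, "thawtepersonalfreemailca" ],
    [ qr/personal-basic/, "thawtepersonalbasicca" ],
    [ qr/personal-premium/, "thawtepersonalpremiumca" ],
    [ qr/server-certs/, "thawteserverca" ],
    [ qr/premium-server/, "thawtepremiumserverca" ],
    [ qr/Class 1 Public Primary Certification Authority$/, "verisignclass1ca" ],
    [ qr/Class 1 Public Primary Certification Authority - G2/, "verisignclass1g2ca" ],
    [ qr/VeriSign Class 1 Public Primary Certification Authority - G3/, "verisignclass1g3ca" ],
    [ qr/Class 2 Public Primary Certification Authority$/, "verisignclass2ca" ],
    [ qr/Class 2 Public Primary Certification Authority - G2/, "verisignclass2g2ca" ],
    [ qr/VeriSign Class 2 Public Primary Certification Authority - G3/, "verisignclass2g3ca" ],
    [ qr/Class 3 Public Primary Certification Authority$/, "verisignclass3ca" ],
    # Version 1 of Class 3 Public Primary Certification Authority
    # - G2 is added.  Version 3 is excluded (the 1998 anchor below).
    [ qr/Class 3 Public Primary Certification Authority - G2.*1998/, "verisignclass3g2ca" ],
    [ qr/VeriSign Class 3 Public Primary Certification Authority - G3/, "verisignclass3g3ca" ],
    [ qr/RSA Data Security.*Secure Server Certification Authority/, "rsaserverca" ],
    [ qr/GTE CyberTrust Global Root/, "gtecybertrustglobalca" ],
    [ qr/Baltimore CyberTrust Root/, "baltimorecybertrustca" ],
    [ qr/www.entrust.net\/Client_CA_Info\/CPS/, "entrustclientca" ],
    [ qr/www.entrust.net\/GCCA_CPS/, "entrustglobalclientca" ],
    [ qr/www.entrust.net\/CPS_2048/, "entrust2048ca" ],
    [ qr/www.entrust.net\/CPS incorp /, "entrustsslca" ],
    [ qr/www.entrust.net\/SSL_CPS/, "entrustgsslca" ],
    [ qr/The Go Daddy Group/, "godaddyclass2ca" ],
    [ qr/Starfield Class 2 Certification Authority/, "starfieldclass2ca" ],
    [ qr/ValiCert Class 2 Policy Validation Authority/, "valicertclass2ca" ],
    [ qr/GeoTrust Global CA$/, "geotrustglobalca" ],
    [ qr/Equifax Secure Certificate Authority/, "equifaxsecureca" ],
    [ qr/Equifax Secure eBusiness CA-1/, "equifaxsecureebusinessca1" ],
    [ qr/Equifax Secure eBusiness CA-2/, "equifaxsecureebusinessca2" ],
    [ qr/Equifax Secure Global eBusiness CA-1/, "equifaxsecureglobalebusinessca1" ],
    [ qr/Sonera Class1 CA/, "soneraclass1ca" ],
    [ qr/Sonera Class2 CA/, "soneraclass2ca" ],
    [ qr/AAA Certificate Services/, "comodoaaaca" ],
    [ qr/AddTrust Class 1 CA Root/, "addtrustclass1ca" ],
    [ qr/AddTrust External CA Root/, "addtrustexternalca" ],
    [ qr/AddTrust Qualified CA Root/, "addtrustqualifiedca" ],
    [ qr/UTN-USERFirst-Hardware/, "utnuserfirsthardwareca" ],
    [ qr/UTN-USERFirst-Client Authentication and Email/, "utnuserfirstclientauthemailca" ],
    [ qr/UTN - DATACorp SGC/, "utndatacorpsgcca" ],
    [ qr/UTN-USERFirst-Object/, "utnuserfirstobjectca" ],
    [ qr/America Online Root Certification Authority 1/, "aolrootca1" ],
    [ qr/DigiCert Assured ID Root CA/, "digicertassuredidrootca" ],
    [ qr/DigiCert Global Root CA/, "digicertglobalrootca" ],
    [ qr/DigiCert High Assurance EV Root CA/, "digicerthighassuranceevrootca" ],
    [ qr/GlobalSign Root CA$/, "globalsignca" ],
    [ qr/GlobalSign Root CA - R2/, "globalsignr2ca" ],
    [ qr/Elektronik.*Kas.*2005/, "extra-elektronikkas2005" ],
    [ qr/Muntaner 244 Barcelona.*Firmaprofesional/, "extra-oldfirmaprofesional" ],
);
# Mozilla does not provide these certificates:
#   baltimorecodesigningca
#   gtecybertrust5ca
#   trustcenterclass2caii
#   trustcenterclass4caii
#   trustcenteruniversalcai

# Derive an alias from a "Subject:" line that matched no known CA: the OU
# and CN attributes when both are present, otherwise CN alone, with
# "Certificate/Certification Authority" shortened to "ca", every non-word
# character dropped and the result lower-cased.  Stripping \W is also what
# keeps the alias safe to use as a file name and keytool argument.  A
# Subject with neither OU nor CN is reduced the same way without trimming
# (the same result the previous implementation produced).
sub subject_alias
{
    my ($line) = @_;
    if ($line =~ /OU=/)
    {
        $line =~ s/Subject:.*?OU=//;
        # Remove other occurrences of OU=.
        $line =~ s/OU=.*CN=//;
        # Remove CN= if there were not other occurrences of OU=.
        $line =~ s/CN=//;
        $line =~ s/\/emailAddress.*//;
        $line =~ s/Certificate Authority/ca/g;
        $line =~ s/Certification Authority/ca/g;
    }
    elsif ($line =~ /CN=/)
    {
        $line =~ s/Subject:.*CN=//;
        $line =~ s/\/emailAddress.*//;
        $line =~ s/Certificate Authority/ca/g;
        $line =~ s/Certification Authority/ca/g;
    }
    $line =~ s/\W//g;
    $line =~ tr/A-Z/a-z/;
    return $line;
}

# Walk the bundle line by line.  Text lines ahead of a PEM block decide
# the alias (and whether the cert is written at all); the PEM block itself
# is copied verbatim into "<alias>.pem".  $pem_file_count is consumed by
# the checks further down.
$pem_file_count = 0;
my $in_cert_block = 0;
my $write_current_cert = 1;
my $cert_alias;
my $pem_fh;
foreach my $cert (@certs)
{
    if ($cert =~ /Certificate:\n/)
    {
        print "New certificate...\n";
    }
    elsif ($cert =~ /Subject: /)
    {
        undef $cert_alias;
        foreach my $entry (@known_aliases)
        {
            my ($pattern, $alias) = @$entry;
            if ($cert =~ $pattern)
            {
                $cert_alias = $alias;
                last;
            }
        }
        if (!defined $cert_alias)
        {
            $cert_alias = "extra-" . subject_alias($cert);
        }
        print "$cert => alias $cert_alias\n";
    }
    elsif ($cert =~ /Signature Algorithm: ecdsa/)
    {
        # Ignore ECC certs since keytool rejects them.
        # NOTE(review): this skip silently leaves every ECDSA-signed root
        # out of the resulting trust store.  Whether keytool still rejects
        # EC certificates cannot be told from this file -- confirm before
        # relying on the generated cacerts.
        $write_current_cert = 0;
        print " => ignoring ECC certificate\n";
    }
    elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
    {
        if ($in_cert_block != 0)
        {
            die "FAIL: $file is malformed.";
        }
        $in_cert_block = 1;
        if ($write_current_cert == 1)
        {
            # A PEM block with no preceding Subject line would otherwise
            # be written under the previous certificate's alias.
            defined $cert_alias
                or die "FAIL: $file is malformed: certificate without a Subject line.";
            $pem_file_count++;
            # O_EXCL guarantees we never overwrite a file written for an
            # earlier certificate (or one left over from a previous run):
            # a second cert mapping to the same alias gets a ".1" suffix,
            # a third one is a hard error.  The suffix is applied to
            # $cert_alias once, so the file name, the progress message and
            # the keytool alias derived from it all agree.
            if (!sysopen($pem_fh, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL))
            {
                $cert_alias .= ".1";
                sysopen($pem_fh, "$cert_alias.pem", O_WRONLY|O_CREAT|O_EXCL)
                    or die "FAIL: could not open file for $cert_alias.pem: $!";
            }
            print $pem_fh $cert;
            print " => writing $cert_alias.pem...\n";
        }
    }
    elsif ($cert eq "-----END CERTIFICATE-----\n")
    {
        $in_cert_block = 0;
        if ($write_current_cert == 1)
        {
            print $pem_fh $cert;
            # Buffered write errors only surface at close; a truncated PEM
            # must not reach the keystore.
            close($pem_fh)
                or die "FAIL: could not write $cert_alias.pem: $!";
            undef $pem_fh;
        }
        $write_current_cert = 1;
        undef $cert_alias;
    }
    else
    {
        if ($in_cert_block == 1 && $write_current_cert == 1)
        {
            print $pem_fh $cert;
        }
    }
}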
320
# Sanity check: the working directory must now hold exactly one .pem per
# certificate we wrote.  A stray file here would end up in the trust store
# and a missing one would silently leave a CA out, so stop rather than
# continue.  @pem_files is reused by the keytool import loop below.
@pem_files = <*.pem>;
my $found = scalar @pem_files;
if ($found != $pem_file_count)
{
    print "$pem_file_count != $found\n";
    die "FAIL: Number of .pem files produced does not match".
        " number of certs read from $file.";
}
329
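# Now store each cert in the 'cacerts' file using keytool.
#
# keytool is invoked with the list form of system() so that neither the
# keytool path ($ARGV[0]) nor the .pem file names go through a shell: a
# path containing spaces no longer breaks the command, and nothing derived
# from certificate contents can be read as shell syntax.  The alias is the
# file name minus its ".pem" suffix, computed here instead of through a
# basename(1) subprocess.
#
# 'changeit' is the well-known default password of the JDK cacerts store:
# it gives the JKS integrity check, not confidentiality, and its presence
# on the command line (visible in the process list) exposes nothing secret.
$certs_written_count = 0;
foreach my $pem_file (@pem_files)
{
    (my $alias = $pem_file) =~ s/\.pem\z//;
    print "+ Adding $pem_file...\n";
    my $status = system($ARGV[0], '-import',
                        '-alias', $alias,
                        '-keystore', 'cacerts',
                        '-noprompt',
                        '-storepass', 'changeit',
                        '-file', $pem_file);
    if ($status == 0) {
        $certs_written_count++;
    } else {
        # Counted by the final check below, which aborts on any failure.
        print "FAILED\n";
    }
}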
343
# Final sanity check: every .pem we produced must have been imported,
# otherwise the resulting cacerts is silently incomplete.
die "FAIL: Number of certs added to keystore does not match".
    " number of certs read from $file."
    unless $certs_written_count == $pem_file_count;