summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'dev-java/icedtea/files/generate-cacerts.pl')
-rw-r--r--dev-java/icedtea/files/generate-cacerts.pl358
1 files changed, 358 insertions, 0 deletions
diff --git a/dev-java/icedtea/files/generate-cacerts.pl b/dev-java/icedtea/files/generate-cacerts.pl
new file mode 100644
index 000000000000..17d29b36676d
--- /dev/null
+++ b/dev-java/icedtea/files/generate-cacerts.pl
@@ -0,0 +1,358 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2007, 2008 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
+# OpenSSL's certificate bundle using OpenJDK's keytool.
+
+# First extract each of OpenSSL's bundled certificates into its own
+# aliased filename.
+
+# Downloaded from http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/F-12/generate-cacerts.pl?revision=1.2
+# Check and prevention of duplicate aliases added by Vlastimil Babka <caster@gentoo.org>
+
+$file = $ARGV[1];
+open(CERTS, $file);
+@certs = <CERTS>;
+close(CERTS);
+
+$pem_file_count = 0;
+$in_cert_block = 0;
+$write_current_cert = 1;
+foreach $cert (@certs)
+{
+ if ($cert =~ /Issuer: /)
+ {
+ $_ = $cert;
+ if ($cert =~ /personal-freemail/)
+ {
+ $cert_alias = "thawtepersonalfreemailca";
+ }
+ elsif ($cert =~ /personal-basic/)
+ {
+ $cert_alias = "thawtepersonalbasicca";
+ }
+ elsif ($cert =~ /personal-premium/)
+ {
+ $cert_alias = "thawtepersonalpremiumca";
+ }
+ elsif ($cert =~ /server-certs/)
+ {
+ $cert_alias = "thawteserverca";
+ }
+ elsif ($cert =~ /premium-server/)
+ {
+ $cert_alias = "thawtepremiumserverca";
+ }
+ elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass1ca";
+ }
+ elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
+ {
+ $cert_alias = "verisignclass1g2ca";
+ }
+ elsif ($cert =~
+ /VeriSign Class 1 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass1g3ca";
+ }
+ elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass2ca";
+ }
+ elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
+ {
+ $cert_alias = "verisignclass2g2ca";
+ }
+ elsif ($cert =~
+ /VeriSign Class 2 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass2g3ca";
+ }
+ elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
+ {
+ $cert_alias = "verisignclass3ca";
+ }
+ # Version 1 of Class 3 Public Primary Certification Authority
+ # - G2 is added. Version 3 is excluded. See below.
+ elsif ($cert =~
+ /VeriSign Class 3 Public Primary Certification Authority - G3/)
+ {
+ $cert_alias = "verisignclass3g3ca";
+ }
+ elsif ($cert =~
+ /RSA Data Security.*Secure Server Certification Authority/)
+ {
+ $cert_alias = "verisignserverca";
+ }
+ elsif ($cert =~ /GTE CyberTrust Global Root/)
+ {
+ $cert_alias = "gtecybertrustglobalca";
+ }
+ elsif ($cert =~ /Baltimore CyberTrust Root/)
+ {
+ $cert_alias = "baltimorecybertrustca";
+ }
+ elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
+ {
+ $cert_alias = "entrustclientca";
+ }
+ elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
+ {
+ $cert_alias = "entrustglobalclientca";
+ }
+ elsif ($cert =~ /www.entrust.net\/CPS_2048/)
+ {
+ $cert_alias = "entrust2048ca";
+ }
+ elsif ($cert =~ /www.entrust.net\/CPS /)
+ {
+ $cert_alias = "entrustsslca";
+ }
+ elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
+ {
+ $cert_alias = "entrustgsslca";
+ }
+ elsif ($cert =~ /The Go Daddy Group/)
+ {
+ $cert_alias = "godaddyclass2ca";
+ }
+ elsif ($cert =~ /Starfield Class 2 Certification Authority/)
+ {
+ $cert_alias = "starfieldclass2ca";
+ }
+ elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
+ {
+ $cert_alias = "valicertclass2ca";
+ }
+ elsif ($cert =~ /GeoTrust Global CA$/)
+ {
+ $cert_alias = "geotrustglobalca";
+ }
+ elsif ($cert =~ /Equifax Secure Certificate Authority/)
+ {
+ $cert_alias = "equifaxsecureca";
+ }
+ elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
+ {
+ $cert_alias = "equifaxsecureebusinessca1";
+ }
+ elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
+ {
+ $cert_alias = "equifaxsecureebusinessca2";
+ }
+ elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
+ {
+ $cert_alias = "equifaxsecureglobalebusinessca1";
+ }
+ elsif ($cert =~ /Sonera Class1 CA/)
+ {
+ $cert_alias = "soneraclass1ca";
+ }
+ elsif ($cert =~ /Sonera Class2 CA/)
+ {
+ $cert_alias = "soneraclass2ca";
+ }
+ elsif ($cert =~ /AAA Certificate Services/)
+ {
+ $cert_alias = "comodoaaaca";
+ }
+ elsif ($cert =~ /AddTrust Class 1 CA Root/)
+ {
+ $cert_alias = "addtrustclass1ca";
+ }
+ elsif ($cert =~ /AddTrust External CA Root/)
+ {
+ $cert_alias = "addtrustexternalca";
+ }
+ elsif ($cert =~ /AddTrust Qualified CA Root/)
+ {
+ $cert_alias = "addtrustqualifiedca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Hardware/)
+ {
+ $cert_alias = "utnuserfirsthardwareca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
+ {
+ $cert_alias = "utnuserfirstclientauthemailca";
+ }
+ elsif ($cert =~ /UTN - DATACorp SGC/)
+ {
+ $cert_alias = "utndatacorpsgcca";
+ }
+ elsif ($cert =~ /UTN-USERFirst-Object/)
+ {
+ $cert_alias = "utnuserfirstobjectca";
+ }
+ elsif ($cert =~ /America Online Root Certification Authority 1/)
+ {
+ $cert_alias = "aolrootca1";
+ }
+ elsif ($cert =~ /DigiCert Assured ID Root CA/)
+ {
+ $cert_alias = "digicertassuredidrootca";
+ }
+ elsif ($cert =~ /DigiCert Global Root CA/)
+ {
+ $cert_alias = "digicertglobalrootca";
+ }
+ elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
+ {
+ $cert_alias = "digicerthighassuranceevrootca";
+ }
+ elsif ($cert =~ /GlobalSign Root CA$/)
+ {
+ $cert_alias = "globalsignca";
+ }
+ elsif ($cert =~ /GlobalSign Root CA - R2/)
+ {
+ $cert_alias = "globalsignr2ca";
+ }
+ elsif ($cert =~ /Elektronik.*Kas.*2005/)
+ {
+ $cert_alias = "extra-elektronikkas2005";
+ }
+ elsif ($cert =~ /Elektronik/)
+ {
+ $cert_alias = "extra-elektronik2005";
+ }
+ # Mozilla does not provide these certificates:
+ # baltimorecodesigningca
+ # gtecybertrust5ca
+ # trustcenterclass2caii
+ # trustcenterclass4caii
+ # trustcenteruniversalcai
+ else
+ {
+ # Generate an alias using the OU and CN attributes of the
+ # Issuer field if both are present, otherwise use only the
+ # CN attribute. The Issuer field must have either the OU
+ # or the CN attribute.
+ $_ = $cert;
+ if ($cert =~ /OU=/)
+ {
+ s/Issuer:.*?OU=//;
+ # Remove other occurrences of OU=.
+ s/OU=.*CN=//;
+ # Remove CN= if there were not other occurrences of OU=.
+ s/CN=//;
+ s/\/emailAddress.*//;
+ s/Certificate Authority/ca/g;
+ s/Certification Authority/ca/g;
+ }
+ elsif ($cert =~ /CN=/)
+ {
+ s/Issuer:.*CN=//;
+ s/\/emailAddress.*//;
+ s/Certificate Authority/ca/g;
+ s/Certification Authority/ca/g;
+ }
+ s/\W//g;
+ tr/A-Z/a-z/;
+ $cert_alias = "extra-$_";
+
+ }
+ while (-e "$cert_alias.pem")
+ {
+ $cert_alias = "$cert_alias" . "_";
+ }
+ }
+ # When it attempts to parse:
+ #
+ # Class 3 Public Primary Certification Authority - G2, Version 3
+ #
+ # keytool says:
+ #
+ # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
+ # Unparseable AuthorityInfoAccess extension due to
+ # java.io.IOException: Invalid encoding of URI
+ #
+ # If we do not exclude this file
+ # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
+ # on this cert, printing:
+ #
+ # Couldn't verify: java.security.SignatureException: Signature
+ # does not match.
+ #
+ elsif ($cert =~
+ /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
+ {
+ $write_current_cert = 0;
+ $pem_file_count--;
+ }
+ elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
+ {
+ if ($in_cert_block != 0)
+ {
+ die "$file is malformed.";
+ }
+ $in_cert_block = 1;
+ if ($write_current_cert == 1)
+ {
+ $pem_file_count++;
+ if (-e "$cert_alias.pem")
+ {
+ print "$cert_alias";
+ die "already exists"
+ }
+ open(PEM, ">$cert_alias.pem");
+ print PEM $cert;
+ }
+ }
+ elsif ($cert eq "-----END CERTIFICATE-----\n")
+ {
+ $in_cert_block = 0;
+ if ($write_current_cert == 1)
+ {
+ print PEM $cert;
+ close(PEM);
+ }
+ $write_current_cert = 1
+ }
+ else
+ {
+ if ($in_cert_block == 1 && $write_current_cert == 1)
+ {
+ print PEM $cert;
+ }
+ }
+}
+
+# Check that the correct number of .pem files were produced.
+@pem_files = <*.pem>;
+if (@pem_files != $pem_file_count)
+{
+ print "$pem_file_count";
+ die "Number of .pem files produced does not match".
+ " number of certs read from $file.";
+}
+
+# Now store each cert in the 'cacerts' file using keytool.
+$certs_written_count = 0;
+foreach $pem_file (@pem_files)
+{
+ system "$ARGV[0] -noprompt -import".
+ " -alias `basename $pem_file .pem`".
+ " -keystore cacerts -storepass 'changeit' -file $pem_file";
+ unlink($pem_file);
+ $certs_written_count++;
+}
+
+# Check that the correct number of certs were added to the keystore.
+if ($certs_written_count != $pem_file_count)
+{
+ die "Number of certs added to keystore does not match".
+ " number of certs read from $file.";
+}