Revisión | bdbcbde41da8e59f8edd4f3430adea87b26fec6d (tree) |
---|---|
Tiempo | 2012-02-26 19:08:47 |
Autor | matsuand <matsuand@user...> |
Commiter | matsuand |
Added cacerts.sh, git.sh.
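--- /dev/null
+++ b/cacerts.sh
@@ -0,0 +1,270 @@
+#!/bin/sh
+
+TARGET=cacerts
+TARGETDIR=$TARGET
+
+. ./_blfsset.sh
+
+echo Check Required...
+./_checkRequired.sh openssl || exit 1
+if test "$1" == "check"; then
+  exit 0
+fi
+
+if test "$1" == "check"; then
+  exit 0
+fi
+
+cd $SRC
+
+echo $TARGET
+
+echo \ \ Removing old directory...
+rm -fr $TARGETDIR
+
+echo \ \ Creating directory
+mkdir -pv $TARGETDIR
+
+cd $TARGETDIR
+
+cat > /bin/make-cert.pl << "EOF"
+#!/usr/bin/perl -w
+
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./mkcrt.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+#
+# Version 20120211
+
+my $certdata = './tempfile.cer';
+
+open( IN, "cat $certdata|" )
+    || die "could not open $certdata";
+
+my $incert = 0;
+
+while ( <IN> )
+{
+  if ( /^CKA_VALUE MULTILINE_OCTAL/ )
+  {
+    $incert = 1;
+    open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
+        || die "could not pipe to openssl x509";
+  }
+
+  elsif ( /^END/ && $incert )
+  {
+    close( OUT );
+    $incert = 0;
+    print "\n\n";
+  }
+
+  elsif ($incert)
+  {
+    my @bs = split( /\\/ );
+    foreach my $b (@bs)
+    {
+      chomp $b;
+      printf( OUT "%c", oct($b) ) unless $b eq '';
+    }
+  }
+}
+EOF
+
+paco -p $TARGET "touch /bin/make-cert.pl"
+chmod +x /bin/make-cert.pl
+
+cat > /bin/make-ca.sh << "EOF"
+#!/bin/bash
+# Begin make-ca.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+#
+# The file certdata.txt must exist in the local directory
+# Version number is obtained from the version of the data.
+#
+# Authors: DJ Lucas
+#          Bruce Dubbs
+#
+# Version 20120211
+
+certdata="certdata.txt"
+
+if [ ! -r $certdata ]; then
+  echo "$certdata must be in the local directory"
+  exit 1
+fi
+
+REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
+
+if [ -z "${REVISION}" ]; then
+  echo "$certfile has no 'Revision' in CVS_ID"
+  exit 1
+fi
+
+VERSION=$(echo $REVISION | cut -f2 -d" ")
+
+TEMPDIR=$(mktemp -d)
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
+CONVERTSCRIPT="make-cert.pl"
+SSLDIR="/etc/ssl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of staring lines for each cert
+CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
+
+# Start a loop
+for certbegin in ${CERTBEGINLIST}; do
+  for certend in ${CERTENDLIST}; do
+    if test "${certend}" -gt "${certbegin}"; then
+      break
+    fi
+  done
+
+  # Dump to a temp file with the name of the file as the beginning line number
+  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+
+unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
+
+mkdir -p certs
+rm certs/*      # Make sure the directory is clean
+
+for tempfile in ${TEMPDIR}/certs/*.tmp; do
+  # Make sure that the cert is trusted...
+  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
+
+  if test "${?}" = "0"; then
+    # Throw a meaningful error and remove the file
+    cp "${tempfile}" tempfile.cer
+    "${CONVERTSCRIPT}" > tempfile.crt
+    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+    echo "Certificate ${keyhash} is not trusted! Removing..."
+    rm -f tempfile.cer tempfile.crt "${tempfile}"
+    continue
+  fi
+
+  # If execution made it to here in the loop, the temp cert is trusted
+  # Find the cert data and generate a cert file for it
+
+  cp "${tempfile}" tempfile.cer
+  "${CONVERTSCRIPT}" > tempfile.crt
+  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
+  mv tempfile.crt "certs/${keyhash}.pem"
+  rm -f tempfile.cer "${tempfile}"
+  echo "Created ${keyhash}.pem"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.pem; then
+  echo "Certificate 8f111d69 is not trusted! Removing..."
+  rm -f certs/8f111d69.pem
+fi
+
+# Finally, generate the bundle and clean up.
+cat certs/*.pem > ${BUNDLE}
+rm -r "${TEMPDIR}"
+EOF
+
+paco -p+ $TARGET "touch /bin/make-ca.sh"
+chmod +x /bin/make-ca.sh
+
+cat > /bin/remove-expired-certs.sh << "EOF"
+#!/bin/bash
+# Begin /bin/remove-expired-certs.sh
+#
+# Version 20120211
+
+# Make sure the date is parsed correctly on all systems
+function mydate()
+{
+  local y=$( echo $1 | cut -d" " -f4 )
+  local M=$( echo $1 | cut -d" " -f1 )
+  local d=$( echo $1 | cut -d" " -f2 )
+  local m
+
+  if [ ${d} -lt 10 ]; then d="0${d}"; fi
+
+  case $M in
+    Jan) m="01";;
+    Feb) m="02";;
+    Mar) m="03";;
+    Apr) m="04";;
+    May) m="05";;
+    Jun) m="06";;
+    Jul) m="07";;
+    Aug) m="08";;
+    Sep) m="09";;
+    Oct) m="10";;
+    Nov) m="11";;
+    Dec) m="12";;
+  esac
+
+  certdate="${y}${m}${d}"
+}
+
+OPENSSL=/usr/bin/openssl
+DIR=/etc/ssl/certs
+
+if [ $# -gt 0 ]; then
+  DIR="$1"
+fi
+
+certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
+today=$( date +%Y%m%d )
+
+for cert in $certs; do
+  notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
+  date=$( echo ${notafter} | sed 's/^notAfter=//' )
+  mydate "$date"
+
+  if [ ${certdate} -lt ${today} ]; then
+    echo "${cert} expired on ${certdate}! Removing..."
+    rm -f "${cert}"
+  fi
+done
+EOF
+
+paco -p+ $TARGET "touch /bin/remove-expired-certs.sh"
+chmod +x /bin/remove-expired-certs.sh
+
+certhost='http://mxr.mozilla.org'
+certdir='/mozilla/source/security/nss/lib/ckfw/builtins'
+url="$certhost$certdir/certdata.txt?raw=1"
+
+wget --output-document certdata.txt $url
+unset certhost certdir url
+make-ca.sh
+remove-expired-certs.sh certs
+
+SSLDIR=/etc/ssl
+
+paco -p+ $TARGET "\
+install -d ${SSLDIR}/certs"
+
+paco -p+ $TARGET "\
+cp -v certs/*.pem ${SSLDIR}/certs"
+
+c_rehash
+
+paco -p+ $TARGET "\
+install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt"
+
+unset SSLDIR
+
+rm -r certs BLFS-ca-bundle*
+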
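--- /dev/null
+++ b/git.sh
@@ -0,0 +1,51 @@
+#!/bin/sh
+
+. ./_blfsset.sh
+
+VER=1.7.9.2
+TARGET=git-$VER
+TARGETBALL=$TARGET.tar.gz
+TARGETDIR=$TARGET
+
+echo Check Required...
+./_checkRequired.sh openssl expat curl python || exit 1
+if test "$1" == "check"; then
+  exit 0
+fi
+
+if test "$1" == "check"; then
+  exit 0
+fi
+
+cd $SRC
+
+echo $TARGET
+
+echo \ \ Removing old directory...
+rm -fr $TARGETDIR
+
+echo \ \ Extracting...
+tar xf $DLD/$TARGETBALL || (echo Tarball not found && exit 1)
+
+cd $TARGETDIR
+
+echo \ \ Configuring...
+./configure --prefix=/usr \
+    --sysconfdir=/etc \
+    --libexecdir=/usr/lib \
+    --with-openssl --with-curl --with-expat \
+    1> $LOG/$TARGET.1_conf.log 2>&1
+
+echo \ \ Making...
+make \
+    1> $LOG/$TARGET.2_make.log 2>&1
+
+echo \ \ Installing...
+paco -p $TARGET 'make install' \
+    1> $LOG/$TARGET.3_install.log 2>&1
+
+echo -n \ \ Pacoing:\ && paco -a1 | grep $TARGET || echo none
+
+echo \ \ Removing directory...
+cd .. && rm -fr $TARGETDIR
+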