Check-in [6a49836224]
Overview
Comment:Added script to generate certificate bundles in heirarchy order
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | piv
Files: files | file ages | folders
SHA1: 6a498362245e8ece07a24661a6ef162c78052977
User & Date: rkeene on 2013-02-07 23:29:48
Other Links: branch diff | manifest | tags
Context
2013-08-03
02:19
Added support for outputting NetScaler cert configuration check-in: c46c2cd501 user: rkeene tags: piv
2013-02-07
23:29
Added script to generate certificate bundles in heirarchy order check-in: 6a49836224 user: rkeene tags: piv
2013-01-16
15:46
Updated macbuild contact information to have valid government email addresses to contact us. check-in: f42b92cf98 user: kvanals tags: piv
Changes

Added build/certs/build-tree.sh version [ffb492c540].















































































































































































































>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#! /bin/bash

opt_mode='showcert'

if [ -n "$1" ]; then
	opt_mode="$1"
fi

unset sh_list tree
for cert in *.crt; do
	ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
	sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"
	sh_list=("${sh_list[@]}" "${sh} ${cert}")
	tree=("${tree[@]}" "${sh} ${ih}")
done

function subjecthash_to_filename() {
	local hash
	local sh_cert hash_chk cert

	hash="$1"

	for sh_cert in "${sh_list[@]}"; do
		hash_chk="$(echo "${sh_cert}" | cut -f 1 -d ' ')"

		if [ "${hash_chk}" = "${hash}" ]; then
			cert="$(echo "${sh_cert}" | cut -f 2- -d ' ')"

			echo "${cert}"

			return
		fi
	done

	return
}

function print_cert() {
	local cert
	local sh ih i_cert

	cert="$1"
	ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
	sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"

	i_cert="$(subjecthash_to_filename "${ih}")"

	if [ "${i_cert}" != "${cert}" ]; then
		print_cert "${i_cert}"
	fi

	echo "${cert}"
}

idx=0
unset certs

for cert in *.crt; do
	print_cert "${cert}"
done | while read cert; do
	is_dupe='0'
	for chk_cert in "${certs[@]}"; do
		if [ "${chk_cert}" = "${cert}" ]; then
			is_dupe='1'

			break
		fi
	done

	if [ "${is_dupe}" = '1' ]; then
		continue
	fi

	certs=("${certs[@]}" "${cert}")

	echo "${cert}"
done | while read cert; do
	case "${opt_mode}" in
		showcert)
			openssl x509 -in "${cert}" -text
			;;
		showfile)
			echo "${cert}"
			;;
		script)
			i_cert="$(subjecthash_to_filename "$(openssl x509 -in "${cert}" -issuer_hash -noout)")"

			s_idx="$(openssl x509 -in "${cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
			s_shortsubject="$(openssl x509 -in "${cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
			s_normsubject="$(echo "${s_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
			s_filename="federal-${s_normsubject}-${s_idx}.crt"

			i_idx="$(openssl x509 -in "${i_cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
			i_shortsubject="$(openssl x509 -in "${i_cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
			i_normsubject="$(echo "${i_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
			i_filename="federal-${i_normsubject}-${i_idx}.crt"

			echo "cat << \_EOF_ > '${s_filename}'"
			openssl x509 -in "${cert}"
			echo "_EOF_"
			;;
	esac
done

Modified build/certs/dod/Makefile from [678511107e] to [5a8397c00a].



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20



21
22
23
24
25
26




all: cert-0.crt

rel3_dodroot_2048.cac:
	wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
	mv "$@.new" "$@"

cert-%.crt: rel3_dodroot_2048.cac
	idx=0; \
	( \
		openssl pkcs7 -in rel3_dodroot_2048.cac -inform DER -print_certs -text; \
	) | while IFS='' read -r line; do \
		if [ -z "$${line}" ]; then \
			continue; \
		fi; \
		echo "$${line}" >> "cert-$${idx}.crt"; \
		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
			idx=$$[$$idx + 1]; \
		fi; \
	done




clean:
	rm -f cert-*.crt
	rm -f rel3_dodroot_2048.cac.new

distclean: clean
	rm -f rel3_dodroot_2048.cac


>
>
|



















>
>
>






>
>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
all: certs USG-dod-bundle.pem

certs: cert-0.crt

rel3_dodroot_2048.cac:
	wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
	mv "$@.new" "$@"

cert-%.crt: rel3_dodroot_2048.cac
	idx=0; \
	( \
		openssl pkcs7 -in rel3_dodroot_2048.cac -inform DER -print_certs -text; \
	) | while IFS='' read -r line; do \
		if [ -z "$${line}" ]; then \
			continue; \
		fi; \
		echo "$${line}" >> "cert-$${idx}.crt"; \
		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
			idx=$$[$$idx + 1]; \
		fi; \
	done

USG-dod-bundle.pem: certs
	../build-tree.sh > "$@"

clean:
	rm -f cert-*.crt
	rm -f rel3_dodroot_2048.cac.new

distclean: clean
	rm -f rel3_dodroot_2048.cac

.PHONY: all certs

Modified build/certs/federal/Makefile from [7088ba1ceb] to [c15ccd8551].



1
2
3
4
5
6
7
8


all: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
	grep -l 'Issuer: C=US, O=U.S. Government, OU=FPKI, CN=Federal Bridge CA' *.crt | xargs rm -f
	grep -l 'Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA' *.crt  | xargs grep -H 'Issuer:' | grep -v 'Issuer: C=us, O=U.S. Government, OU=FBCA, CN=Common Policy' | cut -f 1 -d : | xargs rm -f

CPCA_TRCA.crt:
	wget -O - --no-check-certificate https://pki.treas.gov/CPCA_TRCA.cer | openssl x509 -text > "$@.new"
	mv "$@.new" "$@"

>
>
|







1
2
3
4
5
6
7
8
9
10
all: certs USG-federal-bundle.pem

certs: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
	grep -l 'Issuer: C=US, O=U.S. Government, OU=FPKI, CN=Federal Bridge CA' *.crt | xargs rm -f
	grep -l 'Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA' *.crt  | xargs grep -H 'Issuer:' | grep -v 'Issuer: C=us, O=U.S. Government, OU=FBCA, CN=Common Policy' | cut -f 1 -d : | xargs rm -f

CPCA_TRCA.crt:
	wget -O - --no-check-certificate https://pki.treas.gov/CPCA_TRCA.cer | openssl x509 -text > "$@.new"
	mv "$@.new" "$@"

29
30
31
32
33
34
35



36
37
38
39
40
41


		fi; \
		echo "$${line}" >> "cert-$${idx}.crt"; \
		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
			idx=$$[$$idx + 1]; \
		fi; \
	done




clean:
	rm -f cert-*.crt
	rm -f CPCA_TRCA.crt.new root_sia.p7b.new caCertsIssuedTofcpca.p7c.new CommonPolicy.crt.new

distclean: clean
	rm -f CPCA_TRCA.crt root_sia.p7b caCertsIssuedTofcpca.p7c CommonPolicy.crt









>
>
>

|




>
>
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
		fi; \
		echo "$${line}" >> "cert-$${idx}.crt"; \
		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
			idx=$$[$$idx + 1]; \
		fi; \
	done

USG-federal-bundle.pem: certs
	../build-tree.sh > "$@"

clean:
	rm -f cert-*.crt USG-federal-bundle.pem
	rm -f CPCA_TRCA.crt.new root_sia.p7b.new caCertsIssuedTofcpca.p7c.new CommonPolicy.crt.new

distclean: clean
	rm -f CPCA_TRCA.crt root_sia.p7b caCertsIssuedTofcpca.p7c CommonPolicy.crt

.PHONY: all certs