Check-in [6a49836224]
Overview
Comment: Added script to generate certificate bundles in hierarchy order
SHA1:6a498362245e8ece07a24661a6ef162c78052977
User & Date: rkeene on 2013-02-07 23:29:48
Changes

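--- /dev/null
+++ b/build/certs/build-tree.sh
@@ -0,0 +1,103 @@
+#! /bin/bash
+
+opt_mode='showcert'
+
+if [ -n "$1" ]; then
+	opt_mode="$1"
+fi
+
+unset sh_list tree
+for cert in *.crt; do
+	ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
+	sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"
+	sh_list=("${sh_list[@]}" "${sh} ${cert}")
+	tree=("${tree[@]}" "${sh} ${ih}")
+done
+
+function subjecthash_to_filename() {
+	local hash
+	local sh_cert hash_chk cert
+
+	hash="$1"
+
+	for sh_cert in "${sh_list[@]}"; do
+		hash_chk="$(echo "${sh_cert}" | cut -f 1 -d ' ')"
+
+		if [ "${hash_chk}" = "${hash}" ]; then
+			cert="$(echo "${sh_cert}" | cut -f 2- -d ' ')"
+
+			echo "${cert}"
+
+			return
+		fi
+	done
+
+	return
+}
+
+function print_cert() {
+	local cert
+	local sh ih i_cert
+
+	cert="$1"
+	ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
+	sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"
+
+	i_cert="$(subjecthash_to_filename "${ih}")"
+
+	if [ "${i_cert}" != "${cert}" ]; then
+		print_cert "${i_cert}"
+	fi
+
+	echo "${cert}"
+}
+
+idx=0
+unset certs
+
+for cert in *.crt; do
+	print_cert "${cert}"
+done | while read cert; do
+	is_dupe='0'
+	for chk_cert in "${certs[@]}"; do
+		if [ "${chk_cert}" = "${cert}" ]; then
+			is_dupe='1'
+
+			break
+		fi
+	done
+
+	if [ "${is_dupe}" = '1' ]; then
+		continue
+	fi
+
+	certs=("${certs[@]}" "${cert}")
+
+	echo "${cert}"
+done | while read cert; do
+	case "${opt_mode}" in
+		showcert)
+			openssl x509 -in "${cert}" -text
+			;;
+		showfile)
+			echo "${cert}"
+			;;
+		script)
+			i_cert="$(subjecthash_to_filename "$(openssl x509 -in "${cert}" -issuer_hash -noout)")"
+
+			s_idx="$(openssl x509 -in "${cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
+			s_shortsubject="$(openssl x509 -in "${cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
+			s_normsubject="$(echo "${s_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
+			s_filename="federal-${s_normsubject}-${s_idx}.crt"
+
+			i_idx="$(openssl x509 -in "${i_cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
+			i_shortsubject="$(openssl x509 -in "${i_cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
+			i_normsubject="$(echo "${i_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
+			i_filename="federal-${i_normsubject}-${i_idx}.crt"
+
+			echo "cat << \_EOF_ > '${s_filename}'"
+			openssl x509 -in "${cert}"
+			echo "_EOF_"
+			;;
+	esac
+done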
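Review bot: `print_cert` (new lines 46-50) picks the issuer purely by matching `-issuer_hash` against another file's `-subject_hash`, so the chain is ordered by name only and no signature is ever checked; any `*.crt` in the directory whose subject DN matches the issuer name — a cross-certificate for the same CA under a different key, or a stray file — is chained in as though it had signed the certificate, and the result is then shipped as a trust bundle (`USG-*-bundle.pem`). I would confirm the link before recursing, e.g. `openssl verify -CAfile "${i_cert}" "${cert}" >/dev/null 2>&1 || return` (adding `-partial_chain` on OpenSSL 1.0.2 or later when the issuer is itself an intermediate), and guard the lookup miss first with `[ -n "${i_cert}" ] || return`, because an orphaned certificate currently recurses into `print_cert ""` and emits an empty filename that the downstream `openssl x509 -in ""` then errors on. Two cross-certificates naming each other as issuer would presumably recurse without bound; the `grep ... | xargs rm -f` pruning in the federal Makefile looks like what keeps that from happening, which deserves a comment here so the dependency is not lost. In `script` mode (new lines 86-100) the subject-derived `s_filename` is spliced into a single-quoted redirection in generated shell, so a `'` in a CN breaks the quoting of the emitted script; restricting `s_normsubject` with `tr -cd 'a-z0-9'` or emitting the name through `printf '%q'` would close that. The `i_*` variables on lines 93-96 are computed and never used.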

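--- a/build/certs/dod/Makefile
+++ b/build/certs/dod/Makefile
@@ -1,8 +1,10 @@
-all: cert-0.crt
+all: certs USG-dod-bundle.pem
+
+certs: cert-0.crt
 
 rel3_dodroot_2048.cac:
 	wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
 	mv "$@.new" "$@"
 
 cert-%.crt: rel3_dodroot_2048.cac
 	idx=0; \
@@ -14,13 +16,18 @@
 		fi; \
 		echo "$${line}" >> "cert-$${idx}.crt"; \
 		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
 			idx=$$[$$idx + 1]; \
 		fi; \
 	done
 
+USG-dod-bundle.pem: certs
+	../build-tree.sh > "$@"
+
 clean:
 	rm -f cert-*.crt
 	rm -f rel3_dodroot_2048.cac.new
 
 distclean: clean
 	rm -f rel3_dodroot_2048.cac
+
+.PHONY: all certs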
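Review bot: The new `USG-dod-bundle.pem` rule (new lines 23-24) redirects `../build-tree.sh` straight into `$@`, so the previous bundle is truncated before the script produces a byte and any failure leaves a partial or empty PEM that `make` then treats as up to date; a truncated trust bundle is still a file most consumers will load, so the breakage only surfaces later as unexplained verification failures. The rest of this Makefile already uses the `"$@.new"` then `mv` pattern for the download; doing the same here, `../build-tree.sh > "$@.new"` followed by `test -s "$@.new" && mv "$@.new" "$@"`, keeps a bad run from clobbering a good bundle. The `test -s` matters because `build-tree.sh` runs without `set -e` and its exit status is, in effect, that of its final `while` loop, so `make` would not otherwise notice an `openssl` failure inside it. `clean` (line 27) does not remove `USG-dod-bundle.pem`, unlike the federal Makefile in this same check-in, so a stale bundle survives `make clean`; `rm -f cert-*.crt USG-dod-bundle.pem` would match. Since `certs` is `.PHONY`, the bundle is also regenerated on every invocation, which is presumably intended but worth a comment on the rule.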

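--- a/build/certs/federal/Makefile
+++ b/build/certs/federal/Makefile
@@ -1,8 +1,10 @@
-all: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
+all: certs USG-federal-bundle.pem
+
+certs: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
 	grep -l 'Issuer: C=US, O=U.S. Government, OU=FPKI, CN=Federal Bridge CA' *.crt | xargs rm -f
 	grep -l 'Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA' *.crt  | xargs grep -H 'Issuer:' | grep -v 'Issuer: C=us, O=U.S. Government, OU=FBCA, CN=Common Policy' | cut -f 1 -d : | xargs rm -f
 
 CPCA_TRCA.crt:
 	wget -O - --no-check-certificate https://pki.treas.gov/CPCA_TRCA.cer | openssl x509 -text > "$@.new"
 	mv "$@.new" "$@"
 
@@ -29,13 +31,18 @@
 		fi; \
 		echo "$${line}" >> "cert-$${idx}.crt"; \
 		if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
 			idx=$$[$$idx + 1]; \
 		fi; \
 	done
 
+USG-federal-bundle.pem: certs
+	../build-tree.sh > "$@"
+
 clean:
-	rm -f cert-*.crt
+	rm -f cert-*.crt USG-federal-bundle.pem
 	rm -f CPCA_TRCA.crt.new root_sia.p7b.new caCertsIssuedTofcpca.p7c.new CommonPolicy.crt.new
 
 distclean: clean
 	rm -f CPCA_TRCA.crt root_sia.p7b caCertsIssuedTofcpca.p7c CommonPolicy.crt
+
+.PHONY: all certs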
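Review bot: As in the dod Makefile, `../build-tree.sh > "$@"` (new line 39) truncates the existing `USG-federal-bundle.pem` before the script runs, so a failed or interrupted run leaves a truncated bundle that a later `make` considers current; write to `"$@.new"` and `mv` it into place as the `CPCA_TRCA.crt` rule above already does, and add `test -s "$@.new"` before the `mv`, since the script's own exit status does not reflect `openssl` failures within its pipeline. Making `certs` `.PHONY` (new lines 3 and 48) means the two `grep ... | xargs rm -f` pruning lines now run on every invocation and the bundle is regenerated each time; that pruning matches on the `-text` dump that `cert-%.crt` and `CPCA_TRCA.crt` carry, and `build-tree.sh` appears to rely on it to break the Federal Bridge / Common Policy cross-certificate cycle, which is worth a comment on the `certs` target so neither the `-text` nor the pruning is "cleaned up" later. Because the script runs in its default `showcert` mode here, the bundle also contains the full text dump of every certificate alongside its PEM; `-CAfile` consumers ignore the text, but if a PEM-only bundle is wanted the mode should be passed explicitly and the choice recorded in the rule.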