ADDED build/certs/build-tree.sh
Index: build/certs/build-tree.sh
==================================================================
--- /dev/null
+++ build/certs/build-tree.sh
@@ -0,0 +1,104 @@
+#! /bin/bash
+
+opt_mode='showcert'
+
+if [ -n "$1" ]; then
+ opt_mode="$1"
+ fi
+
+unset sh_list tree
+for cert in *.crt; do
+ ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
+ sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"
+ sh_list=("${sh_list[@]}" "${sh} ${cert}")
+ tree=("${tree[@]}" "${sh} ${ih}")
+done
+
+function subjecthash_to_filename() {
+ local hash
+ local sh_cert hash_chk cert
+
+ hash="$1"
+
+ for sh_cert in "${sh_list[@]}"; do
+ hash_chk="$(echo "${sh_cert}" | cut -f 1 -d ' ')"
+
+ if [ "${hash_chk}" = "${hash}" ]; then
+ cert="$(echo "${sh_cert}" | cut -f 2- -d ' ')"
+
+ echo "${cert}"
+
+ return
+ fi
+ done
+
+ return
+}
+
+function print_cert() {
+ local cert
+ local sh ih i_cert
+
+ cert="$1"
+ ih="$(openssl x509 -in "${cert}" -noout -issuer_hash)"
+ sh="$(openssl x509 -in "${cert}" -noout -subject_hash)"
+
+ i_cert="$(subjecthash_to_filename "${ih}")"
+
+ if [ "${i_cert}" != "${cert}" ]; then
+ print_cert "${i_cert}"
+ fi
+
+ echo "${cert}"
+}
+
+idx=0
+unset certs
+
+for cert in *.crt; do
+ print_cert "${cert}"
+done | while read cert; do
+ is_dupe='0'
+ for chk_cert in "${certs[@]}"; do
+ if [ "${chk_cert}" = "${cert}" ]; then
+ is_dupe='1'
+
+ break
+ fi
+ done
+
+ if [ "${is_dupe}" = '1' ]; then
+ continue
+ fi
+
+ certs=("${certs[@]}" "${cert}")
+
+ echo "${cert}"
+done | while read cert; do
+ case "${opt_mode}" in
+ showcert)
+ openssl x509 -in "${cert}" -text
+ ;;
+ showfile)
+ echo "${cert}"
+ ;;
+ script)
+ i_cert="$(subjecthash_to_filename "$(openssl x509 -in "${cert}" -issuer_hash -noout)")"
+
+ s_idx="$(openssl x509 -in "${cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
+ s_shortsubject="$(openssl x509 -in "${cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
+ s_normsubject="$(echo "${s_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
+ s_filename="federal-${s_normsubject}-${s_idx}.crt"
+
+ i_idx="$(openssl x509 -in "${i_cert}" -outform der | openssl sha1 | sed 's@.*= *@@' | cut -c 1-10)"
+ i_shortsubject="$(openssl x509 -in "${i_cert}" -subject -noout | sed 's@.*=@@' | cut -c 1-20)"
+ i_normsubject="$(echo "${i_shortsubject}" | sed 's@ @@g' | dd conv=lcase 2>/dev/null)"
+ i_filename="federal-${i_normsubject}-${i_idx}.crt"
+
+ echo "cat << \_EOF_ > '${s_filename}'"
+ openssl x509 -in "${cert}"
+ echo "_EOF_"
+ echo "# NetScaler: link ssl certKey '${s_shortsubject} ${s_idx}' '${i_shortsubject} ${i_idx}'"
+ ;;
+ esac
+done
Index: build/certs/dod/Makefile
==================================================================
--- build/certs/dod/Makefile
+++ build/certs/dod/Makefile
@@ -1,6 +1,8 @@
-all: cert-0.crt
+all: certs USG-dod-bundle.pem
+
+certs: cert-0.crt
 
 rel3_dodroot_2048.cac:
 wget -O "$@.new" http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_2048.cac
 mv "$@.new" "$@"
 
@@ -16,11 +18,16 @@
 if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
 idx=$$[$$idx + 1]; \
 fi; \
 done
 
+USG-dod-bundle.pem: certs
+ ../build-tree.sh > "$@"
+
 clean:
 rm -f cert-*.crt
 rm -f rel3_dodroot_2048.cac.new
 
 distclean: clean
 rm -f rel3_dodroot_2048.cac
+
+.PHONY: all certs
Index: build/certs/federal/Makefile
==================================================================
--- build/certs/federal/Makefile
+++ build/certs/federal/Makefile
@@ -1,6 +1,8 @@
-all: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
+all: certs USG-federal-bundle.pem
+
+certs: cert-1.crt CPCA_TRCA.crt CommonPolicy.crt
 grep -l 'Issuer: C=US, O=U.S. Government, OU=FPKI, CN=Federal Bridge CA' *.crt | xargs rm -f
 grep -l 'Subject: C=US, O=U.S. Government, OU=FPKI, CN=Federal Common Policy CA' *.crt | xargs grep -H 'Issuer:' | grep -v 'Issuer: C=us, O=U.S. Government, OU=FBCA, CN=Common Policy' | cut -f 1 -d : | xargs rm -f
 
 CPCA_TRCA.crt:
 wget -O - --no-check-certificate https://pki.treas.gov/CPCA_TRCA.cer | openssl x509 -text > "$@.new"
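Review bot: In the `script)` branch, `s_filename` and `i_filename` are derived from the certificate Subject with only spaces stripped and the case folded, so a Subject containing `'` or `/` breaks out of the single-quoted redirection target in `echo "cat << \_EOF_ > '${s_filename}'"` or writes outside the current directory when the generated script is later executed; these Subjects come from downloaded certificates and should be treated as untrusted. Restricting the name to a safe character set fixes both, e.g. `s_normsubject="$(printf '%s' "${s_shortsubject}" | tr -cd 'A-Za-z0-9._-' | tr 'A-Z' 'a-z')"`, with the same change for `i_normsubject`. Separately, `print_cert` recurses on the issuer's `-issuer_hash` with no visited set, so two certificates whose issuer names point at each other (a cross-certified pair, which the `Federal Bridge CA` deletion in the federal Makefile looks like a workaround for) would never terminate, and because the lookup is by name hash only, when several certificates share a Subject (key rollover) `subjecthash_to_filename` always returns the first one listed, so the issuer order and the NetScaler `link ssl certKey` line may name a certificate that did not actually sign the child. The script also sets neither `set -e` nor `set -o pipefail`, and an unmatched issuer yields `i_cert=''` which is then handed to `openssl x509 -in ''`, so failures only show up as stderr noise while the exit status stays 0.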
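Review bot: `USG-dod-bundle.pem` runs `../build-tree.sh > "$@"` straight into the final target, while the other rule in this Makefile writes to `"$@.new"` and renames (`wget -O "$@.new"` / `mv "$@.new" "$@"`); build-tree.sh as added in this commit has no `set -e` or `pipefail`, so an `openssl` failure mid-run leaves a truncated bundle with a fresh mtime that make then treats as up to date. Use the same two-step pattern here: `../build-tree.sh > "$@.new"` followed by `mv "$@.new" "$@"`. The larger concern is that the certificates feeding this bundle appear to come from the plain-`http://` fetch of `rel3_dodroot_2048.cac` in the hunk above, and nothing in the build compares them against a known value, so this target turns whatever arrived on the wire into a trust bundle; a pinned `sha256sum -c` on the .cac, or an `openssl x509 -noout -fingerprint -sha256` comparison on the extracted roots, run before this target would make substitution detectable.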
@@ -31,11 +33,19 @@
 if [ "$${line}" == "-----END CERTIFICATE-----" ]; then \
 idx=$$[$$idx + 1]; \
 fi; \
 done
 
+USG-federal-bundle.pem: certs
+ ../build-tree.sh > "$@"
+
+USG-federal-bundle.pk7: USG-federal-bundle.pem
+ openssl crl2pkcs7 -outform der -nocrl -certfile USG-federal-bundle.pem > USG-federal-bundle.pk7
+
 clean:
- rm -f cert-*.crt
+ rm -f cert-*.crt USG-federal-bundle.pem USG-federal-bundle.pk7
 rm -f CPCA_TRCA.crt.new root_sia.p7b.new caCertsIssuedTofcpca.p7c.new CommonPolicy.crt.new
 
 distclean: clean
 rm -f CPCA_TRCA.crt root_sia.p7b caCertsIssuedTofcpca.p7c CommonPolicy.crt
+
+.PHONY: all certs
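Review bot: `USG-federal-bundle.pem` and `USG-federal-bundle.pk7` package certificates that this Makefile obtains with `wget --no-check-certificate` (the `CPCA_TRCA.crt` rule in the first hunk), and nothing between download and bundling verifies a fingerprint or a chain, so the new artifacts turn an unauthenticated download into a distributable trust store; before invoking `../build-tree.sh` the target should check its inputs, e.g. `openssl verify` of the subordinate certificates against an out-of-band-verified copy of the policy root and a pinned `openssl x509 -noout -fingerprint -sha256` comparison for the root itself. As in the sibling `dod` Makefile, write to `"$@.new"` and `mv` rather than `> "$@"`, because build-tree.sh has no `set -e` and a partially written bundle would otherwise look up to date to make. Minor: the `.pk7` rule spells out its output instead of using the automatic variables (`openssl crl2pkcs7 -outform der -nocrl -certfile $< > "$@"`), and it is removed by `clean` but not built by `all`, which may be intentional but deserves a comment.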