From 809cde54166f959cdc84359306b4db22bb3f4c12 Mon Sep 17 00:00:00 2001 From: Guenter Knauf Date: Sun, 4 Sep 2011 17:05:49 +0200 Subject: [PATCH] Fix to skip untrusted certs. --- lib/mk-ca-bundle.pl | 50 +++++++++++++++++++++++++++++--------------------- 1 file changed, 29 insertions(+), 21 deletions(-) diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl index 231762e..5300bec 100755 --- a/lib/mk-ca-bundle.pl +++ b/lib/mk-ca-bundle.pl @@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/ # If the OpenSSL commandline is not in search path you can configure it here! my $openssl = 'openssl'; -my $version = '1.15'; +my $version = '1.16'; getopts('bhilnqtuv'); @@ -77,15 +77,13 @@ my $resp; unless ($opt_n and -e $txt) { print "Downloading '$txt' ...\n" if (!$opt_q); - my $ua = new LWP::UserAgent(agent => "$0/$version"); $ua->env_proxy(); $resp = $ua->mirror($url, $txt); -} - -if ($resp && $resp->code eq '304') { + if ($resp && $resp->code eq '304') { print "Not modified\n" unless $opt_q; exit 0; + } } my $currentdate = scalar gmtime($resp ? $resp->last_modified : (stat($txt))[9]); @@ -124,6 +122,7 @@ close(CRT) or die "Couldn't close $crt: $!"; print "Processing '$txt' ...\n" if (!$opt_q); my $caname; my $certnum = 0; +my $skipnum = 0; open(TXT,"$txt") or die "Couldn't open $txt: $!"; while () { if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) { @@ -147,6 +146,7 @@ while () { if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) { $caname = $1; } + my $untrusted = 0; if (/^CKA_VALUE MULTILINE_OCTAL/) { my $data; while () { @@ -158,28 +158,36 @@ while () { $data .= chr(oct); } } - my $pem = "-----BEGIN CERTIFICATE-----\n" - . MIME::Base64::encode($data) - . "-----END CERTIFICATE-----\n"; - open(CRT, ">>$crt") or die "Couldn't open $crt: $!"; - print CRT "\n$caname\n"; - print CRT ("=" x length($caname) . "\n"); - if (!$opt_t) { - print CRT $pem; + while () { + last if (/^#$/); + $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/); } - close(CRT) or die "Couldn't close $crt: $!"; - if ($opt_t) { - open(TMP, "|$openssl x509 -md5 -fingerprint -text -inform PEM >> $crt") or die "Couldn't open openssl pipe: $!"; - print TMP $pem; - close(TMP) or die "Couldn't close openssl pipe: $!"; + if ($untrusted) { + $skipnum ++; + } else { + my $pem = "-----BEGIN CERTIFICATE-----\n" + . MIME::Base64::encode($data) + . "-----END CERTIFICATE-----\n"; + open(CRT, ">>$crt") or die "Couldn't open $crt: $!"; + print CRT "\n$caname\n"; + print CRT ("=" x length($caname) . "\n"); + if (!$opt_t) { + print CRT $pem; + } + close(CRT) or die "Couldn't close $crt: $!"; + if ($opt_t) { + open(TMP, "|$openssl x509 -md5 -fingerprint -text -inform PEM >> $crt") or die "Couldn't open openssl pipe: $!"; + print TMP $pem; + close(TMP) or die "Couldn't close openssl pipe: $!"; + } + print "Parsing: $caname\n" if ($opt_v); + $certnum ++; } - print "Parsing: $caname\n" if ($opt_v); - $certnum ++; } } close(TXT) or die "Couldn't close $txt: $!"; unlink $txt if ($opt_u); -print "Done ($certnum CA certs processed).\n" if (!$opt_q); +print "Done ($certnum CA certs processed, $skipnum skipped).\n" if (!$opt_q); exit; -- 2.7.4