sigsolucoes/ca-certificates-brazil
3
0
Fork 0
mirror of https://github.com/ekaaty/ca-certificates-brazil.git synced 2025-12-06 01:22:38 -03:00
Code Issues Actions Packages Projects Releases Wiki Activity

Replaced crt2bundle by cert-tool

Browse Source
This commit is contained in:
Christian Tosta
2025-08-04 11:38:45 -03:00
parent 830ac413d3
commit cddcb9ab39
3 changed files with 222 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
CMakeLists.txt
View File

@@ -29,72 +29,61 @@ set(SourceFiles
include(CPackLists.txt)
add_custom_target(clear-cache
COMMAND rm -rf cache/
)
add_custom_target(clear-certs
COMMAND rm -rf
certs/
docs/
pki/
COMMAND rm -rf certs/
)
add_custom_target(clear-anchors
COMMAND rm -rf pki/
)
add_custom_target(clear-docs
COMMAND rm -rf
docs/
COMMAND rm -rf docs/
)
add_custom_target(clear-all
DEPENDS
clear-anchors
clear-cache
clear-certs
clear-docs
)
add_custom_target(sources
COMMAND xargs -n1
curl
--create-dirs
--output-dir cache
-ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
DEPENDS
clear-cache
)
add_custom_target(certs
COMMAND xargs -n1
curl
--create-dirs
--output-dir certs
-ksO < ${CMAKE_CURRENT_SOURCE_DIR}/sources
&& cd certs
&& (sha512sum -c --quiet ${HASH_FILE} || exit -1)
&& unzip ACcompactado.zip
&& rm -f ACcompactado.zip ${HASH_FILE}
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool extract
&& ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool classify
DEPENDS
clear-certs
)
add_custom_target(docs ALL
COMMAND mkdir docs
&& mv certs/*.pdf docs/
DEPENDS
clear-docs
certs
)
add_custom_target(isrg-root-x2.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/isrg-root-x2.crt
certs/isrg-root-x2.pem
DEPENDS
certs
)
add_custom_target(lets-encrypt-ca-bundle.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
certs/lets-encrypt-e1.pem
certs/lets-encrypt-e2.pem
certs/lets-encrypt-r3.pem
certs/lets-encrypt-r4.pem
DEPENDS
certs
)
add_custom_target(icp-brasil-ca-bundle.crt
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/crt2bundle.sh
pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
certs/*.crt
DEPENDS
certs
sources
)
add_custom_target(anchors ALL
COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/utils/cert-tool anchors
DEPENDS
isrg-root-x2.crt
lets-encrypt-ca-bundle.crt
icp-brasil-ca-bundle.crt
clear-anchors
certs
)
add_custom_target(docs ALL
COMMAND mkdir docs
&& cp cache/*.pdf docs/
DEPENDS
clear-docs
sources
)
# Checks for OpeSSL utility
@@ -124,12 +113,12 @@ endif()
message("-- Set install path to CA certificates: ${CACERT_INSTALL_DIR}")
install(
FILES
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/isrg-root-x2.crt
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/lets-encrypt-ca-bundle.crt
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/icp-brasil-ca-bundle.crt
DIRECTORY
${CMAKE_CURRENT_BINARY_DIR}/pki/ca-trust-source/anchors/.
DESTINATION
${CMAKE_INSTALL_PREFIX}/${CACERT_INSTALL_DIR}
FILES_MATCHING
PATTERN "*.crt"
)
set(DOCS_INSTALL_DIR "share/doc/${PROJECT_NAME}")

14
crt2bundle.sh
View File

@@ -1,14 +0,0 @@
#!/bin/bash
out=${1}
mkdir -p $(dirname ${out})
shift
in=''
for c in ${*}; do
echo "+ Loading CA certificate: ${c}";
in="${in} -certfile ${c}";
done;
openssl crl2pkcs7 -nocrl ${in} \
| openssl pkcs7 -print_certs -out ${out}

176
utils/cert-tool Executable file
View File

@@ -0,0 +1,176 @@
#!/bin/bash
set -euo pipefail
check_cert_validity() {
local cert=("${@}")
# Get validity dates of certificate
local expire=$(printf "%s\\n" "${cert[@]:1}" \
| openssl x509 \
-noout \
-dates \
| sed '/notAfter/!d;s/notAfter=//g;s/ /\\ /g' \
| xargs date +%s -d
)
# Checks if certificate is valid at this date
if [[ ${expire} -gt $(date +%s -d now) ]]; then
return 0
else
printf "%s: %s [%s %s]\\n" \
$"-- WARNING" \
$"Certificate was expired" \
$"Fingerprint=(SHA256)" \
${cert[0]}
return 1
fi
}
unzip_fingerprint() {
local zip_source=${1:-}
local fp_algo=sha256
local files=$(
[[ -f "${zip_source}" ]] && \
(unzip -qql ${zip_source} | awk '{print $4}')
)
# Unzip cert into array and compute their fingerprint
printf "%s: %s\\n" $"Archive" "${zip_source}"
local file; for file in ${files}; do
readarray -t cert < <(
unzip -p ${zip_source} ${file} \
| openssl x509 \
-fingerprint \
-${fp_algo} \
| sed 's/.*Fingerprint=//g;s/://g'
)
# Check validity dates of certificate then writes it to disk
if check_cert_validity "${cert[@]}"; then
local cert_file="certs/${cert[0]}.crt"
printf " %s %s\\n" $"Inflating" "certs/${file}"
#printf " %s %s\\n" $"Inflating" "certs/${cert[0]}.crt"
#printf " - %s=(%s) %s\\n" "Fingerprint" "${fp_algo^^}" "${cert[0]}"
printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
fi
done
}
copy_fingerprint() {
local cert_source=${1:-}
local fp_algo=sha256
readarray -t cert < <(
cat ${cert_source} \
| openssl x509 \
-fingerprint \
-${fp_algo} \
| sed 's/.*Fingerprint=//g;s/://g'
)
# Check validity dates of certificate then writes it to disk
if check_cert_validity "${cert[@]}"; then
local cert_file="certs/${cert[0]}.crt"
printf "%s %s\\n" $"Copying" "certs/${cert_source}"
printf "%s\\n" "${cert[@]:1}" > "${cert_file}"
fi
}
#split() {
# local certs=("${@}")
#
# printf "%s\\n" "${certs[@]}" \
# | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
# | csplit \
# --quiet \
# --elide-empty-files \
# --prefix ${random_prefix:-}-cert \
# --suffix-format=-%02d.crt \
# - '/-END CERTIFICATE-/1' \
# '{*}'
#}
function extract() {
local file
mkdir -p certs
find cache -type f | while read file; do
case "$(file -b --mime-type ${file})" in
application/zip) unzip_fingerprint "${file}" ;;
application/x-pem-file) copy_fingerprint ${file} ;;
esac
done
}
function classify() {
# Create classified output directories
mkdir -p certs/{ca-root,ca-trust,servers}
# Process and classify generated files
echo -e "\n-- CLASSIFYING CACHED CERTIFICATES\n"
count=0
cert_files=$(find certs/ -maxdepth 1 -type f)
for cert_file in ${cert_files}; do
fingerprint="(SHA256) ${cert_file}"
echo "+ Processing certificate [Fingerprint: ${fingerprint}]"
issuer=$(openssl x509 -in "${cert_file}" -noout -issuer | sed 's/^issuer=//g')
issuer_o=$(echo "${issuer}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
subject=$(openssl x509 -in "${cert_file}" -noout -subject | sed 's/^subject=//g')
subject_o=$(echo "${subject}" | grep -iPo 'O\s*=\s*\K[^,]+' || :)
subject_cn=$(echo "${subject}" | grep -iPo 'CN\s*=\s*\K[^,]+' || :)
cert_o=$(echo "${subject_o^^}" | sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g")
cert_cn=$(echo "${subject_cn}" | sed -E "s/\s/_/g;s/\/.*//g;s/^\*\./wildcard-/g")
# save temporary pem file to .CRT file
if [[ "${subject_cn}" =~ "gov.br" ]]; then # it's a server certificate
cert_crt_file="${issuer_o^^}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/servers/${cert_crt_file}"
let count=count+1
elif [[ "${subject}" == "${issuer}" ]]; then # it's a root certificate (self-signed)
cert_crt_file="${cert_o}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/ca-root/${cert_crt_file}"
let count=count+1
else # it's an intermediate certificate
cert_crt_file="${cert_o}-${cert_cn}.crt"
openssl x509 -in "${cert_file}" -out "certs/ca-trust/${cert_crt_file}"
let count=count+1
fi
done
echo "-- Processed certificates: ${count}"
}
function anchors() {
echo -e "\n-- GENERATING P11-KIT SOURCE ANCHORS"
local ca_list=$(
(for cert in certs/{ca-root,ca-trust}/*.crt; do
openssl x509 -in ${cert} -noout -subject \
| grep -iPo 'O\s*=\s*\K[^,]+' \
| sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
done;
for cert in certs/servers/*.crt; do
openssl x509 -in ${cert} -noout -issuer \
| grep -iPo 'O\s*=\s*\K[^,]+' \
| sed -E "s/\s/_/g;s/'//g;s/\/.*//g;s/\*\.//g;s/.*/\U&/";
done;) | sort -u)
for ca in ${ca_list}; do
echo -e "\n-> Generating p11-kit source anchors for CA \"${ca}\""
local out=pki/ca-trust-source/anchors/${ca,,}-ca-bundle.crt
mkdir -p $(dirname ${out}); in=
for c in $(find certs/{ca-root,ca-trust,servers}/ -name ${ca}*); do
echo "+ Loading CA certificate: ${c}"
in="${in} -certfile ${c}"
done \
&& openssl crl2pkcs7 -nocrl ${in} \
| openssl pkcs7 -print_certs -out ${out}
done
}
cmd=${@:1}; shift
${cmd} ${@}
exit 0
# vim: ts=2:sw=2:sts=2:et