From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001

From: Alexander Scheel <ascheel@redhat.com>

Date: Thu, 29 Aug 2019 16:14:08 -0400

Subject: [PATCH 2/3] Add script to add common root CAs

When given an NSS DB, common_roots.sh uses the trust command to extract

the root CAs trusted by the local system and add them to said NSS DB.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

---

 tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++

 1 file changed, 36 insertions(+)

 create mode 100755 tools/common_roots.sh

diff --git a/tools/common_roots.sh b/tools/common_roots.sh

new file mode 100755

index 00000000..97341c4c

--- /dev/null

+++ b/tools/common_roots.sh

@@ -0,0 +1,36 @@

+#!/bin/bash

+

+# This script reads the contents of the OS CA bundle store,

+#   /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

+# and places the contained CAs into the specified NSS DB.

+#

+# This NSS DB is used by various JSS tests that aren't enabled

+# by default because they require an active internet connection.

+

+nssdb="$1"

+

+if [ -z "$nssdb" ] && [ -e "build" ]; then

+    nssdb="build/results/cadb"

+elif [ -z "$nssdb" ] && [ -e "../build" ]; then

+    nssdb="../build/results/cadb"

+else

+    echo "Must provide path to NSS DB!" 1>&2

+    exit 1

+fi

+

+if [ -e "$nssdb" ]; then

+    rm -rf "$nssdb"

+fi

+

+mkdir -p "$nssdb"

+echo "" > "$nssdb/password.txt"

+certutil -N -d "$nssdb" -f "$nssdb/password.txt"

+

+trust extract --format=pem-bundle  --filter=ca-anchors "$nssdb/complete.pem"

+

+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file

+csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'

+

+for cert in "$nssdb"/individual*; do

+    certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt"

+done

-- 

2.21.0