From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Thu, 29 Aug 2019 16:14:08 -0400
Subject: [PATCH 2/3] Add script to add common root CAs

When given an NSS DB, common_roots.sh uses the trust command to extract
the root CAs trusted by the local system and add them to said NSS DB.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
 tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 tools/common_roots.sh

diff --git a/tools/common_roots.sh b/tools/common_roots.sh
new file mode 100755
index 00000000..97341c4c
--- /dev/null
+++ b/tools/common_roots.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script reads the contents of the OS CA bundle store,
+#   /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
+# and places the contained CAs into the specified NSS DB.
+#
+# This NSS DB is used by various JSS tests that aren't enabled
+# by default because they require an active internet connection.
+
+nssdb="$1"
+
+if [ -z "$nssdb" ] && [ -e "build" ]; then
+    nssdb="build/results/cadb"
+elif [ -z "$nssdb" ] && [ -e "../build" ]; then
+    nssdb="../build/results/cadb"
+else
+    echo "Must provide path to NSS DB!" 1>&2
+    exit 1
+fi
+
+if [ -e "$nssdb" ]; then
+    rm -rf "$nssdb"
+fi
+
+mkdir -p "$nssdb"
+echo "" > "$nssdb/password.txt"
+certutil -N -d "$nssdb" -f "$nssdb/password.txt"
+
+trust extract --format=pem-bundle  --filter=ca-anchors "$nssdb/complete.pem"
+
+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file
+csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+for cert in "$nssdb"/individual*; do
+    certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt"
+done
-- 
2.21.0