From 61985f642b0b5cc75fc3f254ef6c99aeb56acbe2 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Thu, 29 Aug 2019 16:14:08 -0400
Subject: [PATCH 2/3] Add script to add common root CAs

When given an NSS DB, common_roots.sh uses the trust command to extract the root CAs trusted by the local system and add them to said NSS DB.

Signed-off-by: Alexander Scheel
---
 tools/common_roots.sh | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100755 tools/common_roots.sh

diff --git a/tools/common_roots.sh b/tools/common_roots.sh
new file mode 100755
index 00000000..97341c4c
--- /dev/null
+++ b/tools/common_roots.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# This script reads the contents of the OS CA bundle store,
+# /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
+# and places the contained CAs into the specified NSS DB.
+#
+# This NSS DB is used by various JSS tests that aren't enabled
+# by default because they require an active internet connection.
+
+nssdb="$1"
+
+if [ -z "$nssdb" ] && [ -e "build" ]; then nssdb="build/results/cadb" elif [ -z "$nssdb" ] && [ -e "../build" ]; then nssdb="../build/results/cadb" else echo "Must provide path to NSS DB!" 1>&2 exit 1 fi
+
+if [ -e "$nssdb" ]; then rm -rf "$nssdb" fi
+
+mkdir -p "$nssdb" echo "" > "$nssdb/password.txt" certutil -N -d "$nssdb" -f "$nssdb/password.txt"
+
+trust extract --format=pem-bundle --filter=ca-anchors "$nssdb/complete.pem"
+
+# From: https://serverfault.com/questions/391396/how-to-split-a-pem-file csplit -f "$nssdb/individual-" "$nssdb/complete.pem" '/-----BEGIN CERTIFICATE-----/' '{*}'
+
+for cert in "$nssdb"/individual*; do certutil -A -a -i "$cert" -n "$cert" -t CT,C,C -d "$nssdb" -f "$nssdb/password.txt" done
-- 
2.21.0
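Review bot: An explicitly supplied NSS DB path never works in the new script — when `$1` is non-empty both `[ -z "$nssdb" ]` tests are false, so control falls into the `else` branch and the script exits with "Must provide path to NSS DB!"; the final branch should be `elif [ -z "$nssdb" ]; then` so that only the genuinely-missing case errors out. Once that is fixed, `rm -rf "$nssdb"` deletes whatever path the caller passed with no sanity check; writing it as `rm -rf -- "${nssdb:?}"` guards the empty case, and confirming the target looks like a DB this script created (for example that `password.txt` exists in it) before removing it would avoid wiping an unrelated directory. The script also has no `set -e`, so a failing `trust extract` or `certutil -N` is ignored and the loop silently yields an empty or partially populated DB; `set -euo pipefail` after the shebang would surface that. Finally, every extracted anchor is imported with `-t CT,C,C`, which marks it trusted for e-mail and object signing as well as TLS; if the tests only need TLS trust, `-t CT,,` keeps the trust grant narrower.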