generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

mk-ca-bundle: detect start of trust section better

Browse Source 
Each certificate section of the input certdata.txt file has a trust
section following it with details.

This script failed to detect the start of the trust for at least one
cert[*], which made the script continue pass that section into the next
one where it found an 'untrusted' marker and as a result that certficate
was not included in the output.

[*] = "Hellenic Academic and Research Institutions RootCA 2011"

Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
This commit is contained in:
Daniel Stenberg
2012-09-04 23:21:15 +02:00
parent ee3551e45e
commit 3a0b64489f
1 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
lib/mk-ca-bundle.pl
View File

@@ -6,7 +6,7 @@
# * | (__| |_| | _ <| |___ # * | (__| |_| | _ <| |___
# * \___|\___/|_| \_\_____| # * \___|\___/|_| \_\_____|
# * # *
# * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al. # * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
# * # *
# * This software is licensed as described in the file COPYING, which # * This software is licensed as described in the file COPYING, which
# * you should have received as part of this distribution. The terms # * you should have received as part of this distribution. The terms
@@ -123,6 +123,8 @@ print "Processing '$txt' ...\n" if (!$opt_q);
my $caname; my $caname;
my $certnum = 0; my $certnum = 0;
my $skipnum = 0; my $skipnum = 0;
my $start_of_cert = 0;
open(TXT,"$txt") or die "Couldn't open $txt: $!"; open(TXT,"$txt") or die "Couldn't open $txt: $!";
while (<TXT>) { while (<TXT>) {
if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) { if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) {
@@ -143,11 +145,16 @@ while (<TXT>) {
print CRT "# $1\n"; print CRT "# $1\n";
close(CRT) or die "Couldn't close $crt: $!"; close(CRT) or die "Couldn't close $crt: $!";
} }
if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) {
# this is a match for the start of a certificate
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
$start_of_cert = 1
}
if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
$caname = $1; $caname = $1;
} }
my $untrusted = 0; my $untrusted = 0;
if (/^CKA_VALUE MULTILINE_OCTAL/) { if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
my $data; my $data;
while (<TXT>) { while (<TXT>) {
last if (/^END/); last if (/^END/);
@@ -158,10 +165,18 @@ while (<TXT>) {
$data .= chr(oct); $data .= chr(oct);
} }
} }
# scan forwards until the trust part
while (<TXT>) { while (<TXT>) {
last if (/^#$/); last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
$untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/ chomp;
or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/); }
# now scan the trust part for untrusted certs
while (<TXT>) {
last if (/^#/);
if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
$untrusted = 1;
}
} }
if ($untrusted) { if ($untrusted) {
$skipnum ++; $skipnum ++;
@@ -183,6 +198,7 @@ while (<TXT>) {
} }
print "Parsing: $caname\n" if ($opt_v); print "Parsing: $caname\n" if ($opt_v);
$certnum ++; $certnum ++;
$start_of_cert = 0;
} }
} }
} }