diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2014-08-13 23:42:53 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2014-08-13 23:42:53 +0200 |
| commit | 57b53918d1139bff572d84e5e0a71ae4c514d3c2 (patch) | |
| tree | 2a8bf658ca5ddc17f988884df782bdcc393b1fbc /lib/mk-ca-bundle.pl | |
| parent | fc5a5a4f073eda85ead58c5b36f88eddcffba749 (diff) | |
mk-ca-bundle.pl: switched to using hg.mozilla.org
... as mxr.mozilla.org is due to be retired.
The new host doesn't support If-Modified-Since nor ETags, meaning that
the script will now defer to download and do a post-transfer checksum
check to see if a new output is to be generated. The new output format
will hold the SHA1 checksum of the source file for that purpose.
We call this version 1.22
Reported-by: Ed Morley
Bug: http://curl.haxx.se/bug/view.cgi?id=1409
Diffstat (limited to 'lib/mk-ca-bundle.pl')
| -rwxr-xr-x | lib/mk-ca-bundle.pl | 71 |
1 files changed, 56 insertions, 15 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl index 232c36e4f..9c86cc208 100755 --- a/lib/mk-ca-bundle.pl +++ b/lib/mk-ca-bundle.pl @@ -40,17 +40,15 @@ use Text::Wrap; my %urls = ( 'nss' => - 'http://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1', + 'http://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt', 'central' => - 'http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1', + 'http://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt', 'aurora' => - 'http://mxr.mozilla.org/mozilla-aurora/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1', + 'http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt', 'beta' => - 'http://mxr.mozilla.org/mozilla-beta/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1', + 'http://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt', 'release' => - 'http://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1', - 'mozilla' => - 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1' + 'http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt', ); $opt_d = 'release'; @@ -58,7 +56,7 @@ $opt_d = 'release'; # If the OpenSSL commandline is not in search path you can configure it here! my $openssl = 'openssl'; -my $version = '1.21'; +my $version = '1.22'; $opt_w = 76; # default base64 encoded lines length @@ -209,6 +207,28 @@ sub PARSE_CSV_PARAM($$@) { return @values; } +sub sha1 { + my ($txt)=@_; + my $sha1 = `$openssl dgst -sha1 $txt | cut '-d ' -f2`; + chomp $sha1; + return sha1; +} + +sub oldsha1 { + my ($crt)=@_; + my $sha1=""; + open(C, "<$crt"); + while(<C>) { + chomp; + if($_ =~ /^\#\# SHA1: (.*)/) { + $sha1 = $1; + last; + } + } + close(C); + return $sha1; +} + if ( $opt_p !~ m/:/ ) { print "Error: Mozilla trust identifier list must include both purposes and levels\n"; HELP_MESSAGE(); @@ -238,6 +258,10 @@ my $stdout = $crt eq '-'; my $resp; my $fetched; +my $oldsha1= oldsha1($crt); + +print STDERR "SHA1 of old file: $oldsha1\n"; + unless ($opt_n and -e $txt) { print STDERR "Downloading '$txt' ...\n" if (!$opt_q); my $ua = new LWP::UserAgent(agent => "$0/$version"); @@ -257,7 +281,25 @@ unless ($opt_n and -e $txt) { } } -my $currentdate = scalar gmtime($fetched ? $resp->last_modified : (stat($txt))[9]); +my $filedate = $fetched ? $resp->last_modified : (stat($txt))[9]; +my $datesrc = "as of"; +if(!$filedate) { + # mxr.mozilla.org gave us a time, hg.mozilla.org does not! + $filedate = time(); + $datesrc="downloaded on"; +} + +# get the hash from the download file +my $newsha1= sha1($txt); + +if($oldsha1 eq $newsha1) { + print STDERR "Downloaded file identical to previous run\'s source file. Exiting\n"; + exit; +} + +print STDERR "SHA1 of new file: $newsha1\n"; + +my $currentdate = scalar gmtime($filedate); my $format = $opt_t ? "plain text and " : ""; if( $stdout ) { @@ -267,9 +309,9 @@ if( $stdout ) { } print CRT <<EOT; ## -## $crt -- Bundle of CA Root Certificates +## Bundle of CA Root Certificates ## -## Certificate data from Mozilla as of: ${currentdate} +## Certificate data from Mozilla ${datesrc}: ${currentdate} ## ## This is a bundle of X.509 certificates of public Certificate Authorities ## (CA). These were automatically extracted from Mozilla's root certificates @@ -281,6 +323,9 @@ print CRT <<EOT; ## an Apache+mod_ssl webserver for SSL client authentication. ## Just configure this file as the SSLCACertificateFile. ## +## Conversion done with mk-ca-bundle.pl verison $version. +## SHA1: $newsha1 +## EOT @@ -415,7 +460,3 @@ unless( $stdout ) { } unlink $txt if ($opt_u); print STDERR "Done ($certnum CA certs processed, $skipnum skipped).\n" if (!$opt_q); - -exit; - - |