author | Daniel Stenberg <daniel@haxx.se> | 2012-09-04 23:21:15 +0200 |
committer | Daniel Stenberg <daniel@haxx.se> | 2012-09-04 23:21:15 +0200 |
commit | 3a0b64489f1ae721d6647fa4fc90b7dbb91dd387 (patch) | |
tree | 227bd0ba8211965ae2d5c969b8f10f2193178417 /lib | |
parent | ee3551e45e60856eb0b779aa6cd34d77f16208a5 (diff) |
mk-ca-bundle: detect start of trust section better
Each certificate section of the input certdata.txt file has a trust
section following it with details.
This script failed to detect the start of the trust section for at least one
cert[*], which made the script continue past that section into the next
one, where it found an 'untrusted' marker; as a result that certificate
was not included in the output.
[*] = "Hellenic Academic and Research Institutions RootCA 2011"
Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
Diffstat (limited to 'lib')
-rwxr-xr-x | lib/mk-ca-bundle.pl | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 189ed01b6..8e75d6073 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -6,7 +6,7 @@
 # * | (__| |_| | _ <| |___
 # * \___|\___/|_| \_\_____|
 # *
-# * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+# * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 # *
 # * This software is licensed as described in the file COPYING, which
 # * you should have received as part of this distribution. The terms
@@ -123,6 +123,8 @@ print "Processing '$txt' ...\n" if (!$opt_q);
 my $caname;
 my $certnum = 0;
 my $skipnum = 0;
+my $start_of_cert = 0;
+
 open(TXT,"$txt") or die "Couldn't open $txt: $!";
 while (<TXT>) {
 if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) {
@@ -143,11 +145,16 @@ while (<TXT>) {
 print CRT "# $1\n";
 close(CRT) or die "Couldn't close $crt: $!";
 }
- if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) {
+
+ # this is a match for the start of a certificate
+ if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
+ $start_of_cert = 1
+ }
+ if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
 $caname = $1;
 }
 my $untrusted = 0;
- if (/^CKA_VALUE MULTILINE_OCTAL/) {
+ if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
 my $data;
 while (<TXT>) {
 last if (/^END/);
@@ -158,10 +165,18 @@ while (<TXT>) {
 $data .= chr(oct);
 }
 }
+ # scan forwards until the trust part
 while (<TXT>) {
- last if (/^#$/);
- $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/);
+ last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
+ chomp;
+ }
+ # now scan the trust part for untrusted certs
+ while (<TXT>) {
+ last if (/^#/);
+ if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
+ $untrusted = 1;
+ }
 }
 if ($untrusted) {
 $skipnum ++;
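Review bot: `$start_of_cert = 1` in the new CKO_CERTIFICATE branch has no trailing semicolon; it parses only because it is the last statement in its block, and every other statement in the file is terminated, so `$start_of_cert = 1;` is the consistent form and survives a later line being appended. The rewritten label match `/^CKA_LABEL UTF8 \"(.*)\"/` also replaces the earlier `\s+[A-Z0-9]+\s+` with one literal space and the literal `UTF8` type, so the match now depends on the exact spacing and attribute type in certdata.txt; if that tightening is intentional, a comment such as `# certdata.txt attribute lines are matched literally, including spacing` would tell the next maintainer not to loosen it by accident. The enclosing `while (<TXT>)` loop starts before this hunk.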
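Review bot: The first `while (<TXT>)` loop added in the `@@ -158,10 +165,18 @@` hunk runs to end of file when no `CKO_NSS_TRUST` line follows a certificate, and because `$untrusted` is initialised to 0 just above, a certificate whose trust object is missing or truncated is then written to the bundle as trusted; the same scan also does not stop at a following `CKO_CERTIFICATE` line, so a certificate without a trust object would, as far as I can tell, be judged by another certificate's trust flags. Defaulting to untrusted when no trust object is reached keeps the output fail-closed, which is the safer outcome for a CA bundle. The `chomp;` in that loop has no effect, since the line is discarded. The `if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/)` block enclosing these loops begins in the previous hunk, and the `if ($untrusted)` block continues past the end of this one.
```perl
    # scan forwards until the trust part
    my $found_trust = 0;
    while (<TXT>) {
      if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
        $found_trust = 1;
        last;
      }
    }
    # no trust object reached (e.g. EOF): never treat the cert as trusted
    $untrusted = 1 if (!$found_trust);
    # … unchanged: scan the trust part for untrusted certs …
```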
@@ -183,6 +198,7 @@ while (<TXT>) {
 }
 print "Parsing: $caname\n" if ($opt_v);
 $certnum ++;
+ $start_of_cert = 0;
 }
 }
 }
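Review bot: The `$start_of_cert = 0;` reset sits after `$certnum ++`, which, judging from the `if ($untrusted) { $skipnum ++;` at the end of the previous hunk, appears to be the branch that only runs for certificates that are written out, so a skipped certificate leaves the flag set until the next `CKO_CERTIFICATE` line sets it again. Moving the reset to just after the `if ($untrusted)`/else block, at the end of the `CKA_VALUE MULTILINE_OCTAL` handling, clears it for both outcomes and makes the flag's lifetime match one certificate record. The enclosing if/else starts outside this hunk, so the branch structure is inferred from context.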