authorDaniel Stenberg <daniel@haxx.se>2012-09-04 23:21:15 +0200
committerDaniel Stenberg <daniel@haxx.se>2012-09-04 23:21:15 +0200
commit3a0b64489f1ae721d6647fa4fc90b7dbb91dd387 (patch)
tree227bd0ba8211965ae2d5c969b8f10f2193178417 /lib
parentee3551e45e60856eb0b779aa6cd34d77f16208a5 (diff)
mk-ca-bundle: detect start of trust section better
Each certificate section of the input certdata.txt file has a trust section following it with details. This script failed to detect the start of the trust section for at least one cert[*], which made the script continue past that section into the next one, where it found an 'untrusted' marker, and as a result that certificate was not included in the output. [*] = "Hellenic Academic and Research Institutions RootCA 2011" Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
Diffstat (limited to 'lib')
-rwxr-xr-xlib/mk-ca-bundle.pl28
1 files changed, 22 insertions, 6 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 189ed01b6..8e75d6073 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -6,7 +6,7 @@
# * | (__| |_| | _ <| |___
# * \___|\___/|_| \_\_____|
# *
-# * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+# * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
# *
# * This software is licensed as described in the file COPYING, which
# * you should have received as part of this distribution. The terms
@@ -123,6 +123,8 @@ print "Processing '$txt' ...\n" if (!$opt_q);
my $caname;
my $certnum = 0;
my $skipnum = 0;
+my $start_of_cert = 0;
+
open(TXT,"$txt") or die "Couldn't open $txt: $!";
while (<TXT>) {
if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) {
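Review bot: The new flag `my $start_of_cert = 0;` carries no comment, and its lifetime (raised on a `CKO_CERTIFICATE` header, cleared after the certificate has been written) is only discoverable by reading two later hunks. I would add `# set when a CKA_CLASS ... CKO_CERTIFICATE header is seen, cleared once that object has been processed; CKA_LABEL/CKA_VALUE lines outside that window are ignored` on the declaration. Unrelated to this change but visible on the context line below it, `open(TXT,"$txt")` is a two-argument open on a bareword handle; the three-argument form `open(TXT, '<', $txt) or die ...` keeps any leading mode characters in `$txt` from being interpreted as an open mode.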
@@ -143,11 +145,16 @@ while (<TXT>) {
print CRT "# $1\n";
close(CRT) or die "Couldn't close $crt: $!";
}
- if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) {
+
+ # this is a match for the start of a certificate
+ if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
+ $start_of_cert = 1
+ }
+ if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
$caname = $1;
}
my $untrusted = 0;
- if (/^CKA_VALUE MULTILINE_OCTAL/) {
+ if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
my $data;
while (<TXT>) {
last if (/^END/);
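Review bot: The label pattern was tightened from `\s+[A-Z0-9]+\s+` to a literal single-spaced ` UTF8 `, and the new `CKA_CLASS` pattern likewise requires exactly one space between tokens; any whitespace variation in certdata.txt now leaves `$caname` unset or never raises `$start_of_cert`, and because the `CKA_VALUE` branch is now guarded by that flag the certificate is dropped with no message and without incrementing `$skipnum`. I would keep the whitespace tolerant: `if (/^CKA_CLASS\s+CK_OBJECT_CLASS\s+CKO_CERTIFICATE/) {` and `if ($start_of_cert && /^CKA_LABEL\s+UTF8\s+\"(.*)\"/) {`, and consider a `warn` when a `CKA_VALUE` block is seen while `$start_of_cert` is false so a silently dropped root is visible in the output. Style: the assignment `$start_of_cert = 1` is missing its terminating semicolon; it parses as the last statement in the block, but `$start_of_cert = 1;` is the expected form. The enclosing `while (<TXT>)` body starts before this hunk.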
@@ -158,10 +165,18 @@ while (<TXT>) {
$data .= chr(oct);
}
}
+ # scan forwards until the trust part
while (<TXT>) {
- last if (/^#$/);
- $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
- or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/);
+ last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
+ chomp;
+ }
+ # now scan the trust part for untrusted certs
+ while (<TXT>) {
+ last if (/^#/);
+ if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
+ or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
+ $untrusted = 1;
+ }
}
if ($untrusted) {
$skipnum ++;
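Review bot: The forward scan `last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);` has no stop condition other than the trust header: if a certificate's trust section is missing, or its header differs in whitespace, the loop reads on until EOF (or through the following certificates' lines), `$untrusted` stays 0, and the certificate is written to the bundle as trusted, which is the fail-open direction for a CA bundle generator. I would stop the scan on EOF or on the next `CKO_CERTIFICATE` header and treat either as malformed input rather than default to trusted. The `chomp;` at the end of that loop is a no-op, since the line in `$_` is discarded on the next read. The `if ($untrusted)` body continues outside the hunk.
```perl
# scan forwards until the trust part
my $found_trust = 0;
while (<TXT>) {
    if (/^CKA_CLASS\s+CK_OBJECT_CLASS\s+CKO_NSS_TRUST/) {
        $found_trust = 1;
        last;
    }
    # a new certificate object before any trust section means the input
    # is malformed; do not fall through and emit the previous one as trusted
    die "No trust section found for '$caname'\n"
        if /^CKA_CLASS\s+CK_OBJECT_CLASS\s+CKO_CERTIFICATE/;
}
die "EOF before trust section for '$caname'\n" unless $found_trust;
# … unchanged: scan of the trust part for untrusted certs …
```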
@@ -183,6 +198,7 @@ while (<TXT>) {
}
print "Parsing: $caname\n" if ($opt_v);
$certnum ++;
+ $start_of_cert = 0;
}
}
}
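Review bot: `$start_of_cert = 0;` is cleared only on the path that writes the certificate; the `if ($untrusted)` branch begins in the previous hunk and its body is not fully visible here, so if it skips the rest of the loop body the flag remains set for the untrusted case. That appears harmless today because the next `CKO_CERTIFICATE` header sets it again and the trust section has already been consumed, but clearing it right after the trust scan, before `if ($untrusted) {`, would make the flag's lifetime match the object it describes on both paths: `$start_of_cert = 0;   # done with this certificate object`. The enclosing `while (<TXT>)` loop starts before this hunk.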