From d2c6d1568e85b97cf3a74437709c52885da6aab8 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Tue, 25 Oct 2016 03:17:26 -0400
Subject: mk-ca-bundle: Update the vbscript version

Bring the VBScript version more in line with the perl version:

- Change timestamp to UTC.

- Change URL retrieval to HTTPS-only by default.

- Comment out the options that disabled SSL cert checking by default.

- Assume OpenSSL is present, get SHA256. And add a flag to toggle it.

- Fix cert issuer name output.

The cert issuer output is now ansi, converted from UTF-8. Prior to this
it was corrupt UTF-8. It turns out though we can work with UTF-8 the
FSO object that writes ca-bundle can't write UTF-8, so there will have
to be some alternative if UTF-8 is needed (like an ADODB.Stream).

- Disable the certificate text info feature.

The certificate text info doesn't work properly with any recent OpenSSL.
---
 lib/mk-ca-bundle.pl  |   5 ++-
 lib/mk-ca-bundle.vbs | 114 +++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 101 insertions(+), 18 deletions(-)

(limited to 'lib')

diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 38e7ff73c..75278f168 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -244,7 +244,8 @@ sub sha256 {
     close(FILE);
   } else {
     # Use OpenSSL command if Perl Digest::SHA modules not available
-    $result = (split(/ |\r|\n/,`$openssl dgst -sha256 $_[0]`))[1];
+    $result = `"$openssl" dgst -r -sha256 "$_[0]"`;
+    $result =~ s/^([0-9a-f]{64}) .+/$1/is;
   }
   return $result;
 }
@@ -392,7 +393,7 @@ print CRT <<EOT;
 ##
 ## Bundle of CA Root Certificates
 ##
-## Certificate data from Mozilla ${datesrc}: ${currentdate}
+## Certificate data from Mozilla ${datesrc}: ${currentdate} GMT
 ##
 ## This is a bundle of X.509 certificates of public Certificate Authorities
 ## (CA). These were automatically extracted from Mozilla's root certificates
diff --git a/lib/mk-ca-bundle.vbs b/lib/mk-ca-bundle.vbs
index b0d942779..38eb48aba 100755
--- a/lib/mk-ca-bundle.vbs
+++ b/lib/mk-ca-bundle.vbs
@@ -26,17 +26,20 @@
 '* Hacked by Guenter Knauf
 '***************************************************************************
 Option Explicit
-Const myVersion = "0.3.9"
+Const myVersion = "0.4.0"
 
-Const myUrl = "http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+Const myUrl = "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
 Const myOpenssl = "openssl.exe"
 
-Const myCdSavF = FALSE       ' Flag: save downloaded data to file certdata.txt
+Const myUseOpenSSL = TRUE    ' Flag: set FALSE if openssl is not present
+Const myCdSavF = TRUE        ' Flag: save downloaded data to file certdata.txt
 Const myCaBakF = TRUE        ' Flag: backup existing ca-bundle certificate
 Const myAskLiF = TRUE        ' Flag: display certdata.txt license agreement
-Const myAskTiF = TRUE        ' Flag: ask to include certificate text info
 Const myWrapLe = 76          ' Default length of base64 output lines
 
+' cert info code doesn't work properly with any recent openssl, leave disabled.
+Const myAskTiF = FALSE       ' Flag: ask to include certificate text info
+
 '******************* Nothing to configure below! *******************
 Dim objShell, objNetwork, objFSO, objHttp
 Dim myBase, mySelf, myFh, myTmpFh, myCdData, myCdFile, myCaFile, myTmpName, myBakNum, myOptTxt, i
@@ -53,8 +56,12 @@ myTmpName = InputBox("Enter output filename:", mySelf, myCaFile)
 If Not (myTmpName = "") Then
   myCaFile = myTmpName
 End If
-' Lets ignore SSL invalid cert errors
-objHttp.Option(4) = 256 + 512 + 4096 + 8192
+If (myCdFile = "") Then
+  MsgBox("URL does not contain filename!"), vbCritical, mySelf
+  WScript.Quit 1
+End If
+' Uncomment the line below to ignore SSL invalid cert errors
+' objHttp.Option(4) = 256 + 512 + 4096 + 8192
 objHttp.SetTimeouts 0, 5000, 10000, 10000
 objHttp.Open "GET", myUrl, FALSE
 objHttp.setRequestHeader "User-Agent", WScript.ScriptName & "/" & myVersion
@@ -63,15 +70,13 @@ If Not (objHttp.Status = 200) Then
   MsgBox("Failed to download '" & myCdFile & "': " & objHttp.Status & " - " & objHttp.StatusText), vbCritical, mySelf
   WScript.Quit 1
 End If
-' Convert data from ResponseBody instead of using ResponseText because of UTF-8
-myCdData = ConvertBinaryData(objHttp.ResponseBody)
-Set objHttp = Nothing
 ' Write received data to file if enabled
 If (myCdSavF = TRUE) Then
-  Set myFh = objFSO.OpenTextFile(myCdFile, 2, TRUE)
-  myFh.Write myCdData
-  myFh.Close
+  Call SaveBinaryData(myCdFile, objHttp.ResponseBody)
 End If
+' Convert data from ResponseBody instead of using ResponseText because of UTF-8
+myCdData = ConvertBinaryData(objHttp.ResponseBody)
+Set objHttp = Nothing
 ' Backup exitsing ca-bundle certificate file
 If (myCaBakF = TRUE) Then
   If objFSO.FileExists(myCaFile) Then
@@ -104,20 +109,27 @@ myData = ""
 myLines = Split(myCdData, vbLf, -1)
 Set myFh = objFSO.OpenTextFile(myCaFile, 2, TRUE)
 myFh.Write "##" & vbLf
-myFh.Write "## " & myCaFile & " -- Bundle of CA Root Certificates" & vbLf
+myFh.Write "## Bundle of CA Root Certificates" & vbLf
 myFh.Write "##" & vbLf
-myFh.Write "## Converted at: " & Now & vbLf
+myFh.Write "## Certificate data from Mozilla as of: " & _
+  ConvertDateToString(LocalDateToUTC(Now)) & " GMT" & vbLf
 myFh.Write "##" & vbLf
 myFh.Write "## This is a bundle of X.509 certificates of public Certificate Authorities" & vbLf
 myFh.Write "## (CA). These were automatically extracted from Mozilla's root certificates" & vbLf
 myFh.Write "## file (certdata.txt).  This file can be found in the mozilla source tree:" & vbLf
-myFh.Write "## '/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt'" & vbLf
+myFh.Write "## " & myUrl & vbLf
 myFh.Write "##" & vbLf
 myFh.Write "## It contains the certificates in PEM format and therefore" & vbLf
 myFh.Write "## can be directly used with curl / libcurl / php_curl, or with" & vbLf
 myFh.Write "## an Apache+mod_ssl webserver for SSL client authentication." & vbLf
 myFh.Write "## Just configure this file as the SSLCACertificateFile." & vbLf
 myFh.Write "##" & vbLf
+myFh.Write "## Conversion done with mk-ca-bundle.vbs version " & myVersion & "." & vbLf
+If (myCdSavF = TRUE) And (myUseOpenSSL = TRUE) Then
+  myFh.Write "## SHA256: " & FileSHA256(myCdFile) & vbLf
+End If
+myFh.Write "##" & vbLf & vbLf
+
 myFh.Write vbLf
 For i = 0 To UBound(myLines)
   If InstrRev(myLines(i), "CKA_LABEL ") Then
@@ -216,11 +228,24 @@ Function ConvertBinaryData(arrBytes)
   objStream.Write arrBytes
   objStream.Position = 0
   objStream.Type = 2
-  objStream.Charset = "ascii"
+  objStream.Charset = "utf-8"
   ConvertBinaryData = objStream.ReadText
   Set objStream = Nothing
 End Function
 
+Function SaveBinaryData(filename, data)
+  Const adTypeBinary = 1
+  Const adSaveCreateOverWrite = 2
+  Dim objStream
+  Set objStream = CreateObject("ADODB.Stream")
+  objStream.Type = adTypeBinary
+  objStream.Open
+  objStream.Write data
+  objStream.SaveToFile filename, adSaveCreateOverWrite
+  objStream.Close
+  Set objStream = Nothing
+End Function
+
 Function RegExprFirst(SearchPattern, TheString)
   Dim objRegExp, Matches                        ' create variables.
   Set objRegExp = New RegExp                    ' create a regular expression.
@@ -283,4 +308,61 @@ Function MyASC(OneChar)
   If OneChar = "" Then MyASC = 0 Else MyASC = Asc(OneChar)
 End Function
 
+' Return the date in the same format as perl to match mk-ca-bundle.pl output:
+' Wed Sep  7 03:12:05 2016
+Function ConvertDateToString(input)
+  Dim output
+  output = WeekDayName(WeekDay(input), TRUE) & " " & _
+           MonthName(Month(input), TRUE) & " "
+  If (Len(Day(input)) = 1) Then
+    output = output & " "
+  End If
+  output = output & _
+           Day(input) & " " & _
+           FormatDateTime(input, vbShortTime) & ":"
+  If (Len(Second(input)) = 1) Then
+    output = output & "0"
+  End If
+  output = output & _
+           Second(input) & " " & _
+           Year(input)
+  ConvertDateToString = output
+End Function
+
+' Convert local Date to UTC. Microsoft says:
+' Use Win32_ComputerSystem CurrentTimeZone property, because it automatically
+' adjusts the Time Zone bias for daylight saving time; Win32_Time Zone Bias
+' property does not.
+' https://msdn.microsoft.com/en-us/library/windows/desktop/ms696015.aspx
+Function LocalDateToUTC(localdate)
+  Dim item, offset
+  For Each item In GetObject("winmgmts:").InstancesOf("Win32_ComputerSystem")
+    offset = item.CurrentTimeZone ' the offset in minutes
+  Next
+  If (offset < 0) Then
+    LocalDateToUTC = DateAdd("n",  ABS(offset), localdate)
+  Else
+    LocalDateToUTC = DateAdd("n", -ABS(offset), localdate)
+  End If
+  'objShell.PopUp LocalDateToUTC
+End Function
 
+Function FileSHA256(filename)
+  Dim cmd, rval, tmpOut, tmpFh
+  if (myUseOpenSSL = TRUE) Then
+    tmpOut = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
+    cmd = """" & myOpenssl & """ dgst -r -sha256 -out """ & tmpOut & """ """ & filename & """"
+    rval = objShell.Run(cmd, 0, TRUE)
+    If Not (rval = 0) Then
+      MsgBox("Failed to get sha256 of """ & filename & """ with OpenSSL commandline!"), vbCritical, mySelf
+      objFSO.DeleteFile tmpOut, TRUE
+      WScript.Quit 3
+    End If
+    Set tmpFh = objFSO.OpenTextFile(tmpOut, 1)
+    FileSHA256 = RegExprFirst("^([0-9a-f]{64}) .+", tmpFh.ReadAll)
+    tmpFh.Close
+    objFSO.DeleteFile tmpOut, TRUE
+  Else
+    FileSHA256 = ""
+  End If
+End Function
-- 
cgit v1.2.3