#!/usr/bin/perl

# Copyright (C) 2007, 2008 Red Hat, Inc.

#

# This program is free software; you can redistribute it and/or modify

# it under the terms of the GNU General Public License as published by

# the Free Software Foundation; either version 2 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU General Public License for more details.

# generate-cacerts.pl generates a JKS keystore named 'cacerts' from

# OpenSSL's certificate bundle using OpenJDK's keytool.

# First extract each of OpenSSL's bundled certificates into its own

# aliased filename.

# Downloaded from http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/F-12/generate-cacerts.pl?revision=1.2

# Check and prevention of duplicate aliases added by Vlastimil Babka <caster@gentoo.org>

$file = $ARGV[1];

open(CERTS, $file);

@certs = <CERTS>;

close(CERTS);

$pem_file_count = 0;

$in_cert_block = 0;

$write_current_cert = 1;

foreach $cert (@certs)

{

    if ($cert =~ /Issuer: /)

    {

        $_ = $cert;

        if ($cert =~ /personal-freemail/)

        {

            $cert_alias = "thawtepersonalfreemailca";

        }

        elsif ($cert =~ /personal-basic/)

        {

            $cert_alias = "thawtepersonalbasicca";

        }

        elsif ($cert =~ /personal-premium/)

        {

            $cert_alias = "thawtepersonalpremiumca";

        }

        elsif ($cert =~ /server-certs/)

        {

            $cert_alias = "thawteserverca";

        }

        elsif ($cert =~ /premium-server/)

        {

            $cert_alias = "thawtepremiumserverca";

        }

        elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)

        {

            $cert_alias = "verisignclass1ca";

        }

        elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)

        {

            $cert_alias = "verisignclass1g2ca";

        }

        elsif ($cert =~

               /VeriSign Class 1 Public Primary Certification Authority - G3/)

        {

            $cert_alias = "verisignclass1g3ca";

        }

        elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)

        {

            $cert_alias = "verisignclass2ca";

        }

        elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)

        {

            $cert_alias = "verisignclass2g2ca";

        }

        elsif ($cert =~

               /VeriSign Class 2 Public Primary Certification Authority - G3/)

        {

            $cert_alias = "verisignclass2g3ca";

        }

        elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)

        {

            $cert_alias = "verisignclass3ca";

        }

        # Version 1 of Class 3 Public Primary Certification Authority

        # - G2 is added.  Version 3 is excluded.  See below.

        elsif ($cert =~

               /VeriSign Class 3 Public Primary Certification Authority - G3/)

        {

            $cert_alias = "verisignclass3g3ca";

        }

        elsif ($cert =~

               /RSA Data Security.*Secure Server Certification Authority/)

        {

            $cert_alias = "verisignserverca";

        }

        elsif ($cert =~ /GTE CyberTrust Global Root/)

        {

            $cert_alias = "gtecybertrustglobalca";

        }

        elsif ($cert =~ /Baltimore CyberTrust Root/)

        {

            $cert_alias = "baltimorecybertrustca";

        }

        elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)

        {

            $cert_alias = "entrustclientca";

        }

        elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)

        {

            $cert_alias = "entrustglobalclientca";

        }

        elsif ($cert =~ /www.entrust.net\/CPS_2048/)

        {

            $cert_alias = "entrust2048ca";

        }

        elsif ($cert =~ /www.entrust.net\/CPS /)

        {

            $cert_alias = "entrustsslca";

        }

        elsif ($cert =~ /www.entrust.net\/SSL_CPS/)

        {

            $cert_alias = "entrustgsslca";

        }

        elsif ($cert =~ /The Go Daddy Group/)

        {

            $cert_alias = "godaddyclass2ca";

        }

        elsif ($cert =~ /Starfield Class 2 Certification Authority/)

        {

            $cert_alias = "starfieldclass2ca";

        }

        elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)

        {

            $cert_alias = "valicertclass2ca";

        }

        elsif ($cert =~ /GeoTrust Global CA$/)

        {

            $cert_alias = "geotrustglobalca";

        }

        elsif ($cert =~ /Equifax Secure Certificate Authority/)

        {

            $cert_alias = "equifaxsecureca";

        }

        elsif ($cert =~ /Equifax Secure eBusiness CA-1/)

        {

            $cert_alias = "equifaxsecureebusinessca1";

        }

        elsif ($cert =~ /Equifax Secure eBusiness CA-2/)

        {

            $cert_alias = "equifaxsecureebusinessca2";

        }

        elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)

        {

            $cert_alias = "equifaxsecureglobalebusinessca1";

        }

        elsif ($cert =~ /Sonera Class1 CA/)

        {

            $cert_alias = "soneraclass1ca";

        }

        elsif ($cert =~ /Sonera Class2 CA/)

        {

            $cert_alias = "soneraclass2ca";

        }

        elsif ($cert =~ /AAA Certificate Services/)

        {

            $cert_alias = "comodoaaaca";

        }

        elsif ($cert =~ /AddTrust Class 1 CA Root/)

        {

            $cert_alias = "addtrustclass1ca";

        }

        elsif ($cert =~ /AddTrust External CA Root/)

        {

            $cert_alias = "addtrustexternalca";

        }

        elsif ($cert =~ /AddTrust Qualified CA Root/)

        {

            $cert_alias = "addtrustqualifiedca";

        }

        elsif ($cert =~ /UTN-USERFirst-Hardware/)

        {

            $cert_alias = "utnuserfirsthardwareca";

        }

        elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)

        {

            $cert_alias = "utnuserfirstclientauthemailca";

        }

        elsif ($cert =~ /UTN - DATACorp SGC/)

        {

            $cert_alias = "utndatacorpsgcca";

        }

        elsif ($cert =~ /UTN-USERFirst-Object/)

        {

            $cert_alias = "utnuserfirstobjectca";

        }

        elsif ($cert =~ /America Online Root Certification Authority 1/)

        {

            $cert_alias = "aolrootca1";

        }

        elsif ($cert =~ /DigiCert Assured ID Root CA/)

        {

            $cert_alias = "digicertassuredidrootca";

        }

        elsif ($cert =~ /DigiCert Global Root CA/)

        {

            $cert_alias = "digicertglobalrootca";

        }

        elsif ($cert =~ /DigiCert High Assurance EV Root CA/)

        {

            $cert_alias = "digicerthighassuranceevrootca";

        }

        elsif ($cert =~ /GlobalSign Root CA$/)

        {

            $cert_alias = "globalsignca";

        }

        elsif ($cert =~ /GlobalSign Root CA - R2/)

        {

            $cert_alias = "globalsignr2ca";

        }

        elsif ($cert =~ /Elektronik.*Kas.*2005/)

        {

            $cert_alias = "extra-elektronikkas2005";

        }

        elsif ($cert =~ /Elektronik/)

        {

            $cert_alias = "extra-elektronik2005";

        }

        # Mozilla does not provide these certificates:

        #   baltimorecodesigningca

        #   gtecybertrust5ca

        #   trustcenterclass2caii

        #   trustcenterclass4caii

        #   trustcenteruniversalcai

        else

        {

            # Generate an alias using the OU and CN attributes of the

            # Issuer field if both are present, otherwise use only the

            # CN attribute.  The Issuer field must have either the OU

            # or the CN attribute.

            $_ = $cert;

            if ($cert =~ /OU=/)

            {

                s/Issuer:.*?OU=//;

                # Remove other occurrences of OU=.

                s/OU=.*CN=//;

                # Remove CN= if there were not other occurrences of OU=.

                s/CN=//;

                s/\/emailAddress.*//;

                s/Certificate Authority/ca/g;

                s/Certification Authority/ca/g;

            }

            elsif ($cert =~ /CN=/)

            {

                s/Issuer:.*CN=//;

                s/\/emailAddress.*//;

                s/Certificate Authority/ca/g;

                s/Certification Authority/ca/g;

            }

            s/\W//g;

            tr/A-Z/a-z/;

            $cert_alias = "extra-$_";

        }

        while (-e "$cert_alias.pem")

        {

            $cert_alias = "$cert_alias" . "_";

        }

    }

    # When it attempts to parse:

    #

    # Class 3 Public Primary Certification Authority - G2, Version 3

    #

    # keytool says:

    #

    # #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false

    # Unparseable AuthorityInfoAccess extension due to

    # java.io.IOException: Invalid encoding of URI

    #

    # If we do not exclude this file

    # openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails

    # on this cert, printing:

    #

    # Couldn't verify: java.security.SignatureException: Signature

    # does not match.

    #

    elsif ($cert =~

           /A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)

    {

        $write_current_cert = 0;

        $pem_file_count--;

    }

    elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")

    {

        if ($in_cert_block != 0)

        {

            die "$file is malformed.";

        }

        $in_cert_block = 1;

        if ($write_current_cert == 1)

        {

            $pem_file_count++;

            if (-e "$cert_alias.pem")

            {

                print "$cert_alias";

                die "already exists"

            }

            open(PEM, ">$cert_alias.pem");

            print PEM $cert;

        }

    }

    elsif ($cert eq "-----END CERTIFICATE-----\n")

    {

        $in_cert_block = 0;

        if ($write_current_cert == 1)

        {

            print PEM $cert;

            close(PEM);

        }

        $write_current_cert = 1

    }

    else

    {

        if ($in_cert_block == 1 && $write_current_cert == 1)

        {

            print PEM $cert;

        }

    }

}

# Check that the correct number of .pem files were produced.

@pem_files = <*.pem>;

if (@pem_files != $pem_file_count)

{

    print "$pem_file_count";

    die "Number of .pem files produced does not match".

        " number of certs read from $file.";

}

# Now store each cert in the 'cacerts' file using keytool.

$certs_written_count = 0;

foreach $pem_file (@pem_files)

{

    system "$ARGV[0] -noprompt -import".

        " -alias `basename $pem_file .pem`".

        " -keystore cacerts -storepass 'changeit' -file $pem_file";

    unlink($pem_file);

    $certs_written_count++;

}

# Check that the correct number of certs were added to the keystore.

if ($certs_written_count != $pem_file_count)

{

    die "Number of certs added to keystore does not match".

        " number of certs read from $file.";

}