Jonathan Oksman wrote:
> On Sun, Oct 16, 2011 at 3:59 PM, Bruce Dubbs <[email protected]> wrote:
>> There are two scripts used now: mkblfsca.sh and mkcert.pl. They total
>> 125 lines.
>>
>> I'm not sure how to present this. I could put the scripts in a tarball,
>> but that seems like overkill for about 3K of scripts.
>>
>
> That's not too long, I think having it as part of the book sounds like
> a good thing.
>
>> My inclination is to just put the scripts in the book and tell the user
>> to place them in /root, fetch the certdata, and run the scripts. We
>> might want to do an install of the directory /etc/ssl/certs to make
>> sure it exists.
>>
>> Placing the scripts in /root is a bit unusual, but really, only root
>> should be touching CA Certificates.
>>
>
> From your description I get the idea that these scripts are meant as a
> one-shot setup of the certificates after calling a wget for the
> certdata.txt. If I haven't misinterpreted then there really isn't a
> better spot for these and /root is probably a good place to stash them
> for the time being.
>
> If these scripts were capable of updating the certificates then maybe
> /usr/sbin would be a sane location.
I think the certificates should be updated once in a while, but not very
often. What I had in mind was something like:

bash
export certhost='http://mxr.mozilla.org' &&
export certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
export url="$certhost$certdir/certdata.txt?raw=1" &&
wget --output-document certdata.txt "$url" &&
./make-ca-bundle > ca-bundle.crt &&
install -d -m755 /etc/ssl &&
install ca-bundle.crt /etc/ssl
exit

We could script this out a bit more, but I don't want to hide too many
details.

  -- Bruce

----------

The make-ca-bundle is a short perl script:

#!/usr/bin/perl -w
use strict;

# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
# Run as ./make-ca-bundle > ca-bundle.crt

# Flush STDOUT as we go: the openssl children below write directly to the
# same descriptor, and a buffered header would otherwise land after their
# output once STDOUT is redirected to a file.
$| = 1;

my $certhost = 'http://mxr.mozilla.org';
my $certdir  = '/mozilla/source/security/nss/lib/ckfw/builtins';
my $certdata = $certhost . $certdir . "/certdata.txt?raw=1";

open( IN, "certdata.txt" ) || die "could not read certdata.txt";

my $incert = 0;

print <<EOH;
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: $certdata
#
EOH

while ( <IN> ) {
  if ( /^CKA_VALUE MULTILINE_OCTAL/ ) {
    # Start of a DER certificate body, written as \ooo octal escapes.
    $incert = 1;
    open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
      || die "could not pipe to openssl x509";
  } elsif ( /^END/ && $incert ) {
    # End of the body: closing the pipe makes openssl emit the PEM block.
    close( OUT );
    $incert = 0;
    print "\n\n";
  } elsif ( $incert ) {
    # Turn each \ooo escape back into a raw byte and feed it to openssl.
    my @bs = split(/\\/);
    foreach my $b (@bs) {
      chomp $b;
      printf( OUT "%c", oct($b) ) unless $b eq '';
    }
  } elsif ( /^CVS_ID.*Revision: ([^ ]*).*/ ) {
    print "# Generated from certdata.txt RCS revision $1\n#\n";
  }
}
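The make-ca-bundle script above emits every CKA_VALUE object it finds, but certdata.txt also carries a CKO_NSS_TRUST object per certificate whose CKA_TRUST_SERVER_AUTH attribute says whether Mozilla actually trusts that root (CKT_NSS_TRUSTED_DELEGATOR) or has explicitly distrusted it (CKT_NSS_NOT_TRUSTED). The following Python converter is an added example, not the script from the thread nor BLFS code: it parses the same octal format without shelling out to openssl and keeps only roots trusted for server authentication, so a distrusted entry in the Mozilla list does not end up in the system bundle. The certdata excerpt is constructed and its octal payloads are not real DER; matching certificate and trust object by CKA_LABEL, and all function names, are my assumptions.

```python
"""certdata.txt -> PEM bundle, keeping only roots trusted for server auth.
Added example, not the thread's make-ca-bundle. Assumes CKO_CERTIFICATE objects
carry CKA_VALUE, CKO_NSS_TRUST objects carry CKA_TRUST_SERVER_AUTH, and that the
two objects for one root share the same CKA_LABEL (a simplification)."""
import base64
import hashlib
import sys

# Trust values meaning "usable as an anchor" (older files use the CKT_NETSCAPE_
# prefix); anything else, including CKT_NSS_NOT_TRUSTED, is dropped.
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}

# Constructed excerpt in certdata.txt layout; the octal payloads are NOT real DER.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
\012\013
END
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Trusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""


def decode_octal(lines):
    """Turn MULTILINE_OCTAL lines such as r'\060\202' into raw bytes."""
    out = bytearray()
    for line in lines:
        for tok in line.strip().split("\\"):
            if tok:
                out.append(int(tok, 8))
    return bytes(out)


def parse_certdata(text):
    """Return one dict per object: attribute -> bytes (octal blocks) or str."""
    objects, cur = [], None
    lines = iter(text.splitlines())
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ", 2)
        if parts[0] == "CKA_CLASS":          # every object starts with CKA_CLASS
            cur = {}
            objects.append(cur)
        if cur is None:                      # BEGINDATA and anything before it
            continue
        if len(parts) == 2 and parts[1] == "MULTILINE_OCTAL":
            block = []
            for inner in lines:              # consume up to the matching END
                if inner.startswith("END"):
                    break
                block.append(inner)
            cur[parts[0]] = decode_octal(block)
        elif len(parts) == 3:
            cur[parts[0]] = parts[2].strip('"') if parts[1] == "UTF8" else parts[2]
    return objects


def build_bundle(text):
    """Return (pem_text, kept_labels, skipped_labels)."""
    objects = parse_certdata(text)
    trust = {o.get("CKA_LABEL"): o.get("CKA_TRUST_SERVER_AUTH")
             for o in objects if o.get("CKA_CLASS") == "CKO_NSS_TRUST"}
    pem, kept, skipped = [], [], []
    for o in objects:
        if o.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = o.get("CKA_LABEL", "?")
        if trust.get(label) not in TRUSTED:  # distrusted, or no trust object at all
            skipped.append(label)
            continue
        der = o["CKA_VALUE"]
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pem.append(f"# {label}\n# SHA1 Fingerprint={hashlib.sha1(der).hexdigest()}\n"
                   f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
        kept.append(label)
    return "".join(pem), kept, skipped


if __name__ == "__main__":
    # Usage: python certdata2pem.py certdata.txt > ca-bundle.crt (no arg: the sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERTDATA
    bundle, kept, skipped = build_bundle(data)
    sys.stdout.write(bundle)
    sys.stderr.write(f"kept {len(kept)}, skipped {len(skipped)}: {skipped}\n")
```

Run against the constructed sample, the bundle contains one PEM block and the distrusted root is reported on stderr rather than silently installed; run against a real certdata.txt the same filter applies to every root in the file.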
