@charles-dyfis-net
Created June 23, 2011 19:34
Mozilla certdata.txt -> ca-bundle.crt parser
#!/bin/bash
#
# Parse Mozilla's certdata.txt and extract CA Root Certificates into PEM
# format.
#
# Based on http://curl.haxx.se/mail/lib-2004-07/0134.html; cleaned up to
# follow fewer worst practices for bash :)
#
# certdata.txt can be found in Mozilla's source tree:
# /mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Usage: ca-bundle.sh [certdata.txt [ca-bundle.crt]]
#   Reads certdata.txt from $1 (default: stdin), writes the bundle to $2
#   (default: stdout).
#
# Caveat: every CKO_CERTIFICATE object in certdata.txt is emitted; the
# CKO_NSS_TRUST objects are not consulted, so roots the file marks as
# untrusted end up in the bundle as well.
#
[[ $1 ]] && exec <"$1"
[[ $2 ]] && exec >"$2"    # optional output file
tmpdir=$(mktemp -t -d ca-bundle.d.XXXXXX) || exit 1
trap 'rm -rf "$tmpdir"' EXIT
cd "$tmpdir" || exit 1
echo "Processing ${1:-<stdin>}" >&2

# Ruby stage: write one N.crt file per certificate, whose first line is the
# CA's label and the rest is the PEM-encoded certificate.
cat >"script.rb" <<'EOF'
certnum = 1
val = nil
while line = $stdin.gets
  next if line =~ /^#/
  next if line =~ /^\s*$/
  line.chomp!
  if line =~ /CKA_LABEL/
    # CKA_LABEL UTF8 "Some Root CA" -> remember the unquoted name
    label, type, val = line.split(' ', 3)
    val.sub!(/^"/, "")
    val.sub!(/"$/, "")
    next
  end
  if line =~ /CKA_VALUE MULTILINE_OCTAL/
    # The DER certificate follows as \ooo octal escapes, terminated by END
    data = ''.b
    fname = format("%d.crt", certnum)
    while line = $stdin.gets
      break if line =~ /^END/
      line.chomp!
      data << line.scan(/\\([0-3][0-7][0-7])/).flatten.map(&:oct).pack('C*')
    end
    open(fname, "w") do |fp|
      fp.puts val
      fp.puts "-----BEGIN CERTIFICATE-----"
      fp.puts [data].pack("m")    # base64, line-wrapped by pack
      fp.puts "-----END CERTIFICATE-----"
    end
    $stderr.puts("Parsing: #{val}")
    certnum += 1
  end
end
EOF
ruby script.rb || exit 1

cat <<EOF
##
## ca-bundle.crt -- Bundle of CA Root Certificates
## Last Modified: $(date)
##
## This is a bundle of X.509 certificates of public
## Certificate Authorities (CA). These were automatically
## extracted from Mozilla's root certificates file (certdata.txt).
## This file can be found in the mozilla source tree:
## '/mozilla/security/nss/lib/ckfw/builtins/certdata.txt'
##
EOF

shopt -s nullglob
files=( *.crt )
if (( ${#files[@]} == 0 )); then
  echo "ERROR: No certificates created by ruby script" >&2
  exit 1
fi
for file in "${files[@]}"; do
  # First line of each .crt is the CA label: print it underlined, then the
  # certificate with its fingerprint and decoded text.
  IFS= read -r name <"$file"
  printf '\n%s\n' "$name"
  for (( n=0; n<${#name}; ++n )); do
    printf '='
  done
  printf '\n\n'
  openssl x509 -fingerprint -text -in "$file" -inform PEM
  rm -f "$file"
done
echo "Done.." >&2
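The Ruby stage above writes out every CKA_VALUE it meets and never looks at the CKO_NSS_TRUST objects that certdata.txt pairs with each certificate, so roots the file explicitly distrusts end up in ca-bundle.crt too. The following is an added example, not the gist's code, that does the same octal-to-DER decoding but pairs each certificate with its trust object (by issuer and serial number) and emits PEM only for roots trusted as a server-auth delegator. It assumes the attribute and trust names found in certdata.txt (CKO_CERTIFICATE, CKO_NSS_TRUST, CKA_TRUST_SERVER_AUTH, CKT_NSS_TRUSTED_DELEGATOR, CKT_NSS_NOT_TRUSTED); the input is a constructed sample whose certificate bytes are short placeholders rather than real DER.

```ruby
# Added example (not the gist's code): trust-aware certdata.txt -> PEM.
# Constructed sample in certdata.txt syntax; the "certificates" are a few
# placeholder bytes, not real DER.
SAMPLE_CERTDATA = <<'CERTDATA'
# Trusted root and its trust record
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\001
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\377
\000\101
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\001
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Distrusted root: present in the file, but must not reach the bundle
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\002
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\000\001
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\002
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CERTDATA

# Turn the lines of one MULTILINE_OCTAL body ("\060\202...") into raw bytes.
def decode_octal(lines)
  lines.join.scan(/\\([0-3][0-7][0-7])/).flatten.map(&:oct).pack('C*')
end

# Split certdata.txt into objects: a new object starts at each CKA_CLASS line;
# simple attributes keep their unquoted value, MULTILINE_OCTAL ones are decoded.
def parse_certdata(text)
  objects = []
  current = nil
  lines = text.lines.map(&:chomp)
  i = 0
  while i < lines.length
    line = lines[i]
    i += 1
    next if line.empty? || line.start_with?('#')
    attr, type, value = line.split(' ', 3)
    if attr == 'CKA_CLASS'
      current = {}
      objects << current
    end
    next if current.nil?
    if type == 'MULTILINE_OCTAL'
      body = []
      while i < lines.length && lines[i] != 'END'
        body << lines[i]
        i += 1
      end
      i += 1 # consume the END line
      current[attr] = decode_octal(body)
    else
      current[attr] = value.to_s.delete_prefix('"').delete_suffix('"')
    end
  end
  objects
end

# Keep only certificates whose trust object (matched on issuer + serial,
# as NSS does) allows them to issue server certificates.
def trusted_roots(objects)
  key = ->(o) { [o['CKA_ISSUER'], o['CKA_SERIAL_NUMBER']] }
  trusted = objects.select { |o| o['CKA_CLASS'] =~ /TRUST\z/ }
                   .select { |o| o['CKA_TRUST_SERVER_AUTH'].to_s.end_with?('TRUSTED_DELEGATOR') }
                   .map(&key)
  objects.select { |o| o['CKA_CLASS'] == 'CKO_CERTIFICATE' && trusted.include?(key.call(o)) }
end

# PEM with 64-character base64 lines, as RFC 7468 specifies.
def to_pem(der)
  body = [der].pack('m0').scan(/.{1,64}/).join("\n")
  "-----BEGIN CERTIFICATE-----\n#{body}\n-----END CERTIFICATE-----\n"
end

# Returns [[label, pem], ...] for the trusted roots in a certdata.txt string.
def build_bundle(text)
  trusted_roots(parse_certdata(text)).map { |c| [c['CKA_LABEL'], to_pem(c['CKA_VALUE'])] }
end

build_bundle(SAMPLE_CERTDATA).each { |label, pem| puts label, pem } if __FILE__ == $0
```

Run against the constructed sample it prints a single entry, "Example Trusted Root"; the distrusted root is parsed but dropped. Pointing `build_bundle` at the contents of a real certdata.txt works the same way, since it reads the same attribute names the gist's regexes key on.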