authormandree <mandree@FreeBSD.org>2013-02-20 16:07:13 +0800
committermandree <mandree@FreeBSD.org>2013-02-20 16:07:13 +0800
commit087e74a6d2e30f68beb1996645cc7489eb5c9e1c (patch)
tree745c31daba66942a6688b6b26afd4d4ae4d3f564 /security
parent0716e80fa7fdb8310e20c6619424b62b3cc4d5a4 (diff)
Support WITH_DEBUG=yes to get more debug output from the bundle
creation, to verbosely print omitted and included certificates. Approved by: flo@ on "as long as you fix it if it breaks" condition
Diffstat (limited to 'security')
-rw-r--r--security/ca_root_nss/files/MAca-bundle.pl.in27
1 files changed, 19 insertions, 8 deletions
diff --git a/security/ca_root_nss/files/MAca-bundle.pl.in b/security/ca_root_nss/files/MAca-bundle.pl.in
index ae6952452fc7..f0e97cd6cd20 100644
--- a/security/ca_root_nss/files/MAca-bundle.pl.in
+++ b/security/ca_root_nss/files/MAca-bundle.pl.in
@@ -4,7 +4,7 @@
## Rewritten in September 2011 by Matthias Andree to heed untrust
##
-## Copyright (c) 2011, Matthias Andree
+## Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org>
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
@@ -49,7 +49,10 @@ print <<EOH;
## with $VERSION
##
EOH
-my $debug = 1;
+my $debug = 0;
+$debug++
+ if defined $ENV{'WITH_DEBUG'}
+ and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/;
my %certs;
my %trusts;
@@ -146,29 +149,36 @@ sub grabtrust() {
while (<>) {
if (/^CKA_CLASS .* CKO_CERTIFICATE/) {
my ($serial, $label, $certdata) = grabcert();
- if (defined $certs{$serial.$label}) {
+ if (defined $certs{$label."\0".$serial}) {
warn "Certificate $label duplicated!\n";
}
- $certs{$serial.$label} = $certdata;
+ $certs{$label."\0".$serial} = $certdata;
} elsif (/^CKA_CLASS .* CKO_(NSS|NETSCAPE)_TRUST/) {
my ($serial, $label, $trust) = grabtrust();
- if (defined $trusts{$serial.$label}) {
+ if (defined $trusts{$label."\0".$serial}) {
warn "Trust for $label duplicated!\n";
}
- $trusts{$serial.$label} = $trust;
+ $trusts{$label."\0".$serial} = $trust;
} elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n";
}
}
+sub printlabel(@) {
+ my @res = @_;
+ map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
+ return wantarray ? @res : $res[0];
+}
+
# weed out untrusted certificates
my $untrusted = 0;
foreach my $it (keys %trusts) {
if (!$trusts{$it}) {
if (!exists($certs{$it})) {
- warn "Found trust for nonexistent certificate\n";
+ warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug;
} else {
delete $certs{$it};
+ warn "Skipping untrusted ".printlabel($it)."\n" if $debug;
$untrusted++;
}
}
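Review bot: In `printlabel`, `s/\0.*//` has no `/s` modifier, so stripping the serial stops at the first newline byte. If the serial half of the key can hold raw bytes (inferred, since grabcert and grabtrust are outside this hunk), the rest survives and is printed as a run of `_` after the label; `s/\0.*//s;` removes everything after the separator. The `[^[:print:]]` replacement that follows is worth keeping, because the labels come from certdata.txt and are written to the terminal. As a style point, the `map` runs in void context purely for its side effects, so `for (@res) { ... }` would read more plainly, and the `(@)` prototype adds nothing.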
@@ -177,13 +187,14 @@ foreach my $it (keys %trusts) {
print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
my $certcount = 0;
-foreach my $it (keys %certs) {
+foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
if (!exists($trusts{$it})) {
die "Found certificate without trust block,\naborting";
}
printcert("", $certs{$it});
print "\n\n\n";
$certcount++;
+ print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
}
print "## Number of certificates: $certcount\n";
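Review bot: The new `sort {uc($a) cmp uc($b)}` leaves keys that compare equal after upper-casing in whatever order `keys %certs` returned them. Where Perl randomizes hash order, the bundle order can therefore still differ between runs. A tiebreaker, `sort { uc($a) cmp uc($b) or $a cmp $b } keys %certs`, makes the generated bundle reproducible byte for byte, which helps when diffing or verifying a CA bundle between builds. In the same loop, the unchanged line `die "Found certificate without trust block,\naborting";` could now name the offending entry with `printlabel($it)`.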