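#!/bin/bash
# Refresh the sets of root certificates that Dodo accepts but Mammoth and Sabre do not.
#
# Each query below is run against the public crt.sh DB and returns one row per
# root of the form "<SHA-256 of the DER, hex> <DER, hex>". Each row is written
# out as <SHA-256>.crt (DER) in the directory that is current at that point.
# The query output is treated strictly as data: it is validated as hex and
# handed to xxd/openssl, never executed as shell.
set -euo pipefail

# Connection settings for the public, read-only crt.sh DB.
readonly PSQL_ARGS=(-h crt.sh -p 5432 -U guest -d certwatch -v ON_ERROR_STOP=1 -X)
# root_trust_purpose.TRUST_CONTEXT_ID values of the Microsoft, Mozilla, Chrome,
# Apple and 360 Browser root programs ...
readonly BROWSER_TRUST_CONTEXTS='1, 5, 6, 12, 25'
# ... and of the Java and Android root programs.
readonly JAVA_ANDROID_TRUST_CONTEXTS='17, 23'

die() { printf '%s\n' "$*" >&2; exit 1; }

TMPFILE=$(mktemp) || die "mktemp failed"
ERRORFILE=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$TMPFILE" "$ERRORFILE"; }
trap cleanup EXIT

#######################################
# Run one SELECT against crt.sh and write every returned root as <SHA-256>.crt
# in the current directory.
# The SELECT must return a single text column "<SHA-256 hex> <DER hex>" (both
# upper-case). Rows that do not match that shape are reported and skipped.
# Globals:   PSQL_ARGS, TMPFILE, ERRORFILE (read)
# Arguments: $1 - the SELECT statement; it may span lines (newlines are turned
#                 into spaces because \COPY must be a single psql line)
# Outputs:   .crt files in the current directory; psql/openssl errors to stderr
# Returns:   0 if the query ran and every row was written, 1 otherwise
#######################################
fetch_roots() {
  local select_sql=$1
  local sha256 der_hex
  local failures=0

  # \COPY is a psql meta-command, so the whole statement has to be one line.
  if ! printf '\\COPY ( %s ) TO %s' "$select_sql" "$TMPFILE" | tr '\n' ' ' \
      | psql "${PSQL_ARGS[@]}" 2>"$ERRORFILE"; then
    cat -- "$ERRORFILE" >&2
    return 1
  fi

  while read -r sha256 der_hex; do
    # The hash becomes a filename and the hex becomes DER input: accept only
    # what the query promised.
    if [[ ! "$sha256" =~ ^[0-9A-F]{64}$ || ! "$der_hex" =~ ^[0-9A-F]+$ ]]; then
      printf 'fetch_roots: skipping malformed row\n' >&2
      failures=$((failures + 1))
      continue
    fi
    if ! printf '%s' "$der_hex" | xxd -r -ps \
        | openssl x509 -inform der -out "${sha256}.crt"; then
      printf 'fetch_roots: failed to write %s.crt\n' "$sha256" >&2
      failures=$((failures + 1))
    fi
  done < "$TMPFILE"

  [[ "$failures" -eq 0 ]]
}

status=0

# Get a list (from the crt.sh DB) of the SHA-256 hashes of:
# - All of the roots that are currently "trusted" for server authentication, but with a "disabled from" date in the past or a "not before until" date more than 398 days ago, by one of the Microsoft, Mozilla, Chrome, Apple, or 360 Browser root programs.
# - All of the roots that are currently trusted (but not for the server authentication trust purpose) by one or more of the Microsoft, Mozilla, Chrome, Apple, and 360 Browser root programs.
# - All of the roots that are currently trusted (for any purpose) by the Java or Android root programs, but not trusted by Microsoft, Mozilla, Chrome, Apple, or 360 Browser.
# These roots will be accepted by Dodo but not by Mammoth or Sabre.
cd crt/dodo/trusted_but_not_for_serverauth \
  || die "cannot cd to crt/dodo/trusted_but_not_for_serverauth"
# -f: an empty directory (no match, literal '*.crt') must not be an error.
rm -f -- *.crt

# Server-auth trust that has been disabled, or whose "not before until" cut-off
# is more than 398 days in the past.
serverauth_expired_sql=$(cat <<SQL
SELECT upper(encode(digest(c.CERTIFICATE, 'sha256'), 'hex')) || ' ' || upper(encode(c.CERTIFICATE, 'hex'))
FROM root_trust_purpose rtp, ca_certificate cac, certificate c
WHERE rtp.TRUST_CONTEXT_ID IN (${BROWSER_TRUST_CONTEXTS})
AND rtp.TRUST_PURPOSE_ID = 1
AND rtp.CERTIFICATE_ID = cac.CERTIFICATE_ID
AND cac.CERTIFICATE_ID = c.ID
GROUP BY c.CERTIFICATE
HAVING (
'now' AT TIME ZONE 'UTC' >= max(coalesce(rtp.DISABLED_FROM, 'infinity'::timestamp))
OR 'now' AT TIME ZONE 'UTC' - interval '398 days' >= max(coalesce(rtp.NOTBEFORE_UNTIL, 'infinity'::timestamp))
)
ORDER BY min(get_ca_name_attribute(cac.CA_ID))
SQL
)
fetch_roots "$serverauth_expired_sql" || status=1

# Trusted by a browser program, but never for trust purpose 1 (server auth).
not_serverauth_sql=$(cat <<SQL
SELECT upper(encode(digest(c.CERTIFICATE, 'sha256'), 'hex')) || ' ' || upper(encode(c.CERTIFICATE, 'hex'))
FROM root_trust_purpose rtp, ca_certificate cac, certificate c
WHERE rtp.TRUST_CONTEXT_ID IN (${BROWSER_TRUST_CONTEXTS})
AND rtp.CERTIFICATE_ID = cac.CERTIFICATE_ID
AND cac.CERTIFICATE_ID = c.ID
GROUP BY c.CERTIFICATE
HAVING min(rtp.TRUST_PURPOSE_ID) > 1
ORDER BY min(get_ca_name_attribute(cac.CA_ID))
SQL
)
fetch_roots "$not_serverauth_sql" || status=1

# Trusted by Java or Android, but by none of the browser programs.
java_android_only_sql=$(cat <<SQL
SELECT upper(encode(digest(c.CERTIFICATE, 'sha256'), 'hex')) || ' ' || upper(encode(c.CERTIFICATE, 'hex'))
FROM root_trust_purpose rtp, ca_certificate cac, certificate c
WHERE rtp.TRUST_CONTEXT_ID IN (${JAVA_ANDROID_TRUST_CONTEXTS})
AND NOT EXISTS (
SELECT 1
FROM root_trust_purpose rtp2
WHERE rtp2.CERTIFICATE_ID = rtp.CERTIFICATE_ID
AND rtp2.TRUST_CONTEXT_ID IN (${BROWSER_TRUST_CONTEXTS})
)
AND rtp.CERTIFICATE_ID = cac.CERTIFICATE_ID
AND cac.CERTIFICATE_ID = c.ID
GROUP BY c.CERTIFICATE
ORDER BY min(get_ca_name_attribute(cac.CA_ID))
SQL
)
fetch_roots "$java_android_only_sql" || status=1

# Get a list (from the crt.sh DB) of the SHA-256 hashes of:
# - All of the roots that are in the CCADB but are not trusted by any of the root programs mentioned previously.
# These roots will be accepted by Dodo but not by Mammoth or Sabre.
cd ../in_ccadb_but_not_trusted || die "cannot cd to ../in_ccadb_but_not_trusted"
rm -f -- *.crt

ccadb_untrusted_sql=$(cat <<SQL
SELECT upper(encode(digest(c.CERTIFICATE, 'sha256'), 'hex')) || ' ' || upper(encode(c.CERTIFICATE, 'hex'))
FROM ccadb_certificate cc, certificate c
WHERE cc.CERT_RECORD_TYPE = 'Root Certificate'
AND cc.CERTIFICATE_ID = c.ID
AND NOT EXISTS (
SELECT 1
FROM root_trust_purpose rtp
WHERE rtp.CERTIFICATE_ID = c.ID
AND rtp.TRUST_CONTEXT_ID IN (${BROWSER_TRUST_CONTEXTS}, ${JAVA_ANDROID_TRUST_CONTEXTS})
)
SQL
)
fetch_roots "$ccadb_untrusted_sql" || status=1

# Temp files are removed by the EXIT trap; report whether every query succeeded.
exit "$status"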