ca-certificates-mozilla/extractcerts.pl

#!/usr/bin/perl -w
# 
# ***** BEGIN LICENSE BLOCK *****
# Version: MPL 1.1/GPL 2.0/LGPL 2.1
#
# The contents of this file are subject to the Mozilla Public License Version
# 1.1 (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
# http://www.mozilla.org/MPL/
#
# Software distributed under the License is distributed on an "AS IS" basis,
# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
# for the specific language governing rights and limitations under the
# License.
#
# The Original Code is the Netscape security libraries.
#
# The Initial Developer of the Original Code is
# Netscape Communications Corporation.
# Portions created by the Initial Developer are Copyright (C) 1994-2000
# the Initial Developer. All Rights Reserved.
#
# Contributor(s):
#
# Alternatively, the contents of this file may be used under the terms of
# either the GNU General Public License Version 2 or later (the "GPL"), or
# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
# in which case the provisions of the GPL or the LGPL are applicable instead
# of those above. If you wish to allow use of your version of this file only
# under the terms of either the GPL or the LGPL, and not to allow others to
# use your version of this file under the terms of the MPL, indicate your
# decision by deleting the provisions above and replace them with the notice
# and other provisions required by the GPL or the LGPL. If you do not delete
# the provisions above, a recipient may use your version of this file under
# the terms of any one of the MPL, the GPL or the LGPL.
#
# ***** END LICENSE BLOCK *****
use strict;
use Encode;

my $count = 0;
my @certificates = ();
my %trusts = ();
my $object = undef;
my $output_trustbits;

my %trust_types = (
  "CKA_TRUST_DIGITAL_SIGNATURE" => "digital-signature",
  "CKA_TRUST_NON_REPUDIATION" => "non-repudiation",
  "CKA_TRUST_KEY_ENCIPHERMENT" => "key-encipherment",
  "CKA_TRUST_DATA_ENCIPHERMENT" => "data-encipherment",
  "CKA_TRUST_KEY_AGREEMENT" => "key-agreement",
  "CKA_TRUST_KEY_CERT_SIGN" => "cert-sign",
  "CKA_TRUST_CRL_SIGN" => "crl-sign",
  "CKA_TRUST_SERVER_AUTH" => "server-auth",
  "CKA_TRUST_CLIENT_AUTH" => "client-auth",
  "CKA_TRUST_CODE_SIGNING" => "code-signing",
  "CKA_TRUST_EMAIL_PROTECTION" => "email-protection",
  "CKA_TRUST_IPSEC_END_SYSTEM" => "ipsec-end-system",
  "CKA_TRUST_IPSEC_TUNNEL" => "ipsec-tunnel",
  "CKA_TRUST_IPSEC_USER" => "ipsec-user",
  "CKA_TRUST_TIME_STAMPING" => "time-stamping",
  "CKA_TRUST_STEP_UP_APPROVED" => "step-up-approved",
);

my %openssl_trust = (
  CKA_TRUST_SERVER_AUTH => 'serverAuth',
  CKA_TRUST_CLIENT_AUTH => 'clientAuth',
  CKA_TRUST_EMAIL_PROTECTION => 'emailProtection',
  CKA_TRUST_CODE_SIGNING => 'codeSigning',
);

if (@ARGV && $ARGV[0] eq '--trustbits') {
	shift @ARGV;
	$output_trustbits = 1;
}

sub handle_object($)
{
  my $object = shift;
  return unless $object;
  if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && $object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') {
    push @certificates, $object;
  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_TRUST') {
    my $label = $object->{'CKA_LABEL'};
    die "$label exists" if exists($trusts{$label});
    $trusts{$label} = $object;
  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_BUILTIN_ROOT_LIST') {
    # ignore
  } else {
    print STDERR "class ", $object->{'CKA_CLASS'} ," not handled\n";
  }
}

while(<>) {
  my @fields = ();

  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
  next if (/^\s*$/);

  if( /(^CVS_ID\s+)(.*)/ ) {
    next;
  }

  # This was taken from the perl faq #4.
  my $text = $_;
  push(@fields, $+) while $text =~ m{
      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
    | ([^\s]+)\s?
    | \s
  }gx;
  push(@fields, undef) if substr($text,-1,1) eq '\s';

  if( $fields[0] =~ /BEGINDATA/ ) {
    next;
  }

  if( $fields[1] =~ /MULTILINE/ ) {
    $fields[2] = "";
    while(<>) {
      last if /END/;
      chomp;
      $fields[2] .= $_;
    }
  }

  if( $fields[0] =~ /CKA_CLASS/ ) {
    $count++;
    handle_object($object);
    $object = {};
  }

  $object->{$fields[0]} = $fields[2];
}
handle_object($object);

use MIME::Base64;
for my $cert (@certificates) {
  my $alias = $cert->{'CKA_LABEL'};
  if(!exists($trusts{$alias})) {
    print STDERR "NO TRUST: $alias\n";
    next;
  }
  # check trust. We only include certificates that are trusted for identifying
  # web sites
  my $trust = $trusts{$alias};
  my @addtrust;
  my @addtrust_openssl;
  my $trusted;
  if ($output_trustbits) {
	  for my $type (keys %trust_types) {
		  if (exists $trust->{$type}
		  && $trust->{$type} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
			  push @addtrust, $trust_types{$type};
			  if (exists $openssl_trust{$type}) {
				  push @addtrust_openssl, $openssl_trust{$type};
			  }
			  $trusted = 1;
		  }
	  }
  } else {
	  if($trust->{'CKA_TRUST_SERVER_AUTH'} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
		  $trusted = 1;
	  }
  }

  if (!$trusted) {
	  my $t = $trust->{'CKA_TRUST_SERVER_AUTH'};
	  $t =~ s/CKT_NETSCAPE_//;
	  print STDERR "$t: $alias\n";
	  next;
  }

  if ($alias =~ /\\x[0-9a-fA-F]{2}/) {
	  $alias =~ s/\\x([0-9a-fA-F]{2})/chr(hex($1))/ge; # thanks mls!
	  $alias = Encode::decode("UTF-8", $alias);
  }
  my $file = $alias;
  $alias =~ s/'/-/g;
  $file =~ s/[^[:alnum:]\\]+/_/g;
  $file .= '.pem';
  $file = Encode::encode("UTF-8", $file);
  if (!open(O, '>', $file)) {
	  print STDERR "$file: $!\n";
	  next;
  }
  print "$file\n" if $ENV{'VERBOSE'};
  my $value = $cert->{'CKA_VALUE'};
  my $enc = '';
  $enc .= pack("C", oct($+)) while $value =~ /\G\\([0-3][0-7][0-7])/g;
  if ($output_trustbits) {
	  print O "# alias=",Encode::encode("UTF-8", $alias),"\n";
	  print O "# trust=",join(" ", @addtrust),"\n";
	  if (@addtrust_openssl) {
		  print O "# openssl-trust=",join(" ", @addtrust_openssl),"\n";
	  }
  }
  print O "-----BEGIN CERTIFICATE-----\n";
  print O encode_base64($enc);
  print O "-----END CERTIFICATE-----\n";
  close O;
}