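#!/bin/bash
#
# Fetch the current list of root CAs that Mozilla trusts for website (TLS
# server) validation and process it into three outputs:
#
# - ./_trust/webroot/*: ./_trust/webroot/der holds a static, serveable set of
#   trusted DER certs, with symlinks in ./_trust/webroot/by-skid and
#   ./_trust/webroot/by-iss so the DER matching a given SubjectKeyIdentifier
#   or Issuer + serial combination (suitably encoded) can be served directly.
#
# - ./_trust/blob-XXXX.bin: a single blob containing indexes and DER CA certs
#
# - ./_trust/trust_blob.h: a C uint8_t array-initializer copy of blob-XXXX.bin
#
# The trust blob layout is currently
#
# 54 42 4c 42   Magic "TBLB"
# 00 01         MSB-first trust blob layout version
# XX XX         MSB-first count of certificates
# XX XX XX XX   MSB-first trust blob generation unix time
# XX XX XX XX   MSB-first offset of cert length table (MSB-first 16-bit length-per-cert)
# XX XX XX XX   MSB-first offset of SKID length table (8-bit length-per-cert)
# XX XX XX XX   MSB-first offset of SKID table
# XX XX XX XX   MSB-first total blob length
#
# XX .. XX      DER certs (start at +0x1c)
# XX .. XX      DER cert length table (MSB-first 16-bit per cert)
# XX .. XX      SKID length table (8-bit per cert)
# XX .. XX      SKID table (variable per cert)
#
# Requirements: bash 4+ (${var^^}), GNU date (--date), openssl, xxd, base64, od.
#
# The bundle is fetched over HTTPS and only the system trust store protects
# that transfer; there is no further signature check or pinning on the CCADB
# file, so review the per-cert summary this script prints before shipping
# the generated blob.

# -u catches the kind of use-before-assignment this script used to have.
# -e is deliberately not used: several greps below legitimately match nothing
# (e.g. a cert without an SKID), so failures are checked explicitly instead.
set -u

readonly BUNDLE_URL="https://ccadb-public.secure.force.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites"
readonly HEADER_LEN=28   # 0x1c: fixed-size framing that precedes the DER table

# Print a diagnostic to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Write an MSB-first unsigned integer to stdout.
# Arguments: $1 - value, $2 - width in bytes (1, 2 or 4)
# Outputs:   the raw big-endian bytes
# Refuses values that do not fit: a wider printf would silently emit extra
# bytes and shift every following table the blob reader relies on.
#######################################
emit_be() {
  local value=$1 width=$2
  local max=$(( (1 << (8 * width)) - 1 ))
  (( value >= 0 && value <= max )) || die "value $value does not fit in $width byte(s)"
  printf "%0$(( width * 2 ))x" "$value" | xxd -r -p
}

printf '%s\n' "Mozilla trust bundle for TLS validation processing Andy Green <[email protected]>"
echo

rm -rf _trust
mkdir _trust

if ! wget -O _trust/trusted.txt "$BUNDLE_URL"; then
  die "Failed to get current website trust bundle"
fi
#cp ~/Downloads/IncludedRootsPEM.txt _trust/trusted.txt

# An empty or HTML error body would otherwise quietly produce an empty blob.
grep -q -- '-----BEGIN CERTIFICATE-----' _trust/trusted.txt ||
  die "_trust/trusted.txt does not contain any PEM certificates"

mkdir -p _trust/webroot/by-skid _trust/webroot/by-iss _trust/webroot/der

GT=$(date +%s)
BN=_trust/blob-$GT.bin
COUNT=0

# Per-cert tables, concatenated into the blob after the loop. Created empty
# up front so a bundle with no SKIDs still yields a valid (empty) SKID table.
: > _trust/_ders
: > _trust/_derlens
: > _trust/_skidlens
: > _trust/_skid
: > _trust/life
: > _trust/life_lt_3y

# Redirecting the file into the loop (rather than cat | while) keeps the loop
# in the current shell: COUNT survives it and 'exit' really stops the script.
while IFS= read -r _line || [[ -n "$_line" ]]; do
  line=${_line%$'\r'}

  if [[ "$line" == "-----BEGIN CERTIFICATE-----" ]]; then
    printf '%s\n' "$line" > _trust/single
    continue
  fi
  printf '%s\n' "$line" >> _trust/single
  [[ "$line" == "-----END CERTIFICATE-----" ]] || continue

  openssl x509 -in _trust/single -text -noout > _trust/c1 ||
    die "openssl could not parse certificate #$(( COUNT + 1 ))"

  # Strip only up to the first ':' so an issuer CN containing ':' survives.
  ISS=$(grep '^ *Issuer:' _trust/c1 | head -n 1 | sed 's/^[^:]*: *//')
  SER=$(grep '^ *Serial Number:' _trust/c1 | head -n 1 |
    sed -e 's/^[^:]*: *//' -e 's/ .*//')
  if [[ -z "$SER" ]]; then
    # Long serials are printed on the line after "Serial Number:".
    SER=$(sed -e '1,/Serial Number:/ d' _trust/c1 | head -n 1 |
      sed -e 's/^ *//' -e 's/ .*//')
  fi

  # The SKID value is the first colon-separated hex line after its header;
  # stop at "Signature" so nothing past the extensions is read. Validating
  # the shape (instead of filtering by letters) also keeps a following
  # Authority Key Identifier line, which newer openssl prints without a
  # "keyid:" prefix, from being appended to the SKID.
  SKID=$(sed -e '1,/X509v3 Subject Key Identifier:/ d' _trust/c1 |
    sed -n '/Signature.*/q;p' |
    grep -E '^ *([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2} *$' | head -n 1 |
    tr -d ' ')
  SKID_NO_COLONS=${SKID//:/}

  # Only [A-Za-z0-9_] survive, which is what makes these issuer-derived
  # strings safe to use as file and symlink names below.
  issname=$(printf '%s' "${ISS}_${SER}" | tr -cd 'A-Za-z0-9_')
  skidname=$(printf '%s' "$SKID_NO_COLONS" | tr -cd 'A-Za-z0-9_')
  safe="${issname}_${skidname}"

  # Remaining lifetime; logged under the cert's own name (previously this
  # used $safe before it was assigned, i.e. the previous cert's name).
  na=$(grep 'Not After *:' _trust/c1 | head -n 1 | sed 's/^ *Not After *: *//')
  ct=$(date +%s)
  if ts=$(date --date="$na" +%s 2>/dev/null); then
    life_days=$(( (ts - ct) / 86400 ))
    printf '%s %s\n' "$life_days" "$safe" >> _trust/life
    if (( life_days < 1095 )); then
      printf '%s %s\n' "$life_days" "$safe" >> _trust/life_lt_3y
    fi
  else
    life_days="?"
    printf 'warning: cannot parse Not After "%s" for %s\n' "$na" "$safe" >&2
  fi

  printf 'issuer="%s", serial="%s", skid="%s", life_days="%s"\n' \
    "$ISS" "${SER^^}" "${SKID_NO_COLONS^^}" "$life_days"

  # Decode once and reuse the DER file for the size and the blob table. The
  # previous base64 -> hexdump -> xxd round trip used hexdump without -v, so
  # a run of repeated 16-byte lines would have been collapsed to '*'.
  derfile=_trust/webroot/der/$safe
  grep -v -- '---' _trust/single | base64 -d > "$derfile" ||
    die "base64 decode failed for $safe"
  DERSIZ=$(( $(wc -c < "$derfile") ))

  # Relative symlink targets are stored verbatim, so no cd is needed.
  if [[ -n "$SKID_NO_COLONS" ]]; then
    ln -sf "../der/$safe" "_trust/webroot/by-skid/$SKID_NO_COLONS"
  fi
  if [[ -n "$issname" ]]; then
    ln -sf "../der/$safe" "_trust/webroot/by-iss/$issname"
  fi

  cat "$derfile" >> _trust/_ders
  emit_be "$DERSIZ" 2 >> _trust/_derlens     # 16-bit length-per-cert

  if [[ -n "$SKID_NO_COLONS" ]]; then
    printf '%s' "$SKID_NO_COLONS" | xxd -r -p >> _trust/_skid
  fi
  # SKID is validated hex above, so its byte length is exactly half its text.
  SKIDSIZ=$(( ${#SKID_NO_COLONS} / 2 ))
  emit_be "$SKIDSIZ" 1 >> _trust/_skidlens   # 8-bit length-per-cert

  COUNT=$(( COUNT + 1 ))
  rm -f _trust/single
done < _trust/trusted.txt

(( COUNT > 0 )) || die "no certificates were processed"

# Everything in the layout framing is MSB-first.
{
  printf 'TBLB'                                      # magic
  emit_be 1 2                                        # blob layout version
  emit_be "$COUNT" 2                                 # number of certs in the blob
  emit_be "$GT" 4                                    # unix time blob was created

  POS=$(( HEADER_LEN + $(wc -c < _trust/_ders) ))
  emit_be "$POS" 4                                   # offset of cert length table
  POS=$(( POS + $(wc -c < _trust/_derlens) ))
  emit_be "$POS" 4                                   # offset of SKID length table
  POS=$(( POS + $(wc -c < _trust/_skidlens) ))
  emit_be "$POS" 4                                   # offset of SKID table
  POS=$(( POS + $(wc -c < _trust/_skid) ))
  emit_be "$POS" 4                                   # total blob length

  # DER table (at +0x1c), DER length table, SKID length table, SKID table.
  cat _trust/_ders _trust/_derlens _trust/_skidlens _trust/_skid
} > "$BN"

# The reader trusts the declared total length; make sure the file agrees.
(( $(wc -c < "$BN") == POS )) || die "blob length mismatch in $BN"

# Produce a C-friendly version of the blob: 16 "0x.." bytes per line, each
# line comma-terminated, for use inside an array initializer.
od -An -v -tx1 "$BN" |
  sed -e 's/^ *//' -e 's/ *$//' -e 's/ /, 0x/g' -e 's/^/0x/' -e 's/$/,/' \
  > _trust/trust_blob.h

echo
echo "$COUNT CA certs, $POS byte blob"
echo
echo "CAs expiring in less than 3 years (days left):"
if [[ -s _trust/life_lt_3y ]]; then
  sort -n _trust/life_lt_3y
fi

rm -f _trust/_ders _trust/_derlens _trust/_skidlens _trust/_skid \
  _trust/life _trust/life_lt_3y _trust/c1 _trust/single

exit 0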