#!/bin/bash
# Tool to generate a Java-style "cacerts" keystore from the installed
# system certificates
# Stop as soon as an unchecked command fails, so a failed import does not
# go on to replace the JDK's keystore further down.
set -o errexit
# Root of the JDK to operate on: first argument, or /app/jdk when omitted.
jdk="${1:-/app/jdk}"
#######################################
# Derive a keystore alias from a certificate issuer string.
# Arguments: $1 - issuer distinguished name (e.g. "CN=..., OU=..., O=...")
# Outputs:   the alias on stdout: lower-cased, restricted to the
#            characters a-z 0-9 ( ) . _ -
#######################################
function get_alias() {
  # Drop every space and append a comma so that each attribute value,
  # including the last one, is terminated by ",".
  local dn="${1// /},"
  local attr name

  # Attribute preference: Common Name, then Organisational Unit, then
  # Organisation.
  case "$dn" in
    *CN=*) attr=CN ;;
    *OU=*) attr=OU ;;
    *) attr=O ;;
  esac
  name=$(sed -e "s/.*${attr}=\([^,]*\),.*/\1/" <<<"$dn")

  # "GlobalSign" as a Common Name is not unique, so use the
  # Organisational Unit for those issuers instead.
  if [[ $attr == CN && $name == GlobalSign ]]; then
    name=$(sed -e 's/.*OU=\([^,]*\),.*/\1/' <<<"$dn")
  fi

  # Normalise to a single lower-case word, for consistency with what
  # p11-kit would produce.
  echo "$name" | tr '[:upper:]' '[:lower:]' | sed -e 's/[^a-z0-9()._-]//g'
}
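# Build the new keystore in a private scratch directory. keytool adds to an
# existing keystore file, so a stale "cacerts" left in the working directory
# would otherwise have its entries merged into the JDK's trust store.
workdir=$(mktemp -d)
trap 'rm -rf -- "${workdir:?}"' EXIT
keystore="$workdir/cacerts"

# Glob directly instead of parsing ls: paths are kept intact and an empty
# certificate directory is detected before anything is replaced.
shopt -s nullglob
certificates=(/etc/ssl/certs/*.pem)
shopt -u nullglob
if (( ${#certificates[@]} == 0 )); then
  printf 'No certificates found in /etc/ssl/certs; leaving %s untouched\n' \
    "$jdk/lib/security/cacerts" >&2
  exit 1
fi

for certificate in "${certificates[@]}"; do
  cert=$("$jdk/bin/keytool" -printcert -file "$certificate")
  issuer=$(echo "$cert" | grep '^Issuer' | cut -d' ' -f1 --complement)
  # The SHA1 fingerprint is only printed in the progress line below.
  fprint=$(echo "$cert" | grep 'SHA1:' | cut -d' ' -f3)
  alias=$(get_alias "$issuer")
  # Fail with a clear message rather than passing an empty alias to keytool.
  if [[ -z $alias ]]; then
    printf 'Could not derive an alias for %s\n' "$certificate" >&2
    exit 1
  fi
  echo "Adding $fprint ($alias)"
  # "changeit" is the conventional default password for a JDK cacerts
  # keystore, not a secret; the store is protected by file permissions.
  "$jdk/bin/keytool" -importcert -noprompt -alias "$alias" -storepass changeit -storetype JKS -keystore "$keystore" -file "$certificate"
done

# Replace the JDK keystore only after every import has succeeded, so a
# failed run leaves the previous trust store in place.
mv -f -- "$keystore" "$jdk/lib/security/cacerts"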