From 3a0b64489f1ae721d6647fa4fc90b7dbb91dd387 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 4 Sep 2012 23:21:15 +0200
Subject: [PATCH] mk-ca-bundle: detect start of trust section better

Each certificate section of the input certdata.txt file has a trust
section following it with details.

This script failed to detect the start of the trust for at least one
cert[*], which made the script continue pass that section into the next
one where it found an 'untrusted' marker and as a result that certficate
was not included in the output.

[*] = "Hellenic Academic and Research Institutions RootCA 2011"

Bug: http://curl.haxx.se/mail/lib-2012-09/0019.html
---
 lib/mk-ca-bundle.pl | 28 ++++++++++++++++++++++------
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 189ed01b6..8e75d6073 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -6,7 +6,7 @@
 # *                            | (__| |_| |  _ <| |___
 # *                             \___|\___/|_| \_\_____|
 # *
-# * Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
+# * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
 # *
 # * This software is licensed as described in the file COPYING, which
 # * you should have received as part of this distribution. The terms
@@ -123,6 +123,8 @@ print "Processing  '$txt' ...\n" if (!$opt_q);
 my $caname;
 my $certnum = 0;
 my $skipnum = 0;
+my $start_of_cert = 0;
+
 open(TXT,"$txt") or die "Couldn't open $txt: $!";
 while (<TXT>) {
   if (/\*\*\*\*\* BEGIN LICENSE BLOCK \*\*\*\*\*/) {
@@ -143,11 +145,16 @@ while (<TXT>) {
     print CRT "# $1\n";
     close(CRT) or die "Couldn't close $crt: $!";
   }
-  if (/^CKA_LABEL\s+[A-Z0-9]+\s+\"(.*)\"/) {
+
+  # this is a match for the start of a certificate
+  if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
+    $start_of_cert = 1
+  }
+  if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
     $caname = $1;
   }
   my $untrusted = 0;
-  if (/^CKA_VALUE MULTILINE_OCTAL/) {
+  if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
     my $data;
     while (<TXT>) {
       last if (/^END/);
@@ -158,10 +165,18 @@ while (<TXT>) {
         $data .= chr(oct);
       }
     }
+    # scan forwards until the trust part
     while (<TXT>) {
-      last if (/^#$/);
-      $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
-                     or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/);
+      last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
+      chomp;
+    }
+    # now scan the trust part for untrusted certs
+    while (<TXT>) {
+      last if (/^#/);
+      if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
+          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {
+          $untrusted = 1;
+      }
     }
     if ($untrusted) {
       $skipnum ++;
@@ -183,6 +198,7 @@ while (<TXT>) {
       }
       print "Parsing: $caname\n" if ($opt_v);
       $certnum ++;
+      $start_of_cert = 0;
     }
   }
 }