Fix to skip untrusted certs.

2011-11-08 05:46:46 +01:00 · 2011-11-08 05:46:46 +01:00 · fd765c627f
parent c8ffb4049a
commit fd765c627f
1 changed files with 48 additions and 33 deletions
--- a/lib/mk-ca-bundle.vbs
+++ b/lib/mk-ca-bundle.vbs
@ -26,7 +26,7 @@
 '* Hacked by Guenter Knauf
 '***************************************************************************
 Option Explicit
-Const myVersion = "0.3.5"
+Const myVersion = "0.3.6"

 Const myUrl = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"

@ -96,8 +96,10 @@ If (myAskTiF = TRUE) Then
  End If
 End If
 ' Process the received data
-Dim myLines, myPattern, myInsideCert, myInsideLicense, myLicenseText, myNumCerts
-Dim myLabel, myOctets, myData, myPem, myRev, j
+Dim myLines, myPattern, myInsideCert, myInsideLicense, myLicenseText, myNumCerts, myNumSkipped
+Dim myLabel, myOctets, myData, myPem, myRev, myUntrusted, j
+myNumSkipped = 0
+myNumCerts = 0
 myData = ""
 myLines = Split(myCdData, vbLf, -1)
 Set myFh = objFSO.OpenTextFile(myCaFile, 2, TRUE)
@ -109,7 +111,7 @@ myFh.Write "##" & vbLf
 myFh.Write "## This is a bundle of X.509 certificates of public Certificate Authorities" & vbLf
 myFh.Write "## (CA). These were automatically extracted from Mozilla's root certificates" & vbLf
 myFh.Write "## file (certdata.txt).  This file can be found in the mozilla source tree:" & vbLf
-myFh.Write "## '/mozilla/security/nss/lib/ckfw/builtins/certdata.txt'" & vbLf
+myFh.Write "## '/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt'" & vbLf
 myFh.Write "##" & vbLf
 myFh.Write "## It contains the certificates in PEM format and therefore" & vbLf
 myFh.Write "## can be directly used with curl / libcurl / php_curl, or with" & vbLf
@ -125,36 +127,46 @@ For i = 0 To UBound(myLines)
  If (myInsideCert = TRUE) Then
    If InstrRev(myLines(i), "END") Then
      myInsideCert = FALSE
-      myFh.Write myLabel & vbLf
-      myFh.Write String(Len(myLabel), "=") & vbLf
-      myPem = "-----BEGIN CERTIFICATE-----" & vbLf & _
-              Base64Encode(myData) & vbLf & _
-              "-----END CERTIFICATE-----" & vbLf
-      If (myOptTxt = FALSE) Then
-        myFh.Write myPem & vbLf
-      Else
-        Dim myCmd, myRval, myTmpIn, myTmpOut
-        myTmpIn = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
-        myTmpOut = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
-        Set myTmpFh = objFSO.OpenTextFile(myTmpIn, 2, TRUE)
-        myTmpFh.Write myPem
-        myTmpFh.Close
-        myCmd = myOpenssl & " x509 -md5 -fingerprint -text -inform PEM" & _
-                " -in " & myTmpIn & " -out " & myTmpOut
-        myRval = objShell.Run (myCmd, 0, TRUE)
-        objFSO.DeleteFile myTmpIn, TRUE
-        If Not (myRval = 0) Then
-          MsgBox("Failed to process PEM cert with OpenSSL commandline!"), vbCritical, mySelf
-          objFSO.DeleteFile myTmpOut, TRUE
-          WScript.Quit 3
+      While (i < UBound(myLines)) And Not (myLines(i) = "#")
+        i = i + 1
+        If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _
+           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN")) Then
+          myUntrusted = TRUE
        End If
-        Set myTmpFh = objFSO.OpenTextFile(myTmpOut, 1)
-        myFh.Write myTmpFh.ReadAll & vbLf
-        myTmpFh.Close
-        objFSO.DeleteFile myTmpOut, TRUE
+      Wend
+      If (myUntrusted = TRUE) Then
+        myNumSkipped = myNumSkipped + 1
+      Else
+        myFh.Write myLabel & vbLf
+        myFh.Write String(Len(myLabel), "=") & vbLf
+        myPem = "-----BEGIN CERTIFICATE-----" & vbLf & _
+                Base64Encode(myData) & vbLf & _
+                "-----END CERTIFICATE-----" & vbLf
+        If (myOptTxt = FALSE) Then
+          myFh.Write myPem & vbLf
+        Else
+          Dim myCmd, myRval, myTmpIn, myTmpOut
+          myTmpIn = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
+          myTmpOut = objFSO.GetSpecialFolder(2).Path & "\" & objFSO.GetTempName
+          Set myTmpFh = objFSO.OpenTextFile(myTmpIn, 2, TRUE)
+          myTmpFh.Write myPem
+          myTmpFh.Close
+          myCmd = myOpenssl & " x509 -md5 -fingerprint -text -inform PEM" & _
+                  " -in " & myTmpIn & " -out " & myTmpOut
+          myRval = objShell.Run (myCmd, 0, TRUE)
+          objFSO.DeleteFile myTmpIn, TRUE
+          If Not (myRval = 0) Then
+            MsgBox("Failed to process PEM cert with OpenSSL commandline!"), vbCritical, mySelf
+            objFSO.DeleteFile myTmpOut, TRUE
+            WScript.Quit 3
+          End If
+          Set myTmpFh = objFSO.OpenTextFile(myTmpOut, 1)
+          myFh.Write myTmpFh.ReadAll & vbLf
+          myTmpFh.Close
+          objFSO.DeleteFile myTmpOut, TRUE
+        End If
+        myNumCerts = myNumCerts + 1
      End If
-      myData = ""
-      myNumCerts = myNumCerts + 1
    Else
      myOctets = Split(myLines(i), "\")
      For j = 1 To UBound(myOctets)
@ -169,6 +181,8 @@ For i = 0 To UBound(myLines)
  End If
  If InstrRev(myLines(i), "CKA_VALUE MULTILINE_OCTAL") Then
    myInsideCert = TRUE
+    myUntrusted = FALSE
+    myData = ""
  End If
  If InstrRev(myLines(i), "***** BEGIN LICENSE BLOCK *****") Then
    myInsideLicense = TRUE
@ -191,7 +205,8 @@ For i = 0 To UBound(myLines)
  End If
 Next
 myFh.Close
-objShell.PopUp "Done (" & myNumCerts & " CA certs processed).", 20, mySelf, vbInformation
+objShell.PopUp "Done (" & myNumCerts & " CA certs processed, " & myNumSkipped & _
+               " untrusted skipped).", 20, mySelf, vbInformation
 WScript.Quit 0

 Function ConvertBinaryData(arrBytes)