From b60a535c0f7a017112bb5a35f01b6db0205e9680 Mon Sep 17 00:00:00 2001
From: phoeagon <phoeagon@gmail.com>
Date: Thu, 26 Feb 2015 23:50:06 +0800
Subject: [PATCH] add nss_revoke script

---
 Linux/nss_revoke.sh         | 13 +++++++++++++
 Linux/revoke-china-certs.sh | 26 ++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100755 Linux/nss_revoke.sh
 create mode 100755 Linux/revoke-china-certs.sh

diff --git a/Linux/nss_revoke.sh b/Linux/nss_revoke.sh
new file mode 100755
index 0000000..1a7887c
--- /dev/null
+++ b/Linux/nss_revoke.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+DBPATH=$1
+CERTS=$2
+
+echo "Revoking CAs in $DBPATH/cert9.db"
+
+for CERT in $CERTS;do
+    # p,p,p: prohibit all use
+    certutil -d sql:${DBPATH} -A -n "${CERT}" -t p,p,p -i ${CERT}
+done
+
+echo "Done"
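Review bot: The `certutil` call in the loop has its exit status ignored and the script sets no `set -e`, so a failed import (wrong database path, unreadable certificate file) still ends with `Done` while the CA stays trusted. Stop on failure and quote the expansions: `certutil -d "sql:${DBPATH}" -A -n "${CERT}" -t p,p,p -i "${CERT}" || exit 1`. `DBPATH` is also used without checking that `$1` was supplied; `: "${DBPATH:?usage: nss_revoke.sh DBPATH CERTS}"` after the assignment would keep an empty path from reaching `-d sql:`. The unquoted `for CERT in $CERTS` splits on whitespace, which the caller relies on, but it means a certificate path containing a space cannot be passed and deserves a comment.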
diff --git a/Linux/revoke-china-certs.sh b/Linux/revoke-china-certs.sh
new file mode 100755
index 0000000..d587000
--- /dev/null
+++ b/Linux/revoke-china-certs.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+if [ ${1:-extended} = 'all' ];then
+    echo "Generating ALL CRL set"
+    # TODO: Explicitly distinguish between CA & EE certificates.
+    CA_CERTS=`ls ../Windows/Certs/Online/*.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+    echo "all"
+elif [ ${1:-extended} = 'extended' ];then
+    echo "Generating EXTENDED CRL set"
+    CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt ../Windows/Certs/Online/CFCA_*.crt  ../Windows/Certs/Online/UCA_*.crt  ../Windows/Certs/Online/[Suspicious]GoAgent_CA.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+elif [ ${1:-extended} = 'restore' ];then
+    echo "Generating RESTORE CRL set"
+    CA_CERTS=''
+    EE_CERTS=''
+else
+    echo "Generating Basic CRL set"
+    CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+fi
+
+CERTS=`echo $CA_CERTS $EE_CERTS`
+./nss_revoke.sh ${2:-~/.pki/nssdb} "${CERTS}"
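Review bot: The `[Suspicious]WaccBaiduCom.crt` and `[Suspicious]GoAgent_CA.crt` arguments in the `extended` and basic branches are unescaped, so the shell treats `[Suspicious]` as a one-character bracket expression. The literal file name is reached only through the no-match fallback, whereas the `\[Fake\]*.crt` lines escape the brackets. Escape them the same way, e.g. `../Windows/Certs/Online/\[Suspicious\]WaccBaiduCom.crt`, so the intended certificate is always the one that gets distrusted. The list is then flattened through `ls` and `echo` into a single string, so any path containing whitespace would be split apart inside nss_revoke.sh. Separately, the `restore` branch sets both lists to empty, which makes the run a no-op rather than undoing earlier `p,p,p` entries; a comment stating that would avoid the impression that trust was restored.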
-- 
GitLab