From b60a535c0f7a017112bb5a35f01b6db0205e9680 Mon Sep 17 00:00:00 2001
From: phoeagon <phoeagon@gmail.com>
Date: Thu, 26 Feb 2015 23:50:06 +0800
Subject: [PATCH] add nss_revoke script
---
Linux/nss_revoke.sh | 13 +++++++++++++
Linux/revoke-china-certs.sh | 26 ++++++++++++++++++++++++++
2 files changed, 39 insertions(+)
create mode 100755 Linux/nss_revoke.sh
create mode 100755 Linux/revoke-china-certs.sh
diff --git a/Linux/nss_revoke.sh b/Linux/nss_revoke.sh
new file mode 100755
index 0000000..1a7887c
--- /dev/null
+++ b/Linux/nss_revoke.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+DBPATH=$1
+CERTS=$2
+
+echo "Revoking CAs in $DBPATH/cert9.db"
+
+for CERT in $CERTS;do
+ # p,p,p: prohibit all use
+ certutil -d sql:${DBPATH} -A -n "${CERT}" -t p,p,p -i ${CERT}
+done
+
+echo "Done"
diff --git a/Linux/revoke-china-certs.sh b/Linux/revoke-china-certs.sh
new file mode 100755
index 0000000..d587000
--- /dev/null
+++ b/Linux/revoke-china-certs.sh
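Review bot: The exit status of `certutil` inside the loop in nss_revoke.sh is never checked and the script has no `set -e`, so a wrong database path or an unreadable certificate file still ends with "Done" and exit status 0. The caller's `set -e` in revoke-china-certs.sh cannot catch this either, so a CA may stay trusted while the user believes it was distrusted. I would fail on the first error and quote the expansions: `certutil -d "sql:${DBPATH}" -A -n "${CERT}" -t p,p,p -i "${CERT}" || exit 1`. `$1` and `$2` are also used without checking that they are set, and `for CERT in $CERTS` splits on whitespace, so a certificate path containing a space is passed as broken fragments; a usage check at the top and a comment stating that limitation would help.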
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+if [ ${1:-extended} = 'all' ];then
+ echo "Generating ALL CRL set"
+ # TODO: Explicitly distinguish between CA & EE certificates.
+ CA_CERTS=`ls ../Windows/Certs/Online/*.crt`
+ EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+ echo "all"
+elif [ ${1:-extended} = 'extended' ];then
+ echo "Generating EXTENDED CRL set"
+ CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt ../Windows/Certs/Online/CFCA_*.crt ../Windows/Certs/Online/UCA_*.crt ../Windows/Certs/Online/[Suspicious]GoAgent_CA.crt`
+ EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+elif [ ${1:-extended} = 'restore' ];then
+ echo "Generating RESTORE CRL set"
+ CA_CERTS=''
+ EE_CERTS=''
+else
+ echo "Generating Basic CRL set"
+ CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt`
+ EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+fi
+
+CERTS=`echo $CA_CERTS $EE_CERTS`
+./nss_revoke.sh ${2:-~/.pki/nssdb} "${CERTS}"
-- GitLab
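Review bot: The `restore` branch sets `CA_CERTS=''` and `EE_CERTS=''`, so `nss_revoke.sh` is called with an empty list, its loop body never runs, and it prints "Done" without touching the database. Certificates previously imported with `-t p,p,p` therefore stay in the store as distrusted entries. An empty set may be meaningful for a CRL-based mechanism, but for NSS the entries have to be removed (for example with `certutil -D -n <nickname>`), so until that exists the branch should fail loudly: `echo "restore is not implemented for NSS" >&2; exit 1`. Separately, the final `else` treats any unrecognised first argument, including a typo of `all` or `extended`, as the basic set; an explicit `basic` test plus a usage error for anything else would avoid applying a smaller distrust set than the user asked for.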