#!/usr/bin/env python
"""
Small utility to download the Mozilla-format certificates
(/mozilla/security/nss/lib/ckfw/builtins/certdata.txt in the Mozilla CVS)
and convert them into PEM.
Original version:
http://svn.osafoundation.org/m2crypto/trunk/demo/x509/certdata2pem.py
Based on the idea from:
http://curl.haxx.se/docs/parse-certs.txt.
Copyright (c) 2007 Open Source Applications Foundation.
"""
import array
import urllib
from M2Crypto import X509
certdata_url = ("http://mxr.mozilla.org/seamonkey/source/security/nss" +
"/lib/ckfw/builtins/certdata.txt?raw=1")
def download_and_convert():
certdata = urllib.urlopen(certdata_url)
try:
with open('cacert.pem', 'wb') as out:
for block in certdata_to_pem(certdata):
out.write(block)
finally:
certdata.close()
def certdata_to_pem(certdata):
counter = 0
value = None
name = None
for line in certdata:
line = line.strip()
if line.startswith('CKA_LABEL'):
assert value is None
label_encoding, name, dummy = line.split('"')
label, encoding = label_encoding.split()
assert encoding == 'UTF8'
elif line == 'CKA_VALUE MULTILINE_OCTAL':
assert name is not None
value = array.array('c')
elif value is not None and line == 'END':
assert name is not None
print 'Writing ' + name
x509 = X509.load_cert_string(value.tostring(), X509.FORMAT_DER)
if not x509.verify():
print ' Skipping ' + name + ' since it does not verify'
name = None
value = None
continue
counter += 1
yield (name + '\n' + '=' * len(name) + '\n\n' +
'SHA1 Fingerprint=' + x509.get_fingerprint('sha1') + '\n' +
x509.as_text() +
x509.as_pem() +
'\n')
name = None
value = None
elif value is not None:
assert name is not None
for number in line.split('\\'):
if not number:
continue
value.append(chr(int(number, 8)))
print 'Wrote %d certificates' % counter
if __name__ == '__main__':
download_and_convert()
