mk-ca-bundle.pl: switched to using hg.mozilla.org

... as mxr.mozilla.org is due to be retired. The new host doesn't support If-Modified-Since nor ETags, meaning that the script will now defer to download and do a post-transfer checksum check to see if a new output is to be generated. The new output format will hold the SHA1 checksum of the source file for that purpose. We call this version 1.22 Reported-by: Ed Morley Bug: http://curl.haxx.se/bug/view.cgi?id=1409
curl · Aug 13, 2014 · 57b5391 · 57b5391
1 parent fc5a5a4
commit 57b5391
Showing 1 changed file with 56 additions and 15 deletions.
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
@@ -40,25 +40,23 @@
 
 my %urls = (
   'nss' =>
-    'http://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1',
+    'http://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt',
   'central' =>
-    'http://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1',
+    'http://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt',
   'aurora' =>
-    'http://mxr.mozilla.org/mozilla-aurora/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1',
+    'http://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt',
   'beta' =>
-    'http://mxr.mozilla.org/mozilla-beta/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1',
+    'http://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt',
   'release' =>
-    'http://mxr.mozilla.org/mozilla-release/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1',
-  'mozilla' =>
-    'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1'
+    'http://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt',
 );
 
 $opt_d = 'release';
 
 # If the OpenSSL commandline is not in search path you can configure it here!
 my $openssl = 'openssl';
 
-my $version = '1.21';
+my $version = '1.22';
 
 $opt_w = 76; # default base64 encoded lines length
 
@@ -209,6 +207,28 @@ ($$@)
   return @values;
 }
 
+sub sha1 {
+    my ($txt)=@_;
+    my $sha1 = `$openssl dgst -sha1 $txt | cut '-d ' -f2`;
+    chomp $sha1;
+    return sha1;
+}
+
+sub oldsha1 {
+    my ($crt)=@_;
+    my $sha1="";
+    open(C, "<$crt");
+    while(<C>) {
+        chomp;
+        if($_ =~ /^\#\# SHA1: (.*)/) {
+            $sha1 = $1;
+            last;
+        }
+    }
+    close(C);
+    return $sha1;
+}
+
 if ( $opt_p !~ m/:/ ) {
   print "Error: Mozilla trust identifier list must include both purposes and levels\n";
   HELP_MESSAGE();
@@ -238,6 +258,10 @@ (%)
 my $resp;
 my $fetched;
 
+my $oldsha1= oldsha1($crt);
+
+print STDERR "SHA1 of old file: $oldsha1\n";
+
 unless ($opt_n and -e $txt) {
   print STDERR "Downloading '$txt' ...\n" if (!$opt_q);
   my $ua  = new LWP::UserAgent(agent => "$0/$version");
@@ -257,7 +281,25 @@ (%)
   }
 }
 
-my $currentdate = scalar gmtime($fetched ? $resp->last_modified : (stat($txt))[9]);
+my $filedate = $fetched ? $resp->last_modified : (stat($txt))[9];
+my $datesrc = "as of";
+if(!$filedate) {
+    # mxr.mozilla.org gave us a time, hg.mozilla.org does not!
+    $filedate = time();
+    $datesrc="downloaded on";
+}
+
+# get the hash from the download file
+my $newsha1= sha1($txt); 
+
+if($oldsha1 eq $newsha1) {
+    print STDERR "Downloaded file identical to previous run\'s source file. Exiting\n";
+    exit;
+}
+
+print STDERR "SHA1 of new file: $newsha1\n";
+
+my $currentdate = scalar gmtime($filedate);
 
 my $format = $opt_t ? "plain text and " : "";
 if( $stdout ) {
@@ -267,9 +309,9 @@ (%)
 }
 print CRT <<EOT;
 ##
-## $crt -- Bundle of CA Root Certificates
+## Bundle of CA Root Certificates
 ##
-## Certificate data from Mozilla as of: ${currentdate}
+## Certificate data from Mozilla ${datesrc}: ${currentdate}
 ##
 ## This is a bundle of X.509 certificates of public Certificate Authorities
 ## (CA). These were automatically extracted from Mozilla's root certificates
@@ -281,6 +323,9 @@ (%)
 ## an Apache+mod_ssl webserver for SSL client authentication.
 ## Just configure this file as the SSLCACertificateFile.
 ##
+## Conversion done with mk-ca-bundle.pl verison $version.
+## SHA1: $newsha1
+##
 
 EOT
 
@@ -415,7 +460,3 @@ (%)
 }
 unlink $txt if ($opt_u);
 print STDERR "Done ($certnum CA certs processed, $skipnum skipped).\n" if (!$opt_q);
-
-exit;
-
-