Changed: ca-certificates.changes
Changed: ca-certificates.spec
Added: README.etcssl
@@ -0,0 +1,20 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as this distribution has long provided
+such a file, and it is possible some software has come to expect its
+existence.
+
+/etc/ssl/certs itself and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.
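Review bot: The README should state which trust purpose the two bundles carry. In the update-ca-trust change in this same commit, ca-certificates.crt and ca-bundle.crt are symlinks to ../tls-ca-bundle.pem, which is extracted with "--purpose server-auth" only, so software that reads /etc/ssl/certs for S/MIME or code-signing validation gets an incomplete anchor set without any error. A sentence such as "Both bundles contain only the TLS server-auth anchors; the email and code-signing bundles live under /etc/pki/ca-trust/extracted/pem" would prevent that misuse. Minor wording: "courtesy attempt to provide compatibility" reads more cleanly as "provided as a courtesy to software which assumes its existence".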
Changed: certdata.txt
@@ -79,7 +79,7 @@
# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
# Not Valid Before: Tue Sep 01 12:00:00 1998
# Not Valid After : Fri Jan 28 12:00:00 2028
-# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
+# Fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
@@ -169,13 +169,13 @@
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
-# Trust for Certificate "GlobalSign Root CA"
+# Trust for "GlobalSign Root CA"
# Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
# Serial Number:04:00:00:00:00:01:15:4b:5a:c3:94
# Subject: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
# Not Valid Before: Tue Sep 01 12:00:00 1998
# Not Valid After : Fri Jan 28 12:00:00 2028
-# Fingerprint (MD5): 3E:45:52:15:09:51:92:E1:B7:5D:37:9F:B1:87:29:8A
+# Fingerprint (SHA-256): EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
# Fingerprint (SHA1): B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
@@ -202,142 +202,7 @@
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
-# Certificate "GlobalSign Root CA - R2"
-#
-# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
-# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
-# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
-# Not Valid Before: Fri Dec 15 08:00:00 2006
-# Not Valid After : Wed Dec 15 08:00:00 2021
-# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
-# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GlobalSign Root CA - R2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
-\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
-\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107
-\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
-\004\003\023\012\107\154\157\142\141\154\123\151\147\156
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
-\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
-\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107
-\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
-\004\003\023\012\107\154\157\142\141\154\123\151\147\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\013\004\000\000\000\000\001\017\206\046\346\015
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\003\272\060\202\002\242\240\003\002\001\002\002\013\004
-\000\000\000\000\001\017\206\046\346\015\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\060\114\061\040\060\036\006
-\003\125\004\013\023\027\107\154\157\142\141\154\123\151\147\156
-\040\122\157\157\164\040\103\101\040\055\040\122\062\061\023\060
-\021\006\003\125\004\012\023\012\107\154\157\142\141\154\123\151
-\147\156\061\023\060\021\006\003\125\004\003\023\012\107\154\157
-\142\141\154\123\151\147\156\060\036\027\015\060\066\061\062\061
-\065\060\070\060\060\060\060\132\027\015\062\061\061\062\061\065
-\060\070\060\060\060\060\132\060\114\061\040\060\036\006\003\125
-\004\013\023\027\107\154\157\142\141\154\123\151\147\156\040\122
-\157\157\164\040\103\101\040\055\040\122\062\061\023\060\021\006
-\003\125\004\012\023\012\107\154\157\142\141\154\123\151\147\156
-\061\023\060\021\006\003\125\004\003\023\012\107\154\157\142\141
-\154\123\151\147\156\060\202\001\042\060\015\006\011\052\206\110
-\206\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001
-\012\002\202\001\001\000\246\317\044\016\276\056\157\050\231\105
-\102\304\253\076\041\124\233\013\323\177\204\160\372\022\263\313
-\277\207\137\306\177\206\323\262\060\134\326\375\255\361\173\334
-\345\370\140\226\011\222\020\365\320\123\336\373\173\176\163\210
-\254\122\210\173\112\246\312\111\246\136\250\247\214\132\021\274
-\172\202\353\276\214\351\263\254\226\045\007\227\112\231\052\007
-\057\264\036\167\277\212\017\265\002\174\033\226\270\305\271\072
-\054\274\326\022\271\353\131\175\342\320\006\206\137\136\111\152
-\265\071\136\210\064\354\274\170\014\010\230\204\154\250\315\113
-\264\240\175\014\171\115\360\270\055\313\041\312\325\154\133\175
-\341\240\051\204\241\371\323\224\111\313\044\142\221\040\274\335
-\013\325\331\314\371\352\047\012\053\163\221\306\235\033\254\310
-\313\350\340\240\364\057\220\213\115\373\260\066\033\366\031\172
-\205\340\155\362\141\023\210\134\237\340\223\012\121\227\212\132
-\316\257\253\325\367\252\011\252\140\275\334\331\137\337\162\251
-\140\023\136\000\001\311\112\372\077\244\352\007\003\041\002\216
-\202\312\003\302\233\217\002\003\001\000\001\243\201\234\060\201
-\231\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
-\006\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
-\001\377\060\035\006\003\125\035\016\004\026\004\024\233\342\007
-\127\147\034\036\300\152\006\336\131\264\232\055\337\334\031\206
-\056\060\066\006\003\125\035\037\004\057\060\055\060\053\240\051
-\240\047\206\045\150\164\164\160\072\057\057\143\162\154\056\147
-\154\157\142\141\154\163\151\147\156\056\156\145\164\057\162\157
-\157\164\055\162\062\056\143\162\154\060\037\006\003\125\035\043
-\004\030\060\026\200\024\233\342\007\127\147\034\036\300\152\006
-\336\131\264\232\055\337\334\031\206\056\060\015\006\011\052\206
-\110\206\367\015\001\001\005\005\000\003\202\001\001\000\231\201
-\123\207\034\150\227\206\221\354\340\112\270\104\013\253\201\254
-\047\117\326\301\270\034\103\170\263\014\232\374\352\054\074\156
-\141\033\115\113\051\365\237\005\035\046\301\270\351\203\000\142
-\105\266\251\010\223\271\251\063\113\030\232\302\370\207\210\116
-\333\335\161\064\032\301\124\332\106\077\340\323\052\253\155\124
-\042\365\072\142\315\040\157\272\051\211\327\335\221\356\323\134
-\242\076\241\133\101\365\337\345\144\103\055\351\325\071\253\322
-\242\337\267\213\320\300\200\031\034\105\300\055\214\350\370\055
-\244\164\126\111\305\005\265\117\025\336\156\104\170\071\207\250
-\176\273\363\171\030\221\273\364\157\235\301\360\214\065\214\135
-\001\373\303\155\271\357\104\155\171\106\061\176\012\376\251\202
-\301\377\357\253\156\040\304\120\311\137\235\115\233\027\214\014
-\345\001\311\240\101\152\163\123\372\245\120\264\156\045\017\373
-\114\030\364\375\122\331\216\151\261\350\021\017\336\210\330\373
-\035\111\367\252\336\225\317\040\170\302\140\022\333\045\100\214
-\152\374\176\102\070\100\144\022\367\236\201\341\223\056
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
-CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
-CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
-
-# Trust for Certificate "GlobalSign Root CA - R2"
-# Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
-# Serial Number:04:00:00:00:00:01:0f:86:26:e6:0d
-# Subject: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2
-# Not Valid Before: Fri Dec 15 08:00:00 2006
-# Not Valid After : Wed Dec 15 08:00:00 2021
-# Fingerprint (MD5): 94:14:77:7E:3E:5E:FD:8F:30:BD:41:B0:CF:E7:D0:30
-# Fingerprint (SHA1): 75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "GlobalSign Root CA - R2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\165\340\253\266\023\205\022\047\034\004\370\137\335\336\070\344
-\267\044\056\376
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\224\024\167\176\076\136\375\217\060\275\101\260\317\347\320\060
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\114\061\040\060\036\006\003\125\004\013\023\027\107\154\157
-\142\141\154\123\151\147\156\040\122\157\157\164\040\103\101\040
-\055\040\122\062\061\023\060\021\006\003\125\004\012\023\012\107
-\154\157\142\141\154\123\151\147\156\061\023\060\021\006\003\125
-\004\003\023\012\107\154\157\142\141\154\123\151\147\156
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\013\004\000\000\000\000\001\017\206\046\346\015
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
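Review bot: The last changed line of this hunk flips GlobalSign Root CA's CKA_TRUST_CODE_SIGNING from CKT_NSS_MUST_VERIFY_TRUST to CKT_NSS_TRUSTED_DELEGATOR, which widens trust: this root now anchors code-signing validation in addition to TLS and email. That is a policy change distinct from the routine refresh in the same hunk (SHA-256 fingerprint comments, removal of the "GlobalSign Root CA - R2" entry, which by its own header expired on Dec 15 2021) and should be named in ca-certificates.changes rather than left implicit in "Microsoft Signed Objects". Worth confirming the flip is produced by mergepem2certdata.py's sister-certificate path rather than by a hand edit, so it survives the next regeneration.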
@@ -348,8 +213,9 @@
# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Not Valid Before: Fri Oct 01 00:00:00 1999
# Not Valid After : Wed Jul 16 23:59:59 2036
-# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+# Fingerprint (SHA-256): CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65
# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
+# For Email Distrust After: Wed Aug 31 00:00:00 2022
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
@@ -461,18 +327,17 @@
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
-# For Email Distrust After: Wed Aug 31 00:00:00 2022
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\060\070\063\061\060\060\060\060\060\060\132
END
-# Trust for Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+# Trust for "Verisign Class 1 Public Primary Certification Authority - G3"
# Issuer: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Serial Number:00:8b:5b:75:56:84:54:85:0b:00:cf:af:38:48:ce:b1:a4
# Subject: CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
# Not Valid Before: Fri Oct 01 00:00:00 1999
# Not Valid After : Wed Jul 16 23:59:59 2036
-# Fingerprint (MD5): B1:47:BC:18:57:D1:18:A0:78:2D:EC:71:E8:2A:95:73
+# Fingerprint (SHA-256): CB:B5:AF:18:5E:94:2A:24:02:F9:EA:CB:C0:ED:5B:B8:76:EE:A3:C1:22:36:23:D0:04:47:E4:F3:BA:55:4B:65
# Fingerprint (SHA1): 20:42:85:DC:F7:EB:76:41:95:57:8E:13:6B:D4:B7:D1:E9:8E:46:A5
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
Changed: fetch.sh
@@ -94,6 +94,21 @@
else
release="1.0"
fi
+
+
+# fetch the codesigning certs now so we can get
+# the code signing version number
+if [ ${skip_signed_obj} -eq 0 ]; then
+ ./fetch_objsign.sh
+ if [ -f codesign-release.txt ]; then
+ mcs_version=$(cat codesign-release.txt)
+ if [[ $ms_version != "unknown" ]]; then
+ ckbi_version="${ckbi_version}_${mcs_version}"
+ fi
+ signobjects="and Microsoft Signed Objects version $ms_version"
+ fi
+fi
+
version=${year}.${ckbi_version}
#make sure the the current version is newer than what is already there
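Review bot: Two variable-name mismatches make the new block a no-op for its stated purpose: the lines "if [[ $ms_version != "unknown" ]]" and "signobjects=... $ms_version" read ms_version, but the value was stored in mcs_version, and the changelog line added in the next hunk expands ${sign_objects}, not signobjects. As written the "unknown" guard never fires (an unset variable compares unequal to "unknown"), ckbi_version can end up with an "_unknown" suffix, and the changelog never gains the Microsoft version. Use one name throughout, e.g. "if [[ "$mcs_version" != "unknown" ]]" and "sign_objects=" and Microsoft Signed Objects version $mcs_version"" (leading space included, since it is concatenated directly after ${nss_version}). Separately, ./fetch_objsign.sh is invoked here without -n, so with its default merge=1 it already runs mergepem2certdata.py against ./certdata.txt; the explicit merge in the next hunk then operates on an already merged file. If this call is only meant to fetch the list and record its version, pass -n.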
@@ -113,13 +128,15 @@
exit 1;
fi
+# merge the signing certs into the normal certdata.txt file.
if [ ${skip_signed_obj} -eq 0 ]; then
- ./fetch_objsign.sh
+ cp certdata.txt certdata.txt.orig
+ python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER"
fi
# Verify everything is good with the user
echo -e "Upgrading ${current_version} -> ${version}:"
-echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}"
./check_certs.sh
echo ""
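Review bot: "-x NEVER" switches off expiry pruning in mergepem2certdata.py for this run (its verifyDate = False branch), so expired roots from both certdata.txt and the Microsoft PEM are carried into the shipped certdata.txt; a comment saying why that is wanted here (the merge script deliberately keeps expired certificates that carry distrust records) would stop the next maintainer from "fixing" it. certdata.txt.orig is left behind after the merge; remove it afterwards or make sure check_certs.sh ignores it. The ${sign_objects} expansion on the changelog line also depends on the assignment in the previous hunk using the same spelling; it currently writes signobjects.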
Changed: fetch_objsign.sh
@@ -3,16 +3,62 @@
# This script fetches the object signing list from the Microsoft list. It then
# mergest that list into the fetched certdata.txt.
#
-baseurl="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?TrustBitsInclude=Code%20Signing"
-target="microsoft_code_siging.pem"
+giturl="https://github.com/dotnet/sdk"
+gitrawurl="https://raw.githubusercontent.com/dotnet/sdk"
+release="latest"
+treedir="src/Layout/redist/trustedroots/codesignctl.pem"
+target="microsoft_sign_obj_ca.pem"
certdata="./certdata.txt"
+baseurl=""
merge=1
diff=0
+
+function getlatest
+{
+ local url=$1
+ local latest="0"
+ local tags=($(git ls-remote --tags ${url}))
+ for tag in "${tags[@]}"
+ do
+ if [[ ! ${tag} =~ refs/.* ]]; then
+ continue # skip hashes
+ fi
+ if [[ ${tag} =~ .*preview.* ]]; then
+ continue # skip preview tags, we only want release tags
+ fi
+ if [[ ${tag} =~ .*rc.* ]]; then
+ continue # skip release candidate tags, we only want release tags
+ fi
+ if [[ ${latest} < ${tag} ]]; then
+ latest=$tag
+ fi
+ done
+ latest=${latest##refs/tags/}
+ echo $latest
+}
+
while [ -n "$1" ]; do
case $1 in
+ "-g")
+ shift
+ giturl=$1
+ ;;
+ "-r")
+ shift
+ gitrawurl=$1
+ ;;
+ "-t")
+ shift
+ treedir=$1
+ ;;
+ "-r")
+ shift
+ release=$1
+ ;;
"-u")
shift
baseurl=$1
+ release="unknown"
;;
"-o")
shift
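Review bot: The "-r" option is defined twice in the case statement; the second "-r") arm (release=$1) is unreachable, so the release can never be pinned from the command line and -r always overwrites gitrawurl. Give the release its own letter (the usage text in the next hunk has the same duplication). In getlatest, "[[ ${latest} < ${tag} ]]" is a lexicographic string comparison, so v9.0.100 sorts after v10.0.100, and "git ls-remote --tags" also lists peeled "refs/tags/X^{}" entries for annotated tags, which pass the filters and then become part of the raw URL. "git ls-remote --refs --tags "$url" | awk '{print $2}' | grep -v -e preview -e rc | sort -V | tail -n1" gives a release-ordered answer without the peeled entries. Finally, this moves the source of the code-signing trust list from CCADB to a file in a GitHub repository fetched by mutable tag with no integrity check; pinning to a commit hash and diffing against the previously fetched PEM (the -d option already exists) before merging would give each update a verifiable provenance.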
@@ -26,11 +72,16 @@
merge=0
;;
"-d")
+ shift
diff=1
difffile=$1
;;
*)
echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]"
+ echo "-g URL git URL to fetch code signing list"
+ echo "-r URL raw git URL to fetch code signing list"
+ echo "-t URL git tree directory to fetch code signing list"
+ echo "-r release code signing list release version"
echo "-u URL base URL to fetch code signing list"
echo "-o target name of the codesigning target"
echo "-c certdata patch to certdata.txt to merge with"
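Review bot: The usage text lists -r twice with two different meanings, mirroring the duplicated case arm in the previous hunk; once the release option gets its own letter, update both lines. -t takes a path inside the tree, not a URL, so "-t dir git tree path" describes it better. The existing "-c certdata patch to certdata.txt" line is a typo for "path" and could be fixed while here.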
@@ -42,6 +93,17 @@
shift
done
+if [ "${release}" = "latest" ]; then
+ release=$(getlatest ${giturl} )
+fi
+
+if [ "${baseurl}" = "" ]; then
+ baseurl="${gitrawurl}/${release}/${treedir}"
+fi
+
+echo $release > "./codesign-release.txt"
+
+echo "Fetching release=${release}, ${target} from ${baseurl}"
wget ${baseurl} -O ${target}
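Review bot: When no tag passes the filters, getlatest echoes its initial value "0", so baseurl becomes ${gitrawurl}/0/${treedir}, "0" is written to codesign-release.txt and wget fetches a 404; add "[ "$release" != "0" ] || exit 1" after the getlatest call. The script has no "set -e" and wget's exit status is not checked before the merge in the next hunk, so a failed download leaves an empty ${target} that flows into mergepem2certdata.py unless the unshown lines between the hunks check it; "wget "$baseurl" -O "$target" || exit 1" closes that gap and also quotes both expansions.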
@@ -53,7 +115,6 @@
if [ ${diff} -eq 1 ]; then
out=${certdata}.out
fi
-
python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate"
if [ ${diff} -eq 1 ]; then
Changed: mergepem2certdata.py
@@ -30,7 +30,7 @@
import getopt
import asn1
from cryptography import x509
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
from datetime import datetime
from dateutil.parser import parse
@@ -118,6 +118,40 @@
return False
return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
+
+def stripQuotes(label) :
+ if label[:1] == "\"" :
+ label=label[1:]
+ if label[-1] == "\"" :
+ label = label[:-1]
+ return label
+
+# another object of the same class has the same label
+def labelExists(objlist, obj) :
+ for iobj in objlist:
+ if obj['CKA_CLASS'] == iobj['CKA_CLASS'] and obj['CKA_LABEL'] == iobj['CKA_LABEL']:
+ return True
+ return False
+
+# add an object, make sure that label is unique
+def addObj(objlist, newObj, specialLabel, drop) :
+ label = stripQuotes(newObj['CKA_LABEL'])
+ count=1
+ if specialLabel != None :
+ count=0
+ label=label+' '+specialLabel
+ # make sure the label is unique
+ while labelExists(objlist, newObj) :
+ if drop :
+ return 'DROPPED'
+ if count != 0 :
+ newObj['CKA_LABEL'] = "\"%s %d\""%(label,count)
+ else :
+ newObj['CKA_LABEL'] = "\"%s\""%label
+ count=count+1
+ objlist.append(obj)
+ return stripQuotes(newObj['CKA_LABEL'])
+
try:
opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
except getopt.GetoptError as err:
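Review bot: "objlist.append(obj)" in addObj appends the module-level obj instead of the newObj parameter; it works today only because every caller passes the global named obj, and will silently store the wrong object the first time a caller uses another name. Change it to "objlist.append(newObj)". Also, the specialLabel suffix is only applied inside the "while labelExists" loop, i.e. on a collision, and with drop=True the function returns 'DROPPED' before ever rewriting the label, so the 'CodeSigning' suffix requested by the later hunks never reaches a stored object. If Microsoft-only roots are meant to be labelled distinctly, set newObj['CKA_LABEL'] before the loop. stripQuotes raises IndexError on an empty label because of label[-1]; label.strip('"') handles both ends safely.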
@@ -146,11 +180,13 @@
dateString = arg
# parse dateString
+print ("datastring=",dateString)
verifyDate = True
if dateString.upper() == "NEVER":
verifyDate = False
else:
date = getdate(dateString)
+print ("verifyDate=",verifyDate)
# read the pem file
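Review bot: The two added print lines ("datastring=" and "verifyDate=") look like leftover debugging output, and "datastring" is a typo for "dateString"; they go to stdout on every run, including the fetch.sh path whose output is shown to the user for review. Drop them or gate them behind a verbose flag.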
@@ -193,7 +229,7 @@
# collect all the inline comments in this object
obj['Comment'] += comment
comment = ""
- objects.append(obj)
+ addObj(objects, obj, None, False)
obj = dict()
in_obj = False
continue
@@ -232,14 +268,15 @@
binval = bytearray()
continue
obj[field] = value
+
if len(list(obj.items())) > 0:
- objects.append(obj)
+ addObj(objects, obj, None, False)
# strip out expired certificates from certdata.txt
if verifyDate :
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
- cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+ cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
if (cert.not_valid_after <= date) :
trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
# we don't remove distrusted expired certificates
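Review bot: Wrapping obj['CKA_VALUE'] in bytes() is the right fix, since the parser accumulates a bytearray and load_der_x509_certificate wants bytes. One caveat for the comparison on the following line: cert.not_valid_after returns a naive datetime and is deprecated in cryptography 42 and later in favour of the timezone-aware not_valid_after_utc; when that switch is made, the date produced by getdate() must be made tz-aware as well, or the "<=" comparison raises TypeError.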
@@ -265,11 +302,12 @@
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
except:
label="Unknown Certificate"
- if cert.not_valid_after <= date:
- print(" Skipping code signing cert %s"%label)
- print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
- print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
- continue
+ if verifyDate :
+ if cert.not_valid_after <= date:
+ print(" Skipping code signing cert %s"%label)
+ print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
+ print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
+ continue
certhashsha1 = cert.fingerprint(hashes.SHA1())
certhashmd5 = cert.fingerprint(hashes.MD5())
@@ -292,6 +330,32 @@
break
if found :
continue
+
+ # check for almost duplicates, certs with the same subject and key, but
+ # different values. If they exist, treat them as the same certificate
+ for obj in objects:
+ if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+ continue
+ # do they have the same subject?
+ if obj['CKA_SUBJECT'] != cert.subject.public_bytes():
+ continue
+ # do they have the same public key?
+ cert2 = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+ if cert2.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) != cert.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) :
+ continue
+ #found now update trust record
+ trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
+ if trust_obj is None :
+ print('Couldn\'t find trust object for "'+obj['CKA_LABEL']);
+ exit
+ trust_obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
+ found = True
+ print('Updating sister certificate "'+obj['CKA_LABEL']+'" with code signing based on Microsoft "'+label+'"');
+ break
+ if found :
+ break
+ if found :
+ continue
# append this certificate
obj=dict()
time='%a %b %d %H:%M:%S %Y'
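Review bot: The bare "exit" after the "Couldn't find trust object" message does nothing (it names the builtin without calling it), so execution falls through to "trust_obj[trust] = ..." with trust_obj set to None and raises TypeError. Use sys.exit(1) if a missing trust record is fatal, or continue if the entry should just be skipped; the message on that line is also missing its closing quote character. The sister-certificate match itself is sound: comparing the DER SubjectPublicKeyInfo ties the granted code-signing trust to the same key rather than merely the same subject name.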
@@ -323,7 +387,9 @@
obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'
obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'
obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'
- objects.append(obj)
+ label = addObj(objects, obj, 'CodeSigning', True)
+ if label == 'DROPPED' :
+ continue
# append the trust values
obj=dict()
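Review bot: With drop=True here, a label collision drops the Microsoft root entirely. The label comes from ORGANIZATION_NAME (see the "label=cert.subject.get_attributes_for_oid(...ORGANIZATION_NAME)" line a few hunks up), so two distinct roots of the same organisation with different keys, already established as neither exact nor sister duplicates, collide on the label and the second one is silently left without code-signing trust. Since exact and same-key duplicates are handled before this point, drop=False (uniquifying to "Name 1", "Name 2") looks like the safer choice; at minimum, print the dropped label so the omission is visible in the fetch.sh output.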
@@ -343,7 +409,7 @@
else:
obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
- objects.append(obj)
+ label = addObj(objects, obj, 'CodeSigning', True)
print('Adding code signing cert "'+label+'"');
# now dump the results
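Review bot: The return value of this second addObj call is not checked for 'DROPPED', so a trust object that collides on label is silently discarded while its certificate object (added in the previous hunk) stays in certdata.txt without any trust record, and the print on the next line would read Adding code signing cert "DROPPED". Either check the result and remove the certificate object on drop, or set the trust object's CKA_LABEL from the label returned by the first call so both objects share the uniquified name and the second call cannot collide.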
Changed: nssckbi.h
@@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 50
-#define NSS_BUILTINS_LIBRARY_VERSION "2.50"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
+#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
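Review bot: The minor version jumps from 50 to 60, skipping nine intermediate releases; that is fine only if 2.60 is the upstream CKBI number of the NSS release certdata.txt was taken from (the nss_version recorded by fetch.sh). Please confirm the two agree, since this value is what tools report as the builtin trust module version.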
Changed: update-ca-trust
@@ -1,10 +1,10 @@
#!/bin/sh
#set -vx
+set -eu
-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must
-# support the syntax "update-ca-trust extract" trigger the generation of output
+# For backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
DEST=/etc/pki/ca-trust/extracted
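Review bot: "set -eu" changes failure behaviour in a way the comment should state: with -e, the first failing p11-kit extract aborts the script and leaves the remaining bundles in $DEST stale from the previous run (before, every format was attempted), and with -u any unset expansion is fatal, which matters for the $2 read in the option parser added below. Both are reasonable for a trust-store generator, since a half-updated store is worse than a loud failure, but the rpm scriptlet that runs this during package installation now has to tolerate a non-zero exit. The retained comment also still misses a word: "must support the syntax ... to trigger the generation".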
@@ -12,11 +12,109 @@
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
+usage() {
+ fold -s -w 76 >&2 <<-EOF
+ Usage: $0 [extract] [-o DIR|--output=DIR]
+
+ Update the system trust store in $DEST.
+
+ COMMANDS
+ (absent/empty command): Same as the extract command described below.
+
+ extract: Instruct update-ca-trust to scan the source configuration in
+ /usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
+ updated versions of the consolidated configuration files stored below
+ the $DEST directory hierarchy.
+
+ EXTRACT OPTIONS
+ -o DIR, --output=DIR: Write the extracted trust store into the given
+ directory instead of updating $DEST.
+ EOF
+}
+
+extract() {
+ USER_DEST=
+
+ # can't use getopt here. ca-certificates can't depend on a lot
+ # of other libraries since openssl depends on ca-certificates
+ # just fail when we hand parse
+
+ while [ $# -ne 0 ]; do
+ case "$1" in
+ "-o"|"--output")
+ USER_DEST=$2
+ shift 2
+ continue
+ ;;
+ "--")
+ shift
+ break
+ ;;
+ *)
+ usage
+ exit 1
+ ;;
+ esac
+ done
+
+ if [ -n "$USER_DEST" ]; then
+ DEST=$USER_DEST
+ # Attempt to create the directories if they do not exist
+ # yet (rhbz#2241240)
+ /usr/bin/mkdir -p \
+ "$DEST"/openssl \
+ "$DEST"/pem \
+ "$DEST"/java \
+ "$DEST"/edk2
+ fi
+
+ # OpenSSL PEM bundle that includes trust flags
+ # (BEGIN TRUSTED CERTIFICATE)
+ /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
+ /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+ /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+ /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+ /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+ /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+ # Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
+ # by GnuTLS)
+ /usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+
+ # p11-kit extract will have made this directory unwritable; when run with
+ # CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
+ # not be the case. See rhbz#2241240.
+ if [ -n "$USER_DEST" ]; then
+ /usr/bin/chmod u+w "$DEST/pem/directory-hash"
+ fi
+
+ # Debian compatibility: their /etc/ssl/certs has this bundle
+ /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
+ # Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
+ # since https://bugzilla.redhat.com/show_bug.cgi?id=572725
+ /usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
+
+ # Remove write permissions again
+ if [ -n "$USER_DEST" ]; then
+ /usr/bin/chmod u-w "$DEST/pem/directory-hash"
+ fi
+}
+if [ $# -lt 1 ]; then
+ set -- extract
+fi
+
+case "$1" in
+ "extract")
+ shift
+ extract $@
+ ;;
+ "--"*|"-"*)
+ # First parameter seems to be an option, assume the command is 'extract'
+ extract $@
+ ;;
+ *)
+ echo >&2 "Error: Unknown command: $1"
+ echo >&2
+ usage
+ exit 1
+ ;;
+esac
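Review bot: The "--output=DIR" form advertised in usage() and in the man page is not handled: the case only matches "-o"|"--output" as a separate word, so --output=/tmp/x falls into *), prints usage and exits 1. Add an arm such as "--output="*) USER_DEST=${1#--output=}; shift; continue ;; . With "set -u", -o given as the last argument fails with an unbound-variable message instead of usage; test "[ $# -ge 2 ]" first. "extract $@" should be "extract "$@"" in both places so a directory name containing spaces survives. The two "ln -s" calls have no -f: unless p11-kit's --overwrite for pem-directory-hash clears the directory first, the second run against an unchanged $DEST fails there and, under "set -e", aborts; "ln -sfn" removes the dependence on that behaviour. Finally, chmod u+w / u-w run only with -o; in the default path writing the symlinks into the unwritable directory relies on CAP_DAC_OVERRIDE as the comment says, so the rootless container case from rhbz#2241240 still fails without -o.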
Changed: update-ca-trust.8.txt
@@ -27,7 +27,7 @@
SYNOPSIS
--------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
DESCRIPTION
@@ -98,13 +98,13 @@
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract'
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
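Review bot: This hunk renames the documented directory from blacklist/ to blocklist/ under both /usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source, but nothing in this commit shows the on-disk directory or p11-kit's configuration being changed. If p11-kit reads only blacklist/, the new text sends administrators to a directory that is silently ignored, which for a distrust list is a security-relevant failure; if both names are accepted, say so here and keep blacklist/ documented as the legacy name so existing installs that populated it are not misled. Please verify against the p11-kit version the package requires before merging, and apply the same treatment to the matching paragraph in the next hunk.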
@@ -134,7 +134,7 @@
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
-In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
@@ -214,15 +214,23 @@
COMMANDS
--------
-(absent/empty command)::
- Same as the *extract* command described below. (However, the command may
- print fewer warnings, as this command is being run during rpm package
- installation, where non-fatal status output is undesired.)
-
-*extract*::
- Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
- updated versions of the consolidated configuration files stored below
- the /etc/pki/ca-trust/extracted directory hierarchy.
+(absent/empty command)
+~~~~~~~~~~~~~~~~~~~~~~
+Same as the *extract* command described below. (However, the command may print
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)
+
+extract
+~~~~~~~
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
+the /etc/pki/ca-trust/extracted directory hierarchy.
+
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+ Write the extracted trust store into the given directory instead of
+ updating /etc/pki/ca-trust/extracted.
FILES
-----
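Review bot: The EXTRACT OPTIONS entry should describe what -o actually does in the script: the openssl/, pem/, java/ and edk2/ subdirectories are created under DIR if missing, and the /etc/ssl/certs symlinks still point at the default location, so an alternate output directory is a self-contained copy rather than an update of the system store. The --output=DIR spelling documented here (and in the synopsis hunk above) must match what the script parses; currently it accepts only "--output DIR" as two words. Also, the new "~~~~" and "^^^^" underlined sub-headings replace the "::" definition-list entries used for the rest of this section's items; keeping one style avoids the rendered man page mixing section levels.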