ca-certificates/mergepem2certdata.py

377 lines
13 KiB
Python
Raw Normal View History

#!/usr/bin/python
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
#
# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
# USA.
import base64
import os.path
import re
import sys
import textwrap
import subprocess
import getopt
import asn1
from cryptography import x509
from cryptography.hazmat.primitives import hashes
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
from datetime import datetime
from dateutil.parser import parse
objects = []
pemcerts = []
certdata='./certdata.txt'
pem='./cert.pem'
output='./certdata_out.txt'
trust='CKA_TRUST_CODE_SIGNING'
merge_label="Non-Mozilla Object Signing Only Certificate"
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
dateString='thisyear'
trust_types = {
"CKA_TRUST_SERVER_AUTH",
"CKA_TRUST_EMAIL_PROTECTION",
"CKA_TRUST_CODE_SIGNING"
}
attribute_types = {
"CKA_CLASS" : "CK_OBJECT_CLASS",
"CKA_TOKEN" : "CK_BBOOL",
"CKA_PRIVATE" : "CK_BBOOL",
"CKA_MODIFIABLE" : "CK_BBOOL",
"CKA_LABEL" : "UTF8",
"CKA_CERTIFICATE_TYPE" : "CK_CERTIFICATE_TYPE",
"CKA_SUBJECT" : "MULTILINE_OCTAL",
"CKA_ID" : "UTF8",
"CKA_CERT_SHA1_HASH" : "MULTILINE_OCTAL",
"CKA_CERT_MD5_HASH" : "MULTILINE_OCTAL",
"CKA_ISSUER" : "MULTILINE_OCTAL",
"CKA_SERIAL_NUMBER" : "MULTILINE_OCTAL",
"CKA_VALUE" : "MULTILINE_OCTAL",
"CKA_NSS_MOZILLA_CA_POLICY" : "CK_BBOOL",
"CKA_NSS_SERVER_DISTRUST_AFTER" : "Distrust",
"CKA_NSS_EMAIL_DISTRUST_AFTER" : "Distrust",
"CKA_TRUST_SERVER_AUTH" : "CK_TRUST",
"CKA_TRUST_EMAIL_PROTECTION" : "CK_TRUST",
"CKA_TRUST_CODE_SIGNING" : "CK_TRUST",
"CKA_TRUST_STEP_UP_APPROVED" : "CK_BBOOL"
}
def printable_serial(obj):
return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
def getSerial(cert):
encoder = asn1.Encoder()
encoder.start()
encoder.write(cert.serial_number)
return encoder.output()
def dumpOctal(f,value):
for i in range(len(value)) :
if i % 16 == 0 :
f.write("\n")
f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder))
f.write("\nEND\n")
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
# in python 3.8 this can be replaced with return byteval.hex(':',1)
def formatHex(byteval) :
string=byteval.hex()
string_out=""
for i in range(0,len(string)-2,2) :
string_out += string[i:i+2] + ':'
string_out += string[-2:]
return string_out
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
def getdate(dateString):
print("dateString= %s"%dateString)
if dateString.upper() == "THISYEAR":
return datetime(datetime.today().year,12,31,11,59,59,9999)
if dateString.upper() == "TODAY":
return datetime.today()
return parse(dateString, fuzzy=True);
def getTrust(objlist, serial, issuer) :
for obj in objlist:
if obj['CKA_CLASS'] == 'CKO_NSS_TRUST' and obj['CKA_SERIAL_NUMBER'] == serial and obj['CKA_ISSUER'] == issuer:
return obj
return None
def isDistrusted(obj) :
if (obj == None):
return False
return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
try:
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
except getopt.GetoptError as err:
print(err)
print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]')
print('-c certdata certdata file to merge to (default="'+certdata+'")');
print('-p pem pem file with CAs to merge from (default="'+pem+'")');
print('-o certdata_target resulting output file (default="'+output+'")');
print('-t trustvalue what these CAs are trusted for (default="'+trust+'")');
print('-l merge_label what label CAs that aren\'t in certdata (default="'+merge_label+'")');
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
print('-x date remove all certs that expire before data (default='+dateString+')');
sys.exit(2)
for opt, arg in opts:
if opt == '-c' :
certdata = arg
elif opt == '-p' :
pem = arg
elif opt == '-o' :
output = arg
elif opt == '-t' :
trust = arg
elif opt == '-l' :
merge_label = arg
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
elif opt == '-x' :
dateString = arg
# parse dateString
verifyDate = True
if dateString.upper() == "NEVER":
verifyDate = False
else:
date = getdate(dateString)
# read the pem file
in_cert, certvalue = False, ""
for line in open(pem, 'r'):
if not in_cert:
if line.find("BEGIN CERTIFICATE") != -1:
in_cert = True;
continue
# Ignore comment lines and blank lines.
if line.startswith('#'):
continue
if len(line.strip()) == 0:
continue
if line.find("END CERTIFICATE") != -1 :
pemcerts.append(certvalue);
certvalue = "";
in_cert = False;
continue
certvalue += line;
# read the certdata.txt file
in_data, in_multiline, in_obj = False, False, False
field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
header, comment = "", ""
for line in open(certdata, 'r'):
# Ignore the file header.
if not in_data:
header += line
if line.startswith('BEGINDATA'):
in_data = True
continue
# Ignore comment lines.
if line.startswith('#'):
comment += line
continue
# Empty lines are significant if we are inside an object.
if in_obj and len(line.strip()) == 0:
# collect all the inline comments in this object
obj['Comment'] += comment
comment = ""
objects.append(obj)
obj = dict()
in_obj = False
continue
if len(line.strip()) == 0:
continue
if in_multiline:
if not line.startswith('END'):
if ftype == 'MULTILINE_OCTAL':
line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
integ = int(i.group(1), 8)
binval.extend((integ).to_bytes(1, sys.byteorder))
obj[field] = binval
else:
value += line
obj[field] = value
continue
in_multiline = False
continue
if line.startswith('CKA_CLASS'):
in_obj = True
obj['Comment'] = comment
comment = ""
line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2:
field, ftype = line_parts[0:2]
value = ' '.join(line_parts[2:])
elif len(line_parts) == 2:
field, ftype = line_parts
value = None
else:
raise NotImplementedError('line_parts < 2 not supported.\n' + line)
if ftype == 'MULTILINE_OCTAL':
in_multiline = True
value = ""
binval = bytearray()
continue
obj[field] = value
if len(list(obj.items())) > 0:
objects.append(obj)
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
# strip out expired certificates from certdata.txt
if verifyDate :
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
if (cert.not_valid_after <= date) :
trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
# we don't remove distrusted expired certificates
if not isDistrusted(trust_obj) :
print(" Remove cert %s"%obj['CKA_LABEL'])
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
obj['Comment'] = None;
if (trust_obj != None):
trust_obj['Comment'] = None;
# now merge the results
for certval in pemcerts:
certder = base64.b64decode(certval)
cert = x509.load_der_x509_certificate(certder)
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
except:
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_UNIT_NAME)[0].value
except:
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
except:
label="Unknown Certificate"
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
if cert.not_valid_after <= date:
print(" Skipping code signing cert %s"%label)
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
continue
certhashsha1 = cert.fingerprint(hashes.SHA1())
certhashmd5 = cert.fingerprint(hashes.MD5())
found = False
# see if it exists in certdata.txt
for obj in objects:
# we only need to check the trust objects, because
# that is the object we would modify if it exists
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
# explicitly distrusted certs don't have a hash value
if not 'CKA_CERT_SHA1_HASH' in obj:
continue
if obj['CKA_CERT_SHA1_HASH'] != certhashsha1:
continue
obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
found = True
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
print('Updating "'+label+'" with code signing');
break
if found :
continue
# append this certificate
obj=dict()
time='%a %b %d %H:%M:%S %Y'
comment = '# ' + merge_label + '\n# %s "'+label+'"\n'
comment += '# Issuer: ' + cert.issuer.rfc4514_string() + '\n'
comment += '# Serial Number:'
sn=cert.serial_number
if sn < 0x100000:
comment += ' %d (0x%x)\n'%(sn,sn)
else:
comment += formatHex(sn.to_bytes((sn.bit_length()+7)//8,"big")) + '\n'
comment += '# Subject: ' + cert.subject.rfc4514_string() + '\n'
comment += '# Not Valid Before: ' + cert.not_valid_before.strftime(time) + '\n'
comment += '# Not Valid After: ' + cert.not_valid_after.strftime(time) + '\n'
comment += '# Fingerprint (MD5): ' + formatHex(certhashmd5) + '\n'
comment += '# Fingerprint (SHA1): ' + formatHex(certhashsha1) + '\n'
obj['Comment']= comment%"Certificate"
obj['CKA_CLASS'] = 'CKO_CERTIFICATE'
obj['CKA_TOKEN'] = 'CK_TRUE'
obj['CKA_PRIVATE'] = 'CK_FALSE'
obj['CKA_MODIFIABLE'] = 'CK_FALSE'
obj['CKA_LABEL'] = '"' + label + '"'
obj['CKA_CERTIFICATE_TYPE'] = 'CKC_X_509'
obj['CKA_SUBJECT'] = cert.subject.public_bytes()
obj['CKA_ID'] = '"0"'
obj['CKA_ISSUER'] = cert.issuer.public_bytes()
obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
obj['CKA_VALUE'] = certder
obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'
obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'
obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'
objects.append(obj)
# append the trust values
obj=dict()
obj['Comment']= comment%"Trust for"
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
obj['CKA_CLASS'] = 'CKO_NSS_TRUST'
obj['CKA_TOKEN'] = 'CK_TRUE'
obj['CKA_PRIVATE'] = 'CK_FALSE'
obj['CKA_MODIFIABLE'] = 'CK_FALSE'
obj['CKA_LABEL'] = '"' + label + '"'
obj['CKA_CERT_SHA1_HASH'] = certhashsha1
obj['CKA_CERT_MD5_HASH'] = certhashmd5
obj['CKA_ISSUER'] = cert.issuer.public_bytes()
obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
for t in list(trust_types):
if t == trust:
obj[t] = 'CKT_NSS_TRUSTED_DELEGATOR'
else:
obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
objects.append(obj)
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
print('Adding code signing cert "'+label+'"');
# now dump the results
f = open(output, 'w')
f.write(header)
for obj in objects:
if 'Comment' in obj:
Add code to pull in object signing certs from Common CA Database (ccadb.org). Fix the updated merge scripts to handle this. Prune Expired certificates from certdata.txt and the object signing cert list Update to CKBI 2.48 from NSS 3.64 Removing: # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" # Certificate "GeoTrust Universal CA 2" # Certificate "QuoVadis Root CA" # Certificate "Sonera Class 2 Root CA" # Certificate "Taiwan GRCA" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4" # Certificate "EE Certification Centre Root CA" # Certificate "LuxTrust Global Root 2" # Certificate "Symantec Class 1 Public Primary Certification Authority - G4" # Certificate "Symantec Class 2 Public Primary Certification Authority - G4" Adding: # Certificate "Microsoft ECC Root Certificate Authority 2017" # Certificate "Microsoft RSA Root Certificate Authority 2017" # Certificate "e-Szigno Root CA 2017" # Certificate "certSIGN Root CA G2" # Certificate "Trustwave Global Certification Authority" # Certificate "Trustwave Global ECC P256 Certification Authority" # Certificate "Trustwave Global ECC P384 Certification Authority" # Certificate "NAVER Global Root Certification Authority" # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS" # Certificate "GlobalSign Secure Mail Root R45" # Certificate "GlobalSign Secure Mail Root E45" # Certificate "GlobalSign Root R46" # Certificate "GlobalSign Root E46" # Certificate "Certum EC-384 CA" # Certificate "Certum Trusted Root CA" # Certificate "GlobalSign Code Signing Root R45" # Certificate "GlobalSign Code Signing Root E45" # Certificate "Halcom Root Certificate Authority" # Certificate "Symantec Class 3 Public Primary Certification Authority - G6" # Certificate "GLOBALTRUST" # Certificate "MULTICERT Root Certification Authority 01" # Certificate "Verizon Global Root CA" # Certificate "Tunisian Root Certificate Authority - TunRootCA2" # Certificate "CAEDICOM Root" # Certificate "COMODO Certification Authority" # Certificate "Security Communication ECC RootCA1" # Certificate "Security Communication RootCA3" # Certificate "AC RAIZ DNIE" # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3" # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány" # Certificate "GLOBALTRUST 2015" # Certificate "emSign Root CA - G2" # Certificate "emSign Root CA - C2"
2021-05-25 23:48:57 +00:00
# if comment is None, we've deleted the entry above
if obj['Comment'] == None:
continue
f.write(obj['Comment'])
else:
print("Object with no comment!!")
print(obj)
for field in list(attribute_types.keys()):
if not field in obj:
continue
ftype = attribute_types[field];
if ftype == 'Distrust':
if obj[field] == 'CK_FALSE':
ftype = 'CK_BBOOL'
else:
ftype = 'MULTILINE_OCTAL'
f.write("%s %s"%(field,ftype));
if ftype == 'MULTILINE_OCTAL':
dumpOctal(f,obj[field])
else:
f.write(" %s\n"%obj[field])
f.write("\n")
f.close