* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3 - updated READMEs to describe the new directory-specific treatment of files - ship a new file that contains certificates with neutral trust - ship a new file that contains distrust objects, and also staple a basic constraint extension to one legacy root contained in the Mozilla CA list - adjust the build script to dynamically produce most of above files - add and own the anchors and blacklist subdirectories - file generate-cacerts.pl is no longer required
This commit is contained in:
parent
d538ada99c
commit
34f352da5f
85
README.src
85
README.src
@ -1,27 +1,82 @@
|
||||
This directory /etc/pki/ca-trust/source/ contains CA certificates and
|
||||
trust settings in the PEM file format. The trust settings found here will be
|
||||
interpreted with a high priority, higher than the ones found in
|
||||
interpreted with a high priority - higher than the ones found in
|
||||
/usr/share/pki/ca-trust-source/.
|
||||
|
||||
You may install additional certificates or bundles into this directory.
|
||||
=============================================================================
|
||||
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
|
||||
list of CAs trusted on the system:
|
||||
|
||||
Each file may contain one or many certificates and trust flags in a
|
||||
PEM file format, as documented in the x509(1) manual page.
|
||||
Allowed formats are:
|
||||
- The BEGIN/END CERTIFICATE file format.
|
||||
Such certificates will be trusted for TLS server auth, only.
|
||||
- The BEGIN/END TRUSTED CERTIFICATE file format.
|
||||
Such certificates will be trusted or distrusted according to the
|
||||
trust settings contained in the PEM format data blocks.
|
||||
Copy it to the
|
||||
/etc/pki/ca-trust/source/anchors/
|
||||
subdirectory, and run the
|
||||
update-ca-trust
|
||||
command.
|
||||
|
||||
Applications that are able to use PKCS#11 modules can dynamically use
|
||||
the merged set of certificates from
|
||||
If your certificate is in the extended BEGIN TRUSTED file format,
|
||||
then place it into the main source/ directory instead.
|
||||
=============================================================================
|
||||
|
||||
Description of the source directory and its subdirectories:
|
||||
-----------------------------------------------------------
|
||||
In order to offer simplicity and flexibility, the way certificate files
|
||||
are treated depend on the subdirectory they are installed to.
|
||||
|
||||
trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/
|
||||
extended format directory : /etc/pki/ca-trust/source/
|
||||
blacklist subdirectory : /etc/pki/ca-trust/source/blacklist/
|
||||
|
||||
In the main directory /etc/pki/ca-trust/source/
|
||||
you may install one or multiple files in the following file formats:
|
||||
- certificate files that include trust flags,
|
||||
in the BEGIN/END TRUSTED CERTIFICATE file format
|
||||
(any file name), which have been created using the openssl x509 tool
|
||||
and the -addreject -addtrust options.
|
||||
Bundle files with multiple certificates are supported.
|
||||
- files in the p11-kit file format using the .p11-kit file
|
||||
extension, which can (e.g.) be used to distrust certificates
|
||||
based on serial number and issuer name, without having the
|
||||
full certificate available.
|
||||
(This is currently an undocumented format, to be extended later.
|
||||
For an example of a distrusted certificate, see the files
|
||||
shipped with the ca-certificates package.)
|
||||
- certificate files without trust flags in either the DER file format or in
|
||||
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
|
||||
will be added with neutral trust, neither trusted nor distrusted.
|
||||
They will simply be known to the system, which might be helpful to
|
||||
assist cryptographic software in constructing chains of certificates.
|
||||
(If you want a CA certificate in these file formats to be trusted, you
|
||||
should remove it from this directory and copy it to the
|
||||
./anchors subdirectory instead.)
|
||||
|
||||
In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/
|
||||
you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *trusted* for all purposes.
|
||||
|
||||
In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/
|
||||
you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *distrusted* for all purposes.
|
||||
|
||||
Please refer to the x509(1) manual page for the documentation of the
|
||||
BEGIN/END CERTIFICATE
|
||||
and
|
||||
BEGIN/END TRUSTED CERTIFICATE
|
||||
file formats.
|
||||
|
||||
|
||||
Purpose:
|
||||
--------
|
||||
Applications that are able to use PKCS#11 modules can load the
|
||||
p11-kit-trust.so module and will benefit from the dynamically merged
|
||||
set of certificates and trust information stored in the
|
||||
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
|
||||
by loading p11-kit-trust.so
|
||||
directories.
|
||||
|
||||
Applications that rely on a static file for a list of trusted CAs
|
||||
may load one of the files found in the /etc/pki/ca-trust/extracted
|
||||
directory. After modifying the set of files stored in the
|
||||
directory. After modifying any file stored in the
|
||||
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
||||
are modified, it is required to run the ca-update-trust command,
|
||||
directories, it is required to run the ca-update-trust command,
|
||||
in order to update the merged files in /etc/pki/ca-trust/extracted/ .
|
||||
|
93
README.usr
93
README.usr
@ -1,27 +1,82 @@
|
||||
This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
|
||||
trust settings in the PEM file format. The trust settings found here will be
|
||||
interpreted with a low priority, lower than the ones found in
|
||||
/etc/pki/ca-trust/source.
|
||||
interpreted with a low priority - lower than the ones found in
|
||||
/etc/pki/ca-trust/source/ .
|
||||
|
||||
You may install additional certificates or bundles into this directory.
|
||||
=============================================================================
|
||||
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
|
||||
list of CAs trusted on the system:
|
||||
|
||||
Each file may contain one or many certificates and trust flags in a
|
||||
PEM file format, as documented in the x509(1) manual page.
|
||||
Allowed formats are:
|
||||
- The BEGIN/END CERTIFICATE file format.
|
||||
Such certificates will be trusted for TLS server auth, only.
|
||||
- The BEGIN/END TRUSTED CERTIFICATE file format.
|
||||
Such certificates will be trusted or distrusted according to the
|
||||
trust settings contained in the PEM format data blocks.
|
||||
Copy it to the
|
||||
/usr/share/pki/ca-trust-source/anchors/
|
||||
subdirectory, and run the
|
||||
update-ca-trust
|
||||
command.
|
||||
|
||||
Applications that are able to use PKCS#11 modules can dynamically use
|
||||
the merged set of certificates from
|
||||
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source
|
||||
by loading p11-kit-trust.so
|
||||
If your certificate is in the extended BEGIN TRUSTED file format,
|
||||
then place it into the main source/ directory instead.
|
||||
=============================================================================
|
||||
|
||||
Description of the source directory and its subdirectories:
|
||||
-----------------------------------------------------------
|
||||
In order to offer simplicity and flexibility, the way certificate files
|
||||
are treated depend on the subdirectory they are installed to.
|
||||
|
||||
trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/
|
||||
extended format directory : /usr/share/pki/ca-trust-source/
|
||||
blacklist subdirectory : /usr/share/pki/ca-trust-source/blacklist/
|
||||
|
||||
In the main directory /usr/share/pki/ca-trust-source/
|
||||
you may install one or multiple files in the following file formats:
|
||||
- certificate files that include trust flags,
|
||||
in the BEGIN/END TRUSTED CERTIFICATE file format
|
||||
(any file name), which have been created using the openssl x509 tool
|
||||
and the -addreject -addtrust options.
|
||||
Bundle files with multiple certificates are supported.
|
||||
- files in the p11-kit file format using the .p11-kit file
|
||||
extension, which can (e.g.) be used to distrust certificates
|
||||
based on serial number and issuer name, without having the
|
||||
full certificate available.
|
||||
(This is currently an undocumented format, to be extended later.
|
||||
For an example of a distrusted certificate, see the files
|
||||
shipped with the ca-certificates package.)
|
||||
- certificate files without trust flags in either the DER file format or in
|
||||
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
|
||||
will be added with neutral trust, neither trusted nor distrusted.
|
||||
They will simply be known to the system, which might be helpful to
|
||||
assist cryptographic software in constructing chains of certificates.
|
||||
(If you want a CA certificate in these file formats to be trusted, you
|
||||
should remove it from this directory and copy it to the
|
||||
./anchors subdirectory instead.)
|
||||
|
||||
In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/
|
||||
you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *trusted* for all purposes.
|
||||
|
||||
In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/
|
||||
you may install one or multiple certificates in either the DER file
|
||||
format or in the PEM (BEGIN/END CERTIFICATE) file format.
|
||||
Each certificate will be treated as *distrusted* for all purposes.
|
||||
|
||||
Please refer to the x509(1) manual page for the documentation of the
|
||||
BEGIN/END CERTIFICATE
|
||||
and
|
||||
BEGIN/END TRUSTED CERTIFICATE
|
||||
file formats.
|
||||
|
||||
|
||||
Purpose:
|
||||
--------
|
||||
Applications that are able to use PKCS#11 modules can load the
|
||||
p11-kit-trust.so module and will benefit from the dynamically merged
|
||||
set of certificates and trust information stored in the
|
||||
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
|
||||
directories.
|
||||
|
||||
Applications that rely on a static file for a list of trusted CAs
|
||||
may load one of the files found in the /etc/pki/ca-trust/extracted
|
||||
directory. After modifying the set of files stored in the
|
||||
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source
|
||||
are modified, it is required to run the ca-update-trust command,
|
||||
in order to update the merged files in /etc/pki/ca-trust/extracted .
|
||||
directory. After modifying any file stored in the
|
||||
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
|
||||
directories, it is required to run the ca-update-trust command,
|
||||
in order to update the merged files in /etc/pki/ca-trust/extracted/ .
|
||||
|
@ -1,20 +1,9 @@
|
||||
# certdata.txt is generated by extracting it from Mozilla CVS.
|
||||
# This is done by running:
|
||||
#
|
||||
# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
|
||||
# co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
|
||||
# > certdata.txt
|
||||
#
|
||||
# Keep the RCS version in sync with the spec Version.
|
||||
#
|
||||
# Note: This will give us the experimental version, not one that
|
||||
# Firefox deems "stable". For that, we should check a firefox
|
||||
# release branch for the certdata.txt version.
|
||||
|
||||
%define pkidir %{_sysconfdir}/pki
|
||||
%define catrustdir %{_sysconfdir}/pki/ca-trust
|
||||
%define classic_tls_bundle ca-bundle.crt
|
||||
%define trusted_all_bundle ca-bundle.trust.crt
|
||||
%define neutral_bundle ca-bundle.neutral-trust.crt
|
||||
%define bundle_supplement ca-bundle.supplement.p11-kit
|
||||
%define java_bundle java/cacerts
|
||||
|
||||
Summary: The Mozilla CA root certificate bundle
|
||||
@ -38,7 +27,7 @@ Name: ca-certificates
|
||||
# because all future versions will start with 2013 or larger.)
|
||||
|
||||
Version: 2012.87
|
||||
Release: 9%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: Public Domain
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -46,7 +35,7 @@ URL: http://www.mozilla.org/
|
||||
|
||||
Source0: certdata.txt
|
||||
Source1: update-ca-trust
|
||||
Source2: generate-cacerts.pl
|
||||
Source2: trust-fixes
|
||||
Source3: certdata2pem.py
|
||||
Source11: README.usr
|
||||
Source12: README.etc
|
||||
@ -58,8 +47,8 @@ Source17: README.src
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: p11-kit >= 0.16.3
|
||||
Requires: p11-kit-trust >= 0.16.3
|
||||
Requires: p11-kit >= 0.17.3
|
||||
Requires: p11-kit-trust >= 0.17.3
|
||||
BuildRequires: perl
|
||||
BuildRequires: java-openjdk
|
||||
BuildRequires: python
|
||||
@ -77,8 +66,9 @@ mkdir %{name}/java
|
||||
|
||||
%build
|
||||
pushd %{name}/certs
|
||||
pwd
|
||||
cp %{SOURCE0} .
|
||||
python %{SOURCE3}
|
||||
python %{SOURCE3} >c2p.log 2>c2p.err
|
||||
popd
|
||||
pushd %{name}
|
||||
(
|
||||
@ -96,6 +86,7 @@ EOF
|
||||
echo '#';
|
||||
) > %{trusted_all_bundle}
|
||||
for f in certs/*.crt; do
|
||||
echo "processing $f"
|
||||
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
||||
distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
|
||||
targs=""
|
||||
@ -110,9 +101,18 @@ EOF
|
||||
done
|
||||
fi
|
||||
if [ -n "$targs" ]; then
|
||||
echo "trust flags $targs for $f" >> info.trust
|
||||
openssl x509 -text -in "$f" -trustout $targs >> %{trusted_all_bundle}
|
||||
else
|
||||
echo "no trust flags for $f" >> info.notrust
|
||||
openssl x509 -text -in "$f" >> %{neutral_bundle}
|
||||
fi
|
||||
done
|
||||
for p in certs/*.p11-kit; do
|
||||
cat "$p" >> %{bundle_supplement}
|
||||
done
|
||||
# Append our trust fixes
|
||||
cat %{SOURCE2} >> %{bundle_supplement}
|
||||
popd
|
||||
|
||||
|
||||
@ -122,11 +122,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
||||
|
||||
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
|
||||
@ -138,7 +142,11 @@ install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
|
||||
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
|
||||
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
|
||||
# TODO: consider to dynamically create the update-ca-trust script from within
|
||||
# this .spec file, in order to have the output file+directory names at once place only.
|
||||
@ -223,11 +231,15 @@ fi
|
||||
%dir %{pkidir}/java
|
||||
%dir %{catrustdir}
|
||||
%dir %{catrustdir}/source
|
||||
%dir %{catrustdir}/source/anchors
|
||||
%dir %{catrustdir}/source/blacklist
|
||||
%dir %{catrustdir}/extracted
|
||||
%dir %{catrustdir}/extracted/pem
|
||||
%dir %{catrustdir}/extracted/openssl
|
||||
%dir %{catrustdir}/extracted/java
|
||||
%dir %{_datadir}/pki/ca-trust-source/
|
||||
%dir %{_datadir}/pki/ca-trust-source
|
||||
%dir %{_datadir}/pki/ca-trust-source/anchors
|
||||
%dir %{_datadir}/pki/ca-trust-source/blacklist
|
||||
|
||||
%{_datadir}/pki/ca-trust-source/README
|
||||
%{catrustdir}/README
|
||||
@ -246,6 +258,8 @@ fi
|
||||
%{_sysconfdir}/ssl/certs
|
||||
# master bundle file with trust
|
||||
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
# update/extract tool
|
||||
%{_bindir}/update-ca-trust
|
||||
# files extracted files
|
||||
@ -257,6 +271,17 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
|
||||
- adjust to changed and new functionality provided by p11-kit 0.17.3
|
||||
- updated READMEs to describe the new directory-specific treatment of files
|
||||
- ship a new file that contains certificates with neutral trust
|
||||
- ship a new file that contains distrust objects, and also staple a
|
||||
basic constraint extension to one legacy root contained in the
|
||||
Mozilla CA list
|
||||
- adjust the build script to dynamically produce most of above files
|
||||
- add and own the anchors and blacklist subdirectories
|
||||
- file generate-cacerts.pl is no longer required
|
||||
|
||||
* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
|
||||
- Major rework for the Fedora SharedSystemCertificates feature.
|
||||
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
|
||||
|
@ -25,6 +25,7 @@ import os.path
|
||||
import re
|
||||
import sys
|
||||
import textwrap
|
||||
import urllib
|
||||
|
||||
objects = []
|
||||
|
||||
@ -70,7 +71,7 @@ for line in open('certdata.txt', 'r'):
|
||||
field, type = line_parts
|
||||
value = None
|
||||
else:
|
||||
raise NotImplementedError, 'line_parts < 2 not supported.'
|
||||
raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
|
||||
if type == 'MULTILINE_OCTAL':
|
||||
in_multiline = True
|
||||
value = ""
|
||||
@ -82,11 +83,19 @@ if len(obj.items()) > 0:
|
||||
# Build up trust database.
|
||||
trustmap = dict()
|
||||
for obj in objects:
|
||||
|
||||
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
|
||||
continue
|
||||
label = obj['CKA_LABEL']
|
||||
trustmap[label] = obj
|
||||
print " added trust", label
|
||||
|
||||
# Build up cert database.
|
||||
certmap = dict()
|
||||
for obj in objects:
|
||||
if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
|
||||
continue
|
||||
label = obj['CKA_LABEL']
|
||||
certmap[label] = obj
|
||||
print " added cert", label
|
||||
|
||||
def obj_to_filename(obj):
|
||||
@ -98,7 +107,7 @@ def obj_to_filename(obj):
|
||||
.replace(',', '_')
|
||||
label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
|
||||
serial = ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
|
||||
return label + ":" + serial + ".crt"
|
||||
return label + ":" + serial
|
||||
|
||||
trust_types = {
|
||||
"CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
|
||||
@ -126,16 +135,13 @@ openssl_trust = {
|
||||
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
|
||||
}
|
||||
|
||||
for obj in objects:
|
||||
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
|
||||
print "producing cert file for " + obj['CKA_LABEL']
|
||||
fname = obj_to_filename(obj)
|
||||
f = open(fname, 'w')
|
||||
for tobj in objects:
|
||||
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
|
||||
print "producing trust for " + tobj['CKA_LABEL']
|
||||
trustbits = []
|
||||
distrustbits = []
|
||||
openssl_trustflags = []
|
||||
openssl_distrustflags = []
|
||||
tobj = trustmap[obj['CKA_LABEL']]
|
||||
for t in trust_types.keys():
|
||||
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
|
||||
trustbits.append(t)
|
||||
@ -145,16 +151,43 @@ for obj in objects:
|
||||
distrustbits.append(t)
|
||||
if t in openssl_trust:
|
||||
openssl_distrustflags.append(openssl_trust[t])
|
||||
f.write("# trust=" + " ".join(trustbits) + "\n")
|
||||
f.write("# distrust=" + " ".join(distrustbits) + "\n")
|
||||
if openssl_trustflags:
|
||||
f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
|
||||
if openssl_distrustflags:
|
||||
f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
|
||||
f.write("\n-----END CERTIFICATE-----\n")
|
||||
|
||||
fname = obj_to_filename(tobj)
|
||||
try:
|
||||
obj = certmap[tobj['CKA_LABEL']]
|
||||
except:
|
||||
obj = None
|
||||
|
||||
if obj != None:
|
||||
fname += ".crt"
|
||||
else:
|
||||
fname += ".p11-kit"
|
||||
|
||||
f = open(fname, 'w')
|
||||
if obj != None:
|
||||
f.write("# trust=" + " ".join(trustbits) + "\n")
|
||||
f.write("# distrust=" + " ".join(distrustbits) + "\n")
|
||||
if openssl_trustflags:
|
||||
f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
|
||||
if openssl_distrustflags:
|
||||
f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
|
||||
f.write("\n-----END CERTIFICATE-----\n")
|
||||
else:
|
||||
f.write("[p11-kit-object-v1]\n")
|
||||
f.write("label: ");
|
||||
f.write(tobj['CKA_LABEL']);
|
||||
f.write("\n")
|
||||
f.write("class: certificate\n")
|
||||
f.write("certificate-type: x-509\n")
|
||||
f.write("issuer: \"");
|
||||
f.write(urllib.quote(tobj['CKA_ISSUER']));
|
||||
f.write("\"\n")
|
||||
f.write("serial-number: \"");
|
||||
f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
|
||||
f.write("\"\n")
|
||||
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
|
||||
f.write("x-distrusted: true\n")
|
||||
f.write("\n\n")
|
||||
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
|
||||
|
||||
|
||||
|
||||
|
8
trust-fixes
Normal file
8
trust-fixes
Normal file
@ -0,0 +1,8 @@
|
||||
[p11-kit-object-v1]
|
||||
label: "Add missing BasicConstraints for Entrust root"
|
||||
id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
|
||||
class: x-certificate-extension
|
||||
object-id: 2.5.29.19
|
||||
x-critical: true
|
||||
value: "%30%03%01%01%FF"
|
||||
|
Loading…
Reference in New Issue
Block a user