* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11

- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
  basic constraint extension to one legacy root contained in the
  Mozilla CA list
- adjust the build script to dynamically produce most of the above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
Kai Engert 2013-03-24 00:36:13 +01:00
parent d538ada99c
commit 34f352da5f
5 changed files with 250 additions and 74 deletions


@ -1,27 +1,82 @@
This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority, higher than the ones found in
interpreted with a high priority - higher than the ones found in
/usr/share/pki/ca-trust-source/.
You may install additional certificates or bundles into this directory.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Each file may contain one or many certificates and trust flags in a
PEM file format, as documented in the x509(1) manual page.
Allowed formats are:
- The BEGIN/END CERTIFICATE file format.
Such certificates will be trusted for TLS server auth, only.
- The BEGIN/END TRUSTED CERTIFICATE file format.
Such certificates will be trusted or distrusted according to the
trust settings contained in the PEM format data blocks.
Copy it to the
/etc/pki/ca-trust/source/anchors/
subdirectory, and run the
update-ca-trust
command.
Applications that are able to use PKCS#11 modules can dynamically use
the merged set of certificates from
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main source/ directory instead.
=============================================================================
Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.
trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/
extended format directory : /etc/pki/ca-trust/source/
blacklist subdirectory : /etc/pki/ca-trust/source/blacklist/
In the main directory /etc/pki/ca-trust/source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
in the BEGIN/END TRUSTED CERTIFICATE file format
(any file name), which have been created using the openssl x509 tool
and the -addreject -addtrust options.
Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
extension, which can (e.g.) be used to distrust certificates
based on serial number and issuer name, without having the
full certificate available.
(This is currently an undocumented format, to be extended later.
For an example of a distrusted certificate, see the files
shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
will be added with neutral trust, neither trusted nor distrusted.
They will simply be known to the system, which might be helpful to
assist cryptographic software in constructing chains of certificates.
(If you want a CA certificate in these file formats to be trusted, you
should remove it from this directory and copy it to the
./anchors subdirectory instead.)
In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.
Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
by loading p11-kit-trust.so
directories.
Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in the
directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
are modified, it is required to run the ca-update-trust command,
directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ .
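Review bot: the rewritten "Purpose" paragraph still tells the administrator to run the `ca-update-trust` command, but the tool this package installs and that the QUICK HELP section above names is `update-ca-trust`; a reader following the README would type a command that does not exist. Suggest `directories, it is required to run the update-ca-trust command,`. A second point for the anchors paragraph: the old QUICK HELP granted plain BEGIN/END CERTIFICATE files trust "for TLS server auth, only", while the new text makes anything dropped into anchors/ "*trusted* for all purposes"; since that widens what a copied file grants, it is worth spelling out in that paragraph that "all purposes" goes beyond TLS server auth.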


@ -1,27 +1,82 @@
This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority, lower than the ones found in
/etc/pki/ca-trust/source.
interpreted with a low priority - lower than the ones found in
/etc/pki/ca-trust/source/ .
You may install additional certificates or bundles into this directory.
=============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Each file may contain one or many certificates and trust flags in a
PEM file format, as documented in the x509(1) manual page.
Allowed formats are:
- The BEGIN/END CERTIFICATE file format.
Such certificates will be trusted for TLS server auth, only.
- The BEGIN/END TRUSTED CERTIFICATE file format.
Such certificates will be trusted or distrusted according to the
trust settings contained in the PEM format data blocks.
Copy it to the
/usr/share/pki/ca-trust-source/anchors/
subdirectory, and run the
update-ca-trust
command.
Applications that are able to use PKCS#11 modules can dynamically use
the merged set of certificates from
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source
by loading p11-kit-trust.so
If your certificate is in the extended BEGIN TRUSTED file format,
then place it into the main source/ directory instead.
=============================================================================
Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.
trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/
extended format directory : /usr/share/pki/ca-trust-source/
blacklist subdirectory : /usr/share/pki/ca-trust-source/blacklist/
In the main directory /usr/share/pki/ca-trust-source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
in the BEGIN/END TRUSTED CERTIFICATE file format
(any file name), which have been created using the openssl x509 tool
and the -addreject -addtrust options.
Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
extension, which can (e.g.) be used to distrust certificates
based on serial number and issuer name, without having the
full certificate available.
(This is currently an undocumented format, to be extended later.
For an example of a distrusted certificate, see the files
shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
will be added with neutral trust, neither trusted nor distrusted.
They will simply be known to the system, which might be helpful to
assist cryptographic software in constructing chains of certificates.
(If you want a CA certificate in these file formats to be trusted, you
should remove it from this directory and copy it to the
./anchors subdirectory instead.)
In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.
Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.
Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source
are modified, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted .
directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ .
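Review bot: the same `ca-update-trust` / `update-ca-trust` mismatch from README.etc is repeated here in the "Purpose" paragraph; both copies need `update-ca-trust`. Also worth reconsidering the QUICK HELP in this file: it tells the reader to copy local certificates into `/usr/share/pki/ca-trust-source/anchors/`, a directory this package owns and may replace on update, whereas the paragraph at the top of the same README says the settings under `/etc/pki/ca-trust/source/` take priority. Pointing local additions at `/etc/pki/ca-trust/source/anchors/` from both READMEs would avoid admins losing their anchors on a package upgrade. Since the two READMEs are otherwise near-verbatim copies, generating one from the other (or sharing the common text) would keep fixes like this from drifting.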


@ -1,20 +1,9 @@
# certdata.txt is generated by extracting it from Mozilla CVS.
# This is done by running:
#
# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
# co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
# > certdata.txt
#
# Keep the RCS version in sync with the spec Version.
#
# Note: This will give us the experimental version, not one that
# Firefox deems "stable". For that, we should check a firefox
# release branch for the certdata.txt version.
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define trusted_all_bundle ca-bundle.trust.crt
%define neutral_bundle ca-bundle.neutral-trust.crt
%define bundle_supplement ca-bundle.supplement.p11-kit
%define java_bundle java/cacerts
Summary: The Mozilla CA root certificate bundle
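Review bot: the removed comment block was the only place in the spec that recorded where `certdata.txt` (Source0) comes from and how to refresh it, including the caveat about the experimental versus release-branch copy. With it gone a maintainer updating the bundle has no pointer left; if the CVS instructions are obsolete, replace them with the current fetch location rather than dropping them, or move the note into README.src (Source17) so the provenance of the trust list stays documented. The new `%define` lines themselves look fine; `bundle_supplement` ending in `.p11-kit` matches the extension the README documents for that format.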
@ -38,7 +27,7 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.)
Version: 2012.87
Release: 9%{?dist}
Release: 11%{?dist}
License: Public Domain
Group: System Environment/Base
@ -46,7 +35,7 @@ URL: http://www.mozilla.org/
Source0: certdata.txt
Source1: update-ca-trust
Source2: generate-cacerts.pl
Source2: trust-fixes
Source3: certdata2pem.py
Source11: README.usr
Source12: README.etc
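Review bot: reusing the `Source2` slot for `trust-fixes` is fine, but dropping `generate-cacerts.pl` leaves related pieces in place that this hunk does not touch: `%define java_bundle java/cacerts` and `BuildRequires: java-openjdk` are still in the spec, and `%{pkidir}/java` is still created in `%install`. If nothing in `%build` still produces the Java keystore after this change, those should go in the same commit so the spec does not carry a dead build dependency; if the keystore is still produced by other means, a comment saying how would help.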
@ -58,8 +47,8 @@ Source17: README.src
BuildArch: noarch
Requires: p11-kit >= 0.16.3
Requires: p11-kit-trust >= 0.16.3
Requires: p11-kit >= 0.17.3
Requires: p11-kit-trust >= 0.17.3
BuildRequires: perl
BuildRequires: java-openjdk
BuildRequires: python
@ -77,8 +66,9 @@ mkdir %{name}/java
%build
pushd %{name}/certs
pwd
cp %{SOURCE0} .
python %{SOURCE3}
python %{SOURCE3} >c2p.log 2>c2p.err
popd
pushd %{name}
(
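Review bot: `python %{SOURCE3} >c2p.log 2>c2p.err` captures the script's output to files but nothing checks its exit status, and no `set -e` is visible in this section. certdata2pem.py now raises `NotImplementedError` on lines it cannot parse, and that traceback would land silently in `c2p.err` while the build continues with whatever partial set of `certs/*.crt` had been written before the failure, producing a truncated trust bundle that still packages successfully. Suggest `python %{SOURCE3} >c2p.log 2>c2p.err || { cat c2p.err; exit 1; }` so a parse failure of the trust list fails the build visibly.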
@ -96,6 +86,7 @@ EOF
echo '#';
) > %{trusted_all_bundle}
for f in certs/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
targs=""
@ -110,9 +101,18 @@ EOF
done
fi
if [ -n "$targs" ]; then
echo "trust flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs >> %{trusted_all_bundle}
else
echo "no trust flags for $f" >> info.notrust
openssl x509 -text -in "$f" >> %{neutral_bundle}
fi
done
for p in certs/*.p11-kit; do
cat "$p" >> %{bundle_supplement}
done
# Append our trust fixes
cat %{SOURCE2} >> %{bundle_supplement}
popd
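Review bot: two robustness points in the new loop. `for p in certs/*.p11-kit` runs without `nullglob`, so if certdata2pem.py happens to emit no `.p11-kit` files the loop iterates once over the literal pattern and `cat` fails on a non-existent file; guard it with `[ -e "$p" ] || continue` (or `shopt -s nullglob`) so an empty set is not a build error. Second, `%{bundle_supplement}` and `%{neutral_bundle}` are only ever appended to with `>>`, unlike `%{trusted_all_bundle}` which is created with `>` on the line above; a re-run of `%build` in the same tree would duplicate every distrust object in the supplement, so truncate both files before the loops.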
@ -122,11 +122,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
@ -138,7 +142,11 @@ install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
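Review bot: `touch -r %{SOURCE0}` on `%{bundle_supplement}` gives that file the mtime of `certdata.txt`, but the supplement is also built from `%{SOURCE2}` (`trust-fixes`, appended in `%build`). A change to trust-fixes alone would therefore produce a file whose timestamp says it is unchanged, which is misleading for anyone using mtimes to decide whether the extracted bundles are stale. Either skip the `touch` for the supplement or use the newer of the two source timestamps.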
@ -223,11 +231,15 @@ fi
%dir %{pkidir}/java
%dir %{catrustdir}
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
%dir %{catrustdir}/extracted/java
%dir %{_datadir}/pki/ca-trust-source/
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blacklist
%{_datadir}/pki/ca-trust-source/README
%{catrustdir}/README
@ -246,6 +258,8 @@ fi
%{_sysconfdir}/ssl/certs
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
# update/extract tool
%{_bindir}/update-ca-trust
# files extracted files
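Review bot: the `# master bundle file with trust` comment now sits above three files with different roles; the neutral bundle carries no trust and the supplement carries distrust objects plus the stapled extension, so one comment per file (or a reworded one covering all three) would keep the `%files` section readable. Unrelated but adjacent: `# files extracted files` on the next line looks like a leftover word.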
@ -257,6 +271,17 @@ fi
%changelog
* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
basic constraint extension to one legacy root contained in the
Mozilla CA list
- adjust the build script to dynamically produce most of above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.
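Review bot: the `%changelog` goes from `2012.87-9` straight to `2012.87-11`, matching the `Release` bump from 9 to 11 earlier in the spec, but there is no `-10` entry. If a -10 build existed it should be listed so the history of the trust bundle is complete; if not, the release should be 10.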


@ -25,6 +25,7 @@ import os.path
import re
import sys
import textwrap
import urllib
objects = []
@ -70,7 +71,7 @@ for line in open('certdata.txt', 'r'):
field, type = line_parts
value = None
else:
raise NotImplementedError, 'line_parts < 2 not supported.'
raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
if type == 'MULTILINE_OCTAL':
in_multiline = True
value = ""
@ -82,11 +83,19 @@ if len(obj.items()) > 0:
# Build up trust database.
trustmap = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
label = obj['CKA_LABEL']
trustmap[label] = obj
print " added trust", label
# Build up cert database.
certmap = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
continue
label = obj['CKA_LABEL']
certmap[label] = obj
print " added cert", label
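Review bot: both `trustmap` and `certmap` are keyed by `CKA_LABEL` alone, and a duplicate label silently overwrites the earlier entry with no warning. The script itself does not assume labels are unique: `obj_to_filename` below builds the file name from the label plus the serial number precisely so that two objects with the same label get different files. Keying the dicts on `(CKA_LABEL, CKA_SERIAL_NUMBER)` (or on issuer and serial) keeps the two lookups consistent, and at minimum the loop should print or raise when a key is already present, since a dropped trust record here means a root ends up with the wrong trust in the generated bundle.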
def obj_to_filename(obj):
@ -98,7 +107,7 @@ def obj_to_filename(obj):
.replace(',', '_')
label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
serial = ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
return label + ":" + serial + ".crt"
return label + ":" + serial
trust_types = {
"CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
@ -126,16 +135,13 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
}
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
print "producing cert file for " + obj['CKA_LABEL']
fname = obj_to_filename(obj)
f = open(fname, 'w')
for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
print "producing trust for " + tobj['CKA_LABEL']
trustbits = []
distrustbits = []
openssl_trustflags = []
openssl_distrustflags = []
tobj = trustmap[obj['CKA_LABEL']]
for t in trust_types.keys():
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t)
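Review bot: with the outer loop now walking `CKO_NSS_TRUST` objects and looking certificates up from `certmap`, a certificate that has no trust object with the same label is never visited and simply produces no file, with no message. Nothing afterwards checks `certmap` for entries that were never paired, so such a certificate vanishes from both the trusted and the neutral bundle. Suggest tracking the labels consumed from `certmap` and printing a warning for any left over at the end, so a missing or mislabeled trust record in certdata.txt is visible in `c2p.log` rather than showing up as an absent root at runtime.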
@ -145,16 +151,43 @@ for obj in objects:
distrustbits.append(t)
if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t])
f.write("# trust=" + " ".join(trustbits) + "\n")
f.write("# distrust=" + " ".join(distrustbits) + "\n")
if openssl_trustflags:
f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
if openssl_distrustflags:
f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n")
fname = obj_to_filename(tobj)
try:
obj = certmap[tobj['CKA_LABEL']]
except:
obj = None
if obj != None:
fname += ".crt"
else:
fname += ".p11-kit"
f = open(fname, 'w')
if obj != None:
f.write("# trust=" + " ".join(trustbits) + "\n")
f.write("# distrust=" + " ".join(distrustbits) + "\n")
if openssl_trustflags:
f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
if openssl_distrustflags:
f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n")
else:
f.write("[p11-kit-object-v1]\n")
f.write("label: ");
f.write(tobj['CKA_LABEL']);
f.write("\n")
f.write("class: certificate\n")
f.write("certificate-type: x-509\n")
f.write("issuer: \"");
f.write(urllib.quote(tobj['CKA_ISSUER']));
f.write("\"\n")
f.write("serial-number: \"");
f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
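Review bot: the distrust test `if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or ...` turns a trust object that is distrusted for any one of the three usages into an unconditional `x-distrusted: true`, so a root distrusted only for e-mail or code signing would also be rejected for TLS once the supplement is loaded; that is a safe direction, but it differs from the per-usage flags written to the `.crt` files and deserves a comment. The same line indexes the three `CKA_TRUST_*` keys directly, while the loop above uses `tobj.has_key(t)`; a trust object missing one of them will raise `KeyError` here, so use the same guarded access. Smaller items: `except:` around `certmap[...]` should be `certmap.get(tobj['CKA_LABEL'])` rather than a bare except that also hides unrelated errors, `f` is never closed (a `with open(...)` block fixes that), and `urllib.quote` leaves `/` unescaped by default, so it is worth confirming that p11-kit's decoder accepts an unescaped `/` inside the quoted `issuer` and `serial-number` values or passing `safe=''`.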

trust-fixes Normal file

@ -0,0 +1,8 @@
[p11-kit-object-v1]
label: "Add missing BasicConstraints for Entrust root"
id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
class: x-certificate-extension
object-id: 2.5.29.19
x-critical: true
value: "%30%03%01%01%FF"
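Review bot: the encoding checks out: `%30%03%01%01%FF` is DER `SEQUENCE { BOOLEAN TRUE }`, i.e. BasicConstraints with `cA=TRUE` and no path length, and `object-id: 2.5.29.19` is the BasicConstraints OID, marked critical. What the file does not say is which certificate the 20-byte `id` refers to; the label only says "Entrust root", and the commit message only "one legacy root". Since this object grafts a CA flag onto a certificate that lacks one, a maintainer needs to be able to verify the target after every certdata.txt refresh: record the subject and serial (or a fingerprint) next to the entry, as a comment if the p11-kit file format allows one or otherwise in README.src, and note what should happen to this object if that root is ever removed from the Mozilla list.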