* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11

- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
  basic constraint extension to one legacy root contained in the
  Mozilla CA list
- adjust the build script to dynamically produce most of the above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
This commit is contained in:
Kai Engert 2013-03-24 00:36:13 +01:00
parent d538ada99c
commit 34f352da5f
5 changed files with 250 additions and 74 deletions


@ -1,27 +1,82 @@
This directory /etc/pki/ca-trust/source/ contains CA certificates and This directory /etc/pki/ca-trust/source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be trust settings in the PEM file format. The trust settings found here will be
interpreted with a high priority, higher than the ones found in interpreted with a high priority - higher than the ones found in
/usr/share/pki/ca-trust-source/. /usr/share/pki/ca-trust-source/.
You may install additional certificates or bundles into this directory. =============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Each file may contain one or many certificates and trust flags in a Copy it to the
PEM file format, as documented in the x509(1) manual page. /etc/pki/ca-trust/source/anchors/
Allowed formats are: subdirectory, and run the
- The BEGIN/END CERTIFICATE file format. update-ca-trust
Such certificates will be trusted for TLS server auth, only. command.
- The BEGIN/END TRUSTED CERTIFICATE file format.
Such certificates will be trusted or distrusted according to the
trust settings contained in the PEM format data blocks.
Applications that are able to use PKCS#11 modules can dynamically use If your certificate is in the extended BEGIN TRUSTED file format,
the merged set of certificates from then place it into the main source/ directory instead.
=============================================================================
Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.
trust anchors subdirectory : /etc/pki/ca-trust/source/anchors/
extended format directory : /etc/pki/ca-trust/source/
blacklist subdirectory : /etc/pki/ca-trust/source/blacklist/
In the main directory /etc/pki/ca-trust/source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
in the BEGIN/END TRUSTED CERTIFICATE file format
(any file name), which have been created using the openssl x509 tool
and the -addreject -addtrust options.
Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
extension, which can (e.g.) be used to distrust certificates
based on serial number and issuer name, without having the
full certificate available.
(This is currently an undocumented format, to be extended later.
For an example of a distrusted certificate, see the files
shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
will be added with neutral trust, neither trusted nor distrusted.
They will simply be known to the system, which might be helpful to
assist cryptographic software in constructing chains of certificates.
(If you want a CA certificate in these file formats to be trusted, you
should remove it from this directory and copy it to the
./anchors subdirectory instead.)
In the anchors subdirectory: /etc/pki/ca-trust/source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectory: /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.
Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/ /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
by loading p11-kit-trust.so directories.
Applications that rely on a static file for a list of trusted CAs Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in the directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
are modified, it is required to run the ca-update-trust command, directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted/ . in order to update the merged files in /etc/pki/ca-trust/extracted/ .
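Review bot: the Purpose paragraph at the end of this hunk (old and new text alike) tells the administrator to run `ca-update-trust`, while the new QUICK HELP block in the same hunk and the `%{_bindir}/update-ca-trust` entry in the spec name the tool `update-ca-trust`; since the paragraph is being rewritten anyway, correct the name here so the README never points at a command that does not exist. Two smaller points in the new text: "the way certificate files are treated depend on the subdirectory" should read "depends on", and the blacklist section would be more useful if it stated what the "high priority" announced in the first paragraph means for a certificate that is listed in blacklist/ here and at the same time shipped as trusted under /usr/share/pki/ca-trust-source/, because that is precisely the case an administrator reaches for blacklist/ for.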


@ -1,27 +1,82 @@
This directory /usr/share/pki/ca-trust-source/ contains CA certificates and This directory /usr/share/pki/ca-trust-source/ contains CA certificates and
trust settings in the PEM file format. The trust settings found here will be trust settings in the PEM file format. The trust settings found here will be
interpreted with a low priority, lower than the ones found in interpreted with a low priority - lower than the ones found in
/etc/pki/ca-trust/source. /etc/pki/ca-trust/source/ .
You may install additional certificates or bundles into this directory. =============================================================================
QUICK HELP: To add a certificate in the simple PEM or DER file formats to the
list of CAs trusted on the system:
Each file may contain one or many certificates and trust flags in a Copy it to the
PEM file format, as documented in the x509(1) manual page. /usr/share/pki/ca-trust-source/anchors/
Allowed formats are: subdirectory, and run the
- The BEGIN/END CERTIFICATE file format. update-ca-trust
Such certificates will be trusted for TLS server auth, only. command.
- The BEGIN/END TRUSTED CERTIFICATE file format.
Such certificates will be trusted or distrusted according to the
trust settings contained in the PEM format data blocks.
Applications that are able to use PKCS#11 modules can dynamically use If your certificate is in the extended BEGIN TRUSTED file format,
the merged set of certificates from then place it into the main source/ directory instead.
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source =============================================================================
by loading p11-kit-trust.so
Description of the source directory and its subdirectories:
-----------------------------------------------------------
In order to offer simplicity and flexibility, the way certificate files
are treated depend on the subdirectory they are installed to.
trust anchors subdirectory : /usr/share/pki/ca-trust-source/anchors/
extended format directory : /usr/share/pki/ca-trust-source/
blacklist subdirectory : /usr/share/pki/ca-trust-source/blacklist/
In the main directory /usr/share/pki/ca-trust-source/
you may install one or multiple files in the following file formats:
- certificate files that include trust flags,
in the BEGIN/END TRUSTED CERTIFICATE file format
(any file name), which have been created using the openssl x509 tool
and the -addreject -addtrust options.
Bundle files with multiple certificates are supported.
- files in the p11-kit file format using the .p11-kit file
extension, which can (e.g.) be used to distrust certificates
based on serial number and issuer name, without having the
full certificate available.
(This is currently an undocumented format, to be extended later.
For an example of a distrusted certificate, see the files
shipped with the ca-certificates package.)
- certificate files without trust flags in either the DER file format or in
the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
will be added with neutral trust, neither trusted nor distrusted.
They will simply be known to the system, which might be helpful to
assist cryptographic software in constructing chains of certificates.
(If you want a CA certificate in these file formats to be trusted, you
should remove it from this directory and copy it to the
./anchors subdirectory instead.)
In the anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectory: /usr/share/pki/ca-trust-source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
Please refer to the x509(1) manual page for the documentation of the
BEGIN/END CERTIFICATE
and
BEGIN/END TRUSTED CERTIFICATE
file formats.
Purpose:
--------
Applications that are able to use PKCS#11 modules can load the
p11-kit-trust.so module and will benefit from the dynamically merged
set of certificates and trust information stored in the
/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
directories.
Applications that rely on a static file for a list of trusted CAs Applications that rely on a static file for a list of trusted CAs
may load one of the files found in the /etc/pki/ca-trust/extracted may load one of the files found in the /etc/pki/ca-trust/extracted
directory. After modifying the set of files stored in the directory. After modifying any file stored in the
/usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
are modified, it is required to run the ca-update-trust command, directories, it is required to run the ca-update-trust command,
in order to update the merged files in /etc/pki/ca-trust/extracted . in order to update the merged files in /etc/pki/ca-trust/extracted/ .
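Review bot: same `ca-update-trust` versus `update-ca-trust` mismatch as in the other README (Purpose section against the QUICK HELP block and the spec's `%{_bindir}/update-ca-trust`), and the same "treated depend on" typo. Beyond that, the two READMEs are now near-verbatim copies that differ only in the directory path and the priority wording; consider producing both from a single template inside the spec (which already carries a TODO about generating update-ca-trust from the .spec for the same reason) so that later edits to the format description cannot drift apart between the two files.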


@ -1,20 +1,9 @@
# certdata.txt is generated by extracting it from Mozilla CVS.
# This is done by running:
#
# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
# co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
# > certdata.txt
#
# Keep the RCS version in sync with the spec Version.
#
# Note: This will give us the experimental version, not one that
# Firefox deems "stable". For that, we should check a firefox
# release branch for the certdata.txt version.
%define pkidir %{_sysconfdir}/pki %define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust %define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt %define classic_tls_bundle ca-bundle.crt
%define trusted_all_bundle ca-bundle.trust.crt %define trusted_all_bundle ca-bundle.trust.crt
%define neutral_bundle ca-bundle.neutral-trust.crt
%define bundle_supplement ca-bundle.supplement.p11-kit
%define java_bundle java/cacerts %define java_bundle java/cacerts
Summary: The Mozilla CA root certificate bundle Summary: The Mozilla CA root certificate bundle
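Review bot: this hunk deletes the comment that documented how certdata.txt (Source0) is obtained from the Mozilla CVS mirror and which version it tracks, and puts nothing in its place. Source0 is the entire trust basis of the package, so its provenance must stay documented; if the retrieval procedure is merely outdated, replace the comment with the current one instead of dropping it. The two new macros, `neutral_bundle` and `bundle_supplement`, would also each benefit from a one-line comment, since the difference between the three bundles is not obvious from their file names.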
@ -38,7 +27,7 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2012.87 Version: 2012.87
Release: 9%{?dist} Release: 11%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
@ -46,7 +35,7 @@ URL: http://www.mozilla.org/
Source0: certdata.txt Source0: certdata.txt
Source1: update-ca-trust Source1: update-ca-trust
Source2: generate-cacerts.pl Source2: trust-fixes
Source3: certdata2pem.py Source3: certdata2pem.py
Source11: README.usr Source11: README.usr
Source12: README.etc Source12: README.etc
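Review bot: Source2 now points at `trust-fixes`, a hand-written p11-kit object file that the %build section appends to the shipped supplement bundle and that changes how one Mozilla root is validated. A source that overrides upstream trust data needs a comment beside it in the spec saying what it changes and why (the changelog only says "one legacy root"), so that whoever rebases onto a newer certdata.txt sees that this file must be re-checked against the new root list rather than carried along blindly.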
@ -58,8 +47,8 @@ Source17: README.src
BuildArch: noarch BuildArch: noarch
Requires: p11-kit >= 0.16.3 Requires: p11-kit >= 0.17.3
Requires: p11-kit-trust >= 0.16.3 Requires: p11-kit-trust >= 0.17.3
BuildRequires: perl BuildRequires: perl
BuildRequires: java-openjdk BuildRequires: java-openjdk
BuildRequires: python BuildRequires: python
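Review bot: `BuildRequires: perl` is kept although generate-cacerts.pl, the only Perl source in the spec, is removed in this same change (Source2 is reassigned two hunks above and the changelog says the script is no longer required). If nothing else in %build invokes Perl, drop the BuildRequires with it so the build dependency list reflects what is actually used.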
@ -77,8 +66,9 @@ mkdir %{name}/java
%build %build
pushd %{name}/certs pushd %{name}/certs
pwd
cp %{SOURCE0} . cp %{SOURCE0} .
python %{SOURCE3} python %{SOURCE3} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
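Review bot: `python %{SOURCE3} >c2p.log 2>c2p.err` sends both stdout and stderr of the conversion script to files that nothing in the hunk displays, so a parse failure or a Python traceback no longer shows up in the build log where a packager would look for it. At minimum leave stderr unredirected (`>c2p.log` only), or `cat c2p.err` after the step. The added `pwd` in the same hunk looks like leftover debugging output.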
@ -96,6 +86,7 @@ EOF
echo '#'; echo '#';
) > %{trusted_all_bundle} ) > %{trusted_all_bundle}
for f in certs/*.crt; do for f in certs/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f` distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
targs="" targs=""
@ -110,9 +101,18 @@ EOF
done done
fi fi
if [ -n "$targs" ]; then if [ -n "$targs" ]; then
echo "trust flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs >> %{trusted_all_bundle} openssl x509 -text -in "$f" -trustout $targs >> %{trusted_all_bundle}
else
echo "no trust flags for $f" >> info.notrust
openssl x509 -text -in "$f" >> %{neutral_bundle}
fi fi
done done
for p in certs/*.p11-kit; do
cat "$p" >> %{bundle_supplement}
done
# Append our trust fixes
cat %{SOURCE2} >> %{bundle_supplement}
popd popd
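Review bot: `for p in certs/*.p11-kit; do cat "$p" >> %{bundle_supplement}; done` has no guard for an empty match: when certdata2pem.py produces no .p11-kit file the loop runs once with the literal pattern and `cat` fails on a non-existent file. Add `[ -e "$p" ] || continue` as the first line of the loop body. The new `info.trust` and `info.notrust` files are written but nothing in this hunk reads them; a cheap sanity check would be to fail the build if `info.trust` is empty, which guards against shipping an empty trusted bundle after a bad certdata.txt update.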
@ -122,11 +122,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/tls/certs
mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
@ -138,7 +142,11 @@ install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
# TODO: consider to dynamically create the update-ca-trust script from within # TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only. # this .spec file, in order to have the output file+directory names at once place only.
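Review bot: `touch -r %{SOURCE0}` stamps `%{bundle_supplement}` with the mtime of certdata.txt, but according to the %build hunk that file is also assembled from `%{SOURCE2}` (trust-fixes); an edit to trust-fixes alone would then ship with an unchanged timestamp. Either skip the touch for the supplement or apply the newer of the two source timestamps.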
@ -223,11 +231,15 @@ fi
%dir %{pkidir}/java %dir %{pkidir}/java
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
%dir %{catrustdir}/extracted/java %dir %{catrustdir}/extracted/java
%dir %{_datadir}/pki/ca-trust-source/ %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blacklist
%{_datadir}/pki/ca-trust-source/README %{_datadir}/pki/ca-trust-source/README
%{catrustdir}/README %{catrustdir}/README
@ -246,6 +258,8 @@ fi
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
# master bundle file with trust # master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} %{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
# update/extract tool # update/extract tool
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
# files extracted files # files extracted files
@ -257,6 +271,17 @@ fi
%changelog %changelog
* Tue Mar 19 2013 Kai Engert <kaie@redhat.com> - 2012.87-11
- adjust to changed and new functionality provided by p11-kit 0.17.3
- updated READMEs to describe the new directory-specific treatment of files
- ship a new file that contains certificates with neutral trust
- ship a new file that contains distrust objects, and also staple a
basic constraint extension to one legacy root contained in the
Mozilla CA list
- adjust the build script to dynamically produce most of above files
- add and own the anchors and blacklist subdirectories
- file generate-cacerts.pl is no longer required
* Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9 * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 2012.87-9
- Major rework for the Fedora SharedSystemCertificates feature. - Major rework for the Fedora SharedSystemCertificates feature.
- Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format. - Only ship a PEM bundle file using the BEGIN TRUSTED CERTIFICATE file format.


@ -25,6 +25,7 @@ import os.path
import re import re
import sys import sys
import textwrap import textwrap
import urllib
objects = [] objects = []
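Review bot: `urllib` is imported for `urllib.quote` on the raw issuer and serial-number bytes later in the file. Together with the existing `print` statements, `raise X, msg` and `has_key`, this pins the script to Python 2, while the spec only says `BuildRequires: python`; a one-line comment at the top of the script stating the Python 2 requirement would save the next person a confusing failure.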
@ -70,7 +71,7 @@ for line in open('certdata.txt', 'r'):
field, type = line_parts field, type = line_parts
value = None value = None
else: else:
raise NotImplementedError, 'line_parts < 2 not supported.' raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
if type == 'MULTILINE_OCTAL': if type == 'MULTILINE_OCTAL':
in_multiline = True in_multiline = True
value = "" value = ""
@ -82,11 +83,19 @@ if len(obj.items()) > 0:
# Build up trust database. # Build up trust database.
trustmap = dict() trustmap = dict()
for obj in objects: for obj in objects:
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST': if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue continue
label = obj['CKA_LABEL'] label = obj['CKA_LABEL']
trustmap[label] = obj trustmap[label] = obj
print " added trust", label
# Build up cert database.
certmap = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
continue
label = obj['CKA_LABEL']
certmap[label] = obj
print " added cert", label print " added cert", label
def obj_to_filename(obj): def obj_to_filename(obj):
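Review bot: `certmap`, like the existing `trustmap`, is keyed by `CKA_LABEL` alone, so two objects that share a label silently overwrite each other and the trust object is then paired with whichever certificate was parsed last. `obj_to_filename` just below already combines label and serial number, which indicates labels are not assumed to be unique. Key both maps by (label, serial number), or at least detect a duplicate key and raise instead of replacing the entry.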
@ -98,7 +107,7 @@ def obj_to_filename(obj):
.replace(',', '_') .replace(',', '_')
label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label) label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
serial = ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER'])) serial = ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
return label + ":" + serial + ".crt" return label + ":" + serial
trust_types = { trust_types = {
"CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature", "CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
@ -126,16 +135,13 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
for obj in objects: for tobj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
print "producing cert file for " + obj['CKA_LABEL'] print "producing trust for " + tobj['CKA_LABEL']
fname = obj_to_filename(obj)
f = open(fname, 'w')
trustbits = [] trustbits = []
distrustbits = [] distrustbits = []
openssl_trustflags = [] openssl_trustflags = []
openssl_distrustflags = [] openssl_distrustflags = []
tobj = trustmap[obj['CKA_LABEL']]
for t in trust_types.keys(): for t in trust_types.keys():
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t) trustbits.append(t)
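Review bot: changing the outer loop from `CKO_CERTIFICATE` objects to `CKO_NSS_TRUST` objects changes which inputs produce output: a certificate with no matching trust object is now skipped silently, whereas the removed `tobj = trustmap[obj['CKA_LABEL']]` raised a KeyError and stopped the conversion. Count the certificates that end up without a trust object after the loop and print them, so that an unexpected entry in a new certdata.txt is noticed rather than dropped from every bundle.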
@ -145,6 +151,20 @@ for obj in objects:
distrustbits.append(t) distrustbits.append(t)
if t in openssl_trust: if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t]) openssl_distrustflags.append(openssl_trust[t])
fname = obj_to_filename(tobj)
try:
obj = certmap[tobj['CKA_LABEL']]
except:
obj = None
if obj != None:
fname += ".crt"
else:
fname += ".p11-kit"
f = open(fname, 'w')
if obj != None:
f.write("# trust=" + " ".join(trustbits) + "\n") f.write("# trust=" + " ".join(trustbits) + "\n")
f.write("# distrust=" + " ".join(distrustbits) + "\n") f.write("# distrust=" + " ".join(distrustbits) + "\n")
if openssl_trustflags: if openssl_trustflags:
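Review bot: the bare `except:` around `certmap[tobj['CKA_LABEL']]` should be `except KeyError:`; as written it also swallows a KeyboardInterrupt or a NameError from a typo in the expression. The `obj != None` comparisons should be `obj is not None`, and the `.crt` / `.p11-kit` suffix choice plus the following `if obj != None` body split could be folded into a single if/else so the file name and the file format cannot disagree.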
@ -154,7 +174,20 @@ for obj in objects:
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n") f.write("\n-----END CERTIFICATE-----\n")
else:
f.write("[p11-kit-object-v1]\n")
f.write("label: ");
f.write(tobj['CKA_LABEL']);
f.write("\n")
f.write("class: certificate\n")
f.write("certificate-type: x-509\n")
f.write("issuer: \"");
f.write(urllib.quote(tobj['CKA_ISSUER']));
f.write("\"\n")
f.write("serial-number: \"");
f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags) print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
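Review bot: the `x-distrusted` test indexes `tobj['CKA_TRUST_SERVER_AUTH']`, `tobj['CKA_TRUST_EMAIL_PROTECTION']` and `tobj['CKA_TRUST_CODE_SIGNING']` directly, while every other trust-attribute access in the script is guarded with `has_key`; a trust object lacking one of the three aborts the run with a KeyError. Use `tobj.get(...)` for each. When none of the three is `CKT_NSS_NOT_TRUSTED`, the object is still emitted as a certificate-less p11-kit object that carries no trust attribute at all, which serves no purpose; skip writing it or print a warning. Minor: the trailing semicolons on the `f.write(...)` lines are not Python style.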

trust-fixes (new file, 8 lines added)

@ -0,0 +1,8 @@
[p11-kit-object-v1]
label: "Add missing BasicConstraints for Entrust root"
id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
class: x-certificate-extension
object-id: 2.5.29.19
x-critical: true
value: "%30%03%01%01%FF"
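Review bot: this object attaches a critical BasicConstraints extension (object-id 2.5.29.19; the value decodes to the DER `SEQUENCE { BOOLEAN TRUE }`, i.e. cA=TRUE with no path length constraint) to the certificate selected by the `id` attribute. Nothing in the file identifies that root beyond the label text "Entrust root", nor states why the extension is needed, although this deliberately changes how every consumer of p11-kit-trust validates chains under it. Record the root's subject name and the reason from the changelog (a legacy root lacking basic constraints) in a comment in the spec next to Source2, and make it part of the rebase checklist to verify that the matching certdata.txt entry still exists; if the root is removed upstream, this object would otherwise linger as an orphaned override.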