rename legacy=enable to legacy=default and related changes; add ca-legacy man page; handle absent configuration in ca-legacy

ca-certificates.spec

@@ -2,7 +2,7 @@
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
 %define trusted_all_bundle ca-bundle.trust.crt
-%define legacy_enable_bundle ca-bundle.legacy.enable.crt
+%define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
 %define neutral_bundle ca-bundle.neutral-trust.crt
 %define bundle_supplement ca-bundle.supplement.p11-kit
@@ -39,7 +39,7 @@ Name: ca-certificates
 Version: 2015.2.3
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Public Domain
 
 Group: System Environment/Base
@@ -53,6 +53,7 @@ Source3: trust-fixes
 Source4: certdata2pem.py
 Source5: ca-legacy.conf
 Source6: ca-legacy
+Source9: ca-legacy.8.txt
 Source10: update-ca-trust.8.txt
 Source11: README.usr
 Source12: README.etc
@@ -82,7 +83,7 @@ Mozilla Foundation for use with the Internet PKI.
 rm -rf %{name}
 mkdir %{name}
 mkdir %{name}/certs
-mkdir %{name}/certs/legacy-enable
+mkdir %{name}/certs/legacy-default
 mkdir %{name}/certs/legacy-disable
 mkdir %{name}/java
 
@@ -142,7 +143,7 @@ EOF
    fi
  done
 
- for f in certs/legacy-enable/*.crt; do 
+ for f in certs/legacy-default/*.crt; do 
    echo "processing $f"
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
    alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
@@ -153,8 +154,8 @@ EOF
       done
    fi
    if [ -n "$targs" ]; then
-      echo "legacy enable flags $targs for $f" >> info.trust
-      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
+      echo "legacy default flags $targs for $f" >> info.trust
+      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_default_bundle}
    fi
  done
 
@@ -189,6 +190,10 @@ cp %{SOURCE10} %{name}/update-ca-trust.8.txt
 asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
 xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
 
+cp %{SOURCE9} %{name}/ca-legacy.8.txt
+asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
+xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
+
 
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -210,6 +215,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
 
 install -p -m 644 %{name}/update-ca-trust.8 $RPM_BUILD_ROOT%{_mandir}/man8
+install -p -m 644 %{name}/ca-legacy.8 $RPM_BUILD_ROOT%{_mandir}/man8
 install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/README
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
@@ -222,7 +228,7 @@ install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/c
 install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
 
-install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+install -p -m 644 %{name}/%{legacy_default_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
 install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
 
 install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
@@ -231,7 +237,7 @@ touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
 
-touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
 
 # TODO: consider to dynamically create the update-ca-trust script from within
@@ -335,6 +341,7 @@ fi
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
 %{_mandir}/man8/update-ca-trust.8.gz
+%{_mandir}/man8/ca-legacy.8.gz
 %{_datadir}/pki/ca-trust-source/README
 %{catrustdir}/README
 %{catrustdir}/extracted/README
@@ -354,7 +361,7 @@ fi
 %{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
 %{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 %{_datadir}/pki/ca-trust-source/%{bundle_supplement}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
 %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
 # update/extract tool
 %{_bindir}/update-ca-trust
@@ -369,6 +376,17 @@ fi
 
 
 %changelog
+* Tue Mar 31 2015 Kai Engert <kaie@redhat.com> - 2015.2.3-3
+- Don't use "enable" as a value for the legacy configuration, instead
+  of the value "default", to make it clear that this preference isn't
+  a promise to keep certificates enabled, but rather that we only
+  keep them enabled as long as it's considered necessary.
+- Changed the configuration file, the ca-legacy utility and filenames
+  to use the term "default" (instead of the term "enable").
+- Added a manual page for the ca-legacy utility.
+- Fixed the ca-legacy utility to handle absence of the configuration
+  setting and treat absence as the default setting.
+
 * Fri Mar 20 2015 Kai Engert <kaie@redhat.com> - 2015.2.3-2
 - Update to CKBI 2.3 from NSS 3.18 with legacy modifications
 - Fixed a mistake in the legacy handling of the upstream 2.2 release:

ca-legacy

@@ -4,23 +4,24 @@
 
 LCFILE=/etc/pki/ca-trust/ca-legacy.conf
 LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
-LENABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
+LDEFAULT=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
 LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
 
-do_grep()
+# An absent value, or any unexpected value, is treated as "default".
+is_disabled()
 {
-    grep -i "^legacy *= *enable *$" $LCFILE >/dev/null 2>&1
+    grep -i "^legacy *= *disable *$" $LCFILE >/dev/null 2>&1
 }
 
 do_check()
 {
-    do_grep
+    is_disabled
     if [ $? -eq 0 ]; then
-        echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
-        LEXPECT=$LENABLE
-    else
         echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
         LEXPECT=$LDISABLE
+    else
+        echo "Legacy CAs are set to DEFAULT in file $LCFILE (affects install/upgrade)"
+        LEXPECT=$LDEFAULT
     fi
     echo "Status of symbolic link $LLINK:"
     readlink -v $LLINK
@@ -28,19 +29,19 @@ do_check()
 
 do_install()
 {
-    do_grep
+    is_disabled
     if [ $? -eq 0 ]; then
-        # expression was found, legacy is enabled
-        ln -sf $LENABLE $LLINK
-    else
-        # not found, legacy is disabled
+        # found, legacy is disabled
         ln -sf $LDISABLE $LLINK
+    else
+        # expression not found, legacy is set to default
+        ln -sf $LDEFAULT $LLINK
     fi
 }
 
-do_enable()
+do_default()
 {
-    sed -i 's/^legacy *=.*$/legacy=enable/' $LCFILE
+    sed -i 's/^legacy *=.*$/legacy=default/' $LCFILE
     do_install
     /usr/bin/update-ca-trust
 }
@@ -54,7 +55,7 @@ do_disable()
 
 do_help()
 {
-    echo "usage: $0 [check | enable | disable | install]"
+    echo "usage: $0 [check | default | disable | install]"
 }
 
 if [[ $# -eq 0 ]]; then
@@ -68,8 +69,8 @@ if [[ "$1" = "install" ]]; then
   exit $?
 fi
 
-if [[ "$1" = "enable" ]]; then
-  do_enable
+if [[ "$1" = "default" ]]; then
+  do_default
   exit $?
 fi
 if [[ "$1" = "disable" ]]; then
@@ -81,3 +82,6 @@ if [[ "$1" = "check" ]]; then
   do_check
   exit $?
 fi
+
+echo "$0: Unsupported command $1"
+do_help

ca-legacy.8.txt

@@ -0,0 +1,85 @@
+////
+Copyright (C) 2013 Red Hat, Inc.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+////
+
+
+ca-legacy(8)
+============
+:doctype: manpage
+:man source: ca-legacy
+
+
+NAME
+----
+ca-legacy - Manage the system configuration for legacy CA certificates
+
+
+SYNOPSIS
+--------
+*ca-legacy* ['COMMAND']
+
+
+DESCRIPTION
+-----------
+ca-legacy(8) is used to include or exclude a set of legacy Certificate Authority (CA)
+certificates in the system's list of trusted CA certificates.
+
+The list of CA certificates and trust flags included in the ca-certificates package
+are based on the decisions made by Mozilla.org according to the Mozilla CA policy.
+
+Occassionally, removal or distrust decisions made by Mozilla.org might be incompatible with the requirements
+or limitations of some applications that also use the CA certificates list in the Linux environment.
+
+The ca-certificates package might keep some CA certificates included and trusted by default,
+as long as it is seen necessary by the maintainers, despite the fact that they have
+been removed by Mozilla. These certificates are called legacy CA certificates.
+
+The general requirements to keep legacy CA certificates included and trusted might change over time,
+for example if functional limitations of software packages have been resolved.
+Future versions of the ca-certificates package might reduce the set of legacy CA certificates
+that are included and trusted by default.
+
+The ca-legacy(8) command can be used to override the default behaviour.
+
+The mechanisms to individually trust or distrust CA certificates as described in update-ca-trust(8) still apply.
+
+
+COMMANDS
+--------
+*check*::
+    The current configuration will be shown.
+
+*default*::
+    Configure the system to use the default configuration, as recommended
+    by the package maintainers.
+
+*disable*::
+    Configure the system to explicitly disable legacy CA certificates.
+    Using this configuration, the system will use the set of
+    included and trusted CA certificates as released by Mozilla.
+
+*install*::
+    The configuration file will be read and the system configuration
+    will be set accordingly. This command is executed automatically during
+    upgrades of the ca-certificates package.
+
+
+FILES
+-----
+/etc/pki/ca-trust/ca-legacy.conf::
+	A configuration file that will be used and modified by the ca-legacy command.
+    The contents of the configuration file will be read on package upgrades.
+
+AUTHOR
+------
+Written by Kai Engert.

ca-legacy.conf

@@ -1,9 +1,24 @@
-# legacy=enable :
-#   Certain legacy certs, that have been removed by upstream Mozilla,
-#   are still marked as trusted, if required for backwards compatibility
-#   with cryptographic libraries like openssl or gnutls.
+# The upstream Mozilla.org project tests all changes to the root CA
+# list with the NSS (Network Security Services) library.
+#
+# Occassionally, changes might cause compatibility issues with
+# other cryptographic libraries, such as openssl or gnutls.
+#
+# The package maintainers of the CA certificates package might decide
+# to temporarily keep certain (legacy) root CA certificates trusted,
+# until incompatibility issues can be resolved.
+# 
+# Using this configuration file it is possible to opt-out of the
+# compatibility choices made by the package maintainer.
+#
+# legacy=default :
+#   This configuration uses the choices made by the package maintainer.
+#   It may keep root CA certificate as trusted, which the upstream 
+#   Mozilla.org project has already marked as no longer trusted.
+#   The set of CA certificates that are being kept enabled may change
+#   between package versions.
 #
 # legacy=disable :
-#   Follow all removal decisions of upstream Mozilla CA maintainers
+#   Follow all removal decisions made by Mozilla.org
 #
-legacy=enable
+legacy=default

certdata2pem.py

@@ -196,7 +196,7 @@ for tobj in objects:
             is_legacy = 1
             if obj == None:
                 raise NotImplementedError, 'found legacy trust without certificate.\n' + line
-            legacy_fname = "legacy-enable/" + fname
+            legacy_fname = "legacy-default/" + fname
             f = open(legacy_fname, 'w')
             f.write("# alias=%s\n"%tobj['CKA_LABEL'])
             f.write("# trust=" + " ".join(legacy_trustbits) + "\n")