- adopt Python certdata.txt parsing script from Debian
This commit is contained in:
parent
18698abf9f
commit
5f392b3f7e
5
blacklist.txt
Normal file
5
blacklist.txt
Normal file
@ -0,0 +1,5 @@
|
||||
# One blacklist entry per line, corresponding to the label in certdata.txt.
|
||||
|
||||
# MD5 Collision Proof of Concept CA
|
||||
"MD5 Collisions Forged Rogue CA 25c3"
|
||||
|
@ -6,16 +6,17 @@
|
||||
|
||||
Summary: The Mozilla CA root certificate bundle
|
||||
Name: ca-certificates
|
||||
Version: 2009
|
||||
Release: 2%{?dist}
|
||||
Version: 2010
|
||||
Release: 1%{?dist}
|
||||
License: Public Domain
|
||||
Group: System Environment/Base
|
||||
URL: http://www.mozilla.org/
|
||||
Source0: ca-bundle.crt
|
||||
Source1: generate-cacerts.pl
|
||||
Source2: mkcabundle.pl
|
||||
Source0: certdata.txt
|
||||
Source1: blacklist.txt
|
||||
Source2: generate-cacerts.pl
|
||||
Source3: certdata2pem.py
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
BuildRequires: perl, java-openjdk
|
||||
BuildRequires: perl, java-openjdk, python
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
@ -24,11 +25,30 @@ Mozilla Foundation for use with the Internet PKI.
|
||||
|
||||
%prep
|
||||
rm -rf %{name}
|
||||
mkdir %{name}
|
||||
mkdir %{name} %{name}/certs
|
||||
|
||||
%build
|
||||
pushd %{name}/certs
|
||||
cp %{SOURCE0} %{SOURCE1} .
|
||||
python %{SOURCE3}
|
||||
popd
|
||||
pushd %{name}
|
||||
%{__perl} %{SOURCE1} %{_bindir}/keytool %{SOURCE0}
|
||||
(
|
||||
cat <<EOF
|
||||
# This is a bundle of X.509 certificates of public Certificate
|
||||
# Authorities. It was generated from the Mozilla root CA list.
|
||||
#
|
||||
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
#
|
||||
# Generated from:
|
||||
EOF
|
||||
ident -q %{SOURCE0} | sed '1d;s/^/#/';
|
||||
echo '#';
|
||||
for f in certs/*.crt; do
|
||||
openssl x509 -text -in "$f"
|
||||
done;
|
||||
) > ca-bundle.crt
|
||||
%{__perl} %{SOURCE2} %{_bindir}/keytool ca-bundle.crt
|
||||
touch -r %{SOURCE0} cacerts
|
||||
popd
|
||||
|
||||
@ -37,8 +57,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
|
||||
mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
|
||||
|
||||
install -p -m 644 %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
||||
install -p -m 644 ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
||||
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
|
||||
|
||||
# Install Java cacerts file.
|
||||
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
|
||||
@ -57,6 +78,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{pkidir}/tls/cert.pem
|
||||
|
||||
%changelog
|
||||
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
|
||||
- adopt Python certdata.txt parsing script from Debian
|
||||
|
||||
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
|
||||
|
||||
|
21415
certdata.txt
Normal file
21415
certdata.txt
Normal file
File diff suppressed because it is too large
Load Diff
129
certdata2pem.py
Normal file
129
certdata2pem.py
Normal file
@ -0,0 +1,129 @@
|
||||
#!/usr/bin/python
|
||||
# vim:set et sw=4:
|
||||
#
|
||||
# certdata2pem.py - splits certdata.txt into multiple files
|
||||
#
|
||||
# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
|
||||
# USA.
|
||||
|
||||
import base64
|
||||
import os.path
|
||||
import re
|
||||
import sys
|
||||
import textwrap
|
||||
|
||||
objects = []
|
||||
|
||||
# Dirty file parser.
|
||||
in_data, in_multiline, in_obj = False, False, False
|
||||
field, type, value, obj = None, None, None, dict()
|
||||
for line in open('certdata.txt', 'r'):
|
||||
# Ignore the file header.
|
||||
if not in_data:
|
||||
if line.startswith('BEGINDATA'):
|
||||
in_data = True
|
||||
continue
|
||||
# Ignore comment lines.
|
||||
if line.startswith('#'):
|
||||
continue
|
||||
# Empty lines are significant if we are inside an object.
|
||||
if in_obj and len(line.strip()) == 0:
|
||||
objects.append(obj)
|
||||
obj = dict()
|
||||
in_obj = False
|
||||
continue
|
||||
if len(line.strip()) == 0:
|
||||
continue
|
||||
if in_multiline:
|
||||
if not line.startswith('END'):
|
||||
if type == 'MULTILINE_OCTAL':
|
||||
line = line.strip()
|
||||
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
|
||||
value += chr(int(i.group(1), 8))
|
||||
else:
|
||||
value += line
|
||||
continue
|
||||
obj[field] = value
|
||||
in_multiline = False
|
||||
continue
|
||||
if line.startswith('CKA_CLASS'):
|
||||
in_obj = True
|
||||
line_parts = line.strip().split(' ', 2)
|
||||
if len(line_parts) > 2:
|
||||
field, type = line_parts[0:2]
|
||||
value = ' '.join(line_parts[2:])
|
||||
elif len(line_parts) == 2:
|
||||
field, type = line_parts
|
||||
value = None
|
||||
else:
|
||||
raise NotImplementedError, 'line_parts < 2 not supported.'
|
||||
if type == 'MULTILINE_OCTAL':
|
||||
in_multiline = True
|
||||
value = ""
|
||||
continue
|
||||
obj[field] = value
|
||||
if len(obj.items()) > 0:
|
||||
objects.append(obj)
|
||||
|
||||
# Read blacklist.
|
||||
blacklist = []
|
||||
if os.path.exists('blacklist.txt'):
|
||||
for line in open('blacklist.txt', 'r'):
|
||||
line = line.strip()
|
||||
if line.startswith('#') or len(line) == 0:
|
||||
continue
|
||||
item = line.split('#', 1)[0].strip()
|
||||
blacklist.append(item)
|
||||
|
||||
# Build up trust database.
|
||||
trust = dict()
|
||||
for obj in objects:
|
||||
if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST':
|
||||
continue
|
||||
if obj['CKA_LABEL'] in blacklist:
|
||||
print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
|
||||
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
|
||||
trust[obj['CKA_LABEL']] = True
|
||||
elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
|
||||
trust[obj['CKA_LABEL']] = True
|
||||
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED':
|
||||
print '!'*74
|
||||
print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
|
||||
print '!'*74
|
||||
else:
|
||||
print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
|
||||
(obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
|
||||
obj['CKA_TRUST_EMAIL_PROTECTION'])
|
||||
|
||||
def label_to_filename(label):
|
||||
label = label.replace('/', '_')\
|
||||
.replace(' ', '_')\
|
||||
.replace('(', '=')\
|
||||
.replace(')', '=')\
|
||||
.replace(',', '_') + '.crt'
|
||||
return re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
|
||||
|
||||
for obj in objects:
|
||||
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
|
||||
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
|
||||
continue
|
||||
fname = label_to_filename(obj['CKA_LABEL'][1:-1])
|
||||
f = open(fname, 'w')
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
|
||||
f.write("\n-----END CERTIFICATE-----\n")
|
||||
|
Loading…
Reference in New Issue
Block a user