- adopt Python certdata.txt parsing script from Debian

This commit is contained in:
jorton 2010-01-15 17:11:52 +00:00
parent 18698abf9f
commit 5f392b3f7e
4 changed files with 21582 additions and 9 deletions

5
blacklist.txt Normal file
View File

@ -0,0 +1,5 @@
# One blacklist entry per line, corresponding to the label in certdata.txt.
# MD5 Collision Proof of Concept CA
"MD5 Collisions Forged Rogue CA 25c3"

View File

@ -6,16 +6,17 @@
Summary: The Mozilla CA root certificate bundle
Name: ca-certificates
Version: 2009
Release: 2%{?dist}
Version: 2010
Release: 1%{?dist}
License: Public Domain
Group: System Environment/Base
URL: http://www.mozilla.org/
Source0: ca-bundle.crt
Source1: generate-cacerts.pl
Source2: mkcabundle.pl
Source0: certdata.txt
Source1: blacklist.txt
Source2: generate-cacerts.pl
Source3: certdata2pem.py
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: perl, java-openjdk
BuildRequires: perl, java-openjdk, python
BuildArch: noarch
%description
@ -24,11 +25,30 @@ Mozilla Foundation for use with the Internet PKI.
%prep
rm -rf %{name}
mkdir %{name}
mkdir %{name} %{name}/certs
%build
pushd %{name}/certs
cp %{SOURCE0} %{SOURCE1} .
python %{SOURCE3}
popd
pushd %{name}
%{__perl} %{SOURCE1} %{_bindir}/keytool %{SOURCE0}
(
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
#
# Generated from:
EOF
ident -q %{SOURCE0} | sed '1d;s/^/#/';
echo '#';
for f in certs/*.crt; do
openssl x509 -text -in "$f"
done;
) > ca-bundle.crt
%{__perl} %{SOURCE2} %{_bindir}/keytool ca-bundle.crt
touch -r %{SOURCE0} cacerts
popd
@ -37,8 +57,9 @@ rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
install -p -m 644 %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
install -p -m 644 ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
ln -s certs/ca-bundle.crt $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
# Install Java cacerts file.
mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
@ -57,6 +78,9 @@ rm -rf $RPM_BUILD_ROOT
%{pkidir}/tls/cert.pem
%changelog
* Mon Jan 11 2010 Joe Orton <jorton@redhat.com> - 2010-1
- adopt Python certdata.txt parsing script from Debian
* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2009-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild

21415
certdata.txt Normal file

File diff suppressed because it is too large Load Diff

129
certdata2pem.py Normal file
View File

@ -0,0 +1,129 @@
#!/usr/bin/python
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
#
# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
# USA.
import base64
import os.path
import re
import sys
import textwrap
objects = []
# Dirty file parser.
in_data, in_multiline, in_obj = False, False, False
field, type, value, obj = None, None, None, dict()
for line in open('certdata.txt', 'r'):
# Ignore the file header.
if not in_data:
if line.startswith('BEGINDATA'):
in_data = True
continue
# Ignore comment lines.
if line.startswith('#'):
continue
# Empty lines are significant if we are inside an object.
if in_obj and len(line.strip()) == 0:
objects.append(obj)
obj = dict()
in_obj = False
continue
if len(line.strip()) == 0:
continue
if in_multiline:
if not line.startswith('END'):
if type == 'MULTILINE_OCTAL':
line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
value += chr(int(i.group(1), 8))
else:
value += line
continue
obj[field] = value
in_multiline = False
continue
if line.startswith('CKA_CLASS'):
in_obj = True
line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2:
field, type = line_parts[0:2]
value = ' '.join(line_parts[2:])
elif len(line_parts) == 2:
field, type = line_parts
value = None
else:
raise NotImplementedError, 'line_parts < 2 not supported.'
if type == 'MULTILINE_OCTAL':
in_multiline = True
value = ""
continue
obj[field] = value
if len(obj.items()) > 0:
objects.append(obj)
# Read blacklist.
blacklist = []
if os.path.exists('blacklist.txt'):
for line in open('blacklist.txt', 'r'):
line = line.strip()
if line.startswith('#') or len(line) == 0:
continue
item = line.split('#', 1)[0].strip()
blacklist.append(item)
# Build up trust database.
trust = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST':
continue
if obj['CKA_LABEL'] in blacklist:
print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED':
print '!'*74
print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
print '!'*74
else:
print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
(obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
obj['CKA_TRUST_EMAIL_PROTECTION'])
def label_to_filename(label):
label = label.replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\
.replace(')', '=')\
.replace(',', '_') + '.crt'
return re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
continue
fname = label_to_filename(obj['CKA_LABEL'][1:-1])
f = open(fname, 'w')
f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n")