Add code to pull in object signing certs from Common CA Database (ccadb.org).

Fix the updated merge scripts to handle this.
Prune Expired certificates from certdata.txt and the object signing cert list

Update to CKBI 2.48 from NSS 3.64

   Removing:
    # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
    # Certificate "GeoTrust Universal CA 2"
    # Certificate "QuoVadis Root CA"
    # Certificate "Sonera Class 2 Root CA"
    # Certificate "Taiwan GRCA"
    # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
    # Certificate "EE Certification Centre Root CA"
    # Certificate "LuxTrust Global Root 2"
    # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
    # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
   Adding:
    # Certificate "Microsoft ECC Root Certificate Authority 2017"
    # Certificate "Microsoft RSA Root Certificate Authority 2017"
    # Certificate "e-Szigno Root CA 2017"
    # Certificate "certSIGN Root CA G2"
    # Certificate "Trustwave Global Certification Authority"
    # Certificate "Trustwave Global ECC P256 Certification Authority"
    # Certificate "Trustwave Global ECC P384 Certification Authority"
    # Certificate "NAVER Global Root Certification Authority"
    # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
    # Certificate "GlobalSign Secure Mail Root R45"
    # Certificate "GlobalSign Secure Mail Root E45"
    # Certificate "GlobalSign Root R46"
    # Certificate "GlobalSign Root E46"
    # Certificate "Certum EC-384 CA"
    # Certificate "Certum Trusted Root CA"
    # Certificate "GlobalSign Code Signing Root R45"
    # Certificate "GlobalSign Code Signing Root E45"
    # Certificate "Halcom Root Certificate Authority"
    # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
    # Certificate "GLOBALTRUST"
    # Certificate "MULTICERT Root Certification Authority 01"
    # Certificate "Verizon Global Root CA"
    # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
    # Certificate "CAEDICOM Root"
    # Certificate "COMODO Certification Authority"
    # Certificate "Security Communication ECC RootCA1"
    # Certificate "Security Communication RootCA3"
    # Certificate "AC RAIZ DNIE"
    # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
    # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
    # Certificate "GLOBALTRUST 2015"
    # Certificate "emSign Root CA - G2"
    # Certificate "emSign Root CA - C2"
This commit is contained in:
Bob Relyea 2021-05-25 16:48:57 -07:00
parent 6d164aedd7
commit c4c1a32e95
5 changed files with 6915 additions and 3325 deletions

View File

@ -35,10 +35,10 @@ Name: ca-certificates
# to have increasing version numbers. However, the new scheme will work, # to have increasing version numbers. However, the new scheme will work,
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2020.2.41 Version: 2021.2.48
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 7%{?dist} Release: 2%{?dist}
License: Public Domain License: Public Domain
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
@ -399,6 +399,54 @@ fi
%changelog %changelog
*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
- Update to CKBI 2.48 from NSS 3.64
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Taiwan GRCA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "Halcom Root Certificate Authority"
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
- # Certificate "GLOBALTRUST"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "Verizon Global Root CA"
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
- # Certificate "CAEDICOM Root"
- # Certificate "COMODO Certification Authority"
- # Certificate "Security Communication ECC RootCA1"
- # Certificate "Security Communication RootCA3"
- # Certificate "AC RAIZ DNIE"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
- # Certificate "GLOBALTRUST 2015"
- # Certificate "emSign Root CA - G2"
- # Certificate "emSign Root CA - C2"
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

10108
certdata.txt

File diff suppressed because it is too large Load Diff

View File

@ -22,7 +22,7 @@ while [ -n "$1" ]; do
shift shift
certdata=$1 certdata=$1
;; ;;
"-u") "-n")
merge=0 merge=0
;; ;;
"-d") "-d")
@ -50,7 +50,7 @@ if [ ${merge} -eq 0 ]; then
fi fi
out=${certdata} out=${certdata}
if [ ${diff} -eq 1]; then if [ ${diff} -eq 1 ]; then
out=${certdata}.out out=${certdata}.out
fi fi

View File

@ -31,6 +31,8 @@ import getopt
import asn1 import asn1
from cryptography import x509 from cryptography import x509
from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import hashes
from datetime import datetime
from dateutil.parser import parse
objects = [] objects = []
@ -41,6 +43,7 @@ pem='./cert.pem'
output='./certdata_out.txt' output='./certdata_out.txt'
trust='CKA_TRUST_CODE_SIGNING' trust='CKA_TRUST_CODE_SIGNING'
merge_label="Non-Mozilla Object Signing Only Certificate" merge_label="Non-Mozilla Object Signing Only Certificate"
dateString='thisyear'
trust_types = { trust_types = {
"CKA_TRUST_SERVER_AUTH", "CKA_TRUST_SERVER_AUTH",
@ -87,7 +90,7 @@ def dumpOctal(f,value):
f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder)) f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder))
f.write("\nEND\n") f.write("\nEND\n")
# in python 3.8 this can be replaces with return byteval.hex(':',1) # in python 3.8 this can be replaced with return byteval.hex(':',1)
def formatHex(byteval) : def formatHex(byteval) :
string=byteval.hex() string=byteval.hex()
string_out="" string_out=""
@ -96,8 +99,27 @@ def formatHex(byteval) :
string_out += string[-2:] string_out += string[-2:]
return string_out return string_out
def getdate(dateString):
print("dateString= %s"%dateString)
if dateString.upper() == "THISYEAR":
return datetime(datetime.today().year,12,31,11,59,59,9999)
if dateString.upper() == "TODAY":
return datetime.today()
return parse(dateString, fuzzy=True);
def getTrust(objlist, serial, issuer) :
for obj in objlist:
if obj['CKA_CLASS'] == 'CKO_NSS_TRUST' and obj['CKA_SERIAL_NUMBER'] == serial and obj['CKA_ISSUER'] == issuer:
return obj
return None
def isDistrusted(obj) :
if (obj == None):
return False
return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
try: try:
opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:",) opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
except getopt.GetoptError as err: except getopt.GetoptError as err:
print(err) print(err)
print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]') print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]')
@ -106,6 +128,7 @@ except getopt.GetoptError as err:
print('-o certdata_target resulting output file (default="'+output+'")'); print('-o certdata_target resulting output file (default="'+output+'")');
print('-t trustvalue what these CAs are trusted for (default="'+trust+'")'); print('-t trustvalue what these CAs are trusted for (default="'+trust+'")');
print('-l merge_label what label CAs that aren\'t in certdata (default="'+merge_label+'")'); print('-l merge_label what label CAs that aren\'t in certdata (default="'+merge_label+'")');
print('-x date remove all certs that expire before data (default='+dateString+')');
sys.exit(2) sys.exit(2)
for opt, arg in opts: for opt, arg in opts:
@ -119,6 +142,16 @@ for opt, arg in opts:
trust = arg trust = arg
elif opt == '-l' : elif opt == '-l' :
merge_label = arg merge_label = arg
elif opt == '-x' :
dateString = arg
# parse dateString
verifyDate = True
if dateString.upper() == "NEVER":
verifyDate = False
else:
date = getdate(dateString)
# read the pem file # read the pem file
in_cert, certvalue = False, "" in_cert, certvalue = False, ""
@ -138,7 +171,6 @@ for line in open(pem, 'r'):
in_cert = False; in_cert = False;
continue continue
certvalue += line; certvalue += line;
# read the certdata.txt file # read the certdata.txt file
in_data, in_multiline, in_obj = False, False, False in_data, in_multiline, in_obj = False, False, False
@ -203,12 +235,26 @@ for line in open(certdata, 'r'):
if len(list(obj.items())) > 0: if len(list(obj.items())) > 0:
objects.append(obj) objects.append(obj)
# strip out expired certificates from certdata.txt
if verifyDate :
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
if (cert.not_valid_after <= date) :
trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
# we don't remove distrusted expired certificates
if not isDistrusted(trust_obj) :
print(" Remove cert %s"%obj['CKA_LABEL'])
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
obj['Comment'] = None;
if (trust_obj != None):
trust_obj['Comment'] = None;
# now merge the results # now merge the results
for certval in pemcerts: for certval in pemcerts:
certder = base64.b64decode(certval) certder = base64.b64decode(certval)
cert = x509.load_der_x509_certificate(certder) cert = x509.load_der_x509_certificate(certder)
certhashsha1 = cert.fingerprint(hashes.SHA1())
certhashmd5 = cert.fingerprint(hashes.MD5())
try: try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
except: except:
@ -219,6 +265,13 @@ for certval in pemcerts:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
except: except:
label="Unknown Certificate" label="Unknown Certificate"
if cert.not_valid_after <= date:
print(" Skipping code signing cert %s"%label)
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
continue
certhashsha1 = cert.fingerprint(hashes.SHA1())
certhashmd5 = cert.fingerprint(hashes.MD5())
found = False found = False
@ -235,7 +288,7 @@ for certval in pemcerts:
continue continue
obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR' obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
found = True found = True
print('Found "'+label+'"'); print('Updating "'+label+'" with code signing');
break break
if found : if found :
continue continue
@ -275,7 +328,7 @@ for certval in pemcerts:
# append the trust values # append the trust values
obj=dict() obj=dict()
obj['Comment']= comment%"Trust for" obj['Comment']= comment%"Trust for"
obj['CKA_CLASS'] = 'CKO_TRUST' obj['CKA_CLASS'] = 'CKO_NSS_TRUST'
obj['CKA_TOKEN'] = 'CK_TRUE' obj['CKA_TOKEN'] = 'CK_TRUE'
obj['CKA_PRIVATE'] = 'CK_FALSE' obj['CKA_PRIVATE'] = 'CK_FALSE'
obj['CKA_MODIFIABLE'] = 'CK_FALSE' obj['CKA_MODIFIABLE'] = 'CK_FALSE'
@ -291,13 +344,16 @@ for certval in pemcerts:
obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST' obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE' obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
objects.append(obj) objects.append(obj)
print('Added "'+label+'"'); print('Adding code signing cert "'+label+'"');
# now dump the results # now dump the results
f = open(output, 'w') f = open(output, 'w')
f.write(header) f.write(header)
for obj in objects: for obj in objects:
if 'Comment' in obj: if 'Comment' in obj:
# if comment is None, we've deleted the entry above
if obj['Comment'] == None:
continue
f.write(obj['Comment']) f.write(obj['Comment'])
else: else:
print("Object with no comment!!") print("Object with no comment!!")

View File

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99. * It's recommend to switch back to 0 after having reached version 98/99.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 41 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 48
#define NSS_BUILTINS_LIBRARY_VERSION "2.41" #define NSS_BUILTINS_LIBRARY_VERSION "2.48"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1