- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.

By default, legacy roots required for OpenSSL/GnuTLS compatibility
  are kept enabled. Using the ca-legacy utility, the legacy roots can be
  disabled. If disabled, the system will use the trust set as provided
  by the upstream Mozilla CA list. (See also: rhbz#1158197)
This commit is contained in:
Kai Engert 2014-10-28 20:54:15 +01:00
parent f81c301d27
commit e24bfeb6b0
5 changed files with 235 additions and 37 deletions

View File

@ -2,6 +2,8 @@
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define trusted_all_bundle ca-bundle.trust.crt
%define legacy_enable_bundle ca-bundle.legacy.enable.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
%define neutral_bundle ca-bundle.neutral-trust.crt
%define bundle_supplement ca-bundle.supplement.p11-kit
%define java_bundle java/cacerts
@ -37,7 +39,7 @@ Name: ca-certificates
Version: 2014.2.1
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 3%{?dist}
Release: 4%{?dist}
License: Public Domain
Group: System Environment/Base
@ -49,6 +51,8 @@ Source1: nssckbi.h
Source2: update-ca-trust
Source3: trust-fixes
Source4: certdata2pem.py
Source5: ca-legacy.conf
Source6: ca-legacy
Source10: update-ca-trust.8.txt
Source11: README.usr
Source12: README.etc
@ -76,6 +80,8 @@ Mozilla Foundation for use with the Internet PKI.
rm -rf %{name}
mkdir %{name}
mkdir %{name}/certs
mkdir %{name}/certs/legacy-enable
mkdir %{name}/certs/legacy-disable
mkdir %{name}/java
%build
@ -103,6 +109,7 @@ EOF
cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
echo '#';
) > %{trusted_all_bundle}
touch %{neutral_bundle}
for f in certs/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
@ -132,9 +139,45 @@ EOF
openssl x509 -text -in "$f" >> %{neutral_bundle}
fi
done
for p in certs/*.p11-kit; do
cat "$p" >> %{bundle_supplement}
for f in certs/legacy-enable/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
targs=""
if [ -n "$tbits" ]; then
for t in $tbits; do
targs="${targs} -addtrust $t"
done
fi
if [ -n "$targs" ]; then
echo "legacy enable flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
fi
done
for f in certs/legacy-disable/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
targs=""
if [ -n "$tbits" ]; then
for t in $tbits; do
targs="${targs} -addtrust $t"
done
fi
if [ -n "$targs" ]; then
echo "legacy disable flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
fi
done
P11FILES=`find certs -name *.p11-kit | wc -l`
if [ $P11FILES -ne 0 ]; then
for p in certs/*.p11-kit; do
cat "$p" >> %{bundle_supplement}
done
fi
# Append our trust fixes
cat %{SOURCE3} >> %{bundle_supplement}
popd
@ -160,6 +203,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -175,14 +219,25 @@ install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# TODO: consider to dynamically create the update-ca-trust script from within
# this .spec file, in order to have the output file+directory names at once place only.
install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
# touch ghosted files that will be extracted dynamically
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
@ -250,6 +305,7 @@ fi
#if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading
#fi
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
@ -272,6 +328,9 @@ fi
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy
%config(noreplace) %{catrustdir}/ca-legacy.conf
%{_mandir}/man8/update-ca-trust.8.gz
%{_datadir}/pki/ca-trust-source/README
@ -293,8 +352,12 @@ fi
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# update/extract tool
%{_bindir}/update-ca-trust
%{_bindir}/ca-legacy
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
# files extracted files
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
@ -304,6 +367,13 @@ fi
%changelog
* Tue Oct 28 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-4
- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
By default, legacy roots required for OpenSSL/GnuTLS compatibility
are kept enabled. Using the ca-legacy utility, the legacy roots can be
disabled. If disabled, the system will use the trust set as provided
by the upstream Mozilla CA list. (See also: rhbz#1158197)
* Sun Sep 21 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-3
- Temporarily re-enable several legacy root CA certificates because of
compatibility issues with software based on OpenSSL/GnuTLS,

83
ca-legacy Normal file
View File

@ -0,0 +1,83 @@
#!/bin/sh
#set -vx
LCFILE=/etc/pki/ca-trust/ca-legacy.conf
LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
LENABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
do_grep()
{
grep -i "^legacy *= *enable *$" $LCFILE >/dev/null 2>&1
}
do_check()
{
do_grep
if [ $? -eq 0 ]; then
echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
LEXPECT=$LENABLE
else
echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
LEXPECT=$LDISABLE
fi
echo "Status of symbolic link $LLINK:"
readlink -v $LLINK
}
do_install()
{
do_grep
if [ $? -eq 0 ]; then
# expression was found, legacy is enabled
ln -sf $LENABLE $LLINK
else
# not found, legacy is disabled
ln -sf $LDISABLE $LLINK
fi
}
do_enable()
{
sed -i 's/^legacy *=.*$/legacy=enable/' $LCFILE
do_install
/usr/bin/update-ca-trust
}
do_disable()
{
sed -i 's/^legacy *=.*$/legacy=disable/' $LCFILE
do_install
/usr/bin/update-ca-trust
}
do_help()
{
echo "usage: $0 [check | enable | disable | install]"
}
if [[ $# -eq 0 ]]; then
# no parameters
do_help
exit $?
fi
if [[ "$1" = "install" ]]; then
do_install
exit $?
fi
if [[ "$1" = "enable" ]]; then
do_enable
exit $?
fi
if [[ "$1" = "disable" ]]; then
do_disable
exit $?
fi
if [[ "$1" = "check" ]]; then
do_check
exit $?
fi

9
ca-legacy.conf Normal file
View File

@ -0,0 +1,9 @@
# legacy=enable :
# Certain legacy certs, that have been removed by upstream Mozilla,
# are still marked as trusted, if required for backwards compatibility
# with cryptographic libraries like openssl or gnutls.
#
# legacy=disable :
# Follow all removal decisions of upstream Mozilla CA maintainers
#
legacy=enable

View File

@ -992,11 +992,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
\272\277
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -1288,10 +1289,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
\154\212\257
END
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -1839,12 +1842,9 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -1982,12 +1982,9 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -2125,12 +2122,9 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -3070,12 +3064,9 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\004\067\112\322\103
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
@ -18516,11 +18507,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
\022\276
END
#temporarily re-enabled
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
#temporarily re-enabled
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#

View File

@ -132,6 +132,18 @@ trust_types = {
"CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
}
legacy_trust_types = {
"LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
"LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
}
legacy_to_real_trust_types = {
"LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
"LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
}
openssl_trust = {
"CKA_TRUST_SERVER_AUTH": "serverAuth",
"CKA_TRUST_CLIENT_AUTH": "clientAuth",
@ -147,6 +159,8 @@ for tobj in objects:
distrustbits = []
openssl_trustflags = []
openssl_distrustflags = []
legacy_trustbits = []
legacy_openssl_trustflags = []
for t in trust_types.keys():
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t)
@ -157,6 +171,15 @@ for tobj in objects:
if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t])
for t in legacy_trust_types.keys():
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
real_t = legacy_to_real_trust_types[t]
legacy_trustbits.append(real_t)
if real_t in openssl_trust:
legacy_openssl_trustflags.append(openssl_trust[real_t])
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
raise NotImplementedError, 'legacy distrust not supported.\n' + line
fname = obj_to_filename(tobj)
try:
obj = certmap[key]
@ -168,6 +191,26 @@ for tobj in objects:
else:
fname += ".p11-kit"
is_legacy = 0
if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'):
is_legacy = 1
if obj == None:
raise NotImplementedError, 'found legacy trust without certificate.\n' + line
legacy_fname = "legacy-enable/" + fname
f = open(legacy_fname, 'w')
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
if legacy_openssl_trustflags:
f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n")
f.close()
if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'):
fname = "legacy-disable/" + fname
else:
continue
f = open(fname, 'w')
if obj != None:
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
@ -196,4 +239,5 @@ for tobj in objects:
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
f.close()
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)