- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
By default, legacy roots required for OpenSSL/GnuTLS compatibility are kept enabled. Using the ca-legacy utility, the legacy roots can be disabled. If disabled, the system will use the trust set as provided by the upstream Mozilla CA list. (See also: rhbz#1158197)
This commit is contained in:
parent
f81c301d27
commit
e24bfeb6b0
@ -2,6 +2,8 @@
|
||||
%define catrustdir %{_sysconfdir}/pki/ca-trust
|
||||
%define classic_tls_bundle ca-bundle.crt
|
||||
%define trusted_all_bundle ca-bundle.trust.crt
|
||||
%define legacy_enable_bundle ca-bundle.legacy.enable.crt
|
||||
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
|
||||
%define neutral_bundle ca-bundle.neutral-trust.crt
|
||||
%define bundle_supplement ca-bundle.supplement.p11-kit
|
||||
%define java_bundle java/cacerts
|
||||
@ -37,7 +39,7 @@ Name: ca-certificates
|
||||
Version: 2014.2.1
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: Public Domain
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -49,6 +51,8 @@ Source1: nssckbi.h
|
||||
Source2: update-ca-trust
|
||||
Source3: trust-fixes
|
||||
Source4: certdata2pem.py
|
||||
Source5: ca-legacy.conf
|
||||
Source6: ca-legacy
|
||||
Source10: update-ca-trust.8.txt
|
||||
Source11: README.usr
|
||||
Source12: README.etc
|
||||
@ -76,6 +80,8 @@ Mozilla Foundation for use with the Internet PKI.
|
||||
rm -rf %{name}
|
||||
mkdir %{name}
|
||||
mkdir %{name}/certs
|
||||
mkdir %{name}/certs/legacy-enable
|
||||
mkdir %{name}/certs/legacy-disable
|
||||
mkdir %{name}/java
|
||||
|
||||
%build
|
||||
@ -103,6 +109,7 @@ EOF
|
||||
cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
|
||||
echo '#';
|
||||
) > %{trusted_all_bundle}
|
||||
touch %{neutral_bundle}
|
||||
for f in certs/*.crt; do
|
||||
echo "processing $f"
|
||||
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
||||
@ -132,9 +139,45 @@ EOF
|
||||
openssl x509 -text -in "$f" >> %{neutral_bundle}
|
||||
fi
|
||||
done
|
||||
for p in certs/*.p11-kit; do
|
||||
cat "$p" >> %{bundle_supplement}
|
||||
|
||||
for f in certs/legacy-enable/*.crt; do
|
||||
echo "processing $f"
|
||||
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
||||
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
|
||||
targs=""
|
||||
if [ -n "$tbits" ]; then
|
||||
for t in $tbits; do
|
||||
targs="${targs} -addtrust $t"
|
||||
done
|
||||
fi
|
||||
if [ -n "$targs" ]; then
|
||||
echo "legacy enable flags $targs for $f" >> info.trust
|
||||
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
|
||||
fi
|
||||
done
|
||||
|
||||
for f in certs/legacy-disable/*.crt; do
|
||||
echo "processing $f"
|
||||
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
|
||||
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
|
||||
targs=""
|
||||
if [ -n "$tbits" ]; then
|
||||
for t in $tbits; do
|
||||
targs="${targs} -addtrust $t"
|
||||
done
|
||||
fi
|
||||
if [ -n "$targs" ]; then
|
||||
echo "legacy disable flags $targs for $f" >> info.trust
|
||||
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
|
||||
fi
|
||||
done
|
||||
|
||||
P11FILES=`find certs -name *.p11-kit | wc -l`
|
||||
if [ $P11FILES -ne 0 ]; then
|
||||
for p in certs/*.p11-kit; do
|
||||
cat "$p" >> %{bundle_supplement}
|
||||
done
|
||||
fi
|
||||
# Append our trust fixes
|
||||
cat %{SOURCE3} >> %{bundle_supplement}
|
||||
popd
|
||||
@ -160,6 +203,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
|
||||
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
|
||||
|
||||
@ -175,14 +219,25 @@ install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
|
||||
install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
|
||||
install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
|
||||
install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
|
||||
|
||||
install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
|
||||
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
|
||||
touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
|
||||
|
||||
# TODO: consider to dynamically create the update-ca-trust script from within
|
||||
# this .spec file, in order to have the output file+directory names at once place only.
|
||||
install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
|
||||
|
||||
install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
|
||||
|
||||
# touch ghosted files that will be extracted dynamically
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
|
||||
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
@ -250,6 +305,7 @@ fi
|
||||
#if [ $1 -gt 1 ] ; then
|
||||
# # when upgrading or downgrading
|
||||
#fi
|
||||
%{_bindir}/ca-legacy install
|
||||
%{_bindir}/update-ca-trust
|
||||
|
||||
|
||||
@ -272,6 +328,9 @@ fi
|
||||
%dir %{_datadir}/pki/ca-trust-source
|
||||
%dir %{_datadir}/pki/ca-trust-source/anchors
|
||||
%dir %{_datadir}/pki/ca-trust-source/blacklist
|
||||
%dir %{_datadir}/pki/ca-trust-legacy
|
||||
|
||||
%config(noreplace) %{catrustdir}/ca-legacy.conf
|
||||
|
||||
%{_mandir}/man8/update-ca-trust.8.gz
|
||||
%{_datadir}/pki/ca-trust-source/README
|
||||
@ -293,8 +352,12 @@ fi
|
||||
%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
|
||||
%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
|
||||
%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
|
||||
%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
|
||||
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
|
||||
# update/extract tool
|
||||
%{_bindir}/update-ca-trust
|
||||
%{_bindir}/ca-legacy
|
||||
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
|
||||
# files extracted files
|
||||
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
|
||||
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
|
||||
@ -304,6 +367,13 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Oct 28 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-4
|
||||
- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
|
||||
By default, legacy roots required for OpenSSL/GnuTLS compatibility
|
||||
are kept enabled. Using the ca-legacy utility, the legacy roots can be
|
||||
disabled. If disabled, the system will use the trust set as provided
|
||||
by the upstream Mozilla CA list. (See also: rhbz#1158197)
|
||||
|
||||
* Sun Sep 21 2014 Kai Engert <kaie@redhat.com> - 2014.2.1-3
|
||||
- Temporarily re-enable several legacy root CA certificates because of
|
||||
compatibility issues with software based on OpenSSL/GnuTLS,
|
||||
|
83
ca-legacy
Normal file
83
ca-legacy
Normal file
@ -0,0 +1,83 @@
|
||||
#!/bin/sh
|
||||
|
||||
#set -vx
|
||||
|
||||
LCFILE=/etc/pki/ca-trust/ca-legacy.conf
|
||||
LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
|
||||
LENABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
|
||||
LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
|
||||
|
||||
do_grep()
|
||||
{
|
||||
grep -i "^legacy *= *enable *$" $LCFILE >/dev/null 2>&1
|
||||
}
|
||||
|
||||
do_check()
|
||||
{
|
||||
do_grep
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
|
||||
LEXPECT=$LENABLE
|
||||
else
|
||||
echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
|
||||
LEXPECT=$LDISABLE
|
||||
fi
|
||||
echo "Status of symbolic link $LLINK:"
|
||||
readlink -v $LLINK
|
||||
}
|
||||
|
||||
do_install()
|
||||
{
|
||||
do_grep
|
||||
if [ $? -eq 0 ]; then
|
||||
# expression was found, legacy is enabled
|
||||
ln -sf $LENABLE $LLINK
|
||||
else
|
||||
# not found, legacy is disabled
|
||||
ln -sf $LDISABLE $LLINK
|
||||
fi
|
||||
}
|
||||
|
||||
do_enable()
|
||||
{
|
||||
sed -i 's/^legacy *=.*$/legacy=enable/' $LCFILE
|
||||
do_install
|
||||
/usr/bin/update-ca-trust
|
||||
}
|
||||
|
||||
do_disable()
|
||||
{
|
||||
sed -i 's/^legacy *=.*$/legacy=disable/' $LCFILE
|
||||
do_install
|
||||
/usr/bin/update-ca-trust
|
||||
}
|
||||
|
||||
do_help()
|
||||
{
|
||||
echo "usage: $0 [check | enable | disable | install]"
|
||||
}
|
||||
|
||||
if [[ $# -eq 0 ]]; then
|
||||
# no parameters
|
||||
do_help
|
||||
exit $?
|
||||
fi
|
||||
|
||||
if [[ "$1" = "install" ]]; then
|
||||
do_install
|
||||
exit $?
|
||||
fi
|
||||
|
||||
if [[ "$1" = "enable" ]]; then
|
||||
do_enable
|
||||
exit $?
|
||||
fi
|
||||
if [[ "$1" = "disable" ]]; then
|
||||
do_disable
|
||||
exit $?
|
||||
fi
|
||||
|
||||
if [[ "$1" = "check" ]]; then
|
||||
do_check
|
||||
exit $?
|
||||
fi
|
9
ca-legacy.conf
Normal file
9
ca-legacy.conf
Normal file
@ -0,0 +1,9 @@
|
||||
# legacy=enable :
|
||||
# Certain legacy certs, that have been removed by upstream Mozilla,
|
||||
# are still marked as trusted, if required for backwards compatibility
|
||||
# with cryptographic libraries like openssl or gnutls.
|
||||
#
|
||||
# legacy=disable :
|
||||
# Follow all removal decisions of upstream Mozilla CA maintainers
|
||||
#
|
||||
legacy=enable
|
60
certdata.txt
60
certdata.txt
@ -992,11 +992,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
|
||||
\272\277
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -1288,10 +1289,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
|
||||
\154\212\257
|
||||
END
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -1839,12 +1842,9 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\001\001
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -1982,12 +1982,9 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\001\001
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -2125,12 +2122,9 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\001\001
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -3070,12 +3064,9 @@ END
|
||||
CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\004\067\112\322\103
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
@ -18516,11 +18507,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
\002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
|
||||
\022\276
|
||||
END
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
#temporarily re-enabled
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
|
@ -132,6 +132,18 @@ trust_types = {
|
||||
"CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
|
||||
}
|
||||
|
||||
legacy_trust_types = {
|
||||
"LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
|
||||
"LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
|
||||
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
|
||||
}
|
||||
|
||||
legacy_to_real_trust_types = {
|
||||
"LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
|
||||
"LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
|
||||
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
|
||||
}
|
||||
|
||||
openssl_trust = {
|
||||
"CKA_TRUST_SERVER_AUTH": "serverAuth",
|
||||
"CKA_TRUST_CLIENT_AUTH": "clientAuth",
|
||||
@ -147,6 +159,8 @@ for tobj in objects:
|
||||
distrustbits = []
|
||||
openssl_trustflags = []
|
||||
openssl_distrustflags = []
|
||||
legacy_trustbits = []
|
||||
legacy_openssl_trustflags = []
|
||||
for t in trust_types.keys():
|
||||
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
|
||||
trustbits.append(t)
|
||||
@ -157,6 +171,15 @@ for tobj in objects:
|
||||
if t in openssl_trust:
|
||||
openssl_distrustflags.append(openssl_trust[t])
|
||||
|
||||
for t in legacy_trust_types.keys():
|
||||
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
|
||||
real_t = legacy_to_real_trust_types[t]
|
||||
legacy_trustbits.append(real_t)
|
||||
if real_t in openssl_trust:
|
||||
legacy_openssl_trustflags.append(openssl_trust[real_t])
|
||||
if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
|
||||
raise NotImplementedError, 'legacy distrust not supported.\n' + line
|
||||
|
||||
fname = obj_to_filename(tobj)
|
||||
try:
|
||||
obj = certmap[key]
|
||||
@ -168,6 +191,26 @@ for tobj in objects:
|
||||
else:
|
||||
fname += ".p11-kit"
|
||||
|
||||
is_legacy = 0
|
||||
if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'):
|
||||
is_legacy = 1
|
||||
if obj == None:
|
||||
raise NotImplementedError, 'found legacy trust without certificate.\n' + line
|
||||
legacy_fname = "legacy-enable/" + fname
|
||||
f = open(legacy_fname, 'w')
|
||||
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
|
||||
f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
|
||||
if legacy_openssl_trustflags:
|
||||
f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
|
||||
f.write("\n-----END CERTIFICATE-----\n")
|
||||
f.close()
|
||||
if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'):
|
||||
fname = "legacy-disable/" + fname
|
||||
else:
|
||||
continue
|
||||
|
||||
f = open(fname, 'w')
|
||||
if obj != None:
|
||||
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
|
||||
@ -196,4 +239,5 @@ for tobj in objects:
|
||||
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
|
||||
f.write("x-distrusted: true\n")
|
||||
f.write("\n\n")
|
||||
f.close()
|
||||
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
|
||||
|
Loading…
Reference in New Issue
Block a user