rpms/ca-certificates
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c10s
Branches Tags
rpms:c8
rpms:c10s
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-102.3.el10
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.3.el10
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.2.el10
rpms:imports/c8/ca-certificates-2024.2.69_v8.0.303-80.0.el8_10
rpms:imports/c9/ca-certificates-2024.2.69_v8.0.303-91.4.el9_4
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.1.el10
rpms:imports/c8/ca-certificates-2023.2.60_v7.0.306-80.0.el8_8
rpms:imports/c9/ca-certificates-2023.2.60_v7.0.306-90.1.el9_2
rpms:imports/c9-beta/ca-certificates-2022.2.54-90.2.el9_0
rpms:imports/c8-beta/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c9/ca-certificates-2022.2.54-90.2.el9_0
rpms:imports/c8/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c8s/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c8s/ca-certificates-2022.2.54-80.0.el8_6
rpms:imports/c9/ca-certificates-2020.2.50-94.el9
rpms:imports/c9-beta/ca-certificates-2020.2.50-94.el9
rpms:imports/c9-beta/ca-certificates-2020.2.50-93.el9
rpms:imports/c8-beta/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8-beta/ca-certificates-2020.2.41-80.0.el8_2
rpms:imports/c8-beta/ca-certificates-2019.2.32-80.0.el8_1
rpms:imports/c8-beta/ca-certificates-2018.2.24-6.el8
rpms:imports/c8/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8s/ca-certificates-2021.2.50-82.el8
rpms:imports/c8s/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8s/ca-certificates-2020.2.41-80.0.el8_1
rpms:imports/c8/ca-certificates-2020.2.41-80.0.el8_2
rpms:imports/c8/ca-certificates-2019.2.32-80.0.el8_1
rpms:imports/c8/ca-certificates-2018.2.24-6.el8
...
pull from: rpms:c8
Branches Tags
rpms:c10s
rpms:c8
rpms:c9
rpms:c9s
rpms:c8s
rpms:c9-beta
rpms:c8-beta
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-102.3.el10
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.3.el10
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.2.el10
rpms:imports/c8/ca-certificates-2024.2.69_v8.0.303-80.0.el8_10
rpms:imports/c9/ca-certificates-2024.2.69_v8.0.303-91.4.el9_4
rpms:imports/c10s/ca-certificates-2024.2.69_v8.0.303-101.1.el10
rpms:imports/c8/ca-certificates-2023.2.60_v7.0.306-80.0.el8_8
rpms:imports/c9/ca-certificates-2023.2.60_v7.0.306-90.1.el9_2
rpms:imports/c9-beta/ca-certificates-2022.2.54-90.2.el9_0
rpms:imports/c8-beta/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c9/ca-certificates-2022.2.54-90.2.el9_0
rpms:imports/c8/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c8s/ca-certificates-2022.2.54-80.2.el8_6
rpms:imports/c8s/ca-certificates-2022.2.54-80.0.el8_6
rpms:imports/c9/ca-certificates-2020.2.50-94.el9
rpms:imports/c9-beta/ca-certificates-2020.2.50-94.el9
rpms:imports/c9-beta/ca-certificates-2020.2.50-93.el9
rpms:imports/c8-beta/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8-beta/ca-certificates-2020.2.41-80.0.el8_2
rpms:imports/c8-beta/ca-certificates-2019.2.32-80.0.el8_1
rpms:imports/c8-beta/ca-certificates-2018.2.24-6.el8
rpms:imports/c8/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8s/ca-certificates-2021.2.50-82.el8
rpms:imports/c8s/ca-certificates-2021.2.50-80.0.el8_4
rpms:imports/c8s/ca-certificates-2020.2.41-80.0.el8_1
rpms:imports/c8/ca-certificates-2020.2.41-80.0.el8_2
rpms:imports/c8/ca-certificates-2019.2.32-80.0.el8_1
rpms:imports/c8/ca-certificates-2018.2.24-6.el8

No commits in common. "c10s" and "c8" have entirely different histories.
c10s ... c8

32 changed files with 193 additions and 1462 deletions
Show Stats Expand all files Collapse all files

1
.ca-certificates.metadata Normal file
View File

@ -0,0 +1 @@
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes

1
.fmf/version
View File

@ -1 +0,0 @@
1

10
.gitignore vendored
View File

@ -1,9 +1 @@
*.rpm
noarch
clog
/.*build.log
/ca-certificates
certdata.txt.orig
codesign-release.txt
microsoft_sign_obj_ca.pem
SOURCES/trust-fixes

20
README.etcssl
View File

@ -1,20 +0,0 @@
This directory (/etc/ssl) is provided as a courtesy attempt to provide
compatibility with software which assumes its existence. It is not a
supported or canonical location. Software which assumes and relies on
the existence and layout of this directory is making a wrong assumption
(this directory is not any kind of 'standard', it is a configuration
detail of Debian and its derivatives) and should be improved. No
software packaged in this distribution should use this directory.
An attempt is made to make the layout of /etc/ssl/certs match that
provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
of individual certificate files, and also contains a certificate bundle
file named ca-certificates.crt, as Debian does. It also contains a
bundle named ca-bundle.crt, as this distribution has long provided
such a file, and it is possible some software has come to expect its
existence.
/etc/ssl/certs itself and the bundle files are in fact symlinks to
some of the output of the 'update-ca-trust' script which forms a part
of a system of consolidated CA certificates. Please refer to the
update-ca-trust(8) manual page for additional information.

0
README.edk2 → SOURCES/README.edk2
View File

0
README.etc → SOURCES/README.etc
View File

0
README.extr → SOURCES/README.extr
View File

0
README.java → SOURCES/README.java
View File

0
README.openssl → SOURCES/README.openssl
View File

0
README.pem → SOURCES/README.pem
View File

0
README.src → SOURCES/README.src
View File

0
README.usr → SOURCES/README.usr
View File

0
ca-legacy → SOURCES/ca-legacy
View File

0
ca-legacy.8.txt → SOURCES/ca-legacy.8.txt
View File

0
ca-legacy.conf → SOURCES/ca-legacy.conf
View File

0
certdata.txt → SOURCES/certdata.txt
View File

15
certdata2pem.py → SOURCES/certdata2pem.py
View File

@ -177,11 +177,6 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
}
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -374,16 +369,6 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

0
nssckbi.h → SOURCES/nssckbi.h
View File

22
SOURCES/update-ca-trust Normal file
View File

@ -0,0 +1,22 @@
#!/bin/sh
#set -vx
# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

34
update-ca-trust.8.txt → SOURCES/update-ca-trust.8.txt
View File

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS
--------
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
*update-ca-trust* ['COMMAND']
DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
@ -214,25 +214,16 @@ server authentication.
COMMANDS
--------
(absent/empty command)
~~~~~~~~~~~~~~~~~~~~~~
Same as the *extract* command described below. (However, the command may print
fewer warnings, as this command is being run during rpm package installation,
where non-fatal status output is undesired.)
(absent/empty command)::
Same as the *extract* command described below. (However, the command may
print fewer warnings, as this command is being run during rpm package
installation, where non-fatal status output is undesired.)
extract
~~~~~~~
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
produce updated versions of the consolidated configuration files stored below
*extract*::
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted. (Note: This option will not
populate the ../pki/tls/certs with the directory-hash symbolic links.)
FILES
-----
/etc/pki/tls/certs/ca-bundle.crt::
@ -258,9 +249,6 @@ FILES
which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
/etc/pki/tls/certs::
Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
AUTHOR
------
Written by Kai Engert and Stef Walter.

502
ca-certificates.spec → SPECS/ca-certificates.spec
View File

@ -1,6 +1,7 @@
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
@ -35,11 +36,13 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 102.3%{?dist}
License: MIT AND GPL-2.0-or-later
# On RHEL 8.x, please keep the release version >= 80
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
Release: 80.0%{?dist}
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h
@ -60,26 +63,26 @@ Source15: README.openssl
Source16: README.pem
Source17: README.edk2
Source18: README.src
Source19: README.etcssl
BuildArch: noarch
Requires(post): bash
Requires(post): findutils
Requires(post): grep
Requires(post): sed
Requires(post): coreutils
Requires: bash
Requires: grep
Requires: sed
Requires(post): p11-kit-trust >= 0.24
Requires: p11-kit-trust >= 0.24
Requires(post): p11-kit >= 0.23.12
Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: openssl
BuildRequires: asciidoc
BuildRequires: xmlto
BuildRequires: libxslt
%description
This package contains the set of CA certificates chosen by the
@ -97,7 +100,7 @@ mkdir %{name}/java
pushd %{name}/certs
pwd
cp %{SOURCE0} .
python3 %{SOURCE4} >c2p.log 2>c2p.err
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err
popd
pushd %{name}
(
@ -168,12 +171,12 @@ popd
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install
@ -183,16 +186,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -207,7 +209,6 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
@ -235,84 +236,29 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
# Extract the trust anchors to the directory-hash format.
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Clean up the temporary module config.
rm -f "$trust_module_config"
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
-regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
-exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# /etc/ssl is provided in a Debian compatible form for (bad) code that
# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
ln -s %{pkidir}/tls/certs \
# /etc/ssl/certs symlink for 3rd-party tools
ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
$RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre
if [ $1 -gt 1 ] ; then
# Remove the old symlinks
rm -f %{pkidir}/tls/cert.pem
rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
# Upgrade or Downgrade.
# If the classic filename is a regular file, then we are upgrading
# from an old package and we will move it to an .rpmsave backup file.
@ -344,8 +290,18 @@ if [ $1 -gt 1 ] ; then
fi
fi
fi
fi
if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
# no backup yet
if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# a file exists
if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
# it's an old regular file, not a link
mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
fi
fi
fi
fi
%post
#if [ $1 -gt 1 ] ; then
@ -372,8 +328,9 @@ fi
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
# The file .files.txt contains the list of (%ghost )files in the directory-hash
%files -f .files.txt
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
@ -381,7 +338,7 @@ fi
%dir %{catrustdir}
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blocklist
%dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
@ -389,9 +346,8 @@ fi
%dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist
%dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%config(noreplace) %{catrustdir}/ca-legacy.conf
@ -407,17 +363,14 @@ fi
%{catrustdir}/source/README
# symlinks for old locations
%{pkidir}/tls/cert.pem
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle}
# Hybrid hash directory with bundle file for Debian compatibility
# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
# symlink directory
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/README
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# primary bundle file with trust
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -430,53 +383,41 @@ fi
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2024.2.69_v8.0.303-102.3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
- Add missing Requires(post) on findutils for update-ca-trust
- Resolves: RHEL-60723
*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- update-ca-trust: return warnings on a unsupported argument instead of error
*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- remove base-ci.* tests from gating.yaml
*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
- Remove blacklist use blocklist-only.
- add gating.yaml
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
- # Certificate "Security Communication Root CA"
- # Certificate "Camerfirma Chambers of Commerce Root"
- # Certificate "Hongkong Post Root CA 1"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
- # Certificate "TrustCor RootCert CA-1"
- # Certificate "TrustCor RootCert CA-2"
- # Certificate "TrustCor ECA-1"
- # Certificate "FNMT-RCM"
- Adding:
- # Certificate "LAWtrust Root CA2 (4096)"
- # Certificate "Sectigo Public Email Protection Root E46"
- # Certificate "Sectigo Public Email Protection Root R46"
- # Certificate "Sectigo Public Server Authentication Root E46"
- # Certificate "Sectigo Public Server Authentication Root R46"
- # Certificate "SSL.com TLS RSA Root CA 2022"
- # Certificate "SSL.com TLS ECC Root CA 2022"
- # Certificate "SSL.com Client ECC Root CA 2022"
- # Certificate "SSL.com Client RSA Root CA 2022"
- # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
- # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
- # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
- # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
- # Certificate "TrustAsia Global Root CA G3"
- # Certificate "TrustAsia Global Root CA G4"
- # Certificate "CommScope Public Trust ECC Root-01"
@ -491,56 +432,16 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "Telekom Security TLS RSA Root 2023"
- # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
- # Certificate "SECOM Trust.net"
- # Certificate "Chambers of Commerce Root"
- # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
- Bump release for June 2024 mass rebuild
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
- Update to CKBI 2.62_v7.0.401 from NSS 3.93
Removing:
# Certificate "Camerfirma Chambers of Commerce Root"
# Certificate "Hongkong Post Root CA 1"
# Certificate "FNMT-RCM"
Adding:
# Certificate "LAWtrust Root CA2 (4096)"
# Certificate "Sectigo Public Email Protection Root E46"
# Certificate "Sectigo Public Email Protection Root R46"
# Certificate "Sectigo Public Server Authentication Root E46"
# Certificate "Sectigo Public Server Authentication Root R46"
# Certificate "SSL.com TLS RSA Root CA 2022"
# Certificate "SSL.com TLS ECC Root CA 2022"
# Certificate "SSL.com Client ECC Root CA 2022"
# Certificate "SSL.com Client RSA Root CA 2022"
# Certificate "Atos TrustedRoot Root CA ECC G2 2020"
# Certificate "Atos TrustedRoot Root CA RSA G2 2020"
# Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
# Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
# Certificate "Chambers of Commerce Root"
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
- update License: field to SPDX
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Staat der Nederlanden EV Root CA"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "Swedish Government Root Authority v1"
- # Certificate "DigiNotar Root CA G2"
@ -575,6 +476,16 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "Entrust.net Secure Server Certification Authority"
- # Certificate "ePKI EV SSL Certification Authority - G1"
- Adding:
- # Certificate "DigiCert TLS ECC P384 Root G5"
- # Certificate "DigiCert TLS RSA4096 Root G5"
- # Certificate "DigiCert SMIME ECC P384 Root G5"
- # Certificate "DigiCert SMIME RSA4096 Root G5"
- # Certificate "Certainly Root R1"
- # Certificate "Certainly Root E1"
- # Certificate "E-Tugra Global Root CA RSA v3"
- # Certificate "E-Tugra Global Root CA ECC v3"
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
- # Certificate "BJCA Global Root CA1"
- # Certificate "BJCA Global Root CA2"
- # Certificate "Symantec Enterprise Mobile Root for Microsoft"
@ -591,6 +502,7 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "ComSign CA"
- # Certificate "ComSign Secured CA"
- # Certificate "ComSign Advanced Security CA"
- # Certificate "Global Chambersign Root"
- # Certificate "Sonera Class2 CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "VeriSign, Inc."
@ -605,31 +517,7 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
- Fedora mass rebuild
*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
- Update to CKBI 2.60 from NSS 3.86
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
- # Certificate "Staat der Nederlanden EV Root CA"
- Adding:
- # Certificate "DigiCert TLS ECC P384 Root G5"
- # Certificate "DigiCert TLS RSA4096 Root G5"
- # Certificate "DigiCert SMIME ECC P384 Root G5"
- # Certificate "DigiCert SMIME RSA4096 Root G5"
- # Certificate "Certainly Root R1"
- # Certificate "Certainly Root E1"
- # Certificate "E-Tugra Global Root CA RSA v3"
- # Certificate "E-Tugra Global Root CA ECC v3"
- # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
- # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
- # Certificate "Global Chambersign Root"
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "TrustCor ECA-1"
@ -650,27 +538,12 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
- Update to CKBI 2.54 from NSS 3.79
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01"
@ -812,6 +685,7 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign"
- # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -885,72 +759,60 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
- Update to CKBI 2.52 from NSS 3.72
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
- integrate Adam William's /etc/ssl/certs with Debian-compatibility
- back out blocklist change since p11-kit .24 is not yet available on rawhide
*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
- remove blacklist directory now that pk11-kit is using blocklist
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67
- version number update only
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update to CKBI 2.48 from NSS 3.66
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "Halcom Root Certificate Authority"
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
- # Certificate "GLOBALTRUST"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "Verizon Global Root CA"
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
- # Certificate "CAEDICOM Root"
- # Certificate "COMODO Certification Authority"
- # Certificate "Security Communication ECC RootCA1"
- # Certificate "Security Communication RootCA3"
- # Certificate "AC RAIZ DNIE"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "GeoTrust Universal CA"
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
- # Certificate "GLOBALTRUST 2015"
- # Certificate "emSign Root CA - G2"
- # Certificate "emSign Root CA - C2"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Update to CKBI 2.48 from NSS 3.64
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Taiwan GRCA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
@ -970,108 +832,56 @@ Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-1
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "GlobalSign Code Signing Root E45"
- # Certificate "Halcom Root Certificate Authority"
- # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
- # Certificate "GLOBALTRUST"
- # Certificate "MULTICERT Root Certification Authority 01"
- # Certificate "Verizon Global Root CA"
- # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
- # Certificate "CAEDICOM Root"
- # Certificate "COMODO Certification Authority"
- # Certificate "Security Communication ECC RootCA1"
- # Certificate "Security Communication RootCA3"
- # Certificate "AC RAIZ DNIE"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
- # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
- # Certificate "GLOBALTRUST 2015"
- # Certificate "emSign Root CA - G2"
- # Certificate "emSign Root CA - C2"
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- remove unnecessarily divisive terms, take 1.
- in ca-certificates there are 3 cases:
- 1) master refering to the fedora master branch in the fetch.sh script.
- This can only be changed once fedora changes the master branch name.
- 2) a reference to the 'master bundle' in this file: this has been changed
- to 'primary bundle'.
- 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- needs to be updated before the old blacklist directories can be removed
- and the man pages corrected.
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- Fix up broken %post and %postinstall scriptlet changes from -2
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA"
- Adding:
- # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
- Update to CKBI 2.32 from NSS 3.44
Removing:
# Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1"
# Certificate "Certplus Root CA G2"
# Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G2"
# Certificate "OpenTrust Root CA G3"
Adding:
# Certificate "GTS Root R1"
# Certificate "GTS Root R2"
# Certificate "GTS Root R3"
# Certificate "GTS Root R4"
# Certificate "UCA Global G2 Root"
# Certificate "UCA Extended Validation Root"
# Certificate "Certigna Root CA"
# Certificate "emSign Root CA - G1"
# Certificate "emSign ECC Root CA - G3"
# Certificate "emSign Root CA - C1"
# Certificate "emSign ECC Root CA - C3"
# Certificate "Hongkong Post Root CA 3"
- Removing:
- # Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A."
- # Certificate "ComSign CA"
- # Certificate "Certplus Root CA G1"
- # Certificate "Certplus Root CA G2"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "OpenTrust Root CA G2"
- # Certificate "OpenTrust Root CA G3"
- Adding:
- # Certificate "GlobalSign Root CA - R6"
- # Certificate "OISTE WISeKey Global Root GC CA"
- # Certificate "GTS Root R1"
- # Certificate "GTS Root R2"
- # Certificate "GTS Root R3"
- # Certificate "GTS Root R4"
- # Certificate "UCA Global G2 Root"
- # Certificate "UCA Extended Validation Root"
- # Certificate "Certigna Root CA"
- # Certificate "emSign Root CA - G1"
- # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign Root CA - C1"
- # Certificate "emSign ECC Root CA - C3"
- # Certificate "Hongkong Post Root CA 3"
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
- Test gating
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
- Use __python3 macro when invoking Python
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3

118
check_certs.sh
View File

@ -1,118 +0,0 @@
#!/bin/perl
sub adjust {
my $newLine = $_[0];
my @neg = @{$_[1]};
my @pos = @{$_[2]};
my $found = 0;
my @newneg = ();
foreach my $cline (@neg) {
if ($cline eq $newLine) {
$found = 1;
} else {
push(@newneg ,$cline );
}
}
if (! $found ) {
push(@pos, $newLine);
}
@neg=@newneg;
}
sub removeLine {
my $newLine = $_[0];
my @neg = @{$_[1]};
my $found = 0;
my @newneg = ();
foreach my $cline (@neg) {
if ($found) {
push(@newneg ,$cline );
} elsif ($cline eq $newLine) {
$found = 1;
} else {
push(@newneg ,$cline );
}
}
return @newneg;
}
sub filter {
my @list = @{$_[0]};
my $string = $_[1];
my @filteredList = ();
foreach my $cline (@list) {
if ($cline =~ m/$string/) {
push(@filteredList ,$cline );
}
}
return @filteredList;
}
sub lineExists {
my $newLine = $_[0];
my @neg = @{$_[1]};
foreach my $cline (@neg) {
if ($cline eq $newLine) {
return 1;
}
}
return 0;
}
sub lineExists {
my $newLine = $_[0];
my @neg = @{$_[1]};
foreach my $cline (@neg) {
if ($cline eq $newLine) {
return 1;
}
}
return 0;
}
sub printeach {
my @args = @{$_[0]};
foreach my $arg (@args) {
chomp $arg;
print " $arg\n";
}
}
open my $handle, "git diff certdata.txt|";
my @diff_lines = <$handle>;
close $handle;
my @adds = ();
my @subs = ();
foreach my $line (@diff_lines) {
$type = substr $line,0,1;
$lline = substr $line,1;
if ($type eq "+") {
if (lineExists($lline, \@subs)) {
@subs = removeLine($lline,\@subs);
} else {
push(@adds, $lline);
}
};
if ($type eq "-") {
if (lineExists($lline, \@adds)) {
@adds = removeLine($lline,\@adds);
} else {
push(@subs, $lline);
}
};
}
my @tmp = filter(\@subs, "# Certificate");
if (@tmp) {
print " Removing: \n";
printeach(\@tmp);
}
my @tmp = filter(\@adds, "# Certificate");
if (@tmp) {
print " Adding: \n";
printeach(\@tmp);
}

1
ci.fmf
View File

@ -1 +0,0 @@
resultsdb-testcase: separate

185
fetch.sh
View File

@ -1,185 +0,0 @@
#!/bin/sh
#
# This script fetches the latest released certdata.txt and updates the
# ca-certificates.spec file
#
baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
force=0
skip_signed_obj=0
release_type="RTM"
release="3_65"
while [ -n "$1" ]; do
case $1 in
"-d")
baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
;;
-t*)
release_type=`echo $1 | sed -e 's;-t;;'`
if [ "${release_type}" = "" ]; then
shift
release_type=$1
fi
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
;;
-n*)
release=`echo $1 | sed -e 's;-n;;'`
if [ "${release}" = "" ]; then
shift
release=$1
fi
release=`echo ${release} | sed -e 's;\\.;_;g'`
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
;;
"-f")
force=1
;;
"-s")
skip_signed_obj=1
;;
*)
echo "usage: $0 [-r] [-n release] [-f]"
echo "-d use the development tip rather than the latest release"
echo "-n release fetch a specific nss release"
echo "-f skip the verify check"
echo "-s skip fetching signed objects"
exit 1
;;
esac
shift
done
# get the current certdata version number
# nss version number
# user making the change
# email of user
#
# versions from the latest nss code in mozilla
echo "Getting CKBI version number"
ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
if [ "${ckbi_version}" = "" ]; then
echo "Didn't find ckbi version from ${baseurl}"
exit 1;
fi
echo "Getting NSS version number"
nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
if [ "${nss_version}" = "" ]; then
echo "Didn't find nss version from ${baseurl}"
exit 1;
fi
# date from the current system date on this machine
echo "Creating change log"
export LANG=C
year=`date +%Y`
log_date=`date +"%a %b %d %Y"`
# user name from the environment, fallback to git, fallback to the current user
username=`whoami`
name=${NAME}
if [ "${name}" = "" ]; then
name=`git config user.name`
fi
if [ "${name}" = "" ]; then
name=`getent passwd $username`
fi
email=${EMAIL}
if [ "${email}" = "" ]; then
email=`git config user.email`
fi
if [ "${email}" = "" ]; then
email=$username@`hostname`
fi
# rawhide >=2, branches 1.x
cwd=$(pwd)
if [ `basename ${cwd}` = rawhide ]; then
release="2"
else
release="1.0"
fi
# fetch the codesigning certs now so we can get
# the code signing version number
if [ ${skip_signed_obj} -eq 0 ]; then
./fetch_objsign.sh
if [ -f codesign-release.txt ]; then
mcs_version=$(cat codesign-release.txt)
if [[ $ms_version != "unknown" ]]; then
ckbi_version="${ckbi_version}_${mcs_version}"
fi
signobjects="and Microsoft Signed Objects version $ms_version"
fi
fi
version=${year}.${ckbi_version}
#make sure the the current version is newer than what is already there
current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
echo "Can't downgrade current version: ${current_version} new version: ${version}"
exit 1;
fi
# now get our new certdata.txt
echo "Fetching new certdata.txt"
wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
if [ $? -ne 0 ]; then
echo fetching certdata.text from ${baseurl} failed!
echo " To restore the old certdata.txt use:"
echo " git checkout -- certdata.txt"
exit 1;
fi
# merge the signing certs into the normal certdata.txt file.
if [ ${skip_signed_obj} -eq 0 ]; then
cp certdata.txt certdata.txt.orig
python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER"
fi
# Verify everything is good with the user
echo -e "Upgrading ${current_version} -> ${version}:"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}"
./check_certs.sh
echo ""
yn=""
if [ ! ${force} ]; then
echo -n "Do you want to continue (Y/N default Y)? "
read yn
echo ""
fi
if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
echo "Skipping ca-certificate.spec upgrade."
echo " NOTE: certdata.txt has been upgraded."
echo " To restore the old certdata.txt use:"
echo " git checkout -- certdata.txt"
exit 1;
fi
echo "Updating .spec file"
cat ca-certificates.spec | while IFS= read -r line
do
echo $line | grep "^Version: " 1>&2
if [ $? -eq 0 ]; then
echo "Version: ${version}"
echo "New Version: ${version}" 1>&2
continue
fi
echo $line | grep "^Release: " 1>&2
if [ $? -eq 0 ]; then
echo "Release: ${release}%{?dist}"
echo "New Release: ${release}%{?dist}" 1>&2
continue
fi
echo $line | grep "^%changelog" 1>&2
if [ $? -eq 0 ]; then
echo "$line"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" 1>&2
./check_certs.sh
echo ""
continue
fi
echo "$line"
done > /tmp/ca-certificates.spec.$$
mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
git status
exit 0

123
fetch_objsign.sh
View File

@ -1,123 +0,0 @@
#!/bin/sh
#
# This script fetches the object signing list from the Microsoft list. It then
# mergest that list into the fetched certdata.txt.
#
giturl="https://github.com/dotnet/sdk"
gitrawurl="https://raw.githubusercontent.com/dotnet/sdk"
release="latest"
treedir="src/Layout/redist/trustedroots/codesignctl.pem"
target="microsoft_sign_obj_ca.pem"
certdata="./certdata.txt"
baseurl=""
merge=1
diff=0
function getlatest
{
local url=$1
local latest="0"
local tags=($(git ls-remote --tags ${url}))
for tag in "${tags[@]}"
do
if [[ ! ${tag} =~ refs/.* ]]; then
continue # skip hashes
fi
if [[ ${tag} =~ .*preview.* ]]; then
continue # skip preview tags, we only want release tags
fi
if [[ ${tag} =~ .*rc.* ]]; then
continue # skip release candidate tags, we only want release tags
fi
if [[ ${latest} < ${tag} ]]; then
latest=$tag
fi
done
latest=${latest##refs/tags/}
echo $latest
}
while [ -n "$1" ]; do
case $1 in
"-g")
shift
giturl=$1
;;
"-r")
shift
gitrawurl=$1
;;
"-t")
shift
treedir=$1
;;
"-r")
shift
release=$1
;;
"-u")
shift
baseurl=$1
release="unknown"
;;
"-o")
shift
target=$1
;;
"-c")
shift
certdata=$1
;;
"-n")
merge=0
;;
"-d")
shift
diff=1
difffile=$1
;;
*)
echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]"
echo "-g URL git URL to fetch code signing list"
echo "-r URL raw git URL to fetch code signing list"
echo "-t URL git tree directory to fetch code signing list"
echo "-r release code signing list release version"
echo "-u URL base URL to fetch code signing list"
echo "-o target name of the codesigning target"
echo "-c certdata patch to certdata.txt to merge with"
echo "-d diff optional diff file"
echo "-n don't merge"
exit 1
;;
esac
shift
done
if [ "${release}" = "latest" ]; then
release=$(getlatest ${giturl} )
fi
if [ "${baseurl}" = "" ]; then
baseurl="${gitrawurl}/${release}/${treedir}"
fi
echo $release > "./codesign-release.txt"
echo "Fetching release=${release}, ${target} from ${baseurl}"
wget ${baseurl} -O ${target}
if [ ${merge} -eq 0 ]; then
exit 0;
fi
out=${certdata}
if [ ${diff} -eq 1 ]; then
out=${certdata}.out
fi
python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate"
if [ ${diff} -eq 1 ]; then
diff -u ${certdata} ${out} > ${difffile}
mv ${out} ${certdata}
fi

8
gating.yaml
View File

@ -1,8 +0,0 @@
--- !Policy
product_versions:
- rhel-10
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.ca-certificates.streamspreadprevent}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/buildroot-enabled.functional}
- !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/buildroot-disabled.functional}

442
mergepem2certdata.py
View File

@ -1,442 +0,0 @@
#!/usr/bin/python
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
#
# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
# USA.
import base64
import os.path
import re
import sys
import textwrap
import subprocess
import getopt
import asn1
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from datetime import datetime
from dateutil.parser import parse
objects = []
pemcerts = []
certdata='./certdata.txt'
pem='./cert.pem'
output='./certdata_out.txt'
trust='CKA_TRUST_CODE_SIGNING'
merge_label="Non-Mozilla Object Signing Only Certificate"
dateString='thisyear'
trust_types = {
"CKA_TRUST_SERVER_AUTH",
"CKA_TRUST_EMAIL_PROTECTION",
"CKA_TRUST_CODE_SIGNING"
}
attribute_types = {
"CKA_CLASS" : "CK_OBJECT_CLASS",
"CKA_TOKEN" : "CK_BBOOL",
"CKA_PRIVATE" : "CK_BBOOL",
"CKA_MODIFIABLE" : "CK_BBOOL",
"CKA_LABEL" : "UTF8",
"CKA_CERTIFICATE_TYPE" : "CK_CERTIFICATE_TYPE",
"CKA_SUBJECT" : "MULTILINE_OCTAL",
"CKA_ID" : "UTF8",
"CKA_CERT_SHA1_HASH" : "MULTILINE_OCTAL",
"CKA_CERT_MD5_HASH" : "MULTILINE_OCTAL",
"CKA_ISSUER" : "MULTILINE_OCTAL",
"CKA_SERIAL_NUMBER" : "MULTILINE_OCTAL",
"CKA_VALUE" : "MULTILINE_OCTAL",
"CKA_NSS_MOZILLA_CA_POLICY" : "CK_BBOOL",
"CKA_NSS_SERVER_DISTRUST_AFTER" : "Distrust",
"CKA_NSS_EMAIL_DISTRUST_AFTER" : "Distrust",
"CKA_TRUST_SERVER_AUTH" : "CK_TRUST",
"CKA_TRUST_EMAIL_PROTECTION" : "CK_TRUST",
"CKA_TRUST_CODE_SIGNING" : "CK_TRUST",
"CKA_TRUST_STEP_UP_APPROVED" : "CK_BBOOL"
}
def printable_serial(obj):
return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
def getSerial(cert):
encoder = asn1.Encoder()
encoder.start()
encoder.write(cert.serial_number)
return encoder.output()
def dumpOctal(f,value):
for i in range(len(value)) :
if i % 16 == 0 :
f.write("\n")
f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder))
f.write("\nEND\n")
# in python 3.8 this can be replaced with return byteval.hex(':',1)
def formatHex(byteval) :
string=byteval.hex()
string_out=""
for i in range(0,len(string)-2,2) :
string_out += string[i:i+2] + ':'
string_out += string[-2:]
return string_out
def getdate(dateString):
print("dateString= %s"%dateString)
if dateString.upper() == "THISYEAR":
return datetime(datetime.today().year,12,31,11,59,59,9999)
if dateString.upper() == "TODAY":
return datetime.today()
return parse(dateString, fuzzy=True);
def getTrust(objlist, serial, issuer) :
for obj in objlist:
if obj['CKA_CLASS'] == 'CKO_NSS_TRUST' and obj['CKA_SERIAL_NUMBER'] == serial and obj['CKA_ISSUER'] == issuer:
return obj
return None
def isDistrusted(obj) :
if (obj == None):
return False
return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
def stripQuotes(label) :
if label[:1] == "\"" :
label=label[1:]
if label[-1] == "\"" :
label = label[:-1]
return label
# another object of the same class has the same label
def labelExists(objlist, obj) :
for iobj in objlist:
if obj['CKA_CLASS'] == iobj['CKA_CLASS'] and obj['CKA_LABEL'] == iobj['CKA_LABEL']:
return True
return False
# add an object, make sure that label is unique
def addObj(objlist, newObj, specialLabel, drop) :
label = stripQuotes(newObj['CKA_LABEL'])
count=1
if specialLabel != None :
count=0
label=label+' '+specialLabel
# make sure the label is unique
while labelExists(objlist, newObj) :
if drop :
return 'DROPPED'
if count != 0 :
newObj['CKA_LABEL'] = "\"%s %d\""%(label,count)
else :
newObj['CKA_LABEL'] = "\"%s\""%label
count=count+1
objlist.append(obj)
return stripQuotes(newObj['CKA_LABEL'])
try:
opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
except getopt.GetoptError as err:
print(err)
print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]')
print('-c certdata certdata file to merge to (default="'+certdata+'")');
print('-p pem pem file with CAs to merge from (default="'+pem+'")');
print('-o certdata_target resulting output file (default="'+output+'")');
print('-t trustvalue what these CAs are trusted for (default="'+trust+'")');
print('-l merge_label what label CAs that aren\'t in certdata (default="'+merge_label+'")');
print('-x date remove all certs that expire before data (default='+dateString+')');
sys.exit(2)
for opt, arg in opts:
if opt == '-c' :
certdata = arg
elif opt == '-p' :
pem = arg
elif opt == '-o' :
output = arg
elif opt == '-t' :
trust = arg
elif opt == '-l' :
merge_label = arg
elif opt == '-x' :
dateString = arg
# parse dateString
print ("datastring=",dateString)
verifyDate = True
if dateString.upper() == "NEVER":
verifyDate = False
else:
date = getdate(dateString)
print ("verifyDate=",verifyDate)
# read the pem file
in_cert, certvalue = False, ""
for line in open(pem, 'r'):
if not in_cert:
if line.find("BEGIN CERTIFICATE") != -1:
in_cert = True;
continue
# Ignore comment lines and blank lines.
if line.startswith('#'):
continue
if len(line.strip()) == 0:
continue
if line.find("END CERTIFICATE") != -1 :
pemcerts.append(certvalue);
certvalue = "";
in_cert = False;
continue
certvalue += line;
# read the certdata.txt file
in_data, in_multiline, in_obj = False, False, False
field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
header, comment = "", ""
for line in open(certdata, 'r'):
# Ignore the file header.
if not in_data:
header += line
if line.startswith('BEGINDATA'):
in_data = True
continue
# Ignore comment lines.
if line.startswith('#'):
comment += line
continue
# Empty lines are significant if we are inside an object.
if in_obj and len(line.strip()) == 0:
# collect all the inline comments in this object
obj['Comment'] += comment
comment = ""
addObj(objects, obj, None, False)
obj = dict()
in_obj = False
continue
if len(line.strip()) == 0:
continue
if in_multiline:
if not line.startswith('END'):
if ftype == 'MULTILINE_OCTAL':
line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
integ = int(i.group(1), 8)
binval.extend((integ).to_bytes(1, sys.byteorder))
obj[field] = binval
else:
value += line
obj[field] = value
continue
in_multiline = False
continue
if line.startswith('CKA_CLASS'):
in_obj = True
obj['Comment'] = comment
comment = ""
line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2:
field, ftype = line_parts[0:2]
value = ' '.join(line_parts[2:])
elif len(line_parts) == 2:
field, ftype = line_parts
value = None
else:
raise NotImplementedError('line_parts < 2 not supported.\n' + line)
if ftype == 'MULTILINE_OCTAL':
in_multiline = True
value = ""
binval = bytearray()
continue
obj[field] = value
if len(list(obj.items())) > 0:
addObj(objects, obj, None, False)
# strip out expired certificates from certdata.txt
if verifyDate :
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
if (cert.not_valid_after <= date) :
trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
# we don't remove distrusted expired certificates
if not isDistrusted(trust_obj) :
print(" Remove cert %s"%obj['CKA_LABEL'])
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
obj['Comment'] = None;
if (trust_obj != None):
trust_obj['Comment'] = None;
# now merge the results
for certval in pemcerts:
certder = base64.b64decode(certval)
cert = x509.load_der_x509_certificate(certder)
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
except:
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_UNIT_NAME)[0].value
except:
try:
label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
except:
label="Unknown Certificate"
if verifyDate :
if cert.not_valid_after <= date:
print(" Skipping code signing cert %s"%label)
print(" Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
print(" Prune time %s: "%date.strftime("%m/%d/%Y"))
continue
certhashsha1 = cert.fingerprint(hashes.SHA1())
certhashmd5 = cert.fingerprint(hashes.MD5())
found = False
# see if it exists in certdata.txt
for obj in objects:
# we only need to check the trust objects, because
# that is the object we would modify if it exists
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
# explicitly distrusted certs don't have a hash value
if not 'CKA_CERT_SHA1_HASH' in obj:
continue
if obj['CKA_CERT_SHA1_HASH'] != certhashsha1:
continue
obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
found = True
print('Updating "'+label+'" with code signing');
break
if found :
continue
# check for almost duplicates, certs with the same subject and key, but
# different values. If they exist, treat them as the same certificate
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
continue
# do they have the same subject?
if obj['CKA_SUBJECT'] != cert.subject.public_bytes():
continue
# do they have the same public key?
cert2 = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
if cert2.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) != cert.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) :
continue
#found now update trust record
trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
if trust_obj is None :
print('Couldn\'t find trust object for "'+obj['CKA_LABEL']);
exit
trust_obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
found = True
print('Updating sister certificate "'+obj['CKA_LABEL']+'" with code signing based on Microsoft "'+label+'"');
break
if found :
break
if found :
continue
# append this certificate
obj=dict()
time='%a %b %d %H:%M:%S %Y'
comment = '# ' + merge_label + '\n# %s "'+label+'"\n'
comment += '# Issuer: ' + cert.issuer.rfc4514_string() + '\n'
comment += '# Serial Number:'
sn=cert.serial_number
if sn < 0x100000:
comment += ' %d (0x%x)\n'%(sn,sn)
else:
comment += formatHex(sn.to_bytes((sn.bit_length()+7)//8,"big")) + '\n'
comment += '# Subject: ' + cert.subject.rfc4514_string() + '\n'
comment += '# Not Valid Before: ' + cert.not_valid_before.strftime(time) + '\n'
comment += '# Not Valid After: ' + cert.not_valid_after.strftime(time) + '\n'
comment += '# Fingerprint (MD5): ' + formatHex(certhashmd5) + '\n'
comment += '# Fingerprint (SHA1): ' + formatHex(certhashsha1) + '\n'
obj['Comment']= comment%"Certificate"
obj['CKA_CLASS'] = 'CKO_CERTIFICATE'
obj['CKA_TOKEN'] = 'CK_TRUE'
obj['CKA_PRIVATE'] = 'CK_FALSE'
obj['CKA_MODIFIABLE'] = 'CK_FALSE'
obj['CKA_LABEL'] = '"' + label + '"'
obj['CKA_CERTIFICATE_TYPE'] = 'CKC_X_509'
obj['CKA_SUBJECT'] = cert.subject.public_bytes()
obj['CKA_ID'] = '"0"'
obj['CKA_ISSUER'] = cert.issuer.public_bytes()
obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
obj['CKA_VALUE'] = certder
obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'
obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'
obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'
label = addObj(objects, obj, 'CodeSigning', True)
if label == 'DROPPED' :
continue
# append the trust values
obj=dict()
obj['Comment']= comment%"Trust for"
obj['CKA_CLASS'] = 'CKO_NSS_TRUST'
obj['CKA_TOKEN'] = 'CK_TRUE'
obj['CKA_PRIVATE'] = 'CK_FALSE'
obj['CKA_MODIFIABLE'] = 'CK_FALSE'
obj['CKA_LABEL'] = '"' + label + '"'
obj['CKA_CERT_SHA1_HASH'] = certhashsha1
obj['CKA_CERT_MD5_HASH'] = certhashmd5
obj['CKA_ISSUER'] = cert.issuer.public_bytes()
obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
for t in list(trust_types):
if t == trust:
obj[t] = 'CKT_NSS_TRUSTED_DELEGATOR'
else:
obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
label = addObj(objects, obj, 'CodeSigning', True)
print('Adding code signing cert "'+label+'"');
# now dump the results
f = open(output, 'w')
f.write(header)
for obj in objects:
if 'Comment' in obj:
# if comment is None, we've deleted the entry above
if obj['Comment'] == None:
continue
f.write(obj['Comment'])
else:
print("Object with no comment!!")
print(obj)
for field in list(attribute_types.keys()):
if not field in obj:
continue
ftype = attribute_types[field];
if ftype == 'Distrust':
if obj[field] == 'CK_FALSE':
ftype = 'CK_BBOOL'
else:
ftype = 'MULTILINE_OCTAL'
f.write("%s %s"%(field,ftype));
if ftype == 'MULTILINE_OCTAL':
dumpOctal(f,obj[field])
else:
f.write(" %s\n"%obj[field])
f.write("\n")
f.close

11
plans/ci.fmf
View File

@ -1,11 +0,0 @@
/buildroot-disabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/ca-certificates
name: /plans/ci/buildroot-disabled
/buildroot-enabled:
plan:
import:
url: https://pkgs.devel.redhat.com/git/tests/ca-certificates
name: /plans/ci/buildroot-enabled

34
sort-blocks.py
View File

@ -1,34 +0,0 @@
#!/usr/bin/python3
# Expected input is a file, where blocks of lines are separated by newline.
# Blocks will be sorted.
# Intention is to prepare files for comparison, were lines inside each block are
# in stable order, but the order of blocks is random.
import sys
import string
if (len(sys.argv) != 2):
print("syntax: " + sys.argv[0] + " input-filename")
sys.exit(1)
filename = sys.argv[1]
block = []
block_list = []
with open(filename, 'r') as f:
for line in f:
if (len(line) == 1):
if len(block) == 0:
continue
else:
combined_string = string.join(block, '')
block_list.append(combined_string)
block = []
else:
block.append(line)
block_list.sort()
for block in block_list:
print(block)

0
sources
View File

1
trust-fixes
View File

@ -1 +0,0 @@

123
update-ca-trust
View File

@ -1,123 +0,0 @@
#!/bin/sh
#set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
DEST=/etc/pki/ca-trust/extracted
DEST_CERTS=/etc/pki/tls/certs
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
usage() {
fold -s -w 76 >&2 <<-EOF
Usage: $0 [extract] [-o DIR|--output=DIR]
Update the system trust store in $DEST.
COMMANDS
(absent/empty command): Same as the extract command without arguments.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST. (Note: This option will not
populate the ../pki/tls/certs with the directory-hash symbolic links.)
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# Delete all directory hash symlinks from the cert directory
if [ -z "$USER_DEST" ]; then
find "$DEST_CERTS" -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
if [ -z "$USER_DEST" ]; then
find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
-regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
target=$(readlink -f "$link")
new_link="$DEST_CERTS/$(basename "$link")"
ln -s "$target" "$new_link"
done
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
*)
echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
exit 1
;;
esac