Author: dj
Date: 2010-09-09 01:11:15 -0600 (Thu, 09 Sep 2010)
New Revision: 8598
Added:
trunk/auxfiles/mkblfsca.sh
trunk/auxfiles/mkcert.pl
Removed:
trunk/auxfiles/makeblfscas.sh
trunk/auxfiles/mkcabundle.pl
Log:
Updated BLFS-CA scripts to account for untrusted CAs.
Deleted: trunk/auxfiles/makeblfscas.sh
===================================================================
--- trunk/auxfiles/makeblfscas.sh 2010-09-08 06:26:20 UTC (rev 8597)
+++ trunk/auxfiles/makeblfscas.sh 2010-09-09 07:11:15 UTC (rev 8598)
@@ -1,62 +0,0 @@
-#!/bin/bash
-# Begin mkblfscas.sh
-# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
-
-# Version number is obtained from the version of nss.
-if test -z "${1}"
-then
- VERSION="3.12.7.0"
-else
- VERSION="${1}"
-fi
-
-TEMPDIR=`mktemp -d`
-CAFILE="${TEMPDIR}/ca-bundle.crt"
-TARBALL="${PWD}/BLFS-ca-bundle-${VERSION}.tar.bz2"
-CASCRIPT="./mkcabundle.pl"
-
-"${CASCRIPT}" > "${CAFILE}"
-
-mkdir "${TEMPDIR}/certs"
-
-# Get a list of staring lines for each cert
-CERTLIST=`grep -n "^Certificate:$" "${CAFILE}" | cut -d ":" -f 1`
-
-# Get a list of ending lines for each cert
-ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
-
-# Start a loop
-for certbegin in `echo "${CERTLIST}"`
-do
- for certend in `echo "${ENDCERTLIST}"`
- do
- if test "${certend}" -gt "${certbegin}"
- then
- break
- fi
- done
- sed -n "${certbegin},${certend}p" "${CAFILE}" >
"${TEMPDIR}/certs/${certbegin}"
- object=`grep -m 1 -o "O=.*, " "${TEMPDIR}/certs/${certbegin}" | sed -e
's...@o=@@' -e 's@,.*@@'`
- keyhash=`openssl x509 -noout -in "${TEMPDIR}/certs/${certbegin}" -hash`
- if test -z "$object"
- then
- object="NO OBJECT PROVIDED IN DESCRIPTION"
- fi
- echo "generated PEM file with hash ${keyhash} for ${object}"
- mv "${TEMPDIR}/certs/${certbegin}" "${TEMPDIR}/certs/${keyhash}.pem"
-done
-
-# Remove expired CAs
-if test -f "${TEMPDIR}/certs/8f111d69.pem"; then
- rm "${TEMPDIR}/certs/8f111d69.pem"
-fi
-if test -f "${TEMPDIR}/certs/f2cce23a.pem"; then
- rm "${TEMPDIR}/certs/f2cce23a.pem"
-fi
-
-cd "${TEMPDIR}"
-tar -jcf "${TARBALL}" certs/
-cd ..
-rm -r "${TEMPDIR}"
-
-# End mkblfscas.sh
Added: trunk/auxfiles/mkblfsca.sh
===================================================================
--- trunk/auxfiles/mkblfsca.sh (rev 0)
+++ trunk/auxfiles/mkblfsca.sh 2010-09-09 07:11:15 UTC (rev 8598)
@@ -0,0 +1,82 @@
+#!/bin/bash
+# Begin mkblfscas.sh
+# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
+
+# Version number is obtained from the version of nss.
+if test -z "${1}"
+then
+ #rev 1.65
+ VERSION="3.12.8.0"
+else
+ VERSION="${1}"
+fi
+
+TEMPDIR=`mktemp -d`
+CERTDATA="certdata.txt"
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+TARBALL="${PWD}/BLFS-ca-bundle-${VERSION}.tar.bz2"
+CONVERTSCRIPT="./mkcert.pl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of staring lines for each cert
+CERTBEGINLIST=`grep -n "^# Certificate" "${CERTDATA}" | cut -d ":" -f 1`
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${CERTDATA}" | cut -d ":"
-f 1`
+# Start a loop
+for certbegin in ${CERTBEGINLIST}
+do
+ for certend in ${CERTENDLIST}
+ do
+ if test "${certend}" -gt "${certbegin}"
+ then
+ break
+ fi
+ done
+ # Dump to a temp file with the name of the file as the beginning line number
+ sed -n "${certbegin},${certend}p" "${CERTDATA}" >
"${TEMPDIR}/certs/${certbegin}.tmp"
+done
+unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
+
+mkdir -p certs
+
+for tempfile in ${TEMPDIR}/certs/*.tmp
+do
+ # Make sure that the cert is trusted...
+ grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+ grep "CKT_NETSCAPE_TRUST_UNKNOWN" > /dev/null
+ if test "${?}" = "0"
+ then
+ # Thow a meaningful error and remove the file
+ cp "${tempfile}" tempfile.cer
+ "${CONVERTSCRIPT}" > tempfile.crt
+ keyhash=`openssl x509 -noout -in tempfile.crt -hash`
+ echo "Certificate ${keyhash} is not trusted! Removing..."
+ rm -f tempfile.cer tempfile.crt "${tempfile}"
+ continue
+ fi
+ # If execution made it to here in the loop, the temp cert is trusted
+ # Find the cert data and generate a cert file for it
+
+ cp "${tempfile}" tempfile.cer
+ "${CONVERTSCRIPT}" > tempfile.crt
+ keyhash=`openssl x509 -noout -in tempfile.crt -hash`
+ mv tempfile.crt "certs/${keyhash}.crt"
+ rm -f tempfile.cer "${tempfile}"
+ echo "Created ${keyhash}.crt"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.crt
+then
+ echo "Certificate 8f111d69 is not trusted! Removing..."
+ rm -f certs/8f111d69.crt
+fi
+
+# Finally, generate the tarball and clean up.
+tar -jcf ${TARBALL} certs/
+rm -r certs/
+rm -r "${TEMPDIR}"
+
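Review bot: The trust check at the top of the second loop (the two chained `grep` calls under "Make sure that the cert is trusted...") is a denylist: an entry is rejected only when its CKA_TRUST_SERVER_AUTH line carries CKT_NETSCAPE_TRUST_UNKNOWN, so any other value that is not CKT_NETSCAPE_TRUSTED_DELEGATOR — including CKT_NETSCAPE_UNTRUSTED, which NSS uses for explicitly distrusted roots — still ends up in certs/ and in the tarball. Requiring the trusted value instead fails closed and also gives the otherwise unused TRUSTATTRIBUTES variable a purpose: `if ! grep -q "^${TRUSTATTRIBUTES} CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR" "${tempfile}"` in place of the two greps and the `test "${?}" = "0"` line. Two smaller points in the same hunk: the `unset` line names `certebegin` rather than `certbegin`, so the loop variable survives, and `tar -jcf ${TARBALL} certs/` should quote `"${TARBALL}"` since it is built from `${PWD}`.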
Property changes on: trunk/auxfiles/mkblfsca.sh
___________________________________________________________________
Added: svn:executable
+ *
Deleted: trunk/auxfiles/mkcabundle.pl
===================================================================
--- trunk/auxfiles/mkcabundle.pl 2010-09-08 06:26:20 UTC (rev 8597)
+++ trunk/auxfiles/mkcabundle.pl 2010-09-09 07:11:15 UTC (rev 8598)
@@ -1,47 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
-# Run as ./mkcabundle.pl > ca-bundle.crt
-#
-# This script courtesy of RedHat. Latest version is avaliable from:
-# http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl
-#
-
-# This script modified to use a local copy of certdata.txt obtained from the
-# latest version of the firefox source tree. The certdata.txt file can be
-# found in mozilla-$version/security/nss/lib/ckfw/builtins/certdata.txt
-
-my $certdata = './certdata.txt';
-
-open(IN, "cat $certdata|")
- || die "could not open certdata.txt";
-
-my $incert = 0;
-
-print<<EOH;
-# This is a bundle of X.509 certificates of public Certificate
-# Authorities. It was generated from the Mozilla root CA list.
-#
-# Source: $certdata
-#
-EOH
-
-while (<IN>) {
- if (/^CKA_VALUE MULTILINE_OCTAL/) {
- $incert = 1;
- open(OUT, "|openssl x509 -text -inform DER -fingerprint")
- || die "could not pipe to openssl x509";
- } elsif (/^END/ && $incert) {
- close(OUT);
- $incert = 0;
- print "\n\n";
- } elsif ($incert) {
- my @bs = split(/\\/);
- foreach my $b (@bs) {
- chomp $b;
- printf(OUT "%c", oct($b)) unless $b eq '';
- }
- } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
- print "# Generated from certdata.txt RCS revision $1\n#\n";
- }
-}
Added: trunk/auxfiles/mkcert.pl
===================================================================
--- trunk/auxfiles/mkcert.pl (rev 0)
+++ trunk/auxfiles/mkcert.pl 2010-09-09 07:11:15 UTC (rev 8598)
@@ -0,0 +1,35 @@
+#!/usr/bin/perl -w
+#
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./mkcrt.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source.
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+
+my $certdata = './tempfile.cer';
+
+open(IN, "cat $certdata|")
+ || die "could not open $certdata";
+
+my $incert = 0;
+
+while (<IN>) {
+ if (/^CKA_VALUE MULTILINE_OCTAL/) {
+ $incert = 1;
+ open(OUT, "|openssl x509 -text -inform DER -fingerprint")
+ || die "could not pipe to openssl x509";
+ } elsif (/^END/ && $incert) {
+ close(OUT);
+ $incert = 0;
+ print "\n\n";
+ } elsif ($incert) {
+ my @bs = split(/\\/);
+ foreach my $b (@bs) {
+ chomp $b;
+ printf(OUT "%c", oct($b)) unless $b eq '';
+ }
+ }
+}
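Review bot: `close(OUT)` in the `/^END/` branch discards the exit status of the `openssl x509` pipe, so a DER blob that openssl rejects produces an empty or partial tempfile.crt that the calling script then hashes and installs; check it with `close(OUT) or die "openssl x509 failed: exit $?";`. The input is opened with the two-argument `"cat $certdata|"` form, which spawns a shell to read a file Perl can read directly; `open(my $in, '<', $certdata) or die "could not open $certdata: $!";` with `while (<$in>)` removes the subprocess and the mode-injection pattern, even though $certdata is a fixed literal here. The header comment's usage line says `./mkcrt.pl` while the file is mkcert.pl, and the script has no `use strict;`.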
Property changes on: trunk/auxfiles/mkcert.pl
___________________________________________________________________
Added: svn:executable
+ *