I've been working on a few enhancements to cURL's mk-ca-bundle Perl
script and would like to solicit functionality feedback before
submitting a patch.
== Main change ==
Today, mk-ca-bundle outputs all certificates within Mozilla's certdata
file containing the purpose CKA_TRUST_SERVER_AUTH at trust level
CKT_NSS_TRUSTED_DELEGATOR, i.e. CAs trusted to issue SSL server certs.
At NCR, we need the ability to generate a bundle containing the
explicitly untrusted certs (for a blacklist) as well as CAs trusted
for other purposes, such as code signing. Therefore, I have enhanced
mk-ca-bundle to take a list of trust purposes and trust levels on the
command line. It'll then output all certificates which are trusted for
at least one of the requested purposes at one of the requested trust
levels.
Example (using y and z as placeholders for the TBD parameter flags):
perl mk-ca-bundle -y SERVER_AUTH,CODE_SIGNING -z NOT_TRUSTED
This would generate a bundle containing all certificates which are not
trusted for either SSL server auth or for code signing.
** Does anyone have an opinion on which flags are used for these
command line parameters? -p could be used for the purpose list, but an
intuitive letter for the trust level isn't available since both -t and
-l are already used.
** The default behavior remains as before: output only SSL server trusted CAs.
** Are there any objections to this change?
== Auxiliary changes ==
(Plain text mode example attached for a single cert)
When outputting in plain text mode (flag -t), I've added the ability
to output several different cert hashes. I did this because the
previous output was MD5, which is inconvenient since Windows normally
displays the certificate "thumbprint" using SHA1. I wanted to maintain
compatibility with any applications/processes out there that still use
the MD5 hash, so I just added SHA1 and SHA256 outputs. However, this
slows down the generation process since we go from creating 1 hash to
creating 3.
** Is this acceptable to everyone? If need be, we could add a command
line parameter to allow picking a hash algorithm.
When outputting the certificate, I also write out the certificate
trust information. I find this to be useful for troubleshooting.
** Is this acceptable to everyone?
** Should this be output only in plain text mode (flag -t)? I
currently output it in both modes since it cannot be recovered from
the certificate PEM encoding.
** Do you have an opinion on if this is output before or after the
==== line? I currently output before the ==== line since I want to
conceptually separate it from the certificate itself. After all, the
trust we place in the cert is not an attribute of the cert itself.
Patrick Watson, CISSP
Senior Software Engineer
NCR Corporation
Verisign Class 2 Public Primary Certification Authority - G2
MUST_VERIFY_TRUST: SERVER_AUTH
TRUSTED_DELEGATOR: EMAIL_PROTECTION, CODE_SIGNING
============================================================
MD5 Fingerprint=2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
SHA1 Fingerprint=B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
SHA256
Fingerprint=3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary Certification
Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only,
OU=VeriSign Trust Network
Validity
Not Before: May 18 00:00:00 1998 GMT
Not After : Aug 1 23:59:59 2028 GMT
Subject: C=US, O=VeriSign, Inc., OU=Class 2 Public Primary
Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use
only, OU=VeriSign Trust Network
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a7:88:01:21:74:2c:e7:1a:03:f0:98:e1:97:3c:
0f:21:08:f1:9c:db:97:e9:9a:fc:c2:04:06:13:be:
5f:52:c8:cc:1e:2c:12:56:2c:b8:01:69:2c:cc:99:
1f:ad:b0:96:ae:79:04:f2:13:39:c1:7b:98:ba:08:
2c:e8:c2:84:13:2c:aa:69:e9:09:f4:c7:a9:02:a4:
42:c2:23:4f:4a:d8:f0:0e:a2:fb:31:6c:c9:e6:6f:
99:27:07:f5:e6:f4:4c:78:9e:6d:eb:46:86:fa:b9:
86:c9:54:f2:b2:c4:af:d4:46:1c:5a:c9:15:30:ff:
0d:6c:f5:2d:0e:6d:ce:7f:77
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
72:2e:f9:7f:d1:f1:71:fb:c4:9e:f6:c5:5e:51:8a:40:98:b8:
68:f8:9b:1c:83:d8:e2:9d:bd:ff:ed:a1:e6:66:ea:2f:09:f4:
ca:d7:ea:a5:2b:95:f6:24:60:86:4d:44:2e:83:a5:c4:2d:a0:
d3:ae:78:69:6f:72:da:6c:ae:08:f0:63:92:37:e6:bb:c4:30:
17:ad:77:cc:49:35:aa:cf:d8:8f:d1:be:b7:18:96:47:73:6a:
54:22:34:64:2d:b6:16:9b:59:5b:b4:51:59:3a:b3:0b:14:f4:
12:df:67:a0:f4:ad:32:64:5e:b1:46:72:27:8c:12:7b:c5:44:
b4:ae
-----BEGIN CERTIFICATE-----
MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIHBMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0Ns
YXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
MjE6MDgGA1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y
aXplZCB1c2Ugb25seTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazAe
Fw05ODA1MTgwMDAwMDBaFw0yODA4MDEyMzU5NTlaMIHBMQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0NsYXNzIDIgUHVibGlj
IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjE6MDgGA1UECxMx
KGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
eTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAp4gBIXQs5xoD8JjhlzwPIQjxnNuX6Zr8wgQGE75fUsjM
HiwSViy4AWkszJkfrbCWrnkE8hM5wXuYuggs6MKEEyyqaekJ9MepAqRCwiNPStjw
DqL7MWzJ5m+ZJwf15vRMeJ5t60aG+rmGyVTyssSv1EYcWskVMP8NbPUtDm3Of3cC
AwEAATANBgkqhkiG9w0BAQUFAAOBgQByLvl/0fFx+8Se9sVeUYpAmLho+Jscg9ji
nb3/7aHmZuovCfTK1+qlK5X2JGCGTUQug6XELaDTrnhpb3LabK4I8GOSN+a7xDAX
rXfMSTWqz9iP0b63GJZHc2pUIjRkLbYWm1lbtFFZOrMLFPQS32eg9K0yZF6xRnIn
jBJ7xUS0rg==
-----END CERTIFICATE-----
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
