--- debian/blacklist.txt | 5 ++ debian/ca-certificates-nss.dirs | 1 + debian/certdata2pem.py | 129 +++++++++++++++++++++++++++++++++++++++ debian/control | 9 +++- debian/rules | 18 +++++- 5 files changed, 159 insertions(+), 3 deletions(-) create mode 100644 debian/blacklist.txt create mode 100644 debian/ca-certificates-nss.dirs create mode 100644 debian/certdata2pem.py
diff --git a/debian/blacklist.txt b/debian/blacklist.txt new file mode 100644 index 0000000..8d57b86 --- /dev/null +++ b/debian/blacklist.txt @@ -0,0 +1,5 @@ +# One blacklist entry per line, corresponding to the label in certdata.txt. + +# MD5 Collision Proof of Concept CA +"MD5 Collisions Forged Rogue CA 25c3" + diff --git a/debian/ca-certificates-nss.dirs b/debian/ca-certificates-nss.dirs new file mode 100644 index 0000000..f5baa81 --- /dev/null +++ b/debian/ca-certificates-nss.dirs @@ -0,0 +1 @@ +usr/share/ca-certificates/nss diff --git a/debian/certdata2pem.py b/debian/certdata2pem.py new file mode 100644 index 0000000..10b340a --- /dev/null +++ b/debian/certdata2pem.py @@ -0,0 +1,129 @@ +#!/usr/bin/python +# vim:set et sw=4: +# +# certdata2pem.py - splits certdata.txt into multiple files +# +# Copyright (C) 2009 Philipp Kern <[email protected]> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, +# USA. + +import base64 +import os.path +import re +import sys +import textwrap + +certdata_fn = sys.argv[1] +blacklist_fn = sys.argv[2] +target_dir = sys.argv[3] + +objects = [] + +# Dirty file parser. +in_data, in_multiline, in_obj = False, False, False +field, type, value, obj = None, None, None, dict() +for line in open(certdata_fn, 'r'): + # Ignore the file header. + if not in_data: + if line.startswith('BEGINDATA'): + in_data = True + continue + # Ignore comment lines. + if line.startswith('#'): + continue + # Empty lines are significant if we are inside an object. + if in_obj and len(line.strip()) == 0: + objects.append(obj) + obj = dict() + in_obj = False + continue + if len(line.strip()) == 0: + continue + if in_multiline: + if not line.startswith('END'): + if type == 'MULTILINE_OCTAL': + line = line.strip() + for i in re.finditer(r'\\([0-3][0-7][0-7])', line): + value += chr(int(i.group(1), 8)) + else: + value += line + continue + obj[field] = value + in_multiline = False + continue + if line.startswith('CKA_CLASS'): + in_obj = True + line_parts = line.strip().split(' ', 2) + if len(line_parts) > 2: + field, type = line_parts[0:2] + value = ' '.join(line_parts[2:]) + elif len(line_parts) == 2: + field, type = line_parts + value = None + else: + raise NotImplementedError, 'line_parts < 2 not supported.' + if type == 'MULTILINE_OCTAL': + in_multiline = True + value = "" + continue + obj[field] = value +if len(obj.items()) > 0: + objects.append(obj) + +# Read blacklist. +blacklist = [] +if os.path.exists(blacklist_fn): + for line in open(blacklist_fn, 'r'): + line = line.strip() + if line.startswith('#') or len(line) == 0: + continue + item = line.split('#', 1)[0].strip() + blacklist.append(item) + +# Build up trust database. +trust = dict() +for obj in objects: + if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST': + continue + if obj['CKA_LABEL'] in blacklist: + print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'] + elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR': + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR': + trust[obj['CKA_LABEL']] = True + elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED': + print '!'*74 + print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'] + print '!'*74 + else: + print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \ + (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], + obj['CKA_TRUST_EMAIL_PROTECTION']) + +for obj in objects: + if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': + if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: + continue + fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + .replace(' ', '_')\ + .replace('(', '=')\ + .replace(')', '=')\ + .replace(',', '_') + '.crt' + f = open(os.path.join(target_dir, fname), 'w') + f.write("-----BEGIN CERTIFICATE-----\n") + f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + f.write("\n-----END CERTIFICATE-----\n") + diff --git a/debian/control b/debian/control index 75e5ae8..25d2b5e 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: libs Priority: optional Maintainer: Maintainers of Mozilla-related packages <[email protected]> Uploaders: Mike Hommey <[email protected]> -Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9) +Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9), python Standards-Version: 3.8.1.0 Homepage: http://www.mozilla.org/projects/security/pki/nss/ Vcs-Git: git://git.debian.org/git/pkg-mozilla/nss.git @@ -64,3 +64,10 @@ Description: Debugging symbols for the Network Security Service libraries other security standards. . This package provides the debugging symbols for the library. + +Package: ca-certificates-nss +Section: misc +Architecture: all +Description: Network Security Service CA certificates + This package includes PEM files of the CA certificates included in the + Network Security Service library. diff --git a/debian/rules b/debian/rules index 3647294..d0a2c69 100755 --- a/debian/rules +++ b/debian/rules @@ -95,9 +95,23 @@ install-stamp: build-stamp $(foreach bin,certutil modutil pk12util shlibsign signtool ssltap pwdecrypt, \ $(DISTDIR)/bin/$(bin)) + python debian/certdata2pem.py \ + mozilla/security/nss/lib/ckfw/builtins/certdata.txt \ + debian/blacklist.txt \ + debian/ca-certificates-nss/usr/share/ca-certificates/nss + touch install-stamp -binary-indep: +binary-indep: install-stamp + dh_testdir + dh_testroot + dh_installchangelogs -i + dh_compress -i + dh_fixperms -i + dh_installdeb -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i binary-arch: install-stamp dh_testdir @@ -119,6 +133,6 @@ binary-arch: install-stamp dh_md5sums -a dh_builddeb -a -binary: binary-arch +binary: binary-indep binary-arch .PHONY: clean install build clean-patched binary-indep binary-arch binary -- 1.6.5 -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

