Date: Friday, November 14, 2014 @ 10:00:02 Author: heftig Revision: 226214
FS#41909 Added: ca-certificates/trunk/update-ca-trust ca-certificates/trunk/update-ca-trust.8.txt Modified: ca-certificates/trunk/PKGBUILD ca-certificates/trunk/ca-certificates-utils.install Deleted: ca-certificates/trunk/confd.patch -------------------------------+ PKGBUILD | 51 +++++--- ca-certificates-utils.install | 41 +++++- confd.patch | 28 ---- update-ca-trust | 22 +++ update-ca-trust.8.txt | 245 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 333 insertions(+), 54 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-11-14 05:05:22 UTC (rev 226213)
+++ PKGBUILD 2014-11-14 09:00:02 UTC (rev 226214)
@@ -3,35 +3,48 @@
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20140325
-pkgrel=2
+pkgver=20140923
+pkgrel=4
 pkgdesc='Common CA certificates'
 arch=('any')
-url='http://packages.qa.debian.org/c/ca-certificates.html'
-license=('MPL' 'GPL')
-depends=('bash' 'run-parts' 'openssl' 'findutils' 'coreutils' 'sed')
-makedepends=('python2')
-source=("http://ftp.debian.org/debian/pool/main/c/${pkgbase}/${pkgbase}_${pkgver}.tar.xz"
- confd.patch)
-sha256sums=('c0e3d8c517995db2737f7f1a9b69d654b8823fa6d337871c6ce111fcf083454a'
- '6a6efe688bd7f40dc57d07ad6bfdbb83f4853a1964c55e0620e833e6c2945dab')
+url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
+license=('GPL2')
+depends=('sh' 'p11-kit')
+makedepends=('asciidoc')
+source=(update-ca-trust update-ca-trust.8.txt)
+sha256sums=('c737236405320440665c9e7034585fde95d34495fc65789591a7ab76dc7568d5'
+ '52f7067ced3771bfa315e4b2a4d078ba0502b663ed4d87a9a18558e14d4ed99e')
-prepare() {
- cd "${srcdir}/${pkgbase}"
- patch -Np1 -i ../confd.patch
+_confdir=/etc/$pkgbase
+_datadir=/usr/share/$pkgbase
+
+build() {
+ asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+ xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
 }
 package_ca-certificates-utils() {
 pkgdesc+=" (utilities)"
- backup=('etc/ca-certificates.conf')
 install=ca-certificates-utils.install
- provides=(ca-certificates)
+ provides=(ca-certificates ca-certificates-java)
+ conflicts=(ca-certificates-java)
+ replaces=(ca-certificates-java)
- cd "${srcdir}/${pkgbase}"
+ install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
+ install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
- install -d "${pkgdir}"/{etc/{ca-certificates/update.d,ssl/certs},usr/share/ca-certificates}
- install -Dm644 sbin/update-ca-certificates.8 "${pkgdir}/usr/share/man/man8/update-ca-certificates.8"
- install -D sbin/update-ca-certificates "${pkgdir}/usr/bin/update-ca-certificates"
+ install -d "${pkgdir}"{${_confdir},${_datadir}}/trust-source/{anchors,blacklist}
+
+ _extractdir="${pkgdir}${_confdir}/extracted"
+ _ssldir="${pkgdir}/etc/ssl"
+
+ install -d "${_ssldir}/certs/java" "${_extractdir}"/{openssl,pem,java}
+ ln -sr "${_extractdir}/openssl/ca-bundle.trust.crt" "${_ssldir}/certs/ca-bundle.trust.crt"
+ ln -sr "${_extractdir}/pem/tls-ca-bundle.pem" "${_ssldir}/cert.pem"
+
+ # These are inverted (for now?) to ease upgrading
+ ln -sr "${_ssldir}/certs/ca-certificates.crt" "${_extractdir}/pem/tls-ca-bundle.pem"
+ ln -sr "${_ssldir}/certs/java/cacerts" "${_extractdir}/java/cacerts"
 }
 package_ca-certificates() {
Modified: ca-certificates-utils.install
===================================================================
--- ca-certificates-utils.install 2014-11-14 05:05:22 UTC (rev 226213)
+++ ca-certificates-utils.install 2014-11-14 09:00:02 UTC (rev 226214)
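Review bot: The Java keystore path this hunk creates does not match what the man page added in the same commit documents: the PKGBUILD makes the directory `${_ssldir}/certs/java` and links `${_ssldir}/certs/java/cacerts`, i.e. `/etc/ssl/certs/java/cacerts`, while the FILES section of update-ca-trust.8.txt lists `/etc/ssl/java/cacerts`; since the script in this commit also writes to `/etc/ssl/certs/java/cacerts`, the man page entry is the one to correct. A smaller point of style: `install -D update-ca-trust …` relies on install's default mode while the very next line spells out `-Dm644`; `install -Dm755 update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"` makes the executable bit explicit and the two lines consistent. Worth a comment near the `ln -sr` lines is that `/etc/ssl/cert.pem`, `/etc/ssl/certs/ca-bundle.trust.crt` and the two inverted links are shipped dangling and only resolve once `update-ca-trust` has run from the install script, which is presumably intended but surprises anyone inspecting the package contents.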
@@ -1,18 +1,45 @@
 export LC_ALL=C
 post_install() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
 }
+pre_upgrade() {
+ if (( $(vercmp $2 20140923-2) < 0 )); then
+ find /etc/ssl/certs -type l -print | while read symlink; do
+ case $(readlink $symlink) in
+ /usr/share/ca-certificates*) rm -f $symlink;;
+ esac
+ done
+ find /etc/ssl/certs -type l -print | while read symlink; do
+ test -f $symlink || rm -f $symlink
+ done
+ fi
+}
+
 post_upgrade() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
+
+ if (( $(vercmp $2 20140923-2) < 0 )); then
+ cat <<MSG
+ The way local CA certificates are handled has changed.
+ If you have any:
+
+ 1. Move /usr/local/share/ca-certificates/*.crt to
+ /etc/ca-certificates/trust-source/anchors/
+ 2. Do the same with all manually-added /etc/ssl/certs/*.pem files
+ (and rename those to *.crt)
+ 3. Instead of \`update-ca-certificates\`, run \`update-ca-trust\`
+ 4. In programs that have settings like "ca_dir = /etc/ssl/certs",
+ change them to "ca_file = /etc/ssl/certs/ca-certificates.crt"
+
+ Also see \`man 8 update-ca-trust\`.
+MSG
+ fi
 }
 pre_remove() {
- usr/bin/update-ca-certificates --fresh >/dev/null 2>&1
+ usr/bin/update-ca-trust
 }
-post_remove() {
- # remove the cert file if it is empty
- [[ -s etc/ssl/certs/ca-certificates.crt ]] || rm -f etc/ssl/certs/ca-certificates.crt
-}
+# vim:set noet ts=8 sw=8:
Deleted: confd.patch
===================================================================
--- confd.patch 2014-11-14 05:05:22 UTC (rev 226213)
+++ confd.patch 2014-11-14 09:00:02 UTC (rev 226214)
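Review bot: The second loop in the new `pre_upgrade` deletes every symlink in /etc/ssl/certs whose target is not a regular file, because `test -f` follows the link and is also false for a link that points at a directory, so an administrator's `/etc/ssl/certs/foo -> /some/dir` would be removed along with the genuinely dangling links; if the intent is to clean up only broken links left by the old layout, `test -e "$symlink" || rm -f -- "$symlink"` is the right test. Both loops also read names with a bare `while read symlink` and expand `$symlink` unquoted, so a name containing spaces, backslashes or glob characters is split or expanded before it reaches `readlink` and `rm -f`; `while IFS= read -r symlink; do` plus `"$symlink"` in the `readlink` and `rm` calls closes that. Separately, `post_install`, `post_upgrade` and `pre_remove` invoke `usr/bin/update-ca-trust` without looking at its exit status, and with `post_remove` dropped the generated bundles under /etc/ca-certificates/extracted and /etc/ssl/certs are, as far as this hunk shows, left on disk after the package is removed — presumably deliberate, but a one-line comment saying so would save the next reader the same question.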
@@ -1,28 +0,0 @@
-diff -u -Nwr ca-certificates/sbin/update-ca-certificates ca-certificates.confd/sbin/update-ca-certificates
---- ca-certificates/sbin/update-ca-certificates 2014-03-13 13:43:00.000000000 +0100
-+++ ca-certificates.confd/sbin/update-ca-certificates 2014-08-24 13:36:19.264068119 +0200
-@@ -37,7 +37,7 @@
- shift
- done
-
--CERTSCONF=/etc/ca-certificates.conf
-+CERTSCONFS=/etc/ca-certificates/conf.d/*.conf
- CERTSDIR=/usr/share/ca-certificates
- LOCALCERTSDIR=/usr/local/share/ca-certificates
- CERTBUNDLE=ca-certificates.crt
-@@ -101,6 +101,7 @@
-
- echo -n "Updating certificates in $ETCCERTSDIR... "
-
-+for CERTSCONF in $CERTSCONFS; do
- # Handle certificates that should be removed. This is an explicit act
- # by prefixing lines in the configuration files with exclamation marks (!).
- sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
-@@ -117,6 +118,7 @@
- fi
- add "$CERTSDIR/$crt"
- done
-+done
-
- # Now process certificate authorities installed by the local system
- # administrator.
Added: update-ca-trust
===================================================================
--- update-ca-trust (rev 0)
+++ update-ca-trust 2014-11-14 09:00:02 UTC (rev 226214)
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+#set -vx
+
+# At this time, while this script is trivial, we ignore any parameters given.
+# However, for backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/ca-certificates/extracted
+
+# OpenSSL PEM bundle that includes trust flags
+# (BEGIN TRUSTED CERTIFICATE)
+/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
+#/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
+#/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+
+# Make upgrade on Arch smooth, by inverting some locations
+/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/ca-certificates.crt
+/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/java/cacerts
Added: update-ca-trust.8.txt
===================================================================
--- update-ca-trust.8.txt (rev 0)
+++ update-ca-trust.8.txt 2014-11-14 09:00:02 UTC (rev 226214)
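Review bot: None of the five `p11-kit extract` calls checks its exit status and the script has no `set -e`, so its own status is that of the last command only; a failure while writing ca-bundle.trust.crt or the email and code-signing bundles is masked by a later success, and the install hooks that call this script (which themselves do not check it) cannot tell that part of the trust store is stale. A bare `set -e` would stop at the first failure and leave the later, more important TLS bundle at /etc/ssl/certs/ca-certificates.crt un-refreshed, so I would rather let every extraction run, remember any failure and exit non-zero at the end, as below. Quoting `"$DEST/..."` changes nothing for the hard-coded value but is cheap insurance should `DEST` ever become configurable.
```shell
rc=0

# … unchanged: comments and DEST assignment …
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite "$DEST/openssl/ca-bundle.trust.crt" || rc=1
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose email "$DEST/pem/email-ca-bundle.pem" || rc=1
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem" || rc=1

# Make upgrade on Arch smooth, by inverting some locations
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/ca-certificates.crt || rc=1
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth /etc/ssl/certs/java/cacerts || rc=1

# Report any failed extraction to the caller (the package install hooks).
exit "$rc"
```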
@@ -0,0 +1,245 @@ +//// +Copyright (C) 2013 Red Hat, Inc. + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. +//// + + +update-ca-trust(8) +================== +:doctype: manpage +:man source: update-ca-trust + + +NAME +---- +update-ca-trust - manage consolidated and dynamic configuration of CA +certificates and associated trust + + +SYNOPSIS +-------- +*update-ca-trust* ['COMMAND'] + + +DESCRIPTION +----------- +update-ca-trust(8) is used to manage a consolidated and dynamic configuration +feature of Certificate Authority (CA) certificates and associated trust. + +The feature is available for new applications that read the +consolidated configuration files found in the /etc/ca-certificates/extracted directory +or that load the PKCS#11 module p11-kit-trust.so + +Parts of the new feature are also provided in a way to make it useful +for legacy applications. + +Many legacy applications expect CA certificates and trust configuration +in a fixed location, contained in files with particular path and name, +or by referring to a classic PKCS#11 trust module provided by the +NSS cryptographic library. + +The dynamic configuration feature provides functionally compatible replacements +for classic configuration files and for the classic NSS trust module named libnssckbi. + +In order to enable legacy applications, that read the classic files or +access the classic module, to make use of the new consolidated and dynamic configuration +feature, the classic filenames have been changed to symbolic links. 
+The symbolic links refer to dynamically created and consolidated +output stored below the /etc/ca-certificates/extracted directory hierarchy. + +The output is produced using the 'update-ca-trust' command (without parameters), +or using the 'update-ca-trust extract' command. +In order to produce the output, a flexible set of source configuration +is read, as described in section <<sourceconf,SOURCE CONFIGURATION>>. + +In addition, the classic PKCS#11 module +is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically +reads the same source configuration. + + +[[sourceconf]] +SOURCE CONFIGURATION +-------------------- +The dynamic configuration feature uses several source directories that +will be scanned for any number of source files. *It is important to select +the correct subdirectory for adding files, as the subdirectory defines how +contained certificates will be trusted or distrusted, and which file formats are read.* + +Files in *subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/* contain CA certificates and +trust settings in the PEM file format. The trust settings found here will be +interpreted with a *low priority*. + +Files in *subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/* contain CA certificates and +trust settings in the PEM file format. The trust settings found here will be +interpreted with a *high priority*. + +.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy: +* If you are manually adding a configuration file to a system, you probably +want it to override any other default configuration, and you most likely should +add it to the respective subdirectory in the /etc hierarchy. 
+* If you are creating a package that provides additional root CA certificates, +that is intended for distribution to several computer systems, but you still +want to allow the administrator to override your list, then your package should +add your files to the respective subdirectory in the /usr hierarchy. +* If you are creating a package that is supposed to override the default system +trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective +subdirectory in the /etc hierarchy. + +.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system: +* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/ +* run 'update-ca-trust extract' + +.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: +* add it as a new file to directory /etc/ca-certificates/trust-source/ +* run 'update-ca-trust extract' + +.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. 
+* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/ +* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/ +* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ + +.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats: +* certificate files that include trust flags, + in the BEGIN/END TRUSTED CERTIFICATE file format + (any file name), which have been created using the openssl x509 tool + and the -addreject -addtrust options. + Bundle files with multiple certificates are supported. +* files in the p11-kit file format using the .p11-kit file name + extension, which can (e.g.) be used to distrust certificates + based on serial number and issuer name, without having the + full certificate available. + (This is currently an undocumented format, to be extended later. + For examples of the supported formats, see the files + shipped with the ca-certificates package.) +* certificate files without trust flags in either the DER file format or in + the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files + will be added with neutral trust, neither trusted nor distrusted. + They will simply be known to the system, which might be helpful to + assist cryptographic software in constructing chains of certificates. + (If you want a CA certificate in these file formats to be trusted, you + should remove it from this directory and move it to the + ./anchors subdirectory instead.) + +In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/ +you may install one or multiple certificates in either the DER file +format or in the PEM (BEGIN/END CERTIFICATE) file format. 
+Each certificate will be treated as *trusted* for all purposes. + +In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/ +you may install one or multiple certificates in either the DER file +format or in the PEM (BEGIN/END CERTIFICATE) file format. +Each certificate will be treated as *distrusted* for all purposes. + +Please refer to the x509(1) manual page for the documentation of the +BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats. + +Applications that rely on a static file for a list of trusted CAs +may load one of the files found in the /etc/ca-certificates/extracted +directory. After modifying any file in the +/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ +directories or in any of their subdirectories, or after adding a file, +it is necessary to run the 'update-ca-trust extract' command, +in order to update the consolidated files in /etc/ca-certificates/extracted/ . + +Applications that load the classic PKCS#11 module using filename libnssckbi.so +(which has been converted into a symbolic link pointing to the new module) +and any application capable of +loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from +the dynamically merged set of certificates and trust information stored in the +/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories. + + +[[extractconf]] +EXTRACTED CONFIGURATION +----------------------- +The directory /etc/ca-certificates/extracted/ contains generated CA certificate +bundle files which are created and updated, based on the <<sourceconf,SOURCE CONFIGURATION>> +by running the 'update-ca-trust extract' command. + +If your application isn't able to load the PKCS#11 module p11-kit-trust.so, +then you can use these files in your application to load a list of global +root CA certificates. 
+ +Please never manually edit the files stored in this directory, +because your changes will be lost and the files automatically overwritten, +each time the 'update-ca-trust extract' command gets executed. + +In order to install new trusted or distrusted certificates, +please rather install them in the respective subdirectory below the +/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ +directories, as described in the <<sourceconf,SOURCE CONFIGURATION>> section. + +The directory /etc/ca-certificates/extracted/java/ contains +a CA certificate bundle in the java keystore file format. +Distrust information cannot be represented in this file format, +and distrusted certificates are missing from these files. +File cacerts contains CA certificates trusted for TLS server authentication. + +The directory /etc/ca-certificates/extracted/openssl/ contains +CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, +as described in the x509(1) manual page. +File ca-bundle.trust.crt contains the full set of all trusted +or distrusted certificates, including the associated trust flags. + +The directory /etc/ca-certificates/extracted/pem/ contains +CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, +as decribed in the x509(1) manual page. +Distrust information cannot be represented in this file format, +and distrusted certificates are missing from these files. +File tls-ca-bundle.pem contains CA certificates +trusted for TLS server authentication. +File email-ca-bundle.pem contains CA certificates +trusted for E-Mail protection. +File objsign-ca-bundle.pem contains CA certificates +trusted for code signing. + + +COMMANDS +-------- +(absent/empty command):: + Same as the *extract* command described below. (However, the command may + print fewer warnings, as this command is being run during package + installation, where non-fatal status output is undesired.) 
+ +*extract*:: + Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce + updated versions of the consolidated configuration files stored below + the /etc/ca-certificates/extracted directory hierarchy. + +FILES +----- +/etc/ssl/certs/ca-certificates.crt:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/certs/ca-bundle.trust.crt:: + Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/etc/ssl/java/cacerts:: + Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information. + This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command. + +/usr/share/ca-certificates/trust-source:: + Contains multiple, low priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories. + +/etc/ca-certificates/trust-source:: + Contains multiple, high priority source configuration files as explained in section <<sourceconf,SOURCE CONFIGURATION>>. Please pay attention to the specific meanings of the respective subdirectories. + +/etc/ca-certificates/extracted:: + Contains consolidated and automatically generated configuration files for consumption by applications, + which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten. 
+ See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details. + +AUTHOR +------ +Written by Kai Engert and Stef Walter.