[ca-certificates/f19] - Introduce the ca-legacy utility and a ca-legacy.conf configuration file. By default, legacy root

Kai Engert kengert at fedoraproject.org
Thu Nov 20 17:21:00 UTC 2014


commit 7c4340c7716dbe04b37ab90d75d5809af7f86d25
Author: Kai Engert <kaie at redhat.com>
Date:   Thu Nov 20 18:20:37 2014 +0100

    - Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
      By default, legacy roots required for OpenSSL/GnuTLS compatibility
      are kept enabled. Using the ca-legacy utility, the legacy roots can be
      disabled. If disabled, the system will use the trust set as provided
      by the upstream Mozilla CA list. (See also: rhbz#1158197)
    - Includes the fixes for rhbz#1158343
    - remove the obsolete blacklist.txt file
    - remove the unnecessary entry in trust-fixes, because we no longer ship the old entrust root (it got replaced with one that contains the basic constraints extension)

 blacklist.txt        |   30 ------------------
 ca-certificates.spec |   79 +++++++++++++++++++++++++++++++++++++++++++++--
 ca-legacy            |   83 ++++++++++++++++++++++++++++++++++++++++++++++++++
 ca-legacy.conf       |    9 +++++
 certdata.txt         |   60 +++++++++++++++--------------------
 certdata2pem.py      |   44 ++++++++++++++++++++++++++
 trust-fixes          |    8 -----
 7 files changed, 238 insertions(+), 75 deletions(-)
---
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 5407141..538c941 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -2,6 +2,8 @@
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
 %define trusted_all_bundle ca-bundle.trust.crt
+%define legacy_enable_bundle ca-bundle.legacy.enable.crt
+%define legacy_disable_bundle ca-bundle.legacy.disable.crt
 %define neutral_bundle ca-bundle.neutral-trust.crt
 %define bundle_supplement ca-bundle.supplement.p11-kit
 %define java_bundle java/cacerts
@@ -37,7 +39,7 @@ Name: ca-certificates
 Version: 2014.2.1
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 1.1%{?dist}
+Release: 1.5%{?dist}
 License: Public Domain
 
 Group: System Environment/Base
@@ -49,6 +51,8 @@ Source1: nssckbi.h
 Source2: update-ca-trust
 Source3: trust-fixes
 Source4: certdata2pem.py
+Source5: ca-legacy.conf
+Source6: ca-legacy
 Source10: update-ca-trust.8.txt
 Source11: README.usr
 Source12: README.etc
@@ -62,6 +66,8 @@ BuildArch: noarch
 
 Requires: p11-kit >= 0.17.3
 Requires: p11-kit-trust >= 0.17.3
+Requires: coreutils
+Requires(post): coreutils
 BuildRequires: perl
 BuildRequires: python
 BuildRequires: openssl
@@ -76,6 +82,8 @@ Mozilla Foundation for use with the Internet PKI.
 rm -rf %{name}
 mkdir %{name}
 mkdir %{name}/certs
+mkdir %{name}/certs/legacy-enable
+mkdir %{name}/certs/legacy-disable
 mkdir %{name}/java
 
 %build
@@ -103,6 +111,7 @@ EOF
    cat %{SOURCE1}  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
    echo '#';
  ) > %{trusted_all_bundle}
+ touch %{neutral_bundle}
  for f in certs/*.crt; do 
    echo "processing $f"
    tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
@@ -132,9 +141,45 @@ EOF
       openssl x509 -text -in "$f" >> %{neutral_bundle}
    fi
  done
- for p in certs/*.p11-kit; do 
-   cat "$p" >> %{bundle_supplement}
+
+ for f in certs/legacy-enable/*.crt; do 
+   echo "processing $f"
+   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
+   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+   targs=""
+   if [ -n "$tbits" ]; then
+      for t in $tbits; do
+         targs="${targs} -addtrust $t"
+      done
+   fi
+   if [ -n "$targs" ]; then
+      echo "legacy enable flags $targs for $f" >> info.trust
+      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle}
+   fi
  done
+
+ for f in certs/legacy-disable/*.crt; do 
+   echo "processing $f"
+   tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
+   alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
+   targs=""
+   if [ -n "$tbits" ]; then
+      for t in $tbits; do
+         targs="${targs} -addtrust $t"
+      done
+   fi
+   if [ -n "$targs" ]; then
+      echo "legacy disable flags $targs for $f" >> info.trust
+      openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
+   fi
+ done
+
+ P11FILES=`find certs -name *.p11-kit | wc -l`
+ if [ $P11FILES -ne 0 ]; then
+   for p in certs/*.p11-kit; do 
+     cat "$p" >> %{bundle_supplement}
+   done
+ fi
  # Append our trust fixes
  cat %{SOURCE3} >> %{bundle_supplement}
 popd
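Review bot: If `certs/legacy-enable/*.crt` or `certs/legacy-disable/*.crt` matches nothing, each new loop runs once with the literal pattern, `tbits` stays empty and nothing is ever appended to `%{legacy_enable_bundle}` / `%{legacy_disable_bundle}`, so the unconditional `install -p -m 644 %{name}/%{legacy_enable_bundle} …` in the later %install hunk fails the build. The neutral bundle already gets `touch %{neutral_bundle}` for exactly this case, so add `touch %{legacy_enable_bundle} %{legacy_disable_bundle}` before the new loops. `find certs -name *.p11-kit` leaves the glob unquoted, so the shell expands it first if a matching file exists in the current directory; write `find certs -name '*.p11-kit'`. The two new loops are identical apart from the directory, the bundle name and the info.trust label, so a small shell function taking those three arguments would avoid maintaining the same sed/openssl invocation three times (the original `certs/*.crt` loop above is the third copy).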
@@ -160,6 +205,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
 
@@ -175,14 +221,25 @@ install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
 install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
 install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
+
+install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
+
+install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf
+
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement}
 
+touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
+
 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
 install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
 
+install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy
+
 # touch ghosted files that will be extracted dynamically
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
@@ -250,6 +307,7 @@ fi
 #if [ $1 -gt 1 ] ; then
 #  # when upgrading or downgrading
 #fi
+%{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
 
@@ -271,6 +329,9 @@ fi
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
 %dir %{_datadir}/pki/ca-trust-source/blacklist
+%dir %{_datadir}/pki/ca-trust-legacy
+
+%config(noreplace) %{catrustdir}/ca-legacy.conf
 
 %{_mandir}/man8/update-ca-trust.8.gz
 %{_datadir}/pki/ca-trust-source/README
@@ -292,8 +353,12 @@ fi
 %{_datadir}/pki/ca-trust-source/%{trusted_all_bundle}
 %{_datadir}/pki/ca-trust-source/%{neutral_bundle}
 %{_datadir}/pki/ca-trust-source/%{bundle_supplement}
+%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle}
+%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
 # update/extract tool
 %{_bindir}/update-ca-trust
+%{_bindir}/ca-legacy
+%ghost %{catrustdir}/source/ca-bundle.legacy.crt
 # files extracted files
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
@@ -303,6 +368,14 @@ fi
 
 
 %changelog
+* Thu Nov 20 2014 Kai Engert <kaie at redhat.com> - 2014.2.1-1.5
+- Introduce the ca-legacy utility and a ca-legacy.conf configuration file.
+  By default, legacy roots required for OpenSSL/GnuTLS compatibility
+  are kept enabled. Using the ca-legacy utility, the legacy roots can be
+  disabled. If disabled, the system will use the trust set as provided
+  by the upstream Mozilla CA list. (See also: rhbz#1158197)
+- Includes the fixes for rhbz#1158343
+
 * Sun Sep 21 2014 Kai Engert <kaie at redhat.com> - 2014.2.1-1.1
 - Temporarily re-enable several legacy root CA certificates because of
   compatibility issues with software based on OpenSSL/GnuTLS,
diff --git a/ca-legacy b/ca-legacy
new file mode 100644
index 0000000..4b57fd8
--- /dev/null
+++ b/ca-legacy
@@ -0,0 +1,83 @@
+#!/bin/sh
+
+#set -vx
+
+LCFILE=/etc/pki/ca-trust/ca-legacy.conf
+LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
+LENABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
+LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
+
+do_grep()
+{
+    grep -i "^legacy *= *enable *$" $LCFILE >/dev/null 2>&1
+}
+
+do_check()
+{
+    do_grep
+    if [ $? -eq 0 ]; then
+        echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
+        LEXPECT=$LENABLE
+    else
+        echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
+        LEXPECT=$LDISABLE
+    fi
+    echo "Status of symbolic link $LLINK:"
+    readlink -v $LLINK
+}
+
+do_install()
+{
+    do_grep
+    if [ $? -eq 0 ]; then
+        # expression was found, legacy is enabled
+        ln -sf $LENABLE $LLINK
+    else
+        # not found, legacy is disabled
+        ln -sf $LDISABLE $LLINK
+    fi
+}
+
+do_enable()
+{
+    sed -i 's/^legacy *=.*$/legacy=enable/' $LCFILE
+    do_install
+    /usr/bin/update-ca-trust
+}
+
+do_disable()
+{
+    sed -i 's/^legacy *=.*$/legacy=disable/' $LCFILE
+    do_install
+    /usr/bin/update-ca-trust
+}
+
+do_help()
+{
+    echo "usage: $0 [check | enable | disable | install]"
+}
+
+if [[ $# -eq 0 ]]; then
+  # no parameters
+  do_help
+  exit $?
+fi
+
+if [[ "$1" = "install" ]]; then
+  do_install
+  exit $?
+fi
+
+if [[ "$1" = "enable" ]]; then
+  do_enable
+  exit $?
+fi
+if [[ "$1" = "disable" ]]; then
+  do_disable
+  exit $?
+fi
+
+if [[ "$1" = "check" ]]; then
+  do_check
+  exit $?
+fi
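Review bot: The dispatch at the end of the script uses `[[ … ]]` five times under `#!/bin/sh`; that is a bash extension, so either test with `[ "$1" = "install" ]` or change the shebang to `#!/bin/bash`. An unrecognised argument (including a typo for `disable`) falls off the end of the file and exits 0 without doing anything, which matters because %post relies on the `install` path; a `case` with a default arm that prints usage and exits non-zero makes the failure visible. `LEXPECT` in do_check is assigned but never read, so do_check could compare the output of `readlink $LLINK` against it and say whether the symlink matches the configured state. Quoting `"$LCFILE"` and `"$LLINK"` in the grep, sed, ln and readlink calls costs nothing.
```sh
# … unchanged: variable definitions, do_grep, do_check, do_install, do_enable, do_disable, do_help …

case "$1" in
  install) do_install ;;
  enable)  do_enable ;;
  disable) do_disable ;;
  check)   do_check ;;
  "")      do_help ;;
  *)       do_help >&2; exit 1 ;;
esac
```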
diff --git a/ca-legacy.conf b/ca-legacy.conf
new file mode 100644
index 0000000..e45c4a1
--- /dev/null
+++ b/ca-legacy.conf
@@ -0,0 +1,9 @@
+# legacy=enable :
+#   Certain legacy certs, that have been removed by upstream Mozilla,
+#   are still marked as trusted, if required for backwards compatibility
+#   with cryptographic libraries like openssl or gnutls.
+#
+# legacy=disable :
+#   Follow all removal decisions of upstream Mozilla CA maintainers
+#
+legacy=enable
diff --git a/certdata.txt b/certdata.txt
index f7acdd2..aa51afa 100644
--- a/certdata.txt
+++ b/certdata.txt
@@ -992,11 +992,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
 \272\277
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1288,10 +1289,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160
 \154\212\257
 END
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1839,12 +1842,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -1982,12 +1982,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -2125,12 +2122,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\001\001
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -3070,12 +3064,9 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\067\112\322\103
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@@ -18516,11 +18507,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
 \022\276
 END
-#temporarily re-enabled
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
-#temporarily re-enabled
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
diff --git a/certdata2pem.py b/certdata2pem.py
index 175de1a..23d3fd6 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -132,6 +132,18 @@ trust_types = {
   "CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
 }
 
+legacy_trust_types = {
+  "LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
+  "LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
+  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+}
+
+legacy_to_real_trust_types = {
+  "LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
+  "LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
+  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
+}
+
 openssl_trust = {
   "CKA_TRUST_SERVER_AUTH": "serverAuth",
   "CKA_TRUST_CLIENT_AUTH": "clientAuth",
@@ -147,6 +159,8 @@ for tobj in objects:
         distrustbits = []
         openssl_trustflags = []
         openssl_distrustflags = []
+        legacy_trustbits = []
+        legacy_openssl_trustflags = []
         for t in trust_types.keys():
             if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
                 trustbits.append(t)
@@ -157,6 +171,15 @@ for tobj in objects:
                 if t in openssl_trust:
                     openssl_distrustflags.append(openssl_trust[t])
 
+        for t in legacy_trust_types.keys():
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+                real_t = legacy_to_real_trust_types[t]
+                legacy_trustbits.append(real_t)
+                if real_t in openssl_trust:
+                    legacy_openssl_trustflags.append(openssl_trust[real_t])
+            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+                raise NotImplementedError, 'legacy distrust not supported.\n' + line
+
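Review bot: The new `raise NotImplementedError, 'legacy distrust not supported.\n' + line` reports `line`, but this code runs inside `for tobj in objects:` after the parse pass has finished, so if `line` is the parse loop's variable it names the last line of certdata.txt rather than the offending object; `tobj['CKA_LABEL']` would point at the right entry. The same applies to the `'found legacy trust without certificate.\n' + line` raise in the next hunk. Both also use the Python 2-only `raise X, msg` form where `raise NotImplementedError('…')` works everywhere.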
         fname = obj_to_filename(tobj)
         try:
             obj = certmap[key]
@@ -168,6 +191,26 @@ for tobj in objects:
         else:
             fname += ".p11-kit"
 
+        is_legacy = 0
+        if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'):
+            is_legacy = 1
+            if obj == None:
+                raise NotImplementedError, 'found legacy trust without certificate.\n' + line
+            legacy_fname = "legacy-enable/" + fname
+            f = open(legacy_fname, 'w')
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
+            if legacy_openssl_trustflags:
+                f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
+            f.write("-----BEGIN CERTIFICATE-----\n")
+            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+            f.write("\n-----END CERTIFICATE-----\n")
+            f.close()
+            if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'):
+                fname = "legacy-disable/" + fname
+            else:
+                continue
+
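Review bot: `if obj == None:` should be `if obj is None:`; the unchanged `if obj != None:` just below has the same form, but new code need not copy it. The `tobj.has_key(...)` chain repeats the keys that `legacy_trust_types` already lists, so `any(tobj.has_key(t) for t in legacy_trust_types)` keeps the two in sync, and the analogous chain on the real trust keys could iterate `legacy_to_real_trust_types.values()`. `is_legacy` is assigned here but not read anywhere visible in the hunk; if nothing after it uses the flag, drop it. The `continue` taken for a legacy-only certificate also skips the final `print " -> written as …"` line, so those files are written without a trace in the build log; a print inside the legacy branch would keep the log complete.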
         f = open(fname, 'w')
         if obj != None:
             f.write("# alias=%s\n"%tobj['CKA_LABEL'])
@@ -196,4 +239,5 @@ for tobj in objects:
             if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
               f.write("x-distrusted: true\n")
             f.write("\n\n")
+        f.close()
         print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
diff --git a/trust-fixes b/trust-fixes
index e675062..e69de29 100644
--- a/trust-fixes
+++ b/trust-fixes
@@ -1,8 +0,0 @@
-[p11-kit-object-v1]
-label: "Add missing BasicConstraints for Entrust root"
-id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
-class: x-certificate-extension
-object-id: 2.5.29.19
-x-critical: true
-value: "%30%03%01%01%FF"
-

