From e24bfeb6b00079064aa36f3a6c37ecfd036b7043 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Oct 28 2014 19:54:15 +0000 Subject: - Introduce the ca-legacy utility and a ca-legacy.conf configuration file. By default, legacy roots required for OpenSSL/GnuTLS compatibility are kept enabled. Using the ca-legacy utility, the legacy roots can be disabled. If disabled, the system will use the trust set as provided by the upstream Mozilla CA list. (See also: rhbz#1158197) --- diff --git a/ca-certificates.spec b/ca-certificates.spec index d8eba55..681c416 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -2,6 +2,8 @@ %define catrustdir %{_sysconfdir}/pki/ca-trust %define classic_tls_bundle ca-bundle.crt %define trusted_all_bundle ca-bundle.trust.crt +%define legacy_enable_bundle ca-bundle.legacy.enable.crt +%define legacy_disable_bundle ca-bundle.legacy.disable.crt %define neutral_bundle ca-bundle.neutral-trust.crt %define bundle_supplement ca-bundle.supplement.p11-kit %define java_bundle java/cacerts @@ -37,7 +39,7 @@ Name: ca-certificates Version: 2014.2.1 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 3%{?dist} +Release: 4%{?dist} License: Public Domain Group: System Environment/Base @@ -49,6 +51,8 @@ Source1: nssckbi.h Source2: update-ca-trust Source3: trust-fixes Source4: certdata2pem.py +Source5: ca-legacy.conf +Source6: ca-legacy Source10: update-ca-trust.8.txt Source11: README.usr Source12: README.etc @@ -76,6 +80,8 @@ Mozilla Foundation for use with the Internet PKI. rm -rf %{name} mkdir %{name} mkdir %{name}/certs +mkdir %{name}/certs/legacy-enable +mkdir %{name}/certs/legacy-disable mkdir %{name}/java %build 
@@ -103,6 +109,7 @@ EOF cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}'; echo '#'; ) > %{trusted_all_bundle} + touch %{neutral_bundle} for f in certs/*.crt; do echo "processing $f" tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` @@ -132,9 +139,45 @@ EOF openssl x509 -text -in "$f" >> %{neutral_bundle} fi done - for p in certs/*.p11-kit; do - cat "$p" >> %{bundle_supplement} + + for f in certs/legacy-enable/*.crt; do + echo "processing $f" + tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` + alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'` + targs="" + if [ -n "$tbits" ]; then + for t in $tbits; do + targs="${targs} -addtrust $t" + done + fi + if [ -n "$targs" ]; then + echo "legacy enable flags $targs for $f" >> info.trust + openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_enable_bundle} + fi done + + for f in certs/legacy-disable/*.crt; do + echo "processing $f" + tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f` + alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'` + targs="" + if [ -n "$tbits" ]; then + for t in $tbits; do + targs="${targs} -addtrust $t" + done + fi + if [ -n "$targs" ]; then + echo "legacy disable flags $targs for $f" >> info.trust + openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle} + fi + done + + P11FILES=`find certs -name *.p11-kit | wc -l` + if [ $P11FILES -ne 0 ]; then + for p in certs/*.p11-kit; do + cat "$p" >> %{bundle_supplement} + done + fi # Append our trust fixes cat %{SOURCE3} >> %{bundle_supplement} popd 
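Review bot: The new `find certs -name *.p11-kit | wc -l` leaves the `-name` pattern unquoted, so if the build directory itself ever holds a `*.p11-kit` file the shell expands the glob before find sees it and the count behind the `-ne 0` guard is wrong; quote it as `find certs -name '*.p11-kit'`. The two new legacy loops only ever append with `>>`, so if certdata.txt someday yields no object for legacy-enable/ or legacy-disable/ that bundle is never created and the unconditional `install -p` in %install fails — the `touch %{neutral_bundle}` added in the previous hunk solves exactly this for the neutral bundle, so add `touch %{legacy_enable_bundle} %{legacy_disable_bundle}` beside it. The legacy-enable and legacy-disable loops are copies of the certs/*.crt loop above differing only in directory, info.trust label and output bundle; one shell function taking those three as arguments would keep the alias/trust parsing from drifting between the three copies. The %build section starts before this hunk.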
@@ -160,6 +203,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist +mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 
@@ -175,14 +219,25 @@ install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README install -p -m 644 %{name}/%{trusted_all_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} install -p -m 644 %{name}/%{neutral_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle} install -p -m 644 %{name}/%{bundle_supplement} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement} + +install -p -m 644 %{name}/%{legacy_enable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle} +install -p -m 644 %{name}/%{legacy_disable_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle} + +install -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{catrustdir}/ca-legacy.conf + touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{neutral_bundle} touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supplement} +touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle} +touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle} + # TODO: consider to dynamically create the update-ca-trust script from within # this .spec file, in order to have the output file+directory names at once place only. install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust +install -p -m 755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/ca-legacy + # touch ghosted files that will be extracted dynamically touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem @@ -250,6 +305,7 @@ fi #if [ $1 -gt 1 ] ; then # # when upgrading or downgrading #fi +%{_bindir}/ca-legacy install %{_bindir}/update-ca-trust 
@@ -272,6 +328,9 @@ fi %dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/blacklist +%dir %{_datadir}/pki/ca-trust-legacy + +%config(noreplace) %{catrustdir}/ca-legacy.conf %{_mandir}/man8/update-ca-trust.8.gz %{_datadir}/pki/ca-trust-source/README @@ -293,8 +352,12 @@ fi %{_datadir}/pki/ca-trust-source/%{trusted_all_bundle} %{_datadir}/pki/ca-trust-source/%{neutral_bundle} %{_datadir}/pki/ca-trust-source/%{bundle_supplement} +%{_datadir}/pki/ca-trust-legacy/%{legacy_enable_bundle} +%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle} # update/extract tool %{_bindir}/update-ca-trust +%{_bindir}/ca-legacy +%ghost %{catrustdir}/source/ca-bundle.legacy.crt # files extracted files %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem @@ -304,6 +367,13 @@ fi %changelog +* Tue Oct 28 2014 Kai Engert - 2014.2.1-4 +- Introduce the ca-legacy utility and a ca-legacy.conf configuration file. + By default, legacy roots required for OpenSSL/GnuTLS compatibility + are kept enabled. Using the ca-legacy utility, the legacy roots can be + disabled. If disabled, the system will use the trust set as provided + by the upstream Mozilla CA list. (See also: rhbz#1158197) + * Sun Sep 21 2014 Kai Engert - 2014.2.1-3 - Temporarily re-enable several legacy root CA certificates because of compatibility issues with software based on OpenSSL/GnuTLS, diff --git a/ca-legacy b/ca-legacy new file mode 100644 index 0000000..4b57fd8 --- /dev/null +++ b/ca-legacy 
@@ -0,0 +1,83 @@
+#!/bin/sh
+
+#set -vx
+
+LCFILE=/etc/pki/ca-trust/ca-legacy.conf
+LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
+LENABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.enable.crt
+LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
+
+do_grep()
+{
+ grep -i "^legacy *= *enable *$" $LCFILE >/dev/null 2>&1
+}
+
+do_check()
+{
+ do_grep
+ if [ $? -eq 0 ]; then
+ echo "Legacy CAs are set to ENABLED in file $LCFILE (affects install/upgrade)"
+ LEXPECT=$LENABLE
+ else
+ echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
+ LEXPECT=$LDISABLE
+ fi
+ echo "Status of symbolic link $LLINK:"
+ readlink -v $LLINK
+}
+
+do_install()
+{
+ do_grep
+ if [ $? -eq 0 ]; then
+ # expression was found, legacy is enabled
+ ln -sf $LENABLE $LLINK
+ else
+ # not found, legacy is disabled
+ ln -sf $LDISABLE $LLINK
+ fi
+}
+
+do_enable()
+{
+ sed -i 's/^legacy *=.*$/legacy=enable/' $LCFILE
+ do_install
+ /usr/bin/update-ca-trust
+}
+
+do_disable()
+{
+ sed -i 's/^legacy *=.*$/legacy=disable/' $LCFILE
+ do_install
+ /usr/bin/update-ca-trust
+}
+
+do_help()
+{
+ echo "usage: $0 [check | enable | disable | install]"
+}
+
+if [[ $# -eq 0 ]]; then
+ # no parameters
+ do_help
+ exit $?
+fi
+
+if [[ "$1" = "install" ]]; then
+ do_install
+ exit $?
+fi
+
+if [[ "$1" = "enable" ]]; then
+ do_enable
+ exit $?
+fi
+if [[ "$1" = "disable" ]]; then
+ do_disable
+ exit $?
+fi
+
+if [[ "$1" = "check" ]]; then
+ do_check
+ exit $?
+fi
diff --git a/ca-legacy.conf b/ca-legacy.conf
new file mode 100644
index 0000000..e45c4a1
--- /dev/null
+++ b/ca-legacy.conf
@@ -0,0 +1,9 @@
+# legacy=enable :
+# Certain legacy certs, that have been removed by upstream Mozilla,
+# are still marked as trusted, if required for backwards compatibility
+# with cryptographic libraries like openssl or gnutls.
+#
+# legacy=disable :
+# Follow all removal decisions of upstream Mozilla CA maintainers
+#
+legacy=enable
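Review bot: `do_enable` and `do_disable` return success whenever update-ca-trust succeeds, even when the `sed -i 's/^legacy *=.*$/legacy=.../'` matched nothing, so a ca-legacy.conf whose `legacy=` line was deleted or spelled `Legacy = Enable` (accepted by the case-insensitive `grep -i` in do_grep, but not rewritten by the case-sensitive sed) still has legacy roots enabled after `ca-legacy disable` exits 0. An unrecognized subcommand such as `ca-legacy disbale` likewise exits 0 with no output, and the `[[ ... ]]` tests are bash syntax under a `#!/bin/sh` shebang. Verify the file state after the rewrite and fail loudly otherwise, and dispatch with a POSIX `case` that sends anything unrecognized to do_help with a non-zero status:
```shell
set_legacy()
{
    # $1 is "enable" or "disable".  Rewrite the setting, then refuse to
    # report success unless the file really ends up in that state: the
    # case-insensitive grep in do_grep accepts "Legacy = Enable", but the
    # case-sensitive sed below does not rewrite it.
    sed -i "s/^legacy *=.*\$/legacy=$1/" "$LCFILE" || exit 1
    if ! grep -q "^legacy=$1\$" "$LCFILE"; then
        echo "ca-legacy: could not set legacy=$1 in $LCFILE" >&2
        exit 1
    fi
    do_install
    /usr/bin/update-ca-trust
}

do_enable()  { set_legacy enable; }
do_disable() { set_legacy disable; }

# … unchanged: do_help …

case "$1" in
    install) do_install ;;
    enable)  do_enable ;;
    disable) do_disable ;;
    check)   do_check ;;
    *)       do_help; exit 2 ;;
esac
```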
diff --git a/certdata.txt b/certdata.txt index f7acdd2..aa51afa 100644 --- a/certdata.txt +++ b/certdata.txt @@ -992,11 +992,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314 \272\277 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1288,10 +1289,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\021\000\271\057\140\314\210\237\241\172\106\011\270\133\160 \154\212\257 END +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
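Review bot: The added `LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST` line in the second hunk is inert: certdata2pem.py in this same commit only acts on LEGACY_ keys whose value is CKT_NSS_TRUSTED_DELEGATOR and raises on CKT_NSS_NOT_TRUSTED, so the object is processed identically with or without it. Keeping it as a statement of intent is fine, but the LEGACY_ prefix is a local extension of the upstream certdata.txt format and nothing in the file says so; a comment next to the first such group, e.g. `# LEGACY_CKA_TRUST_* is a local extension: certdata2pem.py uses it (only when set to CKT_NSS_TRUSTED_DELEGATOR) for the legacy-enable bundle; the CKA_TRUST_* lines below are what the upstream list says.`, would tell the next person merging upstream why these lines exist and must be carried forward. Any other consumer of this certdata.txt that does not know the prefix would presumably choke on or silently drop these attributes — worth confirming before the file is reused elsewhere.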
@@ -1839,12 +1842,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -1982,12 +1982,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -2125,12 +2122,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # 
@@ -3070,12 +3064,9 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\067\112\322\103 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # @@ -18516,11 +18507,12 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277 \022\276 END -#temporarily re-enabled -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR -#temporarily re-enabled -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE # diff --git a/certdata2pem.py b/certdata2pem.py index 175de1a..23d3fd6 100644 --- a/certdata2pem.py +++ b/certdata2pem.py 
@@ -132,6 +132,18 @@ trust_types = { "CKA_TRUST_STEP_UP_APPROVED": "step-up-approved", } +legacy_trust_types = { + "LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth", + "LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing", + "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection", +} + +legacy_to_real_trust_types = { + "LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH", + "LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING", + "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION", +} + openssl_trust = { "CKA_TRUST_SERVER_AUTH": "serverAuth", "CKA_TRUST_CLIENT_AUTH": "clientAuth", @@ -147,6 +159,8 @@ for tobj in objects: distrustbits = [] openssl_trustflags = [] openssl_distrustflags = [] + legacy_trustbits = [] + legacy_openssl_trustflags = [] for t in trust_types.keys(): if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': trustbits.append(t) @@ -157,6 +171,15 @@ for tobj in objects: if t in openssl_trust: openssl_distrustflags.append(openssl_trust[t]) + for t in legacy_trust_types.keys(): + if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR': + real_t = legacy_to_real_trust_types[t] + legacy_trustbits.append(real_t) + if real_t in openssl_trust: + legacy_openssl_trustflags.append(openssl_trust[real_t]) + if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED': + raise NotImplementedError, 'legacy distrust not supported.\n' + line + fname = obj_to_filename(tobj) try: obj = certmap[key] 
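Review bot: The new `raise NotImplementedError, 'legacy distrust not supported.\n' + line` names `line`, which — if it is the loop variable of the parser above this hunk — still holds the last line read from certdata.txt and says nothing about the offending object; `tobj['CKA_LABEL']` is what the rest of the script uses to identify an object, so `raise NotImplementedError, 'legacy distrust not supported for %s' % tobj['CKA_LABEL']` would point at the right certificate. The guard is also one-sided: it rejects CKT_NSS_NOT_TRUSTED on a LEGACY_ key but accepts an object whose real CKA_TRUST_* is NOT_TRUSTED while its LEGACY_ twin is TRUSTED_DELEGATOR, which the legacy-enable write later in this loop would turn into a trusted entry with no distrust marker; `if legacy_trustbits and distrustbits:` deserves the same raise, assuming `distrustbits` is filled from the NOT_TRUSTED branch just above as the final print suggests. The enclosing `for tobj in objects:` loop starts before this hunk.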
@@ -168,6 +191,26 @@ for tobj in objects: else: fname += ".p11-kit" + is_legacy = 0 + if tobj.has_key('LEGACY_CKA_TRUST_SERVER_AUTH') or tobj.has_key('LEGACY_CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('LEGACY_CKA_TRUST_CODE_SIGNING'): + is_legacy = 1 + if obj == None: + raise NotImplementedError, 'found legacy trust without certificate.\n' + line + legacy_fname = "legacy-enable/" + fname + f = open(legacy_fname, 'w') + f.write("# alias=%s\n"%tobj['CKA_LABEL']) + f.write("# trust=" + " ".join(legacy_trustbits) + "\n") + if legacy_openssl_trustflags: + f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n") + f.write("-----BEGIN CERTIFICATE-----\n") + f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + f.write("\n-----END CERTIFICATE-----\n") + f.close() + if tobj.has_key('CKA_TRUST_SERVER_AUTH') or tobj.has_key('CKA_TRUST_EMAIL_PROTECTION') or tobj.has_key('CKA_TRUST_CODE_SIGNING'): + fname = "legacy-disable/" + fname + else: + continue + f = open(fname, 'w') if obj != None: f.write("# alias=%s\n"%tobj['CKA_LABEL']) @@ -196,4 +239,5 @@ for tobj in objects: if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'): f.write("x-distrusted: true\n") f.write("\n\n") + f.close() print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
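Review bot: When an object carries only LEGACY_ keys the new `continue` leaves the loop before the trailing `print " -> written as ..."`, so the build log never records that a legacy-enable file was produced for it or which trust bits went in, while info.trust in the spec does; a `print " -> legacy-enable written as '%s', trust = %s" % (legacy_fname, legacy_trustbits)` right after the legacy file is closed keeps the two in step for both the legacy-only and the legacy-disable cases. The legacy file is also written with a bare open/close pair, so an exception in one of the writes leaves the handle open; the file already relies on Python 2 (`raise X, msg`, `has_key`), and `with open(legacy_fname, 'w') as f:` is available from 2.6, which I assume is the floor here. The `for tobj in objects:` loop and the `.p11-kit` branch this falls into continue outside the hunk.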