PR#3: Extract certificate bundle in EDK2 format - rpms/ca-certificates

rpms / ca-certificates

#3 Extract certificate bundle in EDK2 format

Merged 5 years ago by kengert. Opened 5 years ago by ueno.

rpms/ ueno/ca-certificates master into master

Extract certificate bundle in EDK2 format

Daiki Ueno • 5 years ago

6220683

README.edk2

file added

+13

		`@@ -0,0 +1,13 @@`
		`+ This directory /etc/pki/ca-trust/extracted/edk2/ contains a`
		`+ CA certificate bundle file which is automatically created`
		`+ based on the information found in the`
		`+ /usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/`
		`+ directories.`
		`+`
		`+ The file is in the EDK2 (EFI Development Kit II) file format.`
		`+`
		`+ Please never manually edit the files stored in this directory,`
		`+ because your changes will be lost and the files automatically overwritten,`
		`+ each time the update-ca-trust command gets executed.`
		`+`
		`+ Please refer to the update-ca-trust(8) manual page for additional information.`

ca-certificates.spec

file modified

+13 -3

		`@@ -38,7 +38,7 @@`
		`Version: 2018.2.24`
		`# for Rawhide, please always use release >= 2`
		`# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)`
		`- Release: 3%{?dist}`
		`+ Release: 4%{?dist}`
		`License: Public Domain`

		`Group: System Environment/Base`
		`@@ -60,7 +60,8 @@`
		`Source14: README.java`
		`Source15: README.openssl`
		`Source16: README.pem`
		`- Source17: README.src`
		`+ Source17: README.edk2`
		`+ Source18: README.src`

		`BuildArch: noarch`

		`@@ -189,6 +190,7 @@`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java`
		`+ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors`
		`mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist`
		`@@ -204,7 +206,8 @@`
		`install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README`
		`install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README`
		`install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README`
		`- install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README`
		`+ install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README`
		`+ install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README`

		`install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}`

		`@@ -236,6 +239,8 @@`
		`chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`
		`touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}`
		`chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}`
		`+ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin`
		`+ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin`

		`# /etc/ssl/certs symlink for 3rd-party tools`
		`ln -s ../pki/tls/certs \`
		`@@ -337,6 +342,7 @@`
		`%{catrustdir}/extracted/java/README`
		`%{catrustdir}/extracted/openssl/README`
		`%{catrustdir}/extracted/pem/README`
		`+ %{catrustdir}/extracted/edk2/README`
		`%{catrustdir}/source/README`

		`# symlinks for old locations`
		`@@ -362,9 +368,13 @@`
		`%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem`
		`%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}`
		`%ghost %{catrustdir}/extracted/%{java_bundle}`
		`+ %ghost %{catrustdir}/extracted/edk2/cacerts.bin`


		`%changelog`
		`+ * Mon Jun 11 2018 Daiki Ueno <dueno@redhat.com> - 2018.2.24-4`
		`+ - Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek`
		`+`
		`* Mon Jun 04 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-3`
		`- Adjust ghost file permissions, rhbz#1564432`

update-ca-trust

file modified

		`@@ -19,3 +19,4 @@`
		`/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem`
		`/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem`
		`/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts`
		`+ /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin`

update-ca-trust.8.txt

file modified

		`@@ -202,6 +202,15 @@`
		`File objsign-ca-bundle.pem contains CA certificates`
		`trusted for code signing.`

		`+ The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA`
		`+ certificate bundle ("cacerts.bin") in the "sequence of`
		`+ EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,`
		`+ sections "31.4.1 Signature Database" and`
		`+ "EFI_CERT_X509_GUID". Distrust information cannot be represented in`
		`+ this file format, and distrusted certificates are missing from these`
		`+ files. File "cacerts.bin" contains CA certificates trusted for TLS`
		`+ server authentication.`
		`+`

		`COMMANDS`
		`--------`

ueno commented 5 years ago

This patch makes update-ca-trust extract an EDK2 certificate bundle. Note that this requires p11-kit >= 0.23.10, which is currently available in rawhide only.

Originally requested in:
https://bugzilla.redhat.com/show_bug.cgi?id=1559580