r8598 - trunk/auxfiles

dj at linuxfromscratch.org dj at linuxfromscratch.org
Thu Sep 9 00:11:25 PDT 2010


Author: dj
Date: 2010-09-09 01:11:15 -0600 (Thu, 09 Sep 2010)
New Revision: 8598

Added:
   trunk/auxfiles/mkblfsca.sh
   trunk/auxfiles/mkcert.pl
Removed:
   trunk/auxfiles/makeblfscas.sh
   trunk/auxfiles/mkcabundle.pl
Log:
Updated BLFS-CA scripts to account for untrusted CAs.

Deleted: trunk/auxfiles/makeblfscas.sh
===================================================================
--- trunk/auxfiles/makeblfscas.sh	2010-09-08 06:26:20 UTC (rev 8597)
+++ trunk/auxfiles/makeblfscas.sh	2010-09-09 07:11:15 UTC (rev 8598)
@@ -1,62 +0,0 @@
-#!/bin/bash
-# Begin mkblfscas.sh
-# Script to populate  OpenSSL's CApath from a bundle of PEM formatted CAs
-
-# Version number is obtained from the version of nss.
-if test -z "${1}"
-then
-    VERSION="3.12.7.0"
-else
-  VERSION="${1}"
-fi
-
-TEMPDIR=`mktemp -d`
-CAFILE="${TEMPDIR}/ca-bundle.crt"
-TARBALL="${PWD}/BLFS-ca-bundle-${VERSION}.tar.bz2"
-CASCRIPT="./mkcabundle.pl"
-
-"${CASCRIPT}" > "${CAFILE}"
-
-mkdir "${TEMPDIR}/certs"
-
-# Get a list of staring lines for each cert
-CERTLIST=`grep -n "^Certificate:$" "${CAFILE}" | cut -d ":" -f 1`
-
-# Get a list of ending lines for each cert
-ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
-
-# Start a loop
-for certbegin in `echo "${CERTLIST}"`
-do
-  for certend in `echo "${ENDCERTLIST}"`
-  do
-    if test "${certend}" -gt "${certbegin}"
-    then
-      break
-    fi
-  done
-  sed -n "${certbegin},${certend}p" "${CAFILE}" > "${TEMPDIR}/certs/${certbegin}"
-  object=`grep -m 1 -o "O=.*, " "${TEMPDIR}/certs/${certbegin}" | sed -e 's at O=@@' -e 's@,.*@@'`
-  keyhash=`openssl x509 -noout -in "${TEMPDIR}/certs/${certbegin}" -hash`
-  if test -z "$object"
-  then
-      object="NO OBJECT PROVIDED IN DESCRIPTION"
-  fi
-  echo "generated PEM file with hash ${keyhash} for ${object}"
-  mv "${TEMPDIR}/certs/${certbegin}" "${TEMPDIR}/certs/${keyhash}.pem"
-done
-
-# Remove expired CAs
-if test -f "${TEMPDIR}/certs/8f111d69.pem"; then
-  rm "${TEMPDIR}/certs/8f111d69.pem"
-fi
-if test -f "${TEMPDIR}/certs/f2cce23a.pem"; then
-  rm "${TEMPDIR}/certs/f2cce23a.pem"
-fi
-
-cd "${TEMPDIR}"
-tar -jcf "${TARBALL}" certs/
-cd ..
-rm -r "${TEMPDIR}"
-
-# End mkblfscas.sh

Added: trunk/auxfiles/mkblfsca.sh
===================================================================
--- trunk/auxfiles/mkblfsca.sh	                        (rev 0)
+++ trunk/auxfiles/mkblfsca.sh	2010-09-09 07:11:15 UTC (rev 8598)
@@ -0,0 +1,82 @@
+#!/bin/bash
+# Begin mkblfscas.sh
+# Script to populate  OpenSSL's CApath from a bundle of PEM formatted CAs
+
+# Version number is obtained from the version of nss.
+if test -z "${1}"
+then
+    #rev 1.65
+    VERSION="3.12.8.0"
+else
+  VERSION="${1}"
+fi
+
+TEMPDIR=`mktemp -d`
+CERTDATA="certdata.txt"
+TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
+TARBALL="${PWD}/BLFS-ca-bundle-${VERSION}.tar.bz2"
+CONVERTSCRIPT="./mkcert.pl"
+
+mkdir "${TEMPDIR}/certs"
+
+# Get a list of staring lines for each cert
+CERTBEGINLIST=`grep -n "^# Certificate" "${CERTDATA}" | cut -d ":" -f 1`
+
+# Get a list of ending lines for each cert
+CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${CERTDATA}" | cut -d ":" -f 1`
+# Start a loop
+for certbegin in ${CERTBEGINLIST}
+do
+  for certend in ${CERTENDLIST}
+  do
+    if test "${certend}" -gt "${certbegin}"
+    then
+      break
+    fi
+  done
+  # Dump to a temp file with the name of the file as the beginning line number
+  sed -n "${certbegin},${certend}p" "${CERTDATA}" > "${TEMPDIR}/certs/${certbegin}.tmp"
+done
+unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
+
+mkdir -p certs
+
+for tempfile in ${TEMPDIR}/certs/*.tmp
+do
+ # Make sure that the cert is trusted...
+  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
+    grep "CKT_NETSCAPE_TRUST_UNKNOWN" > /dev/null
+  if test "${?}" = "0"
+  then
+    # Thow a meaningful error and remove the file
+    cp "${tempfile}" tempfile.cer
+    "${CONVERTSCRIPT}" > tempfile.crt
+    keyhash=`openssl x509 -noout -in tempfile.crt -hash`
+    echo "Certificate ${keyhash} is not trusted!  Removing..."
+    rm -f tempfile.cer tempfile.crt "${tempfile}"
+    continue
+  fi
+  # If execution made it to here in the loop, the temp cert is trusted
+  # Find the cert data and generate a cert file for it
+
+  cp "${tempfile}" tempfile.cer
+  "${CONVERTSCRIPT}" > tempfile.crt
+  keyhash=`openssl x509 -noout -in tempfile.crt -hash`
+  mv tempfile.crt "certs/${keyhash}.crt"
+  rm -f tempfile.cer "${tempfile}"
+  echo "Created ${keyhash}.crt"
+done
+
+# Remove blacklisted files
+# MD5 Collision Proof of Concept CA
+if test -f certs/8f111d69.crt
+then
+  echo "Certificate 8f111d69 is not trusted!  Removing..."
+  rm -f certs/8f111d69.crt
+fi
+
+# Finally, generate the tarball and clean up.
+tar -jcf ${TARBALL} certs/
+rm -r certs/
+rm -r "${TEMPDIR}"
+
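Review bot: The trust filter at the `grep` pair inside the `for tempfile` loop rejects a certificate only when its CKA_TRUST_SERVER_AUTH line reads CKT_NETSCAPE_TRUST_UNKNOWN, so any other value — including an explicitly distrusted entry, should certdata.txt carry one — falls through to the "trusted" path and lands in the bundle. A default-deny check that keeps only explicitly trusted delegators is safer and also puts the otherwise unused `TRUSTATTRIBUTES` variable to work: `if ! grep -q "^${TRUSTATTRIBUTES} .*CKT_NETSCAPE_TRUSTED_DELEGATOR" "${tempfile}"; then`, replacing the two `grep` lines and the `test "${?}"` line. Two smaller points in the same hunk: `tar -jcf ${TARBALL} certs/` leaves the only `${TARBALL}` expansion unquoted, so a `$PWD` containing whitespace breaks the archive step, and an empty `keyhash` (openssl rejecting the converted file) would be moved to `certs/.crt` unnoticed — a `test -n "${keyhash}"` guard before the `mv` would catch that.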


Property changes on: trunk/auxfiles/mkblfsca.sh
___________________________________________________________________
Added: svn:executable
   + *

Deleted: trunk/auxfiles/mkcabundle.pl
===================================================================
--- trunk/auxfiles/mkcabundle.pl	2010-09-08 06:26:20 UTC (rev 8597)
+++ trunk/auxfiles/mkcabundle.pl	2010-09-09 07:11:15 UTC (rev 8598)
@@ -1,47 +0,0 @@
-#!/usr/bin/perl -w
-#
-# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
-# Run as ./mkcabundle.pl > ca-bundle.crt
-#
-# This script courtesy of RedHat.  Latest version is avaliable from:
-# http://cvs.fedoraproject.org/viewvc/rpms/ca-certificates/devel/mkcabundle.pl
-#
-
-# This script modified to use a local copy of certdata.txt obtained from the 
-# latest version of the firefox source tree.  The certdata.txt file can be
-# found in mozilla-$version/security/nss/lib/ckfw/builtins/certdata.txt
-
-my $certdata = './certdata.txt';
-
-open(IN, "cat $certdata|")
-    || die "could not open  certdata.txt";
-
-my $incert = 0;
-
-print<<EOH;
-# This is a bundle of X.509 certificates of public Certificate
-# Authorities.  It was generated from the Mozilla root CA list.
-#
-# Source: $certdata
-#
-EOH
-
-while (<IN>) {
-    if (/^CKA_VALUE MULTILINE_OCTAL/) {
-        $incert = 1;
-        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
-            || die "could not pipe to openssl x509";
-    } elsif (/^END/ && $incert) {
-        close(OUT);
-        $incert = 0;
-        print "\n\n";
-    } elsif ($incert) {
-        my @bs = split(/\\/);
-        foreach my $b (@bs) {
-            chomp $b;
-            printf(OUT "%c", oct($b)) unless $b eq '';
-        }
-    } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
-        print "# Generated from certdata.txt RCS revision $1\n#\n";
-    }
-}

Added: trunk/auxfiles/mkcert.pl
===================================================================
--- trunk/auxfiles/mkcert.pl	                        (rev 0)
+++ trunk/auxfiles/mkcert.pl	2010-09-09 07:11:15 UTC (rev 8598)
@@ -0,0 +1,35 @@
+#!/usr/bin/perl -w
+#
+# Used to generate PEM encoded files from Mozilla certdata.txt.
+# Run as ./mkcrt.pl > certificate.crt
+#
+# Parts of this script courtesy of RedHat (mkcabundle.pl)
+#
+# This script modified for use with single file data (tempfile.cer) extracted
+# from certdata.txt, taken from the latest version in the Mozilla NSS source. 
+# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+
+my $certdata = './tempfile.cer';
+
+open(IN, "cat $certdata|")
+    || die "could not open $certdata";
+
+my $incert = 0;
+
+while (<IN>) {
+    if (/^CKA_VALUE MULTILINE_OCTAL/) {
+        $incert = 1;
+        open(OUT, "|openssl x509 -text -inform DER -fingerprint")
+            || die "could not pipe to openssl x509";
+    } elsif (/^END/ && $incert) {
+        close(OUT);
+        $incert = 0;
+        print "\n\n";
+    } elsif ($incert) {
+        my @bs = split(/\\/);
+        foreach my $b (@bs) {
+            chomp $b;
+            printf(OUT "%c", oct($b)) unless $b eq '';
+        }
+    } 
+}
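Review bot: The exit status of the `openssl x509` pipe opened on the `CKA_VALUE MULTILINE_OCTAL` branch is never checked — `close(OUT)` in the `^END` branch discards its return — so a DER blob that openssl rejects yields an empty or partial output while the script still exits 0, and the calling shell script cannot tell that the certificate was lost; `close(OUT) or die "openssl x509 failed on $certdata: $?";` would surface it. The input is also opened with the two-argument pipe form `open(IN, "cat $certdata|")` through a shell and a bareword handle; the path is a literal here, but a three-argument lexical open avoids the shell entirely: `open(my $in, '<', $certdata) or die "could not open $certdata: $!";` (with `<$in>` in the loop). The file has no `use strict; use warnings;`, and the usage comment names `./mkcrt.pl` while the file is `mkcert.pl`.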


Property changes on: trunk/auxfiles/mkcert.pl
___________________________________________________________________
Added: svn:executable
   + *



