Context Navigation

cacerts.xml@ 2f8cc75

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 2f8cc75 was 2f8cc75, checked in by Bruce Dubbs <bdubbs@…>, 12 years ago

Remove curlftpfs

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10626 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 11.8 KB

Rev	Line
[c9b953e6]	1	<?xml version="1.0" encoding="ISO-8859-1"?>
	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
	7	<!ENTITY certhost "http://mxr.mozilla.org">
	8	<!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
	9	<!ENTITY ca-bundle-download "&certhost;&certdir;/certdata.txt?raw=1">
	10	<!ENTITY ca-bundle-size "1.2 MB">
	11	<!ENTITY cacerts-buildsize "1.2 MB">
	12	<!ENTITY cacerts-time "less than 0.1 SBU">
	13	]>
	14
	15	<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
	16	<?dbhtml filename="cacerts.html"?>
	17
	18	<sect1info>
	19	<othername>$LastChangedBy$</othername>
	20	<date>$Date$</date>
	21	</sect1info>
	22
	23	<title>Certificate Authority Certificates</title>
	24
	25	<para>The Public Key Inrastructure is used for many security issues in a
	26	Linux system. In order for a certificate to be trusted, it must be signed by
	27	a trusted agent called a Certificate Authority (CA). The certificates loaded
	28	by this section are from the list on the Mozilla version control system and
	29	formats it into a form used by <xref linkend='openssl'/>. The certificates
	30	can also be used by other applications either directly of indirectly through
	31	<application>openssl</application>.</para>
	32
[2f8cc75]	33	&lfs72_checked;
[c9b953e6]	34
	35	<indexterm zone="cacerts">
	36	<primary sortas="a-cacerts">Certificate Authority Certificates</primary>
	37	</indexterm>
	38
	39	<sect2 role="package">
	40	<title>Introduction to Certificate Authorities</title>
	41
	42	<bridgehead renderas="sect3">Package Information</bridgehead>
	43	<itemizedlist spacing="compact">
	44	<listitem>
	45	<para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
	46	</listitem>
	47	<listitem>
	48	<para>CA Bundle size: &ca-bundle-size;</para>
	49	</listitem>
	50	<listitem>
	51	<para>Estimated disk space required: &cacerts-buildsize;</para>
	52	</listitem>
	53	<listitem>
	54	<para>Estimated build time: &cacerts-time;</para>
	55	</listitem>
	56	</itemizedlist>
	57
	58	<bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
	59
	60	<bridgehead renderas="sect4">Required</bridgehead>
[afc3f45]	61	<para role="required"><xref linkend="openssl"/></para>
	62
	63	<bridgehead renderas="sect4">Optional</bridgehead>
	64	<para role="optional"><xref linkend="wget"/></para>
[c9b953e6]	65
	66	<para condition="html" role="usernotes">User Notes:
	67	<ulink url='&blfs-wiki;/cacerts'/></para>
	68	</sect2>
	69
	70	<sect2 role="installation">
	71	<title>Installation of Certificate Authority Certificates</title>
	72
	73	<para>First create a script to reformat a certificate into a
	74	form needed by <application>openssl</application>. As the <systemitem
	75	class="username">root</systemitem> user:</para>
	76
[de5068d]	77	<screen role="root"><userinput>cat > /bin/make-cert.pl << "EOF"
[c9b953e6]	78	#!/usr/bin/perl -w
	79
	80	# Used to generate PEM encoded files from Mozilla certdata.txt.
	81	# Run as ./mkcrt.pl > certificate.crt
	82	#
	83	# Parts of this script courtesy of RedHat (mkcabundle.pl)
	84	#
	85	# This script modified for use with single file data (tempfile.cer) extracted
	86	# from certdata.txt, taken from the latest version in the Mozilla NSS source.
	87	# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
	88	#
	89	# Authors: DJ Lucas
	90	# Bruce Dubbs
[fe54f243]	91	#
	92	# Version 20120211
[c9b953e6]	93
	94	my $certdata = './tempfile.cer';
	95
	96	open( IN, "cat $certdata\|" )
	97	\|\| die "could not open $certdata";
	98
	99	my $incert = 0;
	100
[9a1c6a74]	101	while ( <IN> )
[c9b953e6]	102	{
[9a1c6a74]	103	if ( /^CKA_VALUE MULTILINE_OCTAL/ )
[c9b953e6]	104	{
	105	$incert = 1;
	106	open( OUT, "\|openssl x509 -text -inform DER -fingerprint" )
	107	\|\| die "could not pipe to openssl x509";
[9a1c6a74]	108	}
	109
	110	elsif ( /^END/ && $incert )
[c9b953e6]	111	{
	112	close( OUT );
	113	$incert = 0;
	114	print "\n\n";
[9a1c6a74]	115	}
	116
	117	elsif ($incert)
[c9b953e6]	118	{
	119	my @bs = split( /\\/ );
[9a1c6a74]	120	foreach my $b (@bs)
[c9b953e6]	121	{
	122	chomp $b;
	123	printf( OUT "%c", oct($b) ) unless $b eq '';
	124	}
	125	}
	126	}
	127	EOF
	128
	129	chmod +x /bin/make-cert.pl</userinput></screen>
	130
	131	<para>The following script creates the certificates and a bundle of all the
	132	certificates. It creates a <filename class='directory'>./certs</filename>
	133	directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
	134	create this script as the <systemitem class="username">root</systemitem>
	135	user:</para>
	136
[de5068d]	137	<screen role="root"><userinput>cat > /bin/make-ca.sh << "EOF"
[c9b953e6]	138	#!/bin/bash
	139	# Begin make-ca.sh
	140	# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
	141	#
	142	# The file certdata.txt must exist in the local directory
	143	# Version number is obtained from the version of the data.
	144	#
	145	# Authors: DJ Lucas
	146	# Bruce Dubbs
[fe54f243]	147	#
	148	# Version 20120211
[c9b953e6]	149
	150	certdata="certdata.txt"
	151
	152	if [ ! -r $certdata ]; then
	153	echo "$certdata must be in the local directory"
	154	exit 1
	155	fi
	156
	157	REVISION=$(grep CVS_ID $certdata \| cut -f4 -d'$')
	158
	159	if [ -z "${REVISION}" ]; then
	160	echo "$certfile has no 'Revision' in CVS_ID"
	161	exit 1
	162	fi
	163
	164	VERSION=$(echo $REVISION \| cut -f2 -d" ")
	165
	166	TEMPDIR=$(mktemp -d)
	167	TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
	168	BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
[9a1c6a74]	169	CONVERTSCRIPT="/bin/make-cert.pl"
[c9b953e6]	170	SSLDIR="/etc/ssl"
	171
	172	mkdir "${TEMPDIR}/certs"
	173
	174	# Get a list of staring lines for each cert
	175	CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" \| cut -d ":" -f1)
	176
	177	# Get a list of ending lines for each cert
	178	CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" \| cut -d ":" -f 1`
	179
	180	# Start a loop
	181	for certbegin in ${CERTBEGINLIST}; do
	182	for certend in ${CERTENDLIST}; do
	183	if test "${certend}" -gt "${certbegin}"; then
	184	break
	185	fi
	186	done
	187
	188	# Dump to a temp file with the name of the file as the beginning line number
	189	sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
	190	done
	191
	192	unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
	193
	194	mkdir -p certs
	195	rm certs/* # Make sure the directory is clean
	196
	197	for tempfile in ${TEMPDIR}/certs/*.tmp; do
	198	# Make sure that the cert is trusted...
	199	grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" \| \
[fe54f243]	200	egrep "TRUST_UNKNOWN\|NOT_TRUSTED" > /dev/null
[c9b953e6]	201
	202	if test "${?}" = "0"; then
	203	# Throw a meaningful error and remove the file
	204	cp "${tempfile}" tempfile.cer
[9a1c6a74]	205	perl ${CONVERTSCRIPT} > tempfile.crt
[c9b953e6]	206	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
	207	echo "Certificate ${keyhash} is not trusted! Removing..."
	208	rm -f tempfile.cer tempfile.crt "${tempfile}"
	209	continue
	210	fi
	211
	212	# If execution made it to here in the loop, the temp cert is trusted
	213	# Find the cert data and generate a cert file for it
	214
	215	cp "${tempfile}" tempfile.cer
[9a1c6a74]	216	perl ${CONVERTSCRIPT} > tempfile.crt
[c9b953e6]	217	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
	218	mv tempfile.crt "certs/${keyhash}.pem"
	219	rm -f tempfile.cer "${tempfile}"
	220	echo "Created ${keyhash}.pem"
	221	done
	222
	223	# Remove blacklisted files
	224	# MD5 Collision Proof of Concept CA
	225	if test -f certs/8f111d69.pem; then
	226	echo "Certificate 8f111d69 is not trusted! Removing..."
	227	rm -f certs/8f111d69.pem
	228	fi
	229
	230	# Finally, generate the bundle and clean up.
	231	cat certs/*.pem > ${BUNDLE}
	232	rm -r "${TEMPDIR}"
	233	EOF
	234
	235	chmod +x /bin/make-ca.sh</userinput></screen>
	236
[6ad29d3]	237	<para>Add a short script to remove expired certificates from a directory.
[f216c56]	238	Again create this script as the <systemitem
	239	class="username">root</systemitem> user:</para>
	240
[de5068d]	241	<screen role="root"><userinput>cat > /bin/remove-expired-certs.sh << "EOF"
[f216c56]	242	#!/bin/bash
	243	# Begin /bin/remove-expired-certs.sh
[fe54f243]	244	#
	245	# Version 20120211
	246
	247	# Make sure the date is parsed correctly on all systems
	248	function mydate()
	249	{
	250	local y=$( echo $1 \| cut -d" " -f4 )
	251	local M=$( echo $1 \| cut -d" " -f1 )
	252	local d=$( echo $1 \| cut -d" " -f2 )
	253	local m
	254
[f42ffb8a]	255	if [ ${d} -lt 10 ]; then d="0${d}"; fi
	256
[fe54f243]	257	case $M in
	258	Jan) m="01";;
	259	Feb) m="02";;
	260	Mar) m="03";;
	261	Apr) m="04";;
	262	May) m="05";;
	263	Jun) m="06";;
	264	Jul) m="07";;
	265	Aug) m="08";;
	266	Sep) m="09";;
	267	Oct) m="10";;
	268	Nov) m="11";;
	269	Dec) m="12";;
	270	esac
	271
	272	certdate="${y}${m}${d}"
	273	}
[f216c56]	274
	275	OPENSSL=/usr/bin/openssl
	276	DIR=/etc/ssl/certs
	277
	278	if [ $# -gt 0 ]; then
	279	DIR="$1"
	280	fi
	281
	282	certs=$( find ${DIR} -type f -name ".pem" -o -name ".crt" )
	283	today=$( date +%Y%m%d )
	284
	285	for cert in $certs; do
	286	notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
	287	date=$( echo ${notafter} \| sed 's/^notAfter=//' )
[f42ffb8a]	288	mydate "$date"
[f216c56]	289
[fe54f243]	290	if [ ${certdate} -lt ${today} ]; then
[f42ffb8a]	291	echo "${cert} expired on ${certdate}! Removing..."
[f216c56]	292	rm -f "${cert}"
	293	fi
	294	done
	295	EOF
	296
	297	chmod +x /bin/remove-expired-certs.sh</userinput></screen>
	298
[c9b953e6]	299	<para>The following commands will fetch the certificates and convert them to
	300	the correct format. If desired, a web browser may be used instead of
	301	<application>wget</application> but the file will need to be saved with the
	302	name <filename>certdata.txt</filename>. These commands can be repeated as
	303	necessary to update the CA Certificates.</para>
	304
	305	<screen><userinput>certhost='http://mxr.mozilla.org' &&
	306	certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
	307	url="$certhost$certdir/certdata.txt?raw=1" &&
	308
	309	wget --output-document certdata.txt $url &&
	310	unset certhost certdir url &&
[f216c56]	311	make-ca.sh &&
	312	remove-expired-certs.sh certs</userinput></screen>
[c9b953e6]	313
	314	<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
	315
[de5068d]	316	<screen role="root"><userinput>SSLDIR=/etc/ssl &&
[f216c56]	317	install -d ${SSLDIR}/certs &&
	318	cp -v certs/*.pem ${SSLDIR}/certs &&
	319	c_rehash &&
	320	install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
	321	unset SSLDIR</userinput></screen>
[c9b953e6]	322
	323	<para>Finally, clean up the current directory:</para>
	324
	325	<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
	326
	327	</sect2>
	328
	329	<sect2 role="content">
	330	<title>Contents</title>
	331
	332	<segmentedlist>
	333	<segtitle>Installed Programs</segtitle>
	334	<segtitle>Installed Libraries</segtitle>
	335	<segtitle>Installed Directories</segtitle>
	336
	337	<seglistitem>
[f216c56]	338	<seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
[c9b953e6]	339	<seg>None</seg>
	340	<seg>/etc/ssl/certs</seg>
	341	</seglistitem>
	342	</segmentedlist>
	343
	344	<variablelist>
	345	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	346	<?dbfo list-presentation="list"?>
	347	<?dbhtml list-presentation="table"?>
	348
	349	<varlistentry id="make-ca">
	350	<term><command>make-ca.sh</command></term>
	351	<listitem>
	352	<para>is a <application>bash</application> script that reformats
	353	the <filename>certdata.txt</filename> file for use by
	354	<application>openssl</application>.</para>
	355	<indexterm zone="cacerts make-ca">
	356	<primary sortas="b-make-ca">make-ca</primary>
	357	</indexterm>
	358	</listitem>
	359	</varlistentry>
	360
	361	<varlistentry id="make-cert">
	362	<term><command>make-cert.pl</command></term>
	363	<listitem>
[9a1c6a74]	364	<para>is a utility <application>perl</application> script that
[c9b953e6]	365	converts a single binary certificate (.der format) into .pem format.</para>
	366	<indexterm zone="cacerts make-cert">
	367	<primary sortas="b-make-cert">make-cert</primary>
	368	</indexterm>
	369	</listitem>
	370	</varlistentry>
[f216c56]	371
	372	<varlistentry id="remove-expired-certs">
	373	<term><command>remove-expired-certs.sh</command></term>
	374	<listitem>
[9a1c6a74]	375	<para>is a utility <application>perl</application> script that
[068c8df]	376	removes expired certificates from a directory. The default
[6ad29d3]	377	directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
[f216c56]	378	<indexterm zone="cacerts remove-expired-certs">
	379	<primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
	380	</indexterm>
	381	</listitem>
	382	</varlistentry>
[c9b953e6]	383	</variablelist>
	384
	385	</sect2>
	386	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/cacerts.xml@ 2f8cc75

Download in other formats: