source: postlfs/security/cacerts.xml@ 0134954

10.0 10.1 11.0 7.10 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind ken/refactor-virt lazarus nosym perl-modules qt5new trunk xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 0134954 was 0134954, checked in by Bruce Dubbs <bdubbs@…>, 5 years ago

Initial 7.10 tags; only 765 to go

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@17651 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 12.5 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY certhost "http://mxr.mozilla.org">
8 <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
10 <!ENTITY ca-bundle-size "1.6 MB">
11 <!ENTITY cacerts-buildsize "6 MB">
12 <!ENTITY cacerts-time "0.1 SBU">
13]>
14
15<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16 <?dbhtml filename="cacerts.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Certificate Authority Certificates</title>
24
25 <para>The Public Key Infrastructure is used for many security issues in a
26 Linux system. In order for a certificate to be trusted, it must be signed by
27 a trusted agent called a Certificate Authority (CA). The certificates loaded
28 by this section are from the list on the Mozilla version control system and
29 formats it into a form used by <xref linkend='openssl'/>. The certificates
30 can also be used by other applications either directly of indirectly through
31 <application>openssl</application>.</para>
32
33 &lfs7a_checked;
34
35 <indexterm zone="cacerts">
36 <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37 </indexterm>
38
39 <sect2 role="package">
40 <title>Introduction to Certificate Authorities</title>
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46 </listitem>
47 <listitem>
48 <para>CA Certificate size: &ca-bundle-size;</para>
49 </listitem>
50 <listitem>
51 <para>Estimated disk space required: &cacerts-buildsize;</para>
52 </listitem>
53 <listitem>
54 <para>Estimated build time: &cacerts-time;</para>
55 </listitem>
56 </itemizedlist>
57
58 <note><para>The certfile.txt file above is actually retrieved from <ulink
59 url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
60 It is really an HTML file, but the text file can be retrieved indirectly
61 from the HTML file. The Download URL above automates that process and also
62 adds a line where the date can be extracted as a revision number by the
63 scripts below.</para></note>
64
65 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
66
67 <bridgehead renderas="sect4">Required</bridgehead>
68 <para role="required"><xref linkend="openssl"/></para>
69
70 <bridgehead renderas="sect4">Recommended</bridgehead>
71 <para role="recommended"><xref linkend="wget"/></para>
72
73 <para condition="html" role="usernotes">User Notes:
74 <ulink url='&blfs-wiki;/cacerts'/></para>
75 </sect2>
76
77 <sect2 role="installation">
78 <title>Installation of Certificate Authority Certificates</title>
79
80 <para>First create a script to reformat a certificate into a
81 form needed by <application>openssl</application>. As the <systemitem
82 class="username">root</systemitem> user:</para>
83
84<screen role="root"><userinput>cat > /usr/bin/make-cert.pl &lt;&lt; "EOF"
85<literal>#!/usr/bin/perl -w
86
87# Used to generate PEM encoded files from Mozilla certdata.txt.
88# Run as ./make-cert.pl > certificate.crt
89#
90# Parts of this script courtesy of RedHat (mkcabundle.pl)
91#
92# This script modified for use with single file data (tempfile.cer) extracted
93# from certdata.txt, taken from the latest version in the Mozilla NSS source.
94# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
95#
96# Authors: DJ Lucas
97# Bruce Dubbs
98#
99# Version 20120211
100
101my $certdata = './tempfile.cer';
102
103open( IN, "cat $certdata|" )
104 || die "could not open $certdata";
105
106my $incert = 0;
107
108while ( &lt;IN&gt; )
109{
110 if ( /^CKA_VALUE MULTILINE_OCTAL/ )
111 {
112 $incert = 1;
113 open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
114 || die "could not pipe to openssl x509";
115 }
116
117 elsif ( /^END/ &amp;&amp; $incert )
118 {
119 close( OUT );
120 $incert = 0;
121 print "\n\n";
122 }
123
124 elsif ($incert)
125 {
126 my @bs = split( /\\/ );
127 foreach my $b (@bs)
128 {
129 chomp $b;
130 printf( OUT "%c", oct($b) ) unless $b eq '';
131 }
132 }
133}</literal>
134EOF
135
136chmod +x /usr/bin/make-cert.pl</userinput></screen>
137
138 <para>The following script creates the certificates and a bundle of all the
139 certificates. It creates a <filename class='directory'>./certs</filename>
140 directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
141 create this script as the <systemitem class="username">root</systemitem>
142 user:</para>
143
144<screen role="root"><userinput>cat > /usr/bin/make-ca.sh &lt;&lt; "EOF"
145<literal>#!/bin/sh
146# Begin make-ca.sh
147# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
148#
149# The file certdata.txt must exist in the local directory
150# Version number is obtained from the version of the data.
151#
152# Authors: DJ Lucas
153# Bruce Dubbs
154#
155# Version 20120211
156
157# Some data in the certs have UTF-8 characters
158export LANG=en_US.utf8
159
160certdata="certdata.txt"
161
162if [ ! -r $certdata ]; then
163 echo "$certdata must be in the local directory"
164 exit 1
165fi
166
167REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
168
169if [ -z "${REVISION}" ]; then
170 echo "$certfile has no 'Revision' in CVS_ID"
171 exit 1
172fi
173
174VERSION=$(echo $REVISION | cut -f2 -d" ")
175
176TEMPDIR=$(mktemp -d)
177TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
178BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
179CONVERTSCRIPT="/usr/bin/make-cert.pl"
180SSLDIR="/etc/ssl"
181
182mkdir "${TEMPDIR}/certs"
183
184# Get a list of starting lines for each cert
185CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
186
187# Get a list of ending lines for each cert
188CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
189
190# Start a loop
191for certbegin in ${CERTBEGINLIST}; do
192 for certend in ${CERTENDLIST}; do
193 if test "${certend}" -gt "${certbegin}"; then
194 break
195 fi
196 done
197
198 # Dump to a temp file with the name of the file as the beginning line number
199 sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
200done
201
202unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
203
204mkdir -p certs
205rm -f certs/* # Make sure the directory is clean
206
207for tempfile in ${TEMPDIR}/certs/*.tmp; do
208 # Make sure that the cert is trusted...
209 grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
210 egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
211
212 if test "${?}" = "0"; then
213 # Throw a meaningful error and remove the file
214 cp "${tempfile}" tempfile.cer
215 perl ${CONVERTSCRIPT} > tempfile.crt
216 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
217 echo "Certificate ${keyhash} is not trusted! Removing..."
218 rm -f tempfile.cer tempfile.crt "${tempfile}"
219 continue
220 fi
221
222 # If execution made it to here in the loop, the temp cert is trusted
223 # Find the cert data and generate a cert file for it
224
225 cp "${tempfile}" tempfile.cer
226 perl ${CONVERTSCRIPT} > tempfile.crt
227 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
228 mv tempfile.crt "certs/${keyhash}.pem"
229 rm -f tempfile.cer "${tempfile}"
230 echo "Created ${keyhash}.pem"
231done
232
233# Remove blacklisted files
234# MD5 Collision Proof of Concept CA
235if test -f certs/8f111d69.pem; then
236 echo "Certificate 8f111d69 is not trusted! Removing..."
237 rm -f certs/8f111d69.pem
238fi
239
240# Finally, generate the bundle and clean up.
241cat certs/*.pem > ${BUNDLE}
242rm -r "${TEMPDIR}"</literal>
243EOF
244
245chmod +x /usr/bin/make-ca.sh</userinput></screen>
246
247 <para>Add a short script to remove expired certificates from a directory.
248 Again create this script as the <systemitem
249 class="username">root</systemitem> user:</para>
250
251<screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh &lt;&lt; "EOF"
252<literal>#!/bin/sh
253# Begin /usr/sbin/remove-expired-certs.sh
254#
255# Version 20120211
256
257# Make sure the date is parsed correctly on all systems
258mydate()
259{
260 local y=$( echo $1 | cut -d" " -f4 )
261 local M=$( echo $1 | cut -d" " -f1 )
262 local d=$( echo $1 | cut -d" " -f2 )
263 local m
264
265 if [ ${d} -lt 10 ]; then d="0${d}"; fi
266
267 case $M in
268 Jan) m="01";;
269 Feb) m="02";;
270 Mar) m="03";;
271 Apr) m="04";;
272 May) m="05";;
273 Jun) m="06";;
274 Jul) m="07";;
275 Aug) m="08";;
276 Sep) m="09";;
277 Oct) m="10";;
278 Nov) m="11";;
279 Dec) m="12";;
280 esac
281
282 certdate="${y}${m}${d}"
283}
284
285OPENSSL=/usr/bin/openssl
286DIR=/etc/ssl/certs
287
288if [ $# -gt 0 ]; then
289 DIR="$1"
290fi
291
292certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
293today=$( date +%Y%m%d )
294
295for cert in $certs; do
296 notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
297 date=$( echo ${notafter} | sed 's/^notAfter=//' )
298 mydate "$date"
299
300 if [ ${certdate} -lt ${today} ]; then
301 echo "${cert} expired on ${certdate}! Removing..."
302 rm -f "${cert}"
303 fi
304done</literal>
305EOF
306
307chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen>
308
309 <para>The following commands will fetch the certificates and convert them to
310 the correct format. If desired, a web browser may be used instead of
311 <application>wget</application> but the file will need to be saved with the
312 name <filename>certdata.txt</filename>. These commands can be repeated as
313 necessary to update the CA Certificates.</para>
314
315 <screen><userinput>URL=&sources-anduin-http;/other/certdata.txt &amp;&amp;
316rm -f certdata.txt &amp;&amp;
317wget $URL &amp;&amp;
318make-ca.sh &amp;&amp;
319unset URL</userinput></screen>
320
321 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
322
323<screen role="root"><userinput>SSLDIR=/etc/ssl &amp;&amp;
324remove-expired-certs.sh certs &amp;&amp;
325install -d ${SSLDIR}/certs &amp;&amp;
326cp -v certs/*.pem ${SSLDIR}/certs &amp;&amp;
327c_rehash &amp;&amp;
328install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &amp;&amp;
329ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &amp;&amp;
330unset SSLDIR</userinput></screen>
331
332 <para>Finally, clean up the current directory:</para>
333
334<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
335
336 <para>After installing or updating certificates, if OpenJDK is installed,
337 update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
338
339
340 </sect2>
341
342 <sect2 role="content">
343 <title>Contents</title>
344
345 <segmentedlist>
346 <segtitle>Installed Programs</segtitle>
347 <segtitle>Installed Libraries</segtitle>
348 <segtitle>Installed Directories</segtitle>
349
350 <seglistitem>
351 <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
352 <seg>None</seg>
353 <seg>/etc/ssl/certs</seg>
354 </seglistitem>
355 </segmentedlist>
356
357 <variablelist>
358 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
359 <?dbfo list-presentation="list"?>
360 <?dbhtml list-presentation="table"?>
361
362 <varlistentry id="make-ca">
363 <term><command>make-ca.sh</command></term>
364 <listitem>
365 <para>is a shell script that reformats
366 the <filename>certdata.txt</filename> file for use by
367 <application>openssl</application>.</para>
368 <indexterm zone="cacerts make-ca">
369 <primary sortas="b-make-ca">make-ca</primary>
370 </indexterm>
371 </listitem>
372 </varlistentry>
373
374 <varlistentry id="make-cert">
375 <term><command>make-cert.pl</command></term>
376 <listitem>
377 <para>is a utility <application>perl</application> script that
378 converts a single binary certificate (.der format) into .pem format.</para>
379 <indexterm zone="cacerts make-cert">
380 <primary sortas="b-make-cert">make-cert</primary>
381 </indexterm>
382 </listitem>
383 </varlistentry>
384
385 <varlistentry id="remove-expired-certs">
386 <term><command>remove-expired-certs.sh</command></term>
387 <listitem>
388 <para>is a utility shell script that
389 removes expired certificates from a directory. The default
390 directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
391 <indexterm zone="cacerts remove-expired-certs">
392 <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
393 </indexterm>
394 </listitem>
395 </varlistentry>
396 </variablelist>
397
398 </sect2>
399</sect1>
Note: See TracBrowser for help on using the repository browser.