source: postlfs/security/cacerts.xml@ 2f8cc75

10.0 10.1 11.0 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 ken/refactor-virt krejzi/svn lazarus nosym perl-modules qt5new systemd-11177 systemd-13485 trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 2f8cc75 was 2f8cc75, checked in by Bruce Dubbs <bdubbs@…>, 9 years ago

Remove curlftpfs

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@10626 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 11.8 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY certhost "http://mxr.mozilla.org">
8 <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9 <!ENTITY ca-bundle-download "&certhost;&certdir;/certdata.txt?raw=1">
10 <!ENTITY ca-bundle-size "1.2 MB">
11 <!ENTITY cacerts-buildsize "1.2 MB">
12 <!ENTITY cacerts-time "less than 0.1 SBU">
13]>
14
15<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16 <?dbhtml filename="cacerts.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Certificate Authority Certificates</title>
24
25 <para>The Public Key Inrastructure is used for many security issues in a
26 Linux system. In order for a certificate to be trusted, it must be signed by
27 a trusted agent called a Certificate Authority (CA). The certificates loaded
28 by this section are from the list on the Mozilla version control system and
29 formats it into a form used by <xref linkend='openssl'/>. The certificates
30 can also be used by other applications either directly of indirectly through
31 <application>openssl</application>.</para>
32
33 &lfs72_checked;
34
35 <indexterm zone="cacerts">
36 <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37 </indexterm>
38
39 <sect2 role="package">
40 <title>Introduction to Certificate Authorities</title>
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46 </listitem>
47 <listitem>
48 <para>CA Bundle size: &ca-bundle-size;</para>
49 </listitem>
50 <listitem>
51 <para>Estimated disk space required: &cacerts-buildsize;</para>
52 </listitem>
53 <listitem>
54 <para>Estimated build time: &cacerts-time;</para>
55 </listitem>
56 </itemizedlist>
57
58 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
59
60 <bridgehead renderas="sect4">Required</bridgehead>
61 <para role="required"><xref linkend="openssl"/></para>
62
63 <bridgehead renderas="sect4">Optional</bridgehead>
64 <para role="optional"><xref linkend="wget"/></para>
65
66 <para condition="html" role="usernotes">User Notes:
67 <ulink url='&blfs-wiki;/cacerts'/></para>
68 </sect2>
69
70 <sect2 role="installation">
71 <title>Installation of Certificate Authority Certificates</title>
72
73 <para>First create a script to reformat a certificate into a
74 form needed by <application>openssl</application>. As the <systemitem
75 class="username">root</systemitem> user:</para>
76
77 <screen role="root"><userinput>cat > /bin/make-cert.pl &lt;&lt; "EOF"
78#!/usr/bin/perl -w
79
80# Used to generate PEM encoded files from Mozilla certdata.txt.
81# Run as ./mkcrt.pl > certificate.crt
82#
83# Parts of this script courtesy of RedHat (mkcabundle.pl)
84#
85# This script modified for use with single file data (tempfile.cer) extracted
86# from certdata.txt, taken from the latest version in the Mozilla NSS source.
87# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
88#
89# Authors: DJ Lucas
90# Bruce Dubbs
91#
92# Version 20120211
93
94my $certdata = './tempfile.cer';
95
96open( IN, "cat $certdata|" )
97 || die "could not open $certdata";
98
99my $incert = 0;
100
101while ( &lt;IN&gt; )
102{
103 if ( /^CKA_VALUE MULTILINE_OCTAL/ )
104 {
105 $incert = 1;
106 open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
107 || die "could not pipe to openssl x509";
108 }
109
110 elsif ( /^END/ &amp;&amp; $incert )
111 {
112 close( OUT );
113 $incert = 0;
114 print "\n\n";
115 }
116
117 elsif ($incert)
118 {
119 my @bs = split( /\\/ );
120 foreach my $b (@bs)
121 {
122 chomp $b;
123 printf( OUT "%c", oct($b) ) unless $b eq '';
124 }
125 }
126}
127EOF
128
129chmod +x /bin/make-cert.pl</userinput></screen>
130
131 <para>The following script creates the certificates and a bundle of all the
132 certificates. It creates a <filename class='directory'>./certs</filename>
133 directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
134 create this script as the <systemitem class="username">root</systemitem>
135 user:</para>
136
137 <screen role="root"><userinput>cat > /bin/make-ca.sh &lt;&lt; "EOF"
138#!/bin/bash
139# Begin make-ca.sh
140# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
141#
142# The file certdata.txt must exist in the local directory
143# Version number is obtained from the version of the data.
144#
145# Authors: DJ Lucas
146# Bruce Dubbs
147#
148# Version 20120211
149
150certdata="certdata.txt"
151
152if [ ! -r $certdata ]; then
153 echo "$certdata must be in the local directory"
154 exit 1
155fi
156
157REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
158
159if [ -z "${REVISION}" ]; then
160 echo "$certfile has no 'Revision' in CVS_ID"
161 exit 1
162fi
163
164VERSION=$(echo $REVISION | cut -f2 -d" ")
165
166TEMPDIR=$(mktemp -d)
167TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
168BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
169CONVERTSCRIPT="/bin/make-cert.pl"
170SSLDIR="/etc/ssl"
171
172mkdir "${TEMPDIR}/certs"
173
174# Get a list of staring lines for each cert
175CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
176
177# Get a list of ending lines for each cert
178CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
179
180# Start a loop
181for certbegin in ${CERTBEGINLIST}; do
182 for certend in ${CERTENDLIST}; do
183 if test "${certend}" -gt "${certbegin}"; then
184 break
185 fi
186 done
187
188 # Dump to a temp file with the name of the file as the beginning line number
189 sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
190done
191
192unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
193
194mkdir -p certs
195rm certs/* # Make sure the directory is clean
196
197for tempfile in ${TEMPDIR}/certs/*.tmp; do
198 # Make sure that the cert is trusted...
199 grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
200 egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
201
202 if test "${?}" = "0"; then
203 # Throw a meaningful error and remove the file
204 cp "${tempfile}" tempfile.cer
205 perl ${CONVERTSCRIPT} > tempfile.crt
206 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
207 echo "Certificate ${keyhash} is not trusted! Removing..."
208 rm -f tempfile.cer tempfile.crt "${tempfile}"
209 continue
210 fi
211
212 # If execution made it to here in the loop, the temp cert is trusted
213 # Find the cert data and generate a cert file for it
214
215 cp "${tempfile}" tempfile.cer
216 perl ${CONVERTSCRIPT} > tempfile.crt
217 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
218 mv tempfile.crt "certs/${keyhash}.pem"
219 rm -f tempfile.cer "${tempfile}"
220 echo "Created ${keyhash}.pem"
221done
222
223# Remove blacklisted files
224# MD5 Collision Proof of Concept CA
225if test -f certs/8f111d69.pem; then
226 echo "Certificate 8f111d69 is not trusted! Removing..."
227 rm -f certs/8f111d69.pem
228fi
229
230# Finally, generate the bundle and clean up.
231cat certs/*.pem > ${BUNDLE}
232rm -r "${TEMPDIR}"
233EOF
234
235chmod +x /bin/make-ca.sh</userinput></screen>
236
237 <para>Add a short script to remove expired certificates from a directory.
238 Again create this script as the <systemitem
239 class="username">root</systemitem> user:</para>
240
241 <screen role="root"><userinput>cat > /bin/remove-expired-certs.sh &lt;&lt; "EOF"
242#!/bin/bash
243# Begin /bin/remove-expired-certs.sh
244#
245# Version 20120211
246
247# Make sure the date is parsed correctly on all systems
248function mydate()
249{
250 local y=$( echo $1 | cut -d" " -f4 )
251 local M=$( echo $1 | cut -d" " -f1 )
252 local d=$( echo $1 | cut -d" " -f2 )
253 local m
254
255 if [ ${d} -lt 10 ]; then d="0${d}"; fi
256
257 case $M in
258 Jan) m="01";;
259 Feb) m="02";;
260 Mar) m="03";;
261 Apr) m="04";;
262 May) m="05";;
263 Jun) m="06";;
264 Jul) m="07";;
265 Aug) m="08";;
266 Sep) m="09";;
267 Oct) m="10";;
268 Nov) m="11";;
269 Dec) m="12";;
270 esac
271
272 certdate="${y}${m}${d}"
273}
274
275OPENSSL=/usr/bin/openssl
276DIR=/etc/ssl/certs
277
278if [ $# -gt 0 ]; then
279 DIR="$1"
280fi
281
282certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
283today=$( date +%Y%m%d )
284
285for cert in $certs; do
286 notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
287 date=$( echo ${notafter} | sed 's/^notAfter=//' )
288 mydate "$date"
289
290 if [ ${certdate} -lt ${today} ]; then
291 echo "${cert} expired on ${certdate}! Removing..."
292 rm -f "${cert}"
293 fi
294done
295EOF
296
297chmod +x /bin/remove-expired-certs.sh</userinput></screen>
298
299 <para>The following commands will fetch the certificates and convert them to
300 the correct format. If desired, a web browser may be used instead of
301 <application>wget</application> but the file will need to be saved with the
302 name <filename>certdata.txt</filename>. These commands can be repeated as
303 necessary to update the CA Certificates.</para>
304
305 <screen><userinput>certhost='http://mxr.mozilla.org' &amp;&amp;
306certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &amp;&amp;
307url="$certhost$certdir/certdata.txt?raw=1" &amp;&amp;
308
309wget --output-document certdata.txt $url &amp;&amp;
310unset certhost certdir url &amp;&amp;
311make-ca.sh &amp;&amp;
312remove-expired-certs.sh certs</userinput></screen>
313
314 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
315
316<screen role="root"><userinput>SSLDIR=/etc/ssl &amp;&amp;
317install -d ${SSLDIR}/certs &amp;&amp;
318cp -v certs/*.pem ${SSLDIR}/certs &amp;&amp;
319c_rehash &amp;&amp;
320install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &amp;&amp;
321unset SSLDIR</userinput></screen>
322
323 <para>Finally, clean up the current directory:</para>
324
325<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
326
327 </sect2>
328
329 <sect2 role="content">
330 <title>Contents</title>
331
332 <segmentedlist>
333 <segtitle>Installed Programs</segtitle>
334 <segtitle>Installed Libraries</segtitle>
335 <segtitle>Installed Directories</segtitle>
336
337 <seglistitem>
338 <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
339 <seg>None</seg>
340 <seg>/etc/ssl/certs</seg>
341 </seglistitem>
342 </segmentedlist>
343
344 <variablelist>
345 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
346 <?dbfo list-presentation="list"?>
347 <?dbhtml list-presentation="table"?>
348
349 <varlistentry id="make-ca">
350 <term><command>make-ca.sh</command></term>
351 <listitem>
352 <para>is a <application>bash</application> script that reformats
353 the <filename>certdata.txt</filename> file for use by
354 <application>openssl</application>.</para>
355 <indexterm zone="cacerts make-ca">
356 <primary sortas="b-make-ca">make-ca</primary>
357 </indexterm>
358 </listitem>
359 </varlistentry>
360
361 <varlistentry id="make-cert">
362 <term><command>make-cert.pl</command></term>
363 <listitem>
364 <para>is a utility <application>perl</application> script that
365 converts a single binary certificate (.der format) into .pem format.</para>
366 <indexterm zone="cacerts make-cert">
367 <primary sortas="b-make-cert">make-cert</primary>
368 </indexterm>
369 </listitem>
370 </varlistentry>
371
372 <varlistentry id="remove-expired-certs">
373 <term><command>remove-expired-certs.sh</command></term>
374 <listitem>
375 <para>is a utility <application>perl</application> script that
376 removes expired certificates from a directory. The default
377 directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
378 <indexterm zone="cacerts remove-expired-certs">
379 <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
380 </indexterm>
381 </listitem>
382 </varlistentry>
383 </variablelist>
384
385 </sect2>
386</sect1>
Note: See TracBrowser for help on using the repository browser.