Context Navigation

cacerts.xml@ 2fc4f2f

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 2fc4f2f was 2fc4f2f, checked in by Wayne Blaszczyk <wblaszcz@…>, 13 years ago

Added wget dependency to Certificate Authority Certificates.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@8925 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 11.1 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY certhost "http://mxr.mozilla.org">
8	<!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9	<!ENTITY ca-bundle-download "&certhost;&certdir;/certdata.txt?raw=1">
10	<!ENTITY ca-bundle-size "1.2 MB">
11	<!ENTITY cacerts-buildsize "1.2 MB">
12	<!ENTITY cacerts-time "less than 0.1 SBU">
13	]>
14
15	<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16	<?dbhtml filename="cacerts.html"?>
17
18	<sect1info>
19	<othername>$LastChangedBy$</othername>
20	<date>$Date$</date>
21	</sect1info>
22
23	<title>Certificate Authority Certificates</title>
24
25	<para>The Public Key Inrastructure is used for many security issues in a
26	Linux system. In order for a certificate to be trusted, it must be signed by
27	a trusted agent called a Certificate Authority (CA). The certificates loaded
28	by this section are from the list on the Mozilla version control system and
29	formats it into a form used by <xref linkend='openssl'/>. The certificates
30	can also be used by other applications either directly of indirectly through
31	<application>openssl</application>.</para>
32
33	&lfs70_checked;
34
35	<indexterm zone="cacerts">
36	<primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37	</indexterm>
38
39	<sect2 role="package">
40	<title>Introduction to Certificate Authorities</title>
41
42	<bridgehead renderas="sect3">Package Information</bridgehead>
43	<itemizedlist spacing="compact">
44	<listitem>
45	<para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46	</listitem>
47	<listitem>
48	<para>CA Bundle size: &ca-bundle-size;</para>
49	</listitem>
50	<listitem>
51	<para>Estimated disk space required: &cacerts-buildsize;</para>
52	</listitem>
53	<listitem>
54	<para>Estimated build time: &cacerts-time;</para>
55	</listitem>
56	</itemizedlist>
57
58	<bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
59
60	<bridgehead renderas="sect4">Required</bridgehead>
61	<para role="required"><xref linkend="openssl"/> and
62	<xref linkend="wget"/></para>
63
64	<para condition="html" role="usernotes">User Notes:
65	<ulink url='&blfs-wiki;/cacerts'/></para>
66	</sect2>
67
68	<sect2 role="installation">
69	<title>Installation of Certificate Authority Certificates</title>
70
71	<para>First create a script to reformat a certificate into a
72	form needed by <application>openssl</application>. As the <systemitem
73	class="username">root</systemitem> user:</para>
74
75	<screen><userinput>cat > /bin/make-cert.pl << "EOF"
76	#!/usr/bin/perl -w
77
78	# Used to generate PEM encoded files from Mozilla certdata.txt.
79	# Run as ./mkcrt.pl > certificate.crt
80	#
81	# Parts of this script courtesy of RedHat (mkcabundle.pl)
82	#
83	# This script modified for use with single file data (tempfile.cer) extracted
84	# from certdata.txt, taken from the latest version in the Mozilla NSS source.
85	# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
86	#
87	# Authors: DJ Lucas
88	# Bruce Dubbs
89
90	my $certdata = './tempfile.cer';
91
92	open( IN, "cat $certdata\|" )
93	\|\| die "could not open $certdata";
94
95	my $incert = 0;
96
97	while ( <IN> )
98	{
99	if ( /^CKA_VALUE MULTILINE_OCTAL/ )
100	{
101	$incert = 1;
102	open( OUT, "\|openssl x509 -text -inform DER -fingerprint" )
103	\|\| die "could not pipe to openssl x509";
104	}
105
106	elsif ( /^END/ && $incert )
107	{
108	close( OUT );
109	$incert = 0;
110	print "\n\n";
111	}
112
113	elsif ($incert)
114	{
115	my @bs = split( /\\/ );
116	foreach my $b (@bs)
117	{
118	chomp $b;
119	printf( OUT "%c", oct($b) ) unless $b eq '';
120	}
121	}
122	}
123	EOF
124
125	chmod +x /bin/make-cert.pl</userinput></screen>
126
127	<para>The following script creates the certificates and a bundle of all the
128	certificates. It creates a <filename class='directory'>./certs</filename>
129	directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
130	create this script as the <systemitem class="username">root</systemitem>
131	user:</para>
132
133	<screen><userinput>cat > /bin/make-ca.sh << "EOF"
134	#!/bin/bash
135	# Begin make-ca.sh
136	# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
137	#
138	# The file certdata.txt must exist in the local directory
139	# Version number is obtained from the version of the data.
140	#
141	# Authors: DJ Lucas
142	# Bruce Dubbs
143
144	certdata="certdata.txt"
145
146	if [ ! -r $certdata ]; then
147	echo "$certdata must be in the local directory"
148	exit 1
149	fi
150
151	REVISION=$(grep CVS_ID $certdata \| cut -f4 -d'$')
152
153	if [ -z "${REVISION}" ]; then
154	echo "$certfile has no 'Revision' in CVS_ID"
155	exit 1
156	fi
157
158	VERSION=$(echo $REVISION \| cut -f2 -d" ")
159
160	TEMPDIR=$(mktemp -d)
161	TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
162	BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
163	CONVERTSCRIPT="make-cert.pl"
164	SSLDIR="/etc/ssl"
165
166	mkdir "${TEMPDIR}/certs"
167
168	# Get a list of staring lines for each cert
169	CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" \| cut -d ":" -f1)
170
171	# Get a list of ending lines for each cert
172	CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" \| cut -d ":" -f 1`
173
174	# Start a loop
175	for certbegin in ${CERTBEGINLIST}; do
176	for certend in ${CERTENDLIST}; do
177	if test "${certend}" -gt "${certbegin}"; then
178	break
179	fi
180	done
181
182	# Dump to a temp file with the name of the file as the beginning line number
183	sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
184	done
185
186	unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
187
188	mkdir -p certs
189	rm certs/* # Make sure the directory is clean
190
191	for tempfile in ${TEMPDIR}/certs/*.tmp; do
192	# Make sure that the cert is trusted...
193	grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" \| \
194	grep "CKT_NETSCAPE_TRUST_UNKNOWN" > /dev/null
195
196	if test "${?}" = "0"; then
197	# Throw a meaningful error and remove the file
198	cp "${tempfile}" tempfile.cer
199	"${CONVERTSCRIPT}" > tempfile.crt
200	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
201	echo "Certificate ${keyhash} is not trusted! Removing..."
202	rm -f tempfile.cer tempfile.crt "${tempfile}"
203	continue
204	fi
205
206	# If execution made it to here in the loop, the temp cert is trusted
207	# Find the cert data and generate a cert file for it
208
209	cp "${tempfile}" tempfile.cer
210	"${CONVERTSCRIPT}" > tempfile.crt
211	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
212	mv tempfile.crt "certs/${keyhash}.pem"
213	rm -f tempfile.cer "${tempfile}"
214	echo "Created ${keyhash}.pem"
215	done
216
217	# Remove blacklisted files
218	# MD5 Collision Proof of Concept CA
219	if test -f certs/8f111d69.pem; then
220	echo "Certificate 8f111d69 is not trusted! Removing..."
221	rm -f certs/8f111d69.pem
222	fi
223
224	# Finally, generate the bundle and clean up.
225	cat certs/*.pem > ${BUNDLE}
226	rm -r "${TEMPDIR}"
227	EOF
228
229	chmod +x /bin/make-ca.sh</userinput></screen>
230
231	<para>Add a short script to remove expired certifictes from a directory.
232	Again create this script as the <systemitem
233	class="username">root</systemitem> user:</para>
234
235	<screen><userinput>cat > /bin/remove-expired-certs.sh << "EOF"
236	#!/bin/bash
237	# Begin /bin/remove-expired-certs.sh
238
239	OPENSSL=/usr/bin/openssl
240	DIR=/etc/ssl/certs
241
242	if [ $# -gt 0 ]; then
243	DIR="$1"
244	fi
245
246	certs=$( find ${DIR} -type f -name ".pem" -o -name ".crt" )
247	today=$( date +%Y%m%d )
248
249	for cert in $certs; do
250	notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
251	date=$( echo ${notafter} \| sed 's/^notAfter=//' )
252
253	if [ $( date -d "${date}" +%Y%m%d ) -lt ${today} ]; then
254	echo "${cert} is expired! Removing..."
255	rm -f "${cert}"
256	fi
257	done
258	EOF
259
260	chmod +x /bin/remove-expired-certs.sh</userinput></screen>
261
262	<para>The following commands will fetch the certificates and convert them to
263	the correct format. If desired, a web browser may be used instead of
264	<application>wget</application> but the file will need to be saved with the
265	name <filename>certdata.txt</filename>. These commands can be repeated as
266	necessary to update the CA Certificates.</para>
267
268	<screen><userinput>certhost='http://mxr.mozilla.org' &&
269	certdir='/mozilla/source/security/nss/lib/ckfw/builtins' &&
270	url="$certhost$certdir/certdata.txt?raw=1" &&
271
272	wget --output-document certdata.txt $url &&
273	unset certhost certdir url &&
274	make-ca.sh &&
275	remove-expired-certs.sh certs</userinput></screen>
276
277	<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
278
279	<screen><userinput>SSLDIR=/etc/ssl &&
280	install -d ${SSLDIR}/certs &&
281	cp -v certs/*.pem ${SSLDIR}/certs &&
282	c_rehash &&
283	install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
284	unset SSLDIR</userinput></screen>
285
286	<para>Finally, clean up the current directory:</para>
287
288	<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
289
290	</sect2>
291
292	<sect2 role="content">
293	<title>Contents</title>
294
295	<segmentedlist>
296	<segtitle>Installed Programs</segtitle>
297	<segtitle>Installed Libraries</segtitle>
298	<segtitle>Installed Directories</segtitle>
299
300	<seglistitem>
301	<seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
302	<seg>None</seg>
303	<seg>/etc/ssl/certs</seg>
304	</seglistitem>
305	</segmentedlist>
306
307	<variablelist>
308	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
309	<?dbfo list-presentation="list"?>
310	<?dbhtml list-presentation="table"?>
311
312	<varlistentry id="make-ca">
313	<term><command>make-ca.sh</command></term>
314	<listitem>
315	<para>is a <application>bash</application> script that reformats
316	the <filename>certdata.txt</filename> file for use by
317	<application>openssl</application>.</para>
318	<indexterm zone="cacerts make-ca">
319	<primary sortas="b-make-ca">make-ca</primary>
320	</indexterm>
321	</listitem>
322	</varlistentry>
323
324	<varlistentry id="make-cert">
325	<term><command>make-cert.pl</command></term>
326	<listitem>
327	<para>is a utility <application>perl</application> script that
328	converts a single binary certificate (.der format) into .pem format.</para>
329	<indexterm zone="cacerts make-cert">
330	<primary sortas="b-make-cert">make-cert</primary>
331	</indexterm>
332	</listitem>
333	</varlistentry>
334
335	<varlistentry id="remove-expired-certs">
336	<term><command>remove-expired-certs.sh</command></term>
337	<listitem>
338	<para>is a utility <application>perl</application> script that
339	removed expired certificates fom a directory. The defaut
340	directory is <filename class='directory'>/etc/ssl/ceerts</filename>.</para>
341	<indexterm zone="cacerts remove-expired-certs">
342	<primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
343	</indexterm>
344	</listitem>
345	</varlistentry>
346	</variablelist>
347
348	</sect2>
349	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/cacerts.xml@ 2fc4f2f

Download in other formats: