source: postlfs/security/cacerts.xml@ 316a7a46

10.0 10.1 11.0 7.10 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind ken/refactor-virt lazarus nosym perl-modules qt5new trunk upgradedb xry111/git-date xry111/git-date-for-trunk xry111/git-date-test
Last change on this file since 316a7a46 was 316a7a46, checked in by Bruce Dubbs <bdubbs@…>, 6 years ago

Update to KDE Frameworks 5.18.0

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@16800 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 12.4 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY certhost "http://mxr.mozilla.org">
8 <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
10 <!ENTITY ca-bundle-size "1.6 MB">
11 <!ENTITY cacerts-buildsize "6 MB">
12 <!ENTITY cacerts-time "0.1 SBU">
13]>
14
15<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16 <?dbhtml filename="cacerts.html"?>
17
18 <sect1info>
19 <othername>$LastChangedBy$</othername>
20 <date>$Date$</date>
21 </sect1info>
22
23 <title>Certificate Authority Certificates</title>
24
25 <para>The Public Key Infrastructure is used for many security issues in a
26 Linux system. In order for a certificate to be trusted, it must be signed by
27 a trusted agent called a Certificate Authority (CA). The certificates loaded
28 by this section are from the list on the Mozilla version control system and
29 formats it into a form used by <xref linkend='openssl'/>. The certificates
30 can also be used by other applications either directly of indirectly through
31 <application>openssl</application>.</para>
32
33 &lfs78_checked;
34
35 <indexterm zone="cacerts">
36 <primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37 </indexterm>
38
39 <sect2 role="package">
40 <title>Introduction to Certificate Authorities</title>
41
42 <bridgehead renderas="sect3">Package Information</bridgehead>
43 <itemizedlist spacing="compact">
44 <listitem>
45 <para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46 </listitem>
47 <listitem>
48 <para>CA Certificate size: &ca-bundle-size;</para>
49 </listitem>
50 <listitem>
51 <para>Estimated disk space required: &cacerts-buildsize;</para>
52 </listitem>
53 <listitem>
54 <para>Estimated build time: &cacerts-time;</para>
55 </listitem>
56 </itemizedlist>
57
58 <note><para>The certfile.txt file above is actually retrieved from <ulink
59 url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
60 It is really an HTML file, but the text file can be retrieved indirectly
61 from the HTML file. The Download URL above automates that process and also
62 adds a line where the date can be extracted as a revision number by the
63 scripts below.</para></note>
64
65 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
66
67 <bridgehead renderas="sect4">Required</bridgehead>
68 <para role="required"><xref linkend="openssl"/></para>
69
70 <bridgehead renderas="sect4">Recommended</bridgehead>
71 <para role="recommended"><xref linkend="wget"/></para>
72
73 <para condition="html" role="usernotes">User Notes:
74 <ulink url='&blfs-wiki;/cacerts'/></para>
75 </sect2>
76
77 <sect2 role="installation">
78 <title>Installation of Certificate Authority Certificates</title>
79
80 <para>First create a script to reformat a certificate into a
81 form needed by <application>openssl</application>. As the <systemitem
82 class="username">root</systemitem> user:</para>
83
84<screen role="root"><userinput>cat > /usr/bin/make-cert.pl &lt;&lt; "EOF"
85<literal>#!/usr/bin/perl -w
86
87# Used to generate PEM encoded files from Mozilla certdata.txt.
88# Run as ./make-cert.pl > certificate.crt
89#
90# Parts of this script courtesy of RedHat (mkcabundle.pl)
91#
92# This script modified for use with single file data (tempfile.cer) extracted
93# from certdata.txt, taken from the latest version in the Mozilla NSS source.
94# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
95#
96# Authors: DJ Lucas
97# Bruce Dubbs
98#
99# Version 20120211
100
101my $certdata = './tempfile.cer';
102
103open( IN, "cat $certdata|" )
104 || die "could not open $certdata";
105
106my $incert = 0;
107
108while ( &lt;IN&gt; )
109{
110 if ( /^CKA_VALUE MULTILINE_OCTAL/ )
111 {
112 $incert = 1;
113 open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
114 || die "could not pipe to openssl x509";
115 }
116
117 elsif ( /^END/ &amp;&amp; $incert )
118 {
119 close( OUT );
120 $incert = 0;
121 print "\n\n";
122 }
123
124 elsif ($incert)
125 {
126 my @bs = split( /\\/ );
127 foreach my $b (@bs)
128 {
129 chomp $b;
130 printf( OUT "%c", oct($b) ) unless $b eq '';
131 }
132 }
133}</literal>
134EOF
135
136chmod +x /usr/bin/make-cert.pl</userinput></screen>
137
138 <para>The following script creates the certificates and a bundle of all the
139 certificates. It creates a <filename class='directory'>./certs</filename>
140 directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
141 create this script as the <systemitem class="username">root</systemitem>
142 user:</para>
143
144<screen role="root"><userinput>cat > /usr/bin/make-ca.sh &lt;&lt; "EOF"
145<literal>#!/bin/sh
146# Begin make-ca.sh
147# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
148#
149# The file certdata.txt must exist in the local directory
150# Version number is obtained from the version of the data.
151#
152# Authors: DJ Lucas
153# Bruce Dubbs
154#
155# Version 20120211
156
157certdata="certdata.txt"
158
159if [ ! -r $certdata ]; then
160 echo "$certdata must be in the local directory"
161 exit 1
162fi
163
164REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
165
166if [ -z "${REVISION}" ]; then
167 echo "$certfile has no 'Revision' in CVS_ID"
168 exit 1
169fi
170
171VERSION=$(echo $REVISION | cut -f2 -d" ")
172
173TEMPDIR=$(mktemp -d)
174TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
175BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
176CONVERTSCRIPT="/usr/bin/make-cert.pl"
177SSLDIR="/etc/ssl"
178
179mkdir "${TEMPDIR}/certs"
180
181# Get a list of starting lines for each cert
182CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
183
184# Get a list of ending lines for each cert
185CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
186
187# Start a loop
188for certbegin in ${CERTBEGINLIST}; do
189 for certend in ${CERTENDLIST}; do
190 if test "${certend}" -gt "${certbegin}"; then
191 break
192 fi
193 done
194
195 # Dump to a temp file with the name of the file as the beginning line number
196 sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
197done
198
199unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
200
201mkdir -p certs
202rm -f certs/* # Make sure the directory is clean
203
204for tempfile in ${TEMPDIR}/certs/*.tmp; do
205 # Make sure that the cert is trusted...
206 grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
207 egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
208
209 if test "${?}" = "0"; then
210 # Throw a meaningful error and remove the file
211 cp "${tempfile}" tempfile.cer
212 perl ${CONVERTSCRIPT} > tempfile.crt
213 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
214 echo "Certificate ${keyhash} is not trusted! Removing..."
215 rm -f tempfile.cer tempfile.crt "${tempfile}"
216 continue
217 fi
218
219 # If execution made it to here in the loop, the temp cert is trusted
220 # Find the cert data and generate a cert file for it
221
222 cp "${tempfile}" tempfile.cer
223 perl ${CONVERTSCRIPT} > tempfile.crt
224 keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
225 mv tempfile.crt "certs/${keyhash}.pem"
226 rm -f tempfile.cer "${tempfile}"
227 echo "Created ${keyhash}.pem"
228done
229
230# Remove blacklisted files
231# MD5 Collision Proof of Concept CA
232if test -f certs/8f111d69.pem; then
233 echo "Certificate 8f111d69 is not trusted! Removing..."
234 rm -f certs/8f111d69.pem
235fi
236
237# Finally, generate the bundle and clean up.
238cat certs/*.pem > ${BUNDLE}
239rm -r "${TEMPDIR}"</literal>
240EOF
241
242chmod +x /usr/bin/make-ca.sh</userinput></screen>
243
244 <para>Add a short script to remove expired certificates from a directory.
245 Again create this script as the <systemitem
246 class="username">root</systemitem> user:</para>
247
248<screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh &lt;&lt; "EOF"
249<literal>#!/bin/sh
250# Begin /usr/sbin/remove-expired-certs.sh
251#
252# Version 20120211
253
254# Make sure the date is parsed correctly on all systems
255mydate()
256{
257 local y=$( echo $1 | cut -d" " -f4 )
258 local M=$( echo $1 | cut -d" " -f1 )
259 local d=$( echo $1 | cut -d" " -f2 )
260 local m
261
262 if [ ${d} -lt 10 ]; then d="0${d}"; fi
263
264 case $M in
265 Jan) m="01";;
266 Feb) m="02";;
267 Mar) m="03";;
268 Apr) m="04";;
269 May) m="05";;
270 Jun) m="06";;
271 Jul) m="07";;
272 Aug) m="08";;
273 Sep) m="09";;
274 Oct) m="10";;
275 Nov) m="11";;
276 Dec) m="12";;
277 esac
278
279 certdate="${y}${m}${d}"
280}
281
282OPENSSL=/usr/bin/openssl
283DIR=/etc/ssl/certs
284
285if [ $# -gt 0 ]; then
286 DIR="$1"
287fi
288
289certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
290today=$( date +%Y%m%d )
291
292for cert in $certs; do
293 notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
294 date=$( echo ${notafter} | sed 's/^notAfter=//' )
295 mydate "$date"
296
297 if [ ${certdate} -lt ${today} ]; then
298 echo "${cert} expired on ${certdate}! Removing..."
299 rm -f "${cert}"
300 fi
301done</literal>
302EOF
303
304chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen>
305
306 <para>The following commands will fetch the certificates and convert them to
307 the correct format. If desired, a web browser may be used instead of
308 <application>wget</application> but the file will need to be saved with the
309 name <filename>certdata.txt</filename>. These commands can be repeated as
310 necessary to update the CA Certificates.</para>
311
312 <screen><userinput>URL=&sources-anduin-http;/other/certdata.txt &amp;&amp;
313rm -f certdata.txt &amp;&amp;
314wget $URL &amp;&amp;
315make-ca.sh &amp;&amp;
316unset URL</userinput></screen>
317
318 <para>Now, as the <systemitem class="username">root</systemitem> user:</para>
319
320<screen role="root"><userinput>SSLDIR=/etc/ssl &amp;&amp;
321remove-expired-certs.sh certs &amp;&amp;
322install -d ${SSLDIR}/certs &amp;&amp;
323cp -v certs/*.pem ${SSLDIR}/certs &amp;&amp;
324c_rehash &amp;&amp;
325install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &amp;&amp;
326ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &amp;&amp;
327unset SSLDIR</userinput></screen>
328
329 <para>Finally, clean up the current directory:</para>
330
331<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
332
333 <para>After installing or updating certificates, if OpenJDK is installed,
334 update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
335
336
337 </sect2>
338
339 <sect2 role="content">
340 <title>Contents</title>
341
342 <segmentedlist>
343 <segtitle>Installed Programs</segtitle>
344 <segtitle>Installed Libraries</segtitle>
345 <segtitle>Installed Directories</segtitle>
346
347 <seglistitem>
348 <seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
349 <seg>None</seg>
350 <seg>/etc/ssl/certs</seg>
351 </seglistitem>
352 </segmentedlist>
353
354 <variablelist>
355 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
356 <?dbfo list-presentation="list"?>
357 <?dbhtml list-presentation="table"?>
358
359 <varlistentry id="make-ca">
360 <term><command>make-ca.sh</command></term>
361 <listitem>
362 <para>is a shell script that reformats
363 the <filename>certdata.txt</filename> file for use by
364 <application>openssl</application>.</para>
365 <indexterm zone="cacerts make-ca">
366 <primary sortas="b-make-ca">make-ca</primary>
367 </indexterm>
368 </listitem>
369 </varlistentry>
370
371 <varlistentry id="make-cert">
372 <term><command>make-cert.pl</command></term>
373 <listitem>
374 <para>is a utility <application>perl</application> script that
375 converts a single binary certificate (.der format) into .pem format.</para>
376 <indexterm zone="cacerts make-cert">
377 <primary sortas="b-make-cert">make-cert</primary>
378 </indexterm>
379 </listitem>
380 </varlistentry>
381
382 <varlistentry id="remove-expired-certs">
383 <term><command>remove-expired-certs.sh</command></term>
384 <listitem>
385 <para>is a utility shell script that
386 removes expired certificates from a directory. The default
387 directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
388 <indexterm zone="cacerts remove-expired-certs">
389 <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
390 </indexterm>
391 </listitem>
392 </varlistentry>
393 </variablelist>
394
395 </sect2>
396</sect1>
Note: See TracBrowser for help on using the repository browser.