Context Navigation

cacerts.xml@ 50cf9af

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 7.10 7.6 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition trunk upgradedb xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 50cf9af was 50cf9af, checked in by Bruce Dubbs <bdubbs@…>, 10 years ago

tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@14254 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 12.4 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY certhost "http://mxr.mozilla.org">
8	<!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9	<!ENTITY ca-bundle-download "&sources-anduin-other-http;/certdata.txt">
10	<!ENTITY ca-bundle-size "1.2 MB">
11	<!ENTITY cacerts-buildsize "1.2 MB">
12	<!ENTITY cacerts-time "less than 0.1 SBU">
13	]>
14
15	<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16	<?dbhtml filename="cacerts.html"?>
17
18	<sect1info>
19	<othername>$LastChangedBy$</othername>
20	<date>$Date$</date>
21	</sect1info>
22
23	<title>Certificate Authority Certificates</title>
24
25	<para>The Public Key Inrastructure is used for many security issues in a
26	Linux system. In order for a certificate to be trusted, it must be signed by
27	a trusted agent called a Certificate Authority (CA). The certificates loaded
28	by this section are from the list on the Mozilla version control system and
29	formats it into a form used by <xref linkend='openssl'/>. The certificates
30	can also be used by other applications either directly of indirectly through
31	<application>openssl</application>.</para>
32
33	&lfs76_checked;
34
35	<indexterm zone="cacerts">
36	<primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37	</indexterm>
38
39	<sect2 role="package">
40	<title>Introduction to Certificate Authorities</title>
41
42	<bridgehead renderas="sect3">Package Information</bridgehead>
43	<itemizedlist spacing="compact">
44	<listitem>
45	<para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46	</listitem>
47	<listitem>
48	<para>CA Bundle size: &ca-bundle-size;</para>
49	</listitem>
50	<listitem>
51	<para>Estimated disk space required: &cacerts-buildsize;</para>
52	</listitem>
53	<listitem>
54	<para>Estimated build time: &cacerts-time;</para>
55	</listitem>
56	</itemizedlist>
57
58	<note><para>The certfile.txt file above is actually retrieved from <ulink
59	url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
60	It is really an HTML file, but the text file can be retrieved indirectly
61	from the HTML file. The Download URL above automates that process and also
62	adds a line where the date can be extracted as a revision number by the
63	scripts below.</para></note>
64
65	<bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
66
67	<bridgehead renderas="sect4">Required</bridgehead>
68	<para role="required"><xref linkend="openssl"/></para>
69
70	<bridgehead renderas="sect4">Recommended</bridgehead>
71	<para role="recommended"><xref linkend="wget"/></para>
72
73	<para condition="html" role="usernotes">User Notes:
74	<ulink url='&blfs-wiki;/cacerts'/></para>
75	</sect2>
76
77	<sect2 role="installation">
78	<title>Installation of Certificate Authority Certificates</title>
79
80	<para>First create a script to reformat a certificate into a
81	form needed by <application>openssl</application>. As the <systemitem
82	class="username">root</systemitem> user:</para>
83
84	<screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF"
85	<literal>#!/usr/bin/perl -w
86
87	# Used to generate PEM encoded files from Mozilla certdata.txt.
88	# Run as ./make-cert.pl > certificate.crt
89	#
90	# Parts of this script courtesy of RedHat (mkcabundle.pl)
91	#
92	# This script modified for use with single file data (tempfile.cer) extracted
93	# from certdata.txt, taken from the latest version in the Mozilla NSS source.
94	# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
95	#
96	# Authors: DJ Lucas
97	# Bruce Dubbs
98	#
99	# Version 20120211
100
101	my $certdata = './tempfile.cer';
102
103	open( IN, "cat $certdata\|" )
104	\|\| die "could not open $certdata";
105
106	my $incert = 0;
107
108	while ( <IN> )
109	{
110	if ( /^CKA_VALUE MULTILINE_OCTAL/ )
111	{
112	$incert = 1;
113	open( OUT, "\|openssl x509 -text -inform DER -fingerprint" )
114	\|\| die "could not pipe to openssl x509";
115	}
116
117	elsif ( /^END/ && $incert )
118	{
119	close( OUT );
120	$incert = 0;
121	print "\n\n";
122	}
123
124	elsif ($incert)
125	{
126	my @bs = split( /\\/ );
127	foreach my $b (@bs)
128	{
129	chomp $b;
130	printf( OUT "%c", oct($b) ) unless $b eq '';
131	}
132	}
133	}</literal>
134	EOF
135
136	chmod +x /usr/bin/make-cert.pl</userinput></screen>
137
138	<para>The following script creates the certificates and a bundle of all the
139	certificates. It creates a <filename class='directory'>./certs</filename>
140	directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
141	create this script as the <systemitem class="username">root</systemitem>
142	user:</para>
143
144	<screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF"
145	<literal>#!/bin/sh
146	# Begin make-ca.sh
147	# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
148	#
149	# The file certdata.txt must exist in the local directory
150	# Version number is obtained from the version of the data.
151	#
152	# Authors: DJ Lucas
153	# Bruce Dubbs
154	#
155	# Version 20120211
156
157	certdata="certdata.txt"
158
159	if [ ! -r $certdata ]; then
160	echo "$certdata must be in the local directory"
161	exit 1
162	fi
163
164	REVISION=$(grep CVS_ID $certdata \| cut -f4 -d'$')
165
166	if [ -z "${REVISION}" ]; then
167	echo "$certfile has no 'Revision' in CVS_ID"
168	exit 1
169	fi
170
171	VERSION=$(echo $REVISION \| cut -f2 -d" ")
172
173	TEMPDIR=$(mktemp -d)
174	TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
175	BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
176	CONVERTSCRIPT="/usr/bin/make-cert.pl"
177	SSLDIR="/etc/ssl"
178
179	mkdir "${TEMPDIR}/certs"
180
181	# Get a list of starting lines for each cert
182	CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" \| cut -d ":" -f1)
183
184	# Get a list of ending lines for each cert
185	CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" \| cut -d ":" -f 1`
186
187	# Start a loop
188	for certbegin in ${CERTBEGINLIST}; do
189	for certend in ${CERTENDLIST}; do
190	if test "${certend}" -gt "${certbegin}"; then
191	break
192	fi
193	done
194
195	# Dump to a temp file with the name of the file as the beginning line number
196	sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
197	done
198
199	unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
200
201	mkdir -p certs
202	rm -f certs/* # Make sure the directory is clean
203
204	for tempfile in ${TEMPDIR}/certs/*.tmp; do
205	# Make sure that the cert is trusted...
206	grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" \| \
207	egrep "TRUST_UNKNOWN\|NOT_TRUSTED" > /dev/null
208
209	if test "${?}" = "0"; then
210	# Throw a meaningful error and remove the file
211	cp "${tempfile}" tempfile.cer
212	perl ${CONVERTSCRIPT} > tempfile.crt
213	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
214	echo "Certificate ${keyhash} is not trusted! Removing..."
215	rm -f tempfile.cer tempfile.crt "${tempfile}"
216	continue
217	fi
218
219	# If execution made it to here in the loop, the temp cert is trusted
220	# Find the cert data and generate a cert file for it
221
222	cp "${tempfile}" tempfile.cer
223	perl ${CONVERTSCRIPT} > tempfile.crt
224	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
225	mv tempfile.crt "certs/${keyhash}.pem"
226	rm -f tempfile.cer "${tempfile}"
227	echo "Created ${keyhash}.pem"
228	done
229
230	# Remove blacklisted files
231	# MD5 Collision Proof of Concept CA
232	if test -f certs/8f111d69.pem; then
233	echo "Certificate 8f111d69 is not trusted! Removing..."
234	rm -f certs/8f111d69.pem
235	fi
236
237	# Finally, generate the bundle and clean up.
238	cat certs/*.pem > ${BUNDLE}
239	rm -r "${TEMPDIR}"</literal>
240	EOF
241
242	chmod +x /usr/bin/make-ca.sh</userinput></screen>
243
244	<para>Add a short script to remove expired certificates from a directory.
245	Again create this script as the <systemitem
246	class="username">root</systemitem> user:</para>
247
248	<screen role="root"><userinput>cat > /usr/bin/remove-expired-certs.sh << "EOF"
249	<literal>#!/bin/sh
250	# Begin /usr/bin/remove-expired-certs.sh
251	#
252	# Version 20120211
253
254	# Make sure the date is parsed correctly on all systems
255	mydate()
256	{
257	local y=$( echo $1 \| cut -d" " -f4 )
258	local M=$( echo $1 \| cut -d" " -f1 )
259	local d=$( echo $1 \| cut -d" " -f2 )
260	local m
261
262	if [ ${d} -lt 10 ]; then d="0${d}"; fi
263
264	case $M in
265	Jan) m="01";;
266	Feb) m="02";;
267	Mar) m="03";;
268	Apr) m="04";;
269	May) m="05";;
270	Jun) m="06";;
271	Jul) m="07";;
272	Aug) m="08";;
273	Sep) m="09";;
274	Oct) m="10";;
275	Nov) m="11";;
276	Dec) m="12";;
277	esac
278
279	certdate="${y}${m}${d}"
280	}
281
282	OPENSSL=/usr/bin/openssl
283	DIR=/etc/ssl/certs
284
285	if [ $# -gt 0 ]; then
286	DIR="$1"
287	fi
288
289	certs=$( find ${DIR} -type f -name ".pem" -o -name ".crt" )
290	today=$( date +%Y%m%d )
291
292	for cert in $certs; do
293	notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
294	date=$( echo ${notafter} \| sed 's/^notAfter=//' )
295	mydate "$date"
296
297	if [ ${certdate} -lt ${today} ]; then
298	echo "${cert} expired on ${certdate}! Removing..."
299	rm -f "${cert}"
300	fi
301	done</literal>
302	EOF
303
304	chmod +x /usr/bin/remove-expired-certs.sh</userinput></screen>
305
306	<para>The following commands will fetch the certificates and convert them to
307	the correct format. If desired, a web browser may be used instead of
308	<application>wget</application> but the file will need to be saved with the
309	name <filename>certdata.txt</filename>. These commands can be repeated as
310	necessary to update the CA Certificates.</para>
311
312	<screen><userinput>URL=&sources-anduin-other-http;/certdata.txt &&
313	rm -f certdata.txt &&
314	wget $URL &&
315	make-ca.sh &&
316	remove-expired-certs.sh certs &&
317	unset URL</userinput></screen>
318
319	<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
320
321	<screen role="root"><userinput>SSLDIR=/etc/ssl &&
322	install -d ${SSLDIR}/certs &&
323	cp -v certs/*.pem ${SSLDIR}/certs &&
324	c_rehash &&
325	install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
326	ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
327	unset SSLDIR</userinput></screen>
328
329	<para>Finally, clean up the current directory:</para>
330
331	<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
332
333	<para>After installing or updating certificates, if OpenJDK is installed,
334	update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
335
336
337	</sect2>
338
339	<sect2 role="content">
340	<title>Contents</title>
341
342	<segmentedlist>
343	<segtitle>Installed Programs</segtitle>
344	<segtitle>Installed Libraries</segtitle>
345	<segtitle>Installed Directories</segtitle>
346
347	<seglistitem>
348	<seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
349	<seg>None</seg>
350	<seg>/etc/ssl/certs</seg>
351	</seglistitem>
352	</segmentedlist>
353
354	<variablelist>
355	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
356	<?dbfo list-presentation="list"?>
357	<?dbhtml list-presentation="table"?>
358
359	<varlistentry id="make-ca">
360	<term><command>make-ca.sh</command></term>
361	<listitem>
362	<para>is a shell script that reformats
363	the <filename>certdata.txt</filename> file for use by
364	<application>openssl</application>.</para>
365	<indexterm zone="cacerts make-ca">
366	<primary sortas="b-make-ca">make-ca</primary>
367	</indexterm>
368	</listitem>
369	</varlistentry>
370
371	<varlistentry id="make-cert">
372	<term><command>make-cert.pl</command></term>
373	<listitem>
374	<para>is a utility <application>perl</application> script that
375	converts a single binary certificate (.der format) into .pem format.</para>
376	<indexterm zone="cacerts make-cert">
377	<primary sortas="b-make-cert">make-cert</primary>
378	</indexterm>
379	</listitem>
380	</varlistentry>
381
382	<varlistentry id="remove-expired-certs">
383	<term><command>remove-expired-certs.sh</command></term>
384	<listitem>
385	<para>is a utility <application>perl</application> script that
386	removes expired certificates from a directory. The default
387	directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
388	<indexterm zone="cacerts remove-expired-certs">
389	<primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
390	</indexterm>
391	</listitem>
392	</varlistentry>
393	</variablelist>
394
395	</sect2>
396	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/cacerts.xml@ 50cf9af

Download in other formats: