Context Navigation

cacerts.xml@ a3394a71

Visit:

systemd-13485

Last change on this file since a3394a71 was a3394a71, checked in by Douglas R. Reno <renodr@…>, 9 years ago

First round of tags for the day.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@16502 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 12.4 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY certhost "http://mxr.mozilla.org">
8	<!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9	<!ENTITY ca-bundle-download "&sources-anduin-other-http;/certdata.txt">
10	<!ENTITY ca-bundle-size "1.6 MB">
11	<!ENTITY cacerts-buildsize "6 MB">
12	<!ENTITY cacerts-time "0.1 SBU">
13	]>
14
15	<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16	<?dbhtml filename="cacerts.html"?>
17
18	<sect1info>
19	<othername>$LastChangedBy$</othername>
20	<date>$Date$</date>
21	</sect1info>
22
23	<title>Certificate Authority Certificates</title>
24
25	<para>The Public Key Inrastructure is used for many security issues in a
26	Linux system. In order for a certificate to be trusted, it must be signed by
27	a trusted agent called a Certificate Authority (CA). The certificates loaded
28	by this section are from the list on the Mozilla version control system and
29	formats it into a form used by <xref linkend='openssl'/>. The certificates
30	can also be used by other applications either directly of indirectly through
31	<application>openssl</application>.</para>
32
33	&lfs78_checked;
34
35	<indexterm zone="cacerts">
36	<primary sortas="a-cacerts">Certificate Authority Certificates</primary>
37	</indexterm>
38
39	<sect2 role="package">
40	<title>Introduction to Certificate Authorities</title>
41
42	<bridgehead renderas="sect3">Package Information</bridgehead>
43	<itemizedlist spacing="compact">
44	<listitem>
45	<para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
46	</listitem>
47	<listitem>
48	<para>CA Certificate size: &ca-bundle-size;</para>
49	</listitem>
50	<listitem>
51	<para>Estimated disk space required: &cacerts-buildsize;</para>
52	</listitem>
53	<listitem>
54	<para>Estimated build time: &cacerts-time;</para>
55	</listitem>
56	</itemizedlist>
57
58	<note><para>The certfile.txt file above is actually retrieved from <ulink
59	url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
60	It is really an HTML file, but the text file can be retrieved indirectly
61	from the HTML file. The Download URL above automates that process and also
62	adds a line where the date can be extracted as a revision number by the
63	scripts below.</para></note>
64
65	<bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
66
67	<bridgehead renderas="sect4">Required</bridgehead>
68	<para role="required">
69	<xref linkend="openssl"/>
70	</para>
71
72	<bridgehead renderas="sect4">Recommended</bridgehead>
73	<para role="recommended">
74	<xref linkend="wget"/>
75	</para>
76
77	<para condition="html" role="usernotes">User Notes:
78	<ulink url="&blfs-wiki;/cacerts"/></para>
79	</sect2>
80
81	<sect2 role="installation">
82	<title>Installation of Certificate Authority Certificates</title>
83
84	<para>First create a script to reformat a certificate into a
85	form needed by <application>openssl</application>. As the <systemitem
86	class="username">root</systemitem> user:</para>
87
88	<screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF"
89	<literal>#!/usr/bin/perl -w
90
91	# Used to generate PEM encoded files from Mozilla certdata.txt.
92	# Run as ./make-cert.pl > certificate.crt
93	#
94	# Parts of this script courtesy of RedHat (mkcabundle.pl)
95	#
96	# This script modified for use with single file data (tempfile.cer) extracted
97	# from certdata.txt, taken from the latest version in the Mozilla NSS source.
98	# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
99	#
100	# Authors: DJ Lucas
101	# Bruce Dubbs
102	#
103	# Version 20120211
104
105	my $certdata = './tempfile.cer';
106
107	open( IN, "cat $certdata\|" )
108	\|\| die "could not open $certdata";
109
110	my $incert = 0;
111
112	while ( <IN> )
113	{
114	if ( /^CKA_VALUE MULTILINE_OCTAL/ )
115	{
116	$incert = 1;
117	open( OUT, "\|openssl x509 -text -inform DER -fingerprint" )
118	\|\| die "could not pipe to openssl x509";
119	}
120
121	elsif ( /^END/ && $incert )
122	{
123	close( OUT );
124	$incert = 0;
125	print "\n\n";
126	}
127
128	elsif ($incert)
129	{
130	my @bs = split( /\\/ );
131	foreach my $b (@bs)
132	{
133	chomp $b;
134	printf( OUT "%c", oct($b) ) unless $b eq '';
135	}
136	}
137	}</literal>
138	EOF
139
140	chmod +x /usr/bin/make-cert.pl</userinput></screen>
141
142	<para>The following script creates the certificates and a bundle of all the
143	certificates. It creates a <filename class='directory'>./certs</filename>
144	directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
145	create this script as the <systemitem class="username">root</systemitem>
146	user:</para>
147
148	<screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF"
149	<literal>#!/bin/sh
150	# Begin make-ca.sh
151	# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
152	#
153	# The file certdata.txt must exist in the local directory
154	# Version number is obtained from the version of the data.
155	#
156	# Authors: DJ Lucas
157	# Bruce Dubbs
158	#
159	# Version 20120211
160
161	certdata="certdata.txt"
162
163	if [ ! -r $certdata ]; then
164	echo "$certdata must be in the local directory"
165	exit 1
166	fi
167
168	REVISION=$(grep CVS_ID $certdata \| cut -f4 -d'$')
169
170	if [ -z "${REVISION}" ]; then
171	echo "$certfile has no 'Revision' in CVS_ID"
172	exit 1
173	fi
174
175	VERSION=$(echo $REVISION \| cut -f2 -d" ")
176
177	TEMPDIR=$(mktemp -d)
178	TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
179	BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
180	CONVERTSCRIPT="/usr/bin/make-cert.pl"
181	SSLDIR="/etc/ssl"
182
183	mkdir "${TEMPDIR}/certs"
184
185	# Get a list of starting lines for each cert
186	CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" \| cut -d ":" -f1)
187
188	# Get a list of ending lines for each cert
189	CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" \| cut -d ":" -f 1`
190
191	# Start a loop
192	for certbegin in ${CERTBEGINLIST}; do
193	for certend in ${CERTENDLIST}; do
194	if test "${certend}" -gt "${certbegin}"; then
195	break
196	fi
197	done
198
199	# Dump to a temp file with the name of the file as the beginning line number
200	sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
201	done
202
203	unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
204
205	mkdir -p certs
206	rm -f certs/* # Make sure the directory is clean
207
208	for tempfile in ${TEMPDIR}/certs/*.tmp; do
209	# Make sure that the cert is trusted...
210	grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" \| \
211	egrep "TRUST_UNKNOWN\|NOT_TRUSTED" > /dev/null
212
213	if test "${?}" = "0"; then
214	# Throw a meaningful error and remove the file
215	cp "${tempfile}" tempfile.cer
216	perl ${CONVERTSCRIPT} > tempfile.crt
217	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
218	echo "Certificate ${keyhash} is not trusted! Removing..."
219	rm -f tempfile.cer tempfile.crt "${tempfile}"
220	continue
221	fi
222
223	# If execution made it to here in the loop, the temp cert is trusted
224	# Find the cert data and generate a cert file for it
225
226	cp "${tempfile}" tempfile.cer
227	perl ${CONVERTSCRIPT} > tempfile.crt
228	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
229	mv tempfile.crt "certs/${keyhash}.pem"
230	rm -f tempfile.cer "${tempfile}"
231	echo "Created ${keyhash}.pem"
232	done
233
234	# Remove blacklisted files
235	# MD5 Collision Proof of Concept CA
236	if test -f certs/8f111d69.pem; then
237	echo "Certificate 8f111d69 is not trusted! Removing..."
238	rm -f certs/8f111d69.pem
239	fi
240
241	# Finally, generate the bundle and clean up.
242	cat certs/*.pem > ${BUNDLE}
243	rm -r "${TEMPDIR}"</literal>
244	EOF
245
246	chmod +x /usr/bin/make-ca.sh</userinput></screen>
247
248	<para>Add a short script to remove expired certificates from a directory.
249	Again create this script as the <systemitem
250	class="username">root</systemitem> user:</para>
251
252	<screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh << "EOF"
253	<literal>#!/bin/sh
254	# Begin /usr/sbin/remove-expired-certs.sh
255	#
256	# Version 20120211
257
258	# Make sure the date is parsed correctly on all systems
259	mydate()
260	{
261	local y=$( echo $1 \| cut -d" " -f4 )
262	local M=$( echo $1 \| cut -d" " -f1 )
263	local d=$( echo $1 \| cut -d" " -f2 )
264	local m
265
266	if [ ${d} -lt 10 ]; then d="0${d}"; fi
267
268	case $M in
269	Jan) m="01";;
270	Feb) m="02";;
271	Mar) m="03";;
272	Apr) m="04";;
273	May) m="05";;
274	Jun) m="06";;
275	Jul) m="07";;
276	Aug) m="08";;
277	Sep) m="09";;
278	Oct) m="10";;
279	Nov) m="11";;
280	Dec) m="12";;
281	esac
282
283	certdate="${y}${m}${d}"
284	}
285
286	OPENSSL=/usr/bin/openssl
287	DIR=/etc/ssl/certs
288
289	if [ $# -gt 0 ]; then
290	DIR="$1"
291	fi
292
293	certs=$( find ${DIR} -type f -name ".pem" -o -name ".crt" )
294	today=$( date +%Y%m%d )
295
296	for cert in $certs; do
297	notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
298	date=$( echo ${notafter} \| sed 's/^notAfter=//' )
299	mydate "$date"
300
301	if [ ${certdate} -lt ${today} ]; then
302	echo "${cert} expired on ${certdate}! Removing..."
303	rm -f "${cert}"
304	fi
305	done</literal>
306	EOF
307
308	chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen>
309
310	<para>The following commands will fetch the certificates and convert them to
311	the correct format. If desired, a web browser may be used instead of
312	<application>wget</application> but the file will need to be saved with the
313	name <filename>certdata.txt</filename>. These commands can be repeated as
314	necessary to update the CA Certificates.</para>
315
316	<screen><userinput>URL=&sources-anduin-other-http;/certdata.txt &&
317	rm -f certdata.txt &&
318	wget $URL &&
319	make-ca.sh &&
320	unset URL</userinput></screen>
321
322	<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
323
324	<screen role="root"><userinput>SSLDIR=/etc/ssl &&
325	remove-expired-certs.sh certs &&
326	install -d ${SSLDIR}/certs &&
327	cp -v certs/*.pem ${SSLDIR}/certs &&
328	c_rehash &&
329	install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
330	ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
331	unset SSLDIR</userinput></screen>
332
333	<para>Finally, clean up the current directory:</para>
334
335	<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
336
337	<para>After installing or updating certificates, if OpenJDK is installed,
338	update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
339
340
341	</sect2>
342
343	<sect2 role="content">
344	<title>Contents</title>
345
346	<segmentedlist>
347	<segtitle>Installed Programs</segtitle>
348	<segtitle>Installed Libraries</segtitle>
349	<segtitle>Installed Directories</segtitle>
350
351	<seglistitem>
352	<seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
353	<seg>None</seg>
354	<seg>/etc/ssl/certs</seg>
355	</seglistitem>
356	</segmentedlist>
357
358	<variablelist>
359	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
360	<?dbfo list-presentation="list"?>
361	<?dbhtml list-presentation="table"?>
362
363	<varlistentry id="make-ca">
364	<term><command>make-ca.sh</command></term>
365	<listitem>
366	<para>is a shell script that reformats
367	the <filename>certdata.txt</filename> file for use by
368	<application>openssl</application>.</para>
369	<indexterm zone="cacerts make-ca">
370	<primary sortas="b-make-ca">make-ca</primary>
371	</indexterm>
372	</listitem>
373	</varlistentry>
374
375	<varlistentry id="make-cert">
376	<term><command>make-cert.pl</command></term>
377	<listitem>
378	<para>is a utility <application>perl</application> script that
379	converts a single binary certificate (.der format) into .pem format.</para>
380	<indexterm zone="cacerts make-cert">
381	<primary sortas="b-make-cert">make-cert</primary>
382	</indexterm>
383	</listitem>
384	</varlistentry>
385
386	<varlistentry id="remove-expired-certs">
387	<term><command>remove-expired-certs.sh</command></term>
388	<listitem>
389	<para>is a utility shell script that
390	removes expired certificates from a directory. The default
391	directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
392	<indexterm zone="cacerts remove-expired-certs">
393	<primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
394	</indexterm>
395	</listitem>
396	</varlistentry>
397	</variablelist>
398
399	</sect2>
400	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/cacerts.xml@ a3394a71

Download in other formats: