Context Navigation

cacerts.xml@ dd9e0c3

Visit:

systemd-13485

Last change on this file since dd9e0c3 was 6d27308, checked in by Douglas R. Reno <renodr@…>, 8 years ago

GCC6 Tags

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/branches/systemd@17356 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 12.5 KB

Line
1	<?xml version="1.0" encoding="ISO-8859-1"?>
2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4	<!ENTITY % general-entities SYSTEM "../../general.ent">
5	%general-entities;
6
7	<!ENTITY certhost "http://mxr.mozilla.org">
8	<!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins">
9	<!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt">
10	<!ENTITY ca-bundle-size "1.6 MB">
11	<!ENTITY cacerts-buildsize "6 MB">
12	<!ENTITY cacerts-time "0.1 SBU">
13	]>
14
15	<sect1 id="cacerts" xreflabel="Certificate Authority Certificates">
16	<?dbhtml filename="cacerts.html"?>
17
18	<sect1info>
19	<othername>$LastChangedBy$</othername>
20	<date>$Date$</date>
21	</sect1info>
22
23	<title>Certificate Authority Certificates</title>
24
25	<para>The Public Key Inrastructure is used for many security issues in a
26	Linux system. In order for a certificate to be trusted, it must be signed by
27	a trusted agent called a Certificate Authority (CA). The certificates loaded
28	by this section are from the list on the Mozilla version control system and
29	formats it into a form used by <xref linkend='openssl'/>. The certificates
30	can also be used by other applications either directly of indirectly through
31	<application>openssl</application>.</para>
32
33	&lfs79_checked;
34
35	&gcc6_checked;
36
37	<indexterm zone="cacerts">
38	<primary sortas="a-cacerts">Certificate Authority Certificates</primary>
39	</indexterm>
40
41	<sect2 role="package">
42	<title>Introduction to Certificate Authorities</title>
43
44	<bridgehead renderas="sect3">Package Information</bridgehead>
45	<itemizedlist spacing="compact">
46	<listitem>
47	<para>CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>
48	</listitem>
49	<listitem>
50	<para>CA Certificate size: &ca-bundle-size;</para>
51	</listitem>
52	<listitem>
53	<para>Estimated disk space required: &cacerts-buildsize;</para>
54	</listitem>
55	<listitem>
56	<para>Estimated build time: &cacerts-time;</para>
57	</listitem>
58	</itemizedlist>
59
60	<note><para>The certfile.txt file above is actually retrieved from <ulink
61	url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.
62	It is really an HTML file, but the text file can be retrieved indirectly
63	from the HTML file. The Download URL above automates that process and also
64	adds a line where the date can be extracted as a revision number by the
65	scripts below.</para></note>
66
67	<bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead>
68
69	<bridgehead renderas="sect4">Required</bridgehead>
70	<para role="required">
71	<xref linkend="openssl"/>
72	</para>
73
74	<bridgehead renderas="sect4">Recommended</bridgehead>
75	<para role="recommended">
76	<xref linkend="wget"/>
77	</para>
78
79	<para condition="html" role="usernotes">User Notes:
80	<ulink url="&blfs-wiki;/cacerts"/></para>
81	</sect2>
82
83	<sect2 role="installation">
84	<title>Installation of Certificate Authority Certificates</title>
85
86	<para>First create a script to reformat a certificate into a
87	form needed by <application>openssl</application>. As the <systemitem
88	class="username">root</systemitem> user:</para>
89
90	<screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF"
91	<literal>#!/usr/bin/perl -w
92
93	# Used to generate PEM encoded files from Mozilla certdata.txt.
94	# Run as ./make-cert.pl > certificate.crt
95	#
96	# Parts of this script courtesy of RedHat (mkcabundle.pl)
97	#
98	# This script modified for use with single file data (tempfile.cer) extracted
99	# from certdata.txt, taken from the latest version in the Mozilla NSS source.
100	# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
101	#
102	# Authors: DJ Lucas
103	# Bruce Dubbs
104	#
105	# Version 20120211
106
107	my $certdata = './tempfile.cer';
108
109	open( IN, "cat $certdata\|" )
110	\|\| die "could not open $certdata";
111
112	my $incert = 0;
113
114	while ( <IN> )
115	{
116	if ( /^CKA_VALUE MULTILINE_OCTAL/ )
117	{
118	$incert = 1;
119	open( OUT, "\|openssl x509 -text -inform DER -fingerprint" )
120	\|\| die "could not pipe to openssl x509";
121	}
122
123	elsif ( /^END/ && $incert )
124	{
125	close( OUT );
126	$incert = 0;
127	print "\n\n";
128	}
129
130	elsif ($incert)
131	{
132	my @bs = split( /\\/ );
133	foreach my $b (@bs)
134	{
135	chomp $b;
136	printf( OUT "%c", oct($b) ) unless $b eq '';
137	}
138	}
139	}</literal>
140	EOF
141
142	chmod +x /usr/bin/make-cert.pl</userinput></screen>
143
144	<para>The following script creates the certificates and a bundle of all the
145	certificates. It creates a <filename class='directory'>./certs</filename>
146	directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. Again
147	create this script as the <systemitem class="username">root</systemitem>
148	user:</para>
149
150	<screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF"
151	<literal>#!/bin/sh
152	# Begin make-ca.sh
153	# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
154	#
155	# The file certdata.txt must exist in the local directory
156	# Version number is obtained from the version of the data.
157	#
158	# Authors: DJ Lucas
159	# Bruce Dubbs
160	#
161	# Version 20120211
162
163	# Some data in the certs have UTF-8 characters
164	export LANG=en_US.utf8
165
166	certdata="certdata.txt"
167
168	if [ ! -r $certdata ]; then
169	echo "$certdata must be in the local directory"
170	exit 1
171	fi
172
173	REVISION=$(grep CVS_ID $certdata \| cut -f4 -d'$')
174
175	if [ -z "${REVISION}" ]; then
176	echo "$certfile has no 'Revision' in CVS_ID"
177	exit 1
178	fi
179
180	VERSION=$(echo $REVISION \| cut -f2 -d" ")
181
182	TEMPDIR=$(mktemp -d)
183	TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
184	BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
185	CONVERTSCRIPT="/usr/bin/make-cert.pl"
186	SSLDIR="/etc/ssl"
187
188	mkdir "${TEMPDIR}/certs"
189
190	# Get a list of starting lines for each cert
191	CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" \| cut -d ":" -f1)
192
193	# Get a list of ending lines for each cert
194	CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" \| cut -d ":" -f 1`
195
196	# Start a loop
197	for certbegin in ${CERTBEGINLIST}; do
198	for certend in ${CERTENDLIST}; do
199	if test "${certend}" -gt "${certbegin}"; then
200	break
201	fi
202	done
203
204	# Dump to a temp file with the name of the file as the beginning line number
205	sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
206	done
207
208	unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend
209
210	mkdir -p certs
211	rm -f certs/* # Make sure the directory is clean
212
213	for tempfile in ${TEMPDIR}/certs/*.tmp; do
214	# Make sure that the cert is trusted...
215	grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" \| \
216	egrep "TRUST_UNKNOWN\|NOT_TRUSTED" > /dev/null
217
218	if test "${?}" = "0"; then
219	# Throw a meaningful error and remove the file
220	cp "${tempfile}" tempfile.cer
221	perl ${CONVERTSCRIPT} > tempfile.crt
222	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
223	echo "Certificate ${keyhash} is not trusted! Removing..."
224	rm -f tempfile.cer tempfile.crt "${tempfile}"
225	continue
226	fi
227
228	# If execution made it to here in the loop, the temp cert is trusted
229	# Find the cert data and generate a cert file for it
230
231	cp "${tempfile}" tempfile.cer
232	perl ${CONVERTSCRIPT} > tempfile.crt
233	keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
234	mv tempfile.crt "certs/${keyhash}.pem"
235	rm -f tempfile.cer "${tempfile}"
236	echo "Created ${keyhash}.pem"
237	done
238
239	# Remove blacklisted files
240	# MD5 Collision Proof of Concept CA
241	if test -f certs/8f111d69.pem; then
242	echo "Certificate 8f111d69 is not trusted! Removing..."
243	rm -f certs/8f111d69.pem
244	fi
245
246	# Finally, generate the bundle and clean up.
247	cat certs/*.pem > ${BUNDLE}
248	rm -r "${TEMPDIR}"</literal>
249	EOF
250
251	chmod +x /usr/bin/make-ca.sh</userinput></screen>
252
253	<para>Add a short script to remove expired certificates from a directory.
254	Again create this script as the <systemitem
255	class="username">root</systemitem> user:</para>
256
257	<screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh << "EOF"
258	<literal>#!/bin/sh
259	# Begin /usr/sbin/remove-expired-certs.sh
260	#
261	# Version 20120211
262
263	# Make sure the date is parsed correctly on all systems
264	mydate()
265	{
266	local y=$( echo $1 \| cut -d" " -f4 )
267	local M=$( echo $1 \| cut -d" " -f1 )
268	local d=$( echo $1 \| cut -d" " -f2 )
269	local m
270
271	if [ ${d} -lt 10 ]; then d="0${d}"; fi
272
273	case $M in
274	Jan) m="01";;
275	Feb) m="02";;
276	Mar) m="03";;
277	Apr) m="04";;
278	May) m="05";;
279	Jun) m="06";;
280	Jul) m="07";;
281	Aug) m="08";;
282	Sep) m="09";;
283	Oct) m="10";;
284	Nov) m="11";;
285	Dec) m="12";;
286	esac
287
288	certdate="${y}${m}${d}"
289	}
290
291	OPENSSL=/usr/bin/openssl
292	DIR=/etc/ssl/certs
293
294	if [ $# -gt 0 ]; then
295	DIR="$1"
296	fi
297
298	certs=$( find ${DIR} -type f -name ".pem" -o -name ".crt" )
299	today=$( date +%Y%m%d )
300
301	for cert in $certs; do
302	notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
303	date=$( echo ${notafter} \| sed 's/^notAfter=//' )
304	mydate "$date"
305
306	if [ ${certdate} -lt ${today} ]; then
307	echo "${cert} expired on ${certdate}! Removing..."
308	rm -f "${cert}"
309	fi
310	done</literal>
311	EOF
312
313	chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen>
314
315	<para>The following commands will fetch the certificates and convert them to
316	the correct format. If desired, a web browser may be used instead of
317	<application>wget</application> but the file will need to be saved with the
318	name <filename>certdata.txt</filename>. These commands can be repeated as
319	necessary to update the CA Certificates.</para>
320
321	<screen><userinput>URL=&sources-anduin-http;/other/certdata.txt &&
322	rm -f certdata.txt &&
323	wget $URL &&
324	make-ca.sh &&
325	unset URL</userinput></screen>
326
327	<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
328
329	<screen role="root"><userinput>SSLDIR=/etc/ssl &&
330	remove-expired-certs.sh certs &&
331	install -d ${SSLDIR}/certs &&
332	cp -v certs/*.pem ${SSLDIR}/certs &&
333	c_rehash &&
334	install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt &&
335	ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt &&
336	unset SSLDIR</userinput></screen>
337
338	<para>Finally, clean up the current directory:</para>
339
340	<screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen>
341
342	<para>After installing or updating certificates, if OpenJDK is installed,
343	update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para>
344
345
346	</sect2>
347
348	<sect2 role="content">
349	<title>Contents</title>
350
351	<segmentedlist>
352	<segtitle>Installed Programs</segtitle>
353	<segtitle>Installed Libraries</segtitle>
354	<segtitle>Installed Directories</segtitle>
355
356	<seglistitem>
357	<seg>make-ca.sh, make-cert.pl and remove-expired-certs.sh</seg>
358	<seg>None</seg>
359	<seg>/etc/ssl/certs</seg>
360	</seglistitem>
361	</segmentedlist>
362
363	<variablelist>
364	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
365	<?dbfo list-presentation="list"?>
366	<?dbhtml list-presentation="table"?>
367
368	<varlistentry id="make-ca">
369	<term><command>make-ca.sh</command></term>
370	<listitem>
371	<para>is a shell script that reformats
372	the <filename>certdata.txt</filename> file for use by
373	<application>openssl</application>.</para>
374	<indexterm zone="cacerts make-ca">
375	<primary sortas="b-make-ca">make-ca</primary>
376	</indexterm>
377	</listitem>
378	</varlistentry>
379
380	<varlistentry id="make-cert">
381	<term><command>make-cert.pl</command></term>
382	<listitem>
383	<para>is a utility <application>perl</application> script that
384	converts a single binary certificate (.der format) into .pem format.</para>
385	<indexterm zone="cacerts make-cert">
386	<primary sortas="b-make-cert">make-cert</primary>
387	</indexterm>
388	</listitem>
389	</varlistentry>
390
391	<varlistentry id="remove-expired-certs">
392	<term><command>remove-expired-certs.sh</command></term>
393	<listitem>
394	<para>is a utility shell script that
395	removes expired certificates from a directory. The default
396	directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>
397	<indexterm zone="cacerts remove-expired-certs">
398	<primary sortas="b-remove-expired-certs">remove-expired-certs</primary>
399	</indexterm>
400	</listitem>
401	</varlistentry>
402	</variablelist>
403
404	</sect2>
405	</sect1>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: postlfs/security/cacerts.xml@ dd9e0c3

Download in other formats: