Changeset 30b7db74
- Timestamp: 10/29/2016 09:56:12 AM (8 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: be1bcf9c
- Parents: 7b8c7ec
- Files: 5 edited
general/prog/openjdk.xml
r7b8c7ec r30b7db74 553 553 <application>OpenJDK</application> uses its own format for the 554 554 CA certificates. Those certificates are located in a file named 555 <filename>/opt/jdk/jre/lib/security/cacerts</filename>. That file 556 may be generated from the one installed using the instructions on the 557 <xref linkend="cacerts"/> page, with the following procedure. 558 First, generate the <command>mkcacerts</command> script 555 <filename>/etc/ssl/java/cacerts</filename>. That file should be 556 generated using the system PKI trust store. The instructions 557 on the <xref linkend="cacerts"/> page will be used to do the update 558 by calling the following script. Install the 559 <command>mkcacerts</command> script and setup a symlink in the java 559 560 as the <systemitem class="username">root</systemitem> user: 560 561 </para> 561 562 562 <screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF" 563 <screen role="root"><userinput>cat > /opt/jdk/bin/mkcacerts << "EOF" && 563 564 <literal>#!/bin/sh 564 565 # Simple script to extract x509 certificates and create a JRE cacerts file. 
… … 777 778 EOF 778 779 779 chmod -c 0755 /opt/jdk/bin/mkcacerts</userinput></screen> 780 chmod -c 0755 /opt/jdk/bin/mkcacerts && 781 ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts</userinput></screen> 780 782 781 783 <note> … … 791 793 </para> 792 794 793 <screen role="root"><userinput>if [ -f / opt/jdk/jre/lib/security/cacerts ]; then794 mv / opt/jdk/jre/lib/security/cacerts \795 / opt/jdk/jre/lib/security/cacerts.bak795 <screen role="root"><userinput>if [ -f /etc/ssl/java/cacerts ]; then 796 mv /etc/ssl/java/cacerts \ 797 /etc/ssl/java/cacerts.bak 796 798 fi && 797 799 /opt/jdk/bin/mkcacerts \ … … 799 801 -k "/opt/jdk/bin/keytool" \ 800 802 -s "/usr/bin/openssl" \ 801 -o "/ opt/jdk/jre/lib/security/cacerts"</userinput></screen>803 -o "/etc/ssl/java/cacerts"</userinput></screen> 802 804 803 805 <para>Use the following commands to check if the … … 805 807 806 808 <screen role="root"><userinput>cd /opt/jdk 807 bin/keytool -list -keystore jre/lib/security/cacerts</userinput></screen>809 bin/keytool -list -keystore /etc/ssl/java/cacerts</userinput></screen> 808 810 809 811 <para>At the prompt "Enter keystore password:", press the "Enter" key if -
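Review bot: the added sentence "Install the mkcacerts script and setup a symlink in the java as the root user" is missing a word after "java" (the JRE security directory, judging by the link target), and "setup" should be "set up" as a verb; the preceding sentence "The instructions on the cacerts page will be used to do the update by calling the following script" would read more clearly as "The script below is called from the procedure on the cacerts page to update that file." More importantly, both the new `ln -sfv /etc/ssl/java/cacerts /opt/jdk/jre/lib/security/cacerts` and the later `-o "/etc/ssl/java/cacerts"` assume /etc/ssl/java already exists, but in this changeset that directory is only created by `install -vdm755 /etc/ssl/{certs,java,local}` on the cacerts page; either state that dependency here or create the directory before running mkcacerts, otherwise the symlink dangles and mkcacerts cannot write its output.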
gnome/platform/rest.xml
r7b8c7ec r30b7db74 106 106 107 107 <screen><userinput>sed -i "/seems to be moved/s/^/#/" build/ltmain.sh && 108 ./configure --prefix=/usr && 108 ./configure --prefix=/usr \ 109 --with-ca-certificates=/etc/ssl/ca-bundle.crt && 109 110 make</userinput></screen> 110 111 … … 129 130 </para> 130 131 132 <para> 133 <parameter>--with-ca-certificates=/etc/ssl/ca-bundle.crt</parameter>: This 134 switch sets the location of the BLFS <xref linkend="cacerts"/> bundle. 135 </para> 136 131 137 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" 132 138 href="../../xincludes/gtk-doc-rebuild.xml"/> -
introduction/welcome/changelog.xml
r7b8c7ec r30b7db74 50 50 <ulink url="&blfs-ticket-root;8433">#8433</ulink>.</para> 51 51 </listitem> 52 <listitem> 53 <para>[dj] - Updated CA Certificates generation method using 54 the mk-ca-bundle.pl script included with curl.</para> 55 </listitem> 52 56 </itemizedlist> 53 57 </listitem> -
networking/netlibs/curl.xml
r7b8c7ec r30b7db74 120 120 </para> 121 121 122 <screen><userinput>./configure --prefix=/usr \ 123 --disable-static \ 124 --enable-threaded-resolver && 122 <screen><userinput>./configure --prefix=/usr \ 123 --disable-static \ 124 --enable-threaded-resolver \ 125 --with-ca-bundle=/etc/ssl/ca-bundle.crt && 125 126 make</userinput></screen> 126 127 … … 173 174 174 175 <screen role="root"><userinput>make install && 176 install -vdm755 lib/mk-ca-bundle.pl /usr/bin && 175 177 176 178 rm -rf docs/examples/.deps && … … 206 208 207 209 <para> 210 <parameter>--with-ca-bundle=/etc/ssl/ca-bundle.crt</parameter>: This 211 switch sets the location of the BLFS <xref linkend="cacerts"/> bundle. 212 </para> 213 214 <para> 208 215 <option>--with-gssapi</option>: This parameter adds 209 216 <application>Kerberos 5</application> support to … … 235 242 <seglistitem> 236 243 <seg> 237 curl and curl-config244 curl, curl-config, and mk-ca-bundle.pl 238 245 </seg> 239 246 <seg> … … 277 284 </varlistentry> 278 285 286 <varlistentry id="mk-ca-bundle-pl"> 287 <term><command>mk-ca-bundle.pl</command></term> 288 <listitem> 289 <para> 290 downloads a copy of certdata.txt from the Mozilla version control 291 system, and reformats it for use by 292 <application>gnutls</application>. 293 </para> 294 <indexterm zone="curl mk-ca-bundle-pl"> 295 <primary sortas="b-mk-ca-bundle-pl">mk-ca-bundle.pl</primary> 296 </indexterm> 297 </listitem> 298 </varlistentry> 299 279 300 <varlistentry id="libcurl"> 280 301 <term><filename class="libraryfile">libcurl.so</filename></term> -
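Review bot: `install -vdm755 lib/mk-ca-bundle.pl /usr/bin` in the install hunk is wrong: with `-d`, install treats every argument as a directory name to create rather than a file to copy, so it tries to mkdir lib/mk-ca-bundle.pl (which fails because a regular file of that name exists) and never installs the script, even though the segmentedlist and the new varlistentry now advertise it as an installed program. Drop the `-d`: `install -vm755 lib/mk-ca-bundle.pl /usr/bin`.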
postlfs/security/cacerts.xml
r7b8c7ec r30b7db74 5 5 %general-entities; 6 6 7 <!ENTITY certhost "http://mxr.mozilla.org"> 8 <!ENTITY certdir "/mozilla/source/security/nss/lib/ckfw/builtins"> 9 <!ENTITY ca-bundle-download "&sources-anduin-http;/other/certdata.txt"> 10 <!ENTITY ca-bundle-size "1.6 MB"> 11 <!ENTITY cacerts-buildsize "6 MB"> 7 <!ENTITY make-ca-download "&sources-anduin-http;/other/make-ca.sh"> 8 <!ENTITY make-ca-size "4.1 KB"> 9 <!ENTITY make-ca-md5sum "487ca7ce6f7b81b3e46362138f93310c"> 10 <!ENTITY cacerts-buildsize "1.4 MB"> 12 11 <!ENTITY cacerts-time "0.1 SBU"> 13 12 ]> … … 23 22 <title>Certificate Authority Certificates</title> 24 23 25 <para>The Public Key Infrastructure is used for many security issues in a24 <para>The Public Key Infrastructure is used for many security features in a 26 25 Linux system. In order for a certificate to be trusted, it must be signed by 27 a trusted agent called a Certificate Authority (CA). The certificates loaded 28 by this section are from the list on the Mozilla version control system and 29 formats it into a form used by <xref linkend='openssl'/>. The certificates 30 can also be used by other applications either directly of indirectly through 31 <application>openssl</application>.</para> 26 a trusted agent called a Certificate Authority (CA). The certificates 27 installed in this section are obtained from the Mozilla version control 28 system, and reformatted for use by <xref linkend='openssl'/> and 29 <xref linkend='gnutls'/>. 
The certificates can also be used by other 30 applications, either directly or indirectly by linking to one of these 31 packages.</para> 32 32 33 33 &lfs7a_checked; … … 43 43 <itemizedlist spacing="compact"> 44 44 <listitem> 45 <para> CA Certificate Download: <ulink url="&ca-bundle-download;"/></para>45 <para>Download (HTTP): <ulink url="&make-ca-download;"/></para> 46 46 </listitem> 47 47 <listitem> 48 <para>CA Certificate size: &ca-bundle-size;</para> 48 <para>Download size: &make-ca-size;</para> 49 </listitem> 50 <listitem> 51 <para>Download MD5 Sum: &make-ca-md5sum;</para> 49 52 </listitem> 50 53 <listitem> … … 56 59 </itemizedlist> 57 60 58 <note><para>The certfile.txt file above is actually retrieved from <ulink59 url="https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt"/>.60 It is really an HTML file, but the text file can be retrieved indirectly61 from the HTML file. The Download URL above automates that process and also62 adds a line where the date can be extracted as a revision number by the63 scripts below.</para></note>64 65 61 <bridgehead renderas="sect3">Certificate Authority Certificates Dependencies</bridgehead> 66 62 67 63 <bridgehead renderas="sect4">Required</bridgehead> 68 <para role="required"><xref linkend="openssl"/></para> 69 70 <bridgehead renderas="sect4">Recommended</bridgehead> 71 <para role="recommended"><xref linkend="wget"/></para> 64 <para role="required"><xref linkend="openssl"/> and 65 <xref linkend="curl"/></para> 72 66 73 67 <para condition="html" role="usernotes">User Notes: … … 78 72 <title>Installation of Certificate Authority Certificates</title> 79 73 80 <para>First create a script to reformat a certificate into a 81 form needed by <application>openssl</application>. 
As the <systemitem 82 class="username">root</systemitem> user:</para> 74 <para>The <application>make-ca.sh</application> script will download a set 75 of certificates from one of five projects (aurora, beta, central, nss, or 76 release) in the Mozialla version control system. It defaults to the release 77 branch, which is identical to the version that ships with the Mozilla 78 products in this book. If you'd like to change the branch that is retrieved, 79 edit the file and set <envar>CERTSOURCE</envar> to one of the five values 80 above.</para> 83 81 84 <screen role="root"><userinput>cat > /usr/bin/make-cert.pl << "EOF" 85 <literal>#!/usr/bin/perl -w 82 <para>Additionally, any local certificates stored in 83 <filename>/etc/ssl/local</filename> will be copied into both the single-file 84 <filename>/etc/ssl/ca-bundle.crt</filename> (used by programs that link to 85 <application>gnutls</application>), and into the certificate store directory 86 <filename>/etc/ssl/certs</filename> (used by programs that link to 87 <application>OpenSSL</application>). All certificates will pass a date and 88 trust validation, and any existing certificates in 89 <filename>/etc/ssl/ca-bundle.crt</filename> or 90 <filename>/etc/ssl/certs</filename> will be removed upon successful 91 completion of this script.</para> 86 92 87 # Used to generate PEM encoded files from Mozilla certdata.txt. 88 # Run as ./make-cert.pl > certificate.crt 89 # 90 # Parts of this script courtesy of RedHat (mkcabundle.pl) 91 # 92 # This script modified for use with single file data (tempfile.cer) extracted 93 # from certdata.txt, taken from the latest version in the Mozilla NSS source. 
94 # mozilla/security/nss/lib/ckfw/builtins/certdata.txt 95 # 96 # Authors: DJ Lucas 97 # Bruce Dubbs 98 # 99 # Version 20120211 93 <para>Finally, if you've installed <xref linkend="java"/> or <xref 94 linkend="openjdk"/>, then it will also update the java cacerts file at 95 <filename>/etc/ssl/java/cacerts</filename>.</para> 100 96 101 my $certdata = './tempfile.cer'; 97 <para>First install the above script into the correct location. As the 98 <systemitem class="username">root</systemitem> user:</para> 102 99 103 open( IN, "cat $certdata|" ) 104 || die "could not open $certdata"; 100 <screen role="root"><userinput>install -vm750 make-ca.sh /usr/sbin</userinput></screen> 105 101 106 my $incert = 0; 102 <para>As the <systemitem class="username">root</systemitem> user, create the 103 needed directories, and update the certificate store:</para> 107 104 108 while ( <IN> ) 109 { 110 if ( /^CKA_VALUE MULTILINE_OCTAL/ ) 111 { 112 $incert = 1; 113 open( OUT, "|openssl x509 -text -inform DER -fingerprint" ) 114 || die "could not pipe to openssl x509"; 115 } 105 <screen role="root"><userinput>install -vdm755 /etc/ssl/{certs,java,local} && 106 /usr/sbin/make-ca.sh 107 </userinput></screen> 116 108 117 elsif ( /^END/ && $incert ) 118 { 119 close( OUT ); 120 $incert = 0; 121 print "\n\n"; 122 } 123 124 elsif ($incert) 125 { 126 my @bs = split( /\\/ ); 127 foreach my $b (@bs) 128 { 129 chomp $b; 130 printf( OUT "%c", oct($b) ) unless $b eq ''; 131 } 132 } 133 }</literal> 134 EOF 135 136 chmod +x /usr/bin/make-cert.pl</userinput></screen> 137 138 <para>The following script creates the certificates and a bundle of all the 139 certificates. It creates a <filename class='directory'>./certs</filename> 140 directory and <filename>./BLFS-ca-bundle-${VERSION}.crt</filename>. 
Again 141 create this script as the <systemitem class="username">root</systemitem> 142 user:</para> 143 144 <screen role="root"><userinput>cat > /usr/bin/make-ca.sh << "EOF" 145 <literal>#!/bin/sh 146 # Begin make-ca.sh 147 # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs 148 # 149 # The file certdata.txt must exist in the local directory 150 # Version number is obtained from the version of the data. 151 # 152 # Authors: DJ Lucas 153 # Bruce Dubbs 154 # 155 # Version 20120211 156 157 # Some data in the certs have UTF-8 characters 158 export LANG=en_US.utf8 159 160 certdata="certdata.txt" 161 162 if [ ! -r $certdata ]; then 163 echo "$certdata must be in the local directory" 164 exit 1 165 fi 166 167 REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$') 168 169 if [ -z "${REVISION}" ]; then 170 echo "$certfile has no 'Revision' in CVS_ID" 171 exit 1 172 fi 173 174 VERSION=$(echo $REVISION | cut -f2 -d" ") 175 176 TEMPDIR=$(mktemp -d) 177 TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH" 178 BUNDLE="BLFS-ca-bundle-${VERSION}.crt" 179 CONVERTSCRIPT="/usr/bin/make-cert.pl" 180 SSLDIR="/etc/ssl" 181 182 mkdir "${TEMPDIR}/certs" 183 184 # Get a list of starting lines for each cert 185 CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1) 186 187 # Get a list of ending lines for each cert 188 CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1` 189 190 # Start a loop 191 for certbegin in ${CERTBEGINLIST}; do 192 for certend in ${CERTENDLIST}; do 193 if test "${certend}" -gt "${certbegin}"; then 194 break 195 fi 196 done 197 198 # Dump to a temp file with the name of the file as the beginning line number 199 sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp" 200 done 201 202 unset CERTBEGINLIST CERTDATA CERTENDLIST certbegin certend 203 204 mkdir -p certs 205 rm -f certs/* # Make sure the directory is clean 206 207 for tempfile in ${TEMPDIR}/certs/*.tmp; do 208 # Make sure that 
the cert is trusted... 209 grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \ 210 egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null 211 212 if test "${?}" = "0"; then 213 # Throw a meaningful error and remove the file 214 cp "${tempfile}" tempfile.cer 215 perl ${CONVERTSCRIPT} > tempfile.crt 216 keyhash=$(openssl x509 -noout -in tempfile.crt -hash) 217 echo "Certificate ${keyhash} is not trusted! Removing..." 218 rm -f tempfile.cer tempfile.crt "${tempfile}" 219 continue 220 fi 221 222 # If execution made it to here in the loop, the temp cert is trusted 223 # Find the cert data and generate a cert file for it 224 225 cp "${tempfile}" tempfile.cer 226 perl ${CONVERTSCRIPT} > tempfile.crt 227 keyhash=$(openssl x509 -noout -in tempfile.crt -hash) 228 mv tempfile.crt "certs/${keyhash}.pem" 229 rm -f tempfile.cer "${tempfile}" 230 echo "Created ${keyhash}.pem" 231 done 232 233 # Remove blacklisted files 234 # MD5 Collision Proof of Concept CA 235 if test -f certs/8f111d69.pem; then 236 echo "Certificate 8f111d69 is not trusted! Removing..." 237 rm -f certs/8f111d69.pem 238 fi 239 240 # Finally, generate the bundle and clean up. 241 cat certs/*.pem > ${BUNDLE} 242 rm -r "${TEMPDIR}"</literal> 243 EOF 244 245 chmod +x /usr/bin/make-ca.sh</userinput></screen> 246 247 <para>Add a short script to remove expired certificates from a directory. 
248 Again create this script as the <systemitem 249 class="username">root</systemitem> user:</para> 250 251 <screen role="root"><userinput>cat > /usr/sbin/remove-expired-certs.sh << "EOF" 252 <literal>#!/bin/sh 253 # Begin /usr/sbin/remove-expired-certs.sh 254 # 255 # Version 20120211 256 257 # Make sure the date is parsed correctly on all systems 258 mydate() 259 { 260 local y=$( echo $1 | cut -d" " -f4 ) 261 local M=$( echo $1 | cut -d" " -f1 ) 262 local d=$( echo $1 | cut -d" " -f2 ) 263 local m 264 265 if [ ${d} -lt 10 ]; then d="0${d}"; fi 266 267 case $M in 268 Jan) m="01";; 269 Feb) m="02";; 270 Mar) m="03";; 271 Apr) m="04";; 272 May) m="05";; 273 Jun) m="06";; 274 Jul) m="07";; 275 Aug) m="08";; 276 Sep) m="09";; 277 Oct) m="10";; 278 Nov) m="11";; 279 Dec) m="12";; 280 esac 281 282 certdate="${y}${m}${d}" 283 } 284 285 OPENSSL=/usr/bin/openssl 286 DIR=/etc/ssl/certs 287 288 if [ $# -gt 0 ]; then 289 DIR="$1" 290 fi 291 292 certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" ) 293 today=$( date +%Y%m%d ) 294 295 for cert in $certs; do 296 notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout ) 297 date=$( echo ${notafter} | sed 's/^notAfter=//' ) 298 mydate "$date" 299 300 if [ ${certdate} -lt ${today} ]; then 301 echo "${cert} expired on ${certdate}! Removing..." 302 rm -f "${cert}" 303 fi 304 done</literal> 305 EOF 306 307 chmod u+x /usr/sbin/remove-expired-certs.sh</userinput></screen> 308 309 <para>The following commands will fetch the certificates and convert them to 310 the correct format. If desired, a web browser may be used instead of 311 <application>wget</application> but the file will need to be saved with the 312 name <filename>certdata.txt</filename>. 
These commands can be repeated as 313 necessary to update the CA Certificates.</para> 314 315 <screen><userinput>URL=&sources-anduin-http;/other/certdata.txt && 316 rm -f certdata.txt && 317 wget $URL && 318 make-ca.sh && 319 unset URL</userinput></screen> 320 321 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 322 323 <screen role="root"><userinput>SSLDIR=/etc/ssl && 324 remove-expired-certs.sh certs && 325 install -d ${SSLDIR}/certs && 326 cp -v certs/*.pem ${SSLDIR}/certs && 327 c_rehash && 328 install BLFS-ca-bundle*.crt ${SSLDIR}/ca-bundle.crt && 329 ln -sfv ../ca-bundle.crt ${SSLDIR}/certs/ca-certificates.crt && 330 unset SSLDIR</userinput></screen> 331 332 <para>Finally, clean up the current directory:</para> 333 334 <screen><userinput>rm -r certs BLFS-ca-bundle*</userinput></screen> 335 336 <para>After installing or updating certificates, if OpenJDK is installed, 337 update the certificates for Java using the procedures at <xref linkend='ojdk-certs'/>.</para> 338 109 <para>You should periodically run the <application>make-ca.sh</application> 110 script (as the <systemitem class="username">root</systemitem> user), or as 111 part of a monthly <application>cron</application> job to ensure that you 112 have the latest available version of the certificates.</para> 339 113 340 114 </sect2> … … 349 123 350 124 <seglistitem> 351 <seg>make-ca.sh , make-cert.pl and remove-expired-certs.sh</seg>125 <seg>make-ca.sh</seg> 352 126 <seg>None</seg> 353 <seg>/etc/ssl/ certs</seg>127 <seg>/etc/ssl/{certs,java,local}</seg> 354 128 </seglistitem> 355 129 </segmentedlist> … … 363 137 <term><command>make-ca.sh</command></term> 364 138 <listitem> 365 <para>is a shell script that reformats366 the <filename>certdata.txt</filename> file for use by367 <application>openssl</application>.</para>139 <para>is a shell script that downloads a current verion of 140 <filename>certdata.txt</filename>, and prepares it for use 141 as the system certificate 
store.</para> 368 142 <indexterm zone="cacerts make-ca"> 369 143 <primary sortas="b-make-ca">make-ca</primary> 370 </indexterm>371 </listitem>372 </varlistentry>373 374 <varlistentry id="make-cert">375 <term><command>make-cert.pl</command></term>376 <listitem>377 <para>is a utility <application>perl</application> script that378 converts a single binary certificate (.der format) into .pem format.</para>379 <indexterm zone="cacerts make-cert">380 <primary sortas="b-make-cert">make-cert</primary>381 </indexterm>382 </listitem>383 </varlistentry>384 385 <varlistentry id="remove-expired-certs">386 <term><command>remove-expired-certs.sh</command></term>387 <listitem>388 <para>is a utility shell script that389 removes expired certificates from a directory. The default390 directory is <filename class='directory'>/etc/ssl/certs</filename>.</para>391 <indexterm zone="cacerts remove-expired-certs">392 <primary sortas="b-remove-expired-certs">remove-expired-certs</primary>393 144 </indexterm> 394 145 </listitem>
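Review bot: the bootstrap order between this page and curl needs a sentence. This changeset makes curl a required dependency of cacerts while simultaneously configuring curl with `--with-ca-bundle=/etc/ssl/ca-bundle.crt`, a file that only exists after make-ca.sh has run successfully; the page should say that curl is built first against a not-yet-existing bundle, and what make-ca.sh does on its first download when that bundle is absent, so readers are not left with a trust store whose initial contents were fetched without server verification. Two typos in the added text: "Mozialla" should be "Mozilla" and "verion" should be "version". Finally, the removed varlistentry ids `make-cert` and `remove-expired-certs`, and the removed reference to `ojdk-certs` in the "After installing or updating certificates" paragraph, should be checked against the rest of the book for xrefs that now point at ids which no longer exist on this page.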