Opened 3 years ago

Closed 3 years ago

#15475 closed enhancement (fixed)

make-ca-1.8.1

Reported by: Bruce Dubbs
Owned by: DJ Lucas
Priority: normal
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (8)

comment:1 by DJ Lucas, 3 years ago

Summary: make-ca-1,8 → make-ca-1.8.1
  • Rerelease of 1.8 - set default for code signing to off

1.8 Release notes:

  • Use get_p11_label for certificate name in output when processing local certificates
  • Use "Subject:" line for get_p11_label()
  • Use last OU= value for get_p11_label() fallback
  • Fix several text issues in get_p11_label - Thanks to Michael Joost
  • Omit x-certificate-extension in comparison for copy-local-modifications
  • Use X509v3 Key Usage section to determine local trust for anchors added using 'trust anchor --store'
  • Add nss-{server,email}-distrust-after values in anchors - requires p11-kit >= 0.23.19
  • Use --filter=certificates for all stores
  • Fix output of NSSDB and Java PKCS#12 stores
  • Correct incorrectly named get_p11_val()
  • Use .p11-kit extension for anchors
  • Handle getopt style short options in get_args()
  • Use Microsoft's trust for code signing with -i | --mscodesign. Note: this is manually generated, will add CCADB when available
  • Backup and restore anchors with PKIX extensions

comment:2 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by DJ Lucas, 3 years ago

There are some text changes that need to be added as well. We should default to using /usr/bin/trust to import certificates into the anchors (which will use the x509 Extended Key Usage values for default trust values). This will, in turn, create an OpenSSL Trusted certificate in /etc/ssl/local so that certificates are preserved across updates. Also, the p11-kit helper should not update the store from the web, but rather run with the -r switch only (same thing for adding a certificate manually or manually changing trust). I had planned to take this ticket, first in a long time. :-) Here is what I have in my sandbox:

diff --git a/packages.ent b/packages.ent
index 7afca2cba2..2230df7b7e 100644
--- a/packages.ent
+++ b/packages.ent
@@ -19,7 +19,7 @@
 <!ENTITY linux-pam-version            "1.5.1">
 <!ENTITY linux-pam-docs-version       "1.5.1">
 <!ENTITY libpwquality-version         "1.4.4">
-<!ENTITY make-ca-version              "1.7">
+<!ENTITY make-ca-version              "1.8.1">
 <!ENTITY mitkrb-major-version         "1.19">
 <!ENTITY mitkrb-version               "&mitkrb-major-version;.2">
 <!ENTITY nftables-version             "0.9.3">
diff --git a/postlfs/security/make-ca.xml b/postlfs/security/make-ca.xml
index 2add2e7a62..2ff43bf667 100644
--- a/postlfs/security/make-ca.xml
+++ b/postlfs/security/make-ca.xml
@@ -10,8 +10,8 @@
   <!ENTITY make-ca-time          "0.1 SBU (with all runtime deps)">

   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/d
ownload/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
-  <!ENTITY make-ca-size          "28.5 KB">
-  <!ENTITY make-ca-md5sum        "e0356f5ae5623f227a3f69b5e8848ec6">
+  <!ENTITY make-ca-size          "29.8 KB">
+  <!ENTITY make-ca-md5sum        "957c39206ba0e9139807c5a47535747f">
 ]>

 <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">
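Review bot: the size entity on the `+` line, `"29.8 KB"`, should be rounded to a whole kilobyte as requested in comment 6; use `<!ENTITY make-ca-size          "30 KB">` so the book keeps decimals only for values under 10.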

@@ -220,12 +220,19 @@ chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>

     <para>
       The <filename class="directory">/etc/ssl/local</filename> directory
-      is available to add additional CA certificates to the system. For
-      instance, you might need to add an organization or government CA
-      certificate. Files in this directory must be in the
-      <application>OpenSSL</application> trusted certificate format. To
-      create an <application>OpenSSL</application> trusted certificate from
-      a regular PEM encoded file, you need to add trust arguments to the
+      is available to add additional CA certificates to the system trust store.
+      This directory is also used to store certificates that were added to or
+      modified  in the system trust store by <xref linkend="p11-kit"/> so that
+      trust values are maintained across upgrades. Files in this directory must
+      be in the <application>OpenSSL</application> trusted certificate format.
+      Certificates imported using the <command>trust</command> utility from
+      <xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
+      to assign default trust values for the system anchors.
+    </para>
+
+    <para>If you need to override trust values, or otherwise need to create
+      an <application>OpenSSL</application> trusted certificate manually
+      from a regular PEM encoded file, you need to add trust arguments to the
       <command>openssl</command> command, and create a new certificate. For
       example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
       roots, if you want to trust both for all three roles, the following
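Review bot: two points on the added paragraphs. The line `modified  in the system trust store by` has a doubled space before `in`. More substantively, the new text states that the `trust` utility from p11-kit now assigns default trust from the x509 Extended Key Usage values, and the comment above says importing via /usr/bin/trust should become the default route, yet neither paragraph shows a command for that route; a short `<screen>` example before the manual `openssl x509` recipe (`trust anchor --store`, the invocation named in the 1.8 release notes) would make the preferred path explicit and leave the openssl recipe for the override case the second paragraph describes.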
@@ -242,7 +249,7 @@ openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
 openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
         > /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>
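Review bot: dropping `-f` from `/usr/sbin/make-ca -r` on the `+` line is consistent with the stated goal that adding a local certificate should only rebuild the stores and must not fetch new certdata; the identical change in the "Overriding Mozilla Trust" hunk keeps the two recipes in step. Worth checking that the unchanged prose around these screens does not still describe the command as refreshing the Mozilla bundle, since that description would now be wrong.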

@@ -264,7 +271,7 @@ openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
              -addreject emailProtection \
              -addreject codeSigning \
        > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

   </sect2>

diff --git a/postlfs/security/p11-kit.xml b/postlfs/security/p11-kit.xml
index 8cf818b71d..4261b0b0c9 100644
--- a/postlfs/security/p11-kit.xml
+++ b/postlfs/security/p11-kit.xml
@@ -103,8 +103,8 @@ cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
 <literal># Copy existing anchor modifications to /etc/ssl/local
 /usr/libexec/make-ca/copy-trust-modifications

-# Generate a new trust store
-/usr/sbin/make-ca -f -g</literal>
+# Update trust stores
+/usr/sbin/make-ca -r</literal>
 EOF</userinput></screen>

     <para>
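Review bot: replacing `/usr/sbin/make-ca -f -g` with `/usr/sbin/make-ca -r` in trust-extract-compat matches the requirement stated above that the p11-kit helper must not update the store from the web. This hook runs whenever trust is modified locally, so a forced download there would add a network dependency to an offline operation and could silently pull in an upstream change the administrator did not ask for; the weekly cron job remains the one path that fetches updates. Since `copy-trust-modifications` runs first, the local changes are written to /etc/ssl/local before the rebuild, which is what preserves them across that update. The new comment `# Update trust stores` could read `# Rebuild trust stores (no download)` so the intent is visible to anyone editing the helper later.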

comment:4 by Douglas R. Reno, 3 years ago (in reply to comment:3)

Replying to DJ Lucas:

There are some text changes that need to be added as well. We should default to using /usr/bin/trust to import certificates into the anchors (which will use the x509 Extended Key Usage values for default trust values). This will, in turn, create an OpenSSL Trusted certificate in /etc/ssl/local so that certificates are preserved across updates. Also, the p11-kit helper should not update the store from the web, but rather run with the -r switch only (same thing for adding a certificate manually or manually changing trust). I had planned to take this ticket, first in a long time. :-) Here is what I have in my sandbox:

diff --git a/packages.ent b/packages.ent
index 7afca2cba2..2230df7b7e 100644
--- a/packages.ent
+++ b/packages.ent
@@ -19,7 +19,7 @@
 <!ENTITY linux-pam-version            "1.5.1">
 <!ENTITY linux-pam-docs-version       "1.5.1">
 <!ENTITY libpwquality-version         "1.4.4">
-<!ENTITY make-ca-version              "1.7">
+<!ENTITY make-ca-version              "1.8.1">
 <!ENTITY mitkrb-major-version         "1.19">
 <!ENTITY mitkrb-version               "&mitkrb-major-version;.2">
 <!ENTITY nftables-version             "0.9.3">
diff --git a/postlfs/security/make-ca.xml b/postlfs/security/make-ca.xml
index 2add2e7a62..2ff43bf667 100644
--- a/postlfs/security/make-ca.xml
+++ b/postlfs/security/make-ca.xml
@@ -10,8 +10,8 @@
   <!ENTITY make-ca-time          "0.1 SBU (with all runtime deps)">

   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/d
ownload/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
-  <!ENTITY make-ca-size          "28.5 KB">
-  <!ENTITY make-ca-md5sum        "e0356f5ae5623f227a3f69b5e8848ec6">
+  <!ENTITY make-ca-size          "29.8 KB">
+  <!ENTITY make-ca-md5sum        "957c39206ba0e9139807c5a47535747f">
 ]>

 <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">

@@ -220,12 +220,19 @@ chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>

     <para>
       The <filename class="directory">/etc/ssl/local</filename> directory
-      is available to add additional CA certificates to the system. For
-      instance, you might need to add an organization or government CA
-      certificate. Files in this directory must be in the
-      <application>OpenSSL</application> trusted certificate format. To
-      create an <application>OpenSSL</application> trusted certificate from
-      a regular PEM encoded file, you need to add trust arguments to the
+      is available to add additional CA certificates to the system trust store.
+      This directory is also used to store certificates that were added to or
+      modified  in the system trust store by <xref linkend="p11-kit"/> so that
+      trust values are maintained across upgrades. Files in this directory must
+      be in the <application>OpenSSL</application> trusted certificate format.
+      Certificates imported using the <command>trust</command> utility from
+      <xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
+      to assign default trust values for the system anchors.
+    </para>
+
+    <para>If you need to override trust values, or otherwise need to create
+      an <application>OpenSSL</application> trusted certificate manually
+      from a regular PEM encoded file, you need to add trust arguments to the
       <command>openssl</command> command, and create a new certificate. For
       example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
       roots, if you want to trust both for all three roles, the following
@@ -242,7 +249,7 @@ openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
 openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
         > /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>

@@ -264,7 +271,7 @@ openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
              -addreject emailProtection \
              -addreject codeSigning \
        > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

   </sect2>

diff --git a/postlfs/security/p11-kit.xml b/postlfs/security/p11-kit.xml
index 8cf818b71d..4261b0b0c9 100644
--- a/postlfs/security/p11-kit.xml
+++ b/postlfs/security/p11-kit.xml
@@ -103,8 +103,8 @@ cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
 <literal># Copy existing anchor modifications to /etc/ssl/local
 /usr/libexec/make-ca/copy-trust-modifications

-# Generate a new trust store
-/usr/sbin/make-ca -f -g</literal>
+# Update trust stores
+/usr/sbin/make-ca -r</literal>
 EOF</userinput></screen>

     <para>

Let me pass that right over to you!
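The EKU-driven default trust that comment 3 (quoted above) describes, where the `trust` utility derives serverAuth, emailProtection and codeSigning trust from a certificate's Extended Key Usage, can be illustrated with a small self-contained parser. This is an added example, not make-ca's or p11-kit's own code: it builds a constructed DER-encoded EKU value, decodes it back to OIDs, and emits the `-addtrust` / `-addreject` arguments one would pass to `openssl x509` when writing an OpenSSL trusted certificate into /etc/ssl/local. The mapping policy (roles listed in the EKU are trusted, the other book roles are rejected, and a certificate with no EKU is trusted for all three, following RFC 5280's "any purpose" reading of an absent EKU) is an assumption chosen for illustration, not a statement of how make-ca itself decides.

```python
# Added illustration; not make-ca's or p11-kit's own code.
# Derives OpenSSL trusted-certificate arguments (-addtrust / -addreject)
# from a DER-encoded X.509 Extended Key Usage value. The EKU-to-argument
# policy in trust_args() is an assumption made for this example.

from typing import Optional

# The three roles the make-ca book text uses, with their RFC 5280 OIDs.
ROLE_OIDS = {
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
}
ROLE_ORDER = ("serverAuth", "emailProtection", "codeSigning")


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return b"\x06" + _der_len(len(body)) + bytes(body)


def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (tag 0x30)."""
    inner = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body: bytes) -> str:
    """Dotted OID from the content octets of an OBJECT IDENTIFIER."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> list:
    """Parse a DER EKU value into a list of dotted OIDs; reject malformed input."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(val))
    return oids


def trust_args(eku_der: Optional[bytes]) -> list:
    """Assumed policy: no EKU -> all three roles trusted (RFC 5280 treats an
    absent EKU as any purpose); EKU present -> -addtrust for listed roles
    and -addreject for the remaining book roles."""
    if eku_der is None:
        present = set(ROLE_ORDER)
    else:
        listed = set(decode_eku(eku_der))
        present = {r for r in ROLE_ORDER if ROLE_OIDS[r] in listed}
    args = []
    for role in ROLE_ORDER:
        args += ["-addtrust" if role in present else "-addreject", role]
    return args


# Constructed sample: an EKU that lists TLS server and S/MIME use only.
SAMPLE_EKU = encode_eku([ROLE_OIDS["serverAuth"], ROLE_OIDS["emailProtection"]])

if __name__ == "__main__":
    print(SAMPLE_EKU.hex())
    print("openssl x509 -in ca.pem -text -fingerprint", " ".join(trust_args(SAMPLE_EKU)))
```

Running the block prints the constructed EKU in hex and the argument tail for `openssl x509`; for the sample it yields `-addtrust serverAuth -addtrust emailProtection -addreject codeSigning`, which is the same shape as the Class 3 recipe in the patch but with code signing explicitly refused because the certificate never asserted it.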

comment:5 by Douglas R. Reno, 3 years ago

Owner: changed from Douglas R. Reno to dj
Status: assigned → new

comment:6 by Bruce Dubbs, 3 years ago

Please round off make-ca-size to 30 KB. We only want to use decimals when less than 10, and for KB we probably should always round to whole KB.

Last edited 3 years ago by Bruce Dubbs

comment:7 by DJ Lucas, 3 years ago

Owner: changed from dj to DJ Lucas
Status: new → assigned

comment:8 by DJ Lucas, 3 years ago

Resolution: fixed
Status: assigned → closed

Done. Thanks.

Fixed at commit 6133936264a5356a07eb8f2d081b5ae2c295788d.
