#15475 closed enhancement (fixed)

make-ca-1.8.1

Reported by: Bruce Dubbs
Owned by: DJ Lucas
Priority: normal
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (8)

comment:1 by DJ Lucas, 15 months ago

Summary: make-ca-1,8 → make-ca-1.8.1
  • Rerelease of 1.8 - set default for code signing to off

1.8 Release notes:

  • Use get_p11_label for certificate name in output when processing local certificates
  • Use "Subject:" line for get_p11_label()
  • Use last OU= value for get_p11_label() fallback
  • Fix several text issues in get_p11_label - Thanks to Michael Joost
  • Omit x-certificate-extension in comparison for copy-local-modifications
  • Use X509v3 Key Usage section to determine local trust for anchors added using 'trust anchor --store'
  • Add nss-{server,email}-distrust-after values in anchors - requires p11-kit >= 0.23.19
  • Use --filter=certificates for all stores
  • Fix output of NSSDB and Java PCKS#12 stores
  • Correct incorrectly named get_p11_val()
  • Use .p11-kit extension for anchors
  • Handle getopt style short options in get_args()
  • Use Microsoft's trust for code signing with -i | --mscodesign Note: this is manually generated, will add CCADB when available
  • Backup and restore anchors with PKIX extensions

comment:2 by Douglas R. Reno, 15 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by DJ Lucas, 15 months ago

There are some text changes that need to be added as well. We should default to using /usr/bin/trust to import certificates into the anchors (which will use the x509 Extended Key Usage values for default trust values). This will, in turn, create an OpenSSL Trusted certificate in /etc/ssl/local so that certificates are preserved across updates. Also, the p11-kit helper should not update the store from the web, but rather run with the -r switch only (same thing for adding a certificate manually or manually changing trust). I had planned to take this ticket, first in a long time. :-) Here is what I have in my sandbox:

diff --git a/packages.ent b/packages.ent
index 7afca2cba2..2230df7b7e 100644
--- a/packages.ent
+++ b/packages.ent
@@ -19,7 +19,7 @@
 <!ENTITY linux-pam-version            "1.5.1">
 <!ENTITY linux-pam-docs-version       "1.5.1">
 <!ENTITY libpwquality-version         "1.4.4">
-<!ENTITY make-ca-version              "1.7">
+<!ENTITY make-ca-version              "1.8.1">
 <!ENTITY mitkrb-major-version         "1.19">
 <!ENTITY mitkrb-version               "&mitkrb-major-version;.2">
 <!ENTITY nftables-version             "0.9.3">
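Review bot: the version entity jumps from 1.7 straight to 1.8.1, which matches the retitled ticket, but the 1.8 release notes above say the new nss-{server,email}-distrust-after values require p11-kit >= 0.23.19, and this hunk does not touch the p11-kit entity; confirm that the book's p11-kit version meets that floor (or state the requirement on the make-ca page) before merging.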
diff --git a/postlfs/security/make-ca.xml b/postlfs/security/make-ca.xml
index 2add2e7a62..2ff43bf667 100644
--- a/postlfs/security/make-ca.xml
+++ b/postlfs/security/make-ca.xml
@@ -10,8 +10,8 @@
   <!ENTITY make-ca-time          "0.1 SBU (with all runtime deps)">

   <!ENTITY make-ca-download      "https://github.com/djlucas/make-ca/releases/d
ownload/v&make-ca-version;/make-ca-&make-ca-version;.tar.xz">
-  <!ENTITY make-ca-size          "28.5 KB">
-  <!ENTITY make-ca-md5sum        "e0356f5ae5623f227a3f69b5e8848ec6">
+  <!ENTITY make-ca-size          "29.8 KB">
+  <!ENTITY make-ca-md5sum        "957c39206ba0e9139807c5a47535747f">
 ]>

 <sect1 id="make-ca" xreflabel="make-ca-&make-ca-version;">

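Review bot: "29.8 KB" in the make-ca-size entity should be rounded to "30 KB" to follow the book convention of using decimals only below 10 (the same point is raised in comment 6 of this ticket); the md5sum entity is already updated in this hunk, so nothing else changes here.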
@@ -220,12 +220,19 @@ chmod 754 /etc/cron.weekly/update-pki.sh</userinput></screen>

     <para>
       The <filename class="directory">/etc/ssl/local</filename> directory
-      is available to add additional CA certificates to the system. For
-      instance, you might need to add an organization or government CA
-      certificate. Files in this directory must be in the
-      <application>OpenSSL</application> trusted certificate format. To
-      create an <application>OpenSSL</application> trusted certificate from
-      a regular PEM encoded file, you need to add trust arguments to the
+      is available to add additional CA certificates to the system trust store.
+      This directory is also used to store certificates that were added to or
+      modified  in the system trust store by <xref linkend="p11-kit"/> so that
+      trust values are maintained across upgrades. Files in this directory must
+      be in the <application>OpenSSL</application> trusted certificate format.
+      Certificates imported using the <command>trust</command> utility from
+      <xref linkend="p11-kit"/> will utilize the x509 Extended Key Usage values
+      to assign default trust values for the system anchors.
+    </para>
+
+    <para>If you need to override trust values, or otherwise need to create
+      an <application>OpenSSL</application> trusted certificate manually
+      from a regular PEM encoded file, you need to add trust arguments to the
       <command>openssl</command> command, and create a new certificate. For
       example, using the <ulink url="http://www.cacert.org/">CAcert</ulink>
       roots, if you want to trust both for all three roles, the following
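Review bot: double space in "modified  in the system trust store" on the added line. The new paragraph also says certificates imported "using the trust utility" get default trust from the x509 Extended Key Usage values but never shows the invocation; since the 1.8 release notes tie this behaviour to 'trust anchor --store', naming that command here, e.g. "Certificates imported using <command>trust anchor --store</command> from <xref linkend="p11-kit"/> ...", would point readers at the intended path instead of hand-building a trusted certificate.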
@@ -242,7 +249,7 @@ openssl x509 -in root.crt -text -fingerprint -setalias "CAcert Class 1 root" \
 openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
         -addtrust serverAuth -addtrust emailProtection -addtrust codeSigning \
         > /etc/ssl/local/CAcert_Class_3_root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

     <bridgehead renderas="sect3">Overriding Mozilla Trust</bridgehead>

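Review bot: dropping -f here is consistent with the comment's intent that adding a certificate manually regenerates the stores from local files without fetching from the web, but nothing in the visible text explains what -r does on its own; a sentence before this screen saying that make-ca -r rebuilds the stores from /etc/ssl/local and the existing certdata without a network fetch would tell readers why the old -f is gone and that the command must be re-run after every file they drop in the directory.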
@@ -264,7 +271,7 @@ openssl x509 -in class3.crt -text -fingerprint -setalias "CAcert Class 3 root" \
              -addreject emailProtection \
              -addreject codeSigning \
        > /etc/ssl/local/Disabled_Makebelieve_CA_Root.pem &amp;&amp;
-/usr/sbin/make-ca -r -f</userinput></screen>
+/usr/sbin/make-ca -r</userinput></screen>

   </sect2>

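Review bot: same -r -f to -r change as the CAcert example in the hunk at line 249, consistent; one explanation of -r placed before the first screen would serve both examples, so no separate text is needed here.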
diff --git a/postlfs/security/p11-kit.xml b/postlfs/security/p11-kit.xml
index 8cf818b71d..4261b0b0c9 100644
--- a/postlfs/security/p11-kit.xml
+++ b/postlfs/security/p11-kit.xml
@@ -103,8 +103,8 @@ cat &gt;&gt; trust/trust-extract-compat &lt;&lt; "EOF"
 <literal># Copy existing anchor modifications to /etc/ssl/local
 /usr/libexec/make-ca/copy-trust-modifications

-# Generate a new trust store
-/usr/sbin/make-ca -f -g</literal>
+# Update trust stores
+/usr/sbin/make-ca -r</literal>
 EOF</userinput></screen>

     <para>
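Review bot: replacing "-f -g" with "-r" in trust-extract-compat removes the fetch from the web from the p11-kit hook, which is the right behaviour given the comment above: a local trust modification should never pull a new bundle as a side effect. The new "# Update trust stores" comment is accurate. Consider saying in the book prose that, after this change, the only place a fresh bundle is fetched is the cron.weekly update-pki.sh script shown earlier in the section, so readers know where updates come from.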

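The comment and the book text in the patch above describe /etc/ssl/local as holding OpenSSL "trusted certificate" files whose trust comes from -addtrust / -addreject arguments, with code-signing trust now off by default in 1.8.1. The following is an added example, not code from this ticket, the BLFS book or make-ca: a small Python audit tool that decodes the trust attributes openssl appends after the certificate DER in such a file, so an administrator can check offline what each local anchor is actually trusted or rejected for. It assumes the OpenSSL CertAux layout (trust as a SEQUENCE OF OID, reject as [0] IMPLICIT SEQUENCE OF OID, alias as UTF8String); the function names are mine, and the sample file is constructed in the block with a placeholder certificate body rather than a real X.509 certificate.

```python
import base64
import re

# Extended Key Usage OIDs behind the trust names openssl x509 accepts for
# -addtrust / -addreject (standard OID values, not constructed).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
PEM_RE = re.compile(r"-----BEGIN TRUSTED CERTIFICATE-----(.*?)"
                    r"-----END TRUSTED CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _oid_names(seq):
    """Walk a SEQUENCE OF OBJECT IDENTIFIER body, naming known EKU OIDs."""
    names, pos = [], 0
    while pos < len(seq):
        tag, value, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in trust list")
        oid = _decode_oid(value)
        names.append(EKU_NAMES.get(oid, oid))
    return names


def parse_trusted_certificate(pem_text):
    """Return {'trust': [...], 'reject': [...], 'alias': str|None} from the
    CertAux structure that openssl appends after the certificate DER."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("not an OpenSSL TRUSTED CERTIFICATE block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, _cert, pos = _read_tlv(der, 0)      # first SEQUENCE is the certificate
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    result = {"trust": [], "reject": [], "alias": None}
    if pos >= len(der):                      # no CertAux present
        return result
    _tag, aux, _ = _read_tlv(der, pos)
    p = 0
    while p < len(aux):
        t, v, p = _read_tlv(aux, p)
        if t == 0x30:                        # trust: SEQUENCE OF OID
            result["trust"] = _oid_names(v)
        elif t == 0xA0:                      # reject: [0] IMPLICIT SEQUENCE OF OID
            result["reject"] = _oid_names(v)
        elif t == 0x0C:                      # alias: UTF8String (from -setalias)
            result["alias"] = v.decode("utf-8")
        # keyid (OCTET STRING) and other ([1]) are irrelevant to a trust audit
    return result


def audit_trust(parsed):
    """Findings a reviewer of /etc/ssl/local would want to see."""
    findings = []
    if "codeSigning" in parsed["trust"] or "anyExtendedKeyUsage" in parsed["trust"]:
        findings.append("anchor is trusted for code signing; confirm this is intended")
    if not parsed["trust"] and not parsed["reject"]:
        findings.append("no trust attributes: behaves like a plain certificate")
    return findings


# --- constructed sample; the tiny encoder exists only so the example runs offline ---
def _tlv(tag, body):
    assert len(body) < 128                   # short-form length suffices here
    return bytes([tag, len(body)]) + body


def _oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for n in parts[2:]:
        chunk = bytearray([n & 0x7F])
        n >>= 7
        while n:
            chunk.insert(0, (n & 0x7F) | 0x80)
            n >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_sample_pem(trust_oids, reject_oids, alias):
    # Placeholder SEQUENCE standing in for a real X.509 certificate (constructed);
    # only the appended CertAux matters for this example.
    cert = _tlv(0x30, _tlv(0x02, b"\x00"))
    aux = b""
    if trust_oids:
        aux += _tlv(0x30, b"".join(_oid(o) for o in trust_oids))
    if reject_oids:
        aux += _tlv(0xA0, b"".join(_oid(o) for o in reject_oids))
    if alias:
        aux += _tlv(0x0C, alias.encode("utf-8"))
    b64 = base64.b64encode(cert + _tlv(0x30, aux)).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return ("-----BEGIN TRUSTED CERTIFICATE-----\n" + body +
            "\n-----END TRUSTED CERTIFICATE-----\n")


if __name__ == "__main__":
    # Equivalent of: -addtrust serverAuth -addtrust emailProtection -addreject codeSigning
    pem = build_sample_pem(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.4"],
                           ["1.3.6.1.5.5.7.3.3"], "Example Org Root")
    parsed = parse_trusted_certificate(pem)
    print(parsed, audit_trust(parsed))
```

Run against real files with `parse_trusted_certificate(open(path).read())` for each file in /etc/ssl/local; a file that comes back with codeSigning in its trust list is one to look at, given that 1.8.1 turns code-signing trust off by default for the system anchors.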
comment:4 by Douglas R. Reno, 15 months ago (in reply to comment:3)

Replying to DJ Lucas:

Let me pass that right over to you!

comment:5 by Douglas R. Reno, 15 months ago

Owner: changed from Douglas R. Reno to dj
Status: assigned → new

comment:6 by Bruce Dubbs, 15 months ago

Please round off make-ca-size to 30 KB. We only want to use decimals when less than 10, and for KB we probably should always round to whole KB.

Last edited 15 months ago by Bruce Dubbs

comment:7 by DJ Lucas, 15 months ago

Owner: changed from dj to DJ Lucas
Status: new → assigned

comment:8 by DJ Lucas, 15 months ago

Resolution: fixed
Status: assigned → closed

Done. Thanks.

Fixed at commit 6133936264a5356a07eb8f2d081b5ae2c295788d.
