forked from kiss-community/repo
ca-certificates: drop from repositories. libressl is now used.
This commit is contained in:
Dylan Araps
parent
934e3cdde9
commit
4061266be1
@ -1,32 +0,0 @@
|
||||
#!/bin/sh -e
|
||||
#
|
||||
# ca-certificates version is based on commit?
|
||||
# There's no upstream version at all?!?!?
|
||||
# Not sure what to do here.
|
||||
#
|
||||
# Source: https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
|
||||
cat > blacklist.txt <<EOF
|
||||
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
|
||||
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
|
||||
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
|
||||
"Explicitly Distrust DigiNotar Root CA"
|
||||
"Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
"MITM subCA 1 issued by Trustwave"
|
||||
"MITM subCA 2 issued by Trustwave"
|
||||
"TURKTRUST Mis-issued Intermediate CA 1"
|
||||
"TURKTRUST Mis-issued Intermediate CA 2"
|
||||
EOF
|
||||
|
||||
gcc certdata2pem.c -o certdata2pem
|
||||
./certdata2pem certdata.txt
|
||||
|
||||
install -m0755 -d "$1/usr/share/ca-certificates/mozilla"
|
||||
install -m0755 -d "$1/usr/bin"
|
||||
install -m0755 -d "$1/etc/ssl/certs"
|
||||
|
||||
cp ./*.crt "$1/usr/share/ca-certificates/mozilla"
|
||||
cp update-ca-certificates "$1/usr/bin"
|
||||
|
||||
cd "$1/usr/share/ca-certificates"
|
||||
find . -name '*.crt' | sort | cut -b3- > "$1/etc/ca-certificates.conf"
|
||||
@ -1,3 +0,0 @@
|
||||
c979c6f35714a0fedb17d9e5ba37adecbbc91a8faf4186b4e23d6f9ca44fd6cb certdata.txt
|
||||
1a2b0a56e47463d8d5690a846bb3c8db29ea04ff774088ce22bf6b6542bac639 certdata2pem.c
|
||||
0427333826d678c885495ef11f3bb70cd340a5238f2ce34a7879c581887603b7 update-ca-certificates
|
||||
@ -1 +0,0 @@
|
||||
libressl
|
||||
@ -1,142 +0,0 @@
|
||||
/* Copyright (C) 2013, Felix Janda <felix.janda@posteo.de>
|
||||
|
||||
Permission to use, copy, modify, and/or distribute this software for
|
||||
any purpose with or without fee is hereby granted, provided that the
|
||||
above copyright notice and this permission notice appear in all copies.
|
||||
|
||||
SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <err.h>
|
||||
|
||||
void xwrite(FILE *f, void *p, size_t size)
|
||||
{
|
||||
if (fwrite(p, 1, size, f) != size) err(1, 0);
|
||||
}
|
||||
|
||||
int main(void)
|
||||
{
|
||||
FILE *f;
|
||||
char cert[4096], ecert[4096*4/3 + 100];
|
||||
char *line = 0, *tmp, *filename, *label, *pcert = 0;
|
||||
ssize_t len;
|
||||
size_t size, certsize;
|
||||
int trust;
|
||||
char **blacklist = 0, **node;
|
||||
|
||||
filename = "./blacklist.txt";
|
||||
if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
|
||||
while ((len = getline(&line, &size, f)) != -1) {
|
||||
if ((line[0] != '#') && (len > 1)) {
|
||||
if (!(node = malloc(sizeof(void*) + len))) err(1, 0);
|
||||
*node = (char*)blacklist;
|
||||
memcpy(node + 1, line, len);
|
||||
blacklist = node;
|
||||
}
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
filename = "./certdata.txt";
|
||||
if (!(f = fopen(filename, "r"))) err(1, "%s", filename);
|
||||
while ((len = getline(&line, &size, f)) != -1) {
|
||||
tmp = line;
|
||||
if (line[0] == '#') continue;
|
||||
if (pcert) {
|
||||
if (!strcmp(line, "END\n")) {
|
||||
char *base64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
||||
"abcdefghijklmnopqrstuvwxyz0123456789+/";
|
||||
size_t i, j, k, val;
|
||||
|
||||
for (i = 0, val = 0, tmp = ecert; i < (size_t)(pcert - cert); i++) {
|
||||
val = (val << 8) + (unsigned char)cert[i];
|
||||
if (i % 3 == 2) {
|
||||
for (j = 0; j < 4; j++, val >>= 6) tmp[3 - j] = base64[val & 0x3f];
|
||||
tmp += 4;
|
||||
}
|
||||
if (i && !(i % 48)) {
|
||||
*tmp = '\n';
|
||||
tmp++;
|
||||
}
|
||||
}
|
||||
if (k = i % 3) {
|
||||
tmp[2] = '=';
|
||||
tmp[3] = '=';
|
||||
val <<= 6 - 2*k;
|
||||
for (j = 0; j < k + 1; j++, val >>= 6) tmp[k - j] = base64[val & 0x3f];
|
||||
tmp += 4;
|
||||
}
|
||||
certsize = tmp - ecert;
|
||||
pcert = 0;
|
||||
} else while (sscanf(tmp, "\\%hho", pcert) == 1) pcert++, tmp += 4;
|
||||
} else if (!memcmp(line, "CKA_LABEL UTF8 ", 15)) {
|
||||
|
||||
char *p2, *tmp2;
|
||||
len -= 15;
|
||||
if (!(label = malloc(len))) err(1, 0);
|
||||
memcpy(label, line + 15, len);
|
||||
trust = 0;
|
||||
for (node = blacklist; node; node = (char**)*node)
|
||||
if (!strcmp(label, (char*)(node + 1))) trust = 4;
|
||||
if (!(p2 = malloc(len + 2))) err(1, 0);
|
||||
for (tmp = label + 1, tmp2 = p2; *tmp != '"'; tmp++, tmp2++) {
|
||||
switch (*tmp) {
|
||||
case '\\':
|
||||
if (sscanf(tmp, "\\x%hhx", tmp2)!=1) errx(1, "Bad triple: %s\n", tmp);
|
||||
tmp += 3;
|
||||
break;
|
||||
case '/':
|
||||
case ' ':
|
||||
*tmp2 = '_';
|
||||
break;
|
||||
case '(':
|
||||
case ')':
|
||||
*tmp2 = '=';
|
||||
break;
|
||||
default:
|
||||
*tmp2 = *tmp;
|
||||
}
|
||||
}
|
||||
strcpy(tmp2, ".crt");
|
||||
free(label);
|
||||
label = p2;
|
||||
} else if (!strcmp(line, "CKA_VALUE MULTILINE_OCTAL\n")) pcert = cert;
|
||||
else if (!memcmp(line, "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_", 39)) {
|
||||
tmp += 39;
|
||||
if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
|
||||
else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
|
||||
} else if (!memcmp(line,
|
||||
"CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_", 44)) {
|
||||
tmp += 44;
|
||||
if (!strcmp(tmp, "TRUSTED_DELEGATOR\n")) trust |= 1;
|
||||
else if (!strcmp(tmp, "NOT_TRUSTED\n")) trust |= 2;
|
||||
if (!trust) printf("Ignoring %s\n", label);
|
||||
if (trust == 1) {
|
||||
FILE *out;
|
||||
if (!(out = fopen(label, "w"))) err(1, "%s", label);
|
||||
xwrite(out, "-----BEGIN CERTIFICATE-----\n", 28);
|
||||
xwrite(out, ecert, certsize);
|
||||
xwrite(out, "\n-----END CERTIFICATE-----\n", 27);
|
||||
fclose(out);
|
||||
}
|
||||
}
|
||||
}
|
||||
fclose(f);
|
||||
|
||||
while (blacklist) {
|
||||
node = (char**)*blacklist;
|
||||
free(blacklist);
|
||||
blacklist = node;
|
||||
}
|
||||
free(line);
|
||||
free(label);
|
||||
return 0;
|
||||
}
|
||||
@ -1,215 +0,0 @@
|
||||
#!/bin/sh -e
|
||||
#
|
||||
# update-ca-certificates
|
||||
#
|
||||
# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
|
||||
# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
|
||||
#
|
||||
# This program is free software; you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation; either version 2 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program; if not, write to the Free Software
|
||||
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
|
||||
# USA.
|
||||
#
|
||||
|
||||
verbose=0
|
||||
fresh=0
|
||||
default=0
|
||||
CERTSCONF=$DESTDIR/etc/ca-certificates.conf
|
||||
CERTSDIR=/usr/share/ca-certificates
|
||||
LOCALCERTSDIR=$DESTDIR/usr/local/share/ca-certificates
|
||||
CERTBUNDLE=ca-certificates.crt
|
||||
ETCCERTSDIR=$DESTDIR/etc/ssl/certs
|
||||
HOOKSDIR=$DESTDIR/etc/ca-certificates/update.d
|
||||
|
||||
while [ $# -gt 0 ];
|
||||
do
|
||||
case $1 in
|
||||
--verbose|-v)
|
||||
verbose=1;;
|
||||
--fresh|-f)
|
||||
fresh=1;;
|
||||
--default|-d)
|
||||
default=1
|
||||
fresh=1;;
|
||||
--certsconf)
|
||||
shift
|
||||
CERTSCONF="$1";;
|
||||
--certsdir)
|
||||
shift
|
||||
CERTSDIR="$1";;
|
||||
--localcertsdir)
|
||||
shift
|
||||
LOCALCERTSDIR="$1";;
|
||||
--certbundle)
|
||||
shift
|
||||
CERTBUNDLE="$1";;
|
||||
--etccertsdir)
|
||||
shift
|
||||
ETCCERTSDIR="$1";;
|
||||
--hooksdir)
|
||||
shift
|
||||
HOOKSDIR="$1";;
|
||||
--help|-h|*)
|
||||
echo "$0: [--verbose] [--fresh]"
|
||||
exit;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
if [ ! -s "$CERTSCONF" ]
|
||||
then
|
||||
fresh=1
|
||||
fi
|
||||
|
||||
cleanup() {
|
||||
rm -f "$TEMPBUNDLE"
|
||||
rm -f "$ADDED"
|
||||
rm -f "$REMOVED"
|
||||
}
|
||||
trap cleanup 0
|
||||
|
||||
# Helper files. (Some of them are not simple arrays because we spawn
|
||||
# subshells later on.)
|
||||
TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
|
||||
ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
|
||||
REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
|
||||
|
||||
# Adds a certificate to the list of trusted ones. This includes a symlink
|
||||
# in /etc/ssl/certs to the certificate file and its inclusion into the
|
||||
# bundle.
|
||||
add() {
|
||||
CERT="$1"
|
||||
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
|
||||
-e 's/[()]/=/g' \
|
||||
-e 's/,/_/g').pem"
|
||||
if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
|
||||
then
|
||||
ln -sf "$CERT" "$PEM"
|
||||
echo "+$PEM" >> "$ADDED"
|
||||
fi
|
||||
# Add trailing newline to certificate, if it is missing (#635570)
|
||||
# shellcheck disable=1003
|
||||
sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
|
||||
}
|
||||
|
||||
remove() {
|
||||
CERT="$1"
|
||||
PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
|
||||
if test -L "$PEM"
|
||||
then
|
||||
rm -f "$PEM"
|
||||
echo "-$PEM" >> "$REMOVED"
|
||||
fi
|
||||
}
|
||||
|
||||
cd "$ETCCERTSDIR"
|
||||
if [ "$fresh" = 1 ]; then
|
||||
echo "Clearing symlinks in $ETCCERTSDIR..."
|
||||
find . -type l -print | while read -r symlink
|
||||
do
|
||||
case $(readlink "$symlink") in
|
||||
"$CERTSDIR"*|"$LOCALCERTSDIR"*) rm -f "$symlink" ;;
|
||||
esac
|
||||
done
|
||||
find . -type l -print | while read -r symlink
|
||||
do
|
||||
test -f "$symlink" || rm -f "$symlink"
|
||||
done
|
||||
echo "done."
|
||||
fi
|
||||
|
||||
echo "Updating certificates in $ETCCERTSDIR..."
|
||||
|
||||
# Add default certificate authorities if requested
|
||||
if [ "$default" = 1 ]; then
|
||||
find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read -r crt
|
||||
do
|
||||
add "$crt"
|
||||
done
|
||||
fi
|
||||
|
||||
# Handle certificates that should be removed. This is an explicit act
|
||||
# by prefixing lines in the configuration files with exclamation marks (!).
|
||||
sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read -r crt
|
||||
do
|
||||
remove "$CERTSDIR/$crt"
|
||||
done
|
||||
|
||||
sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read -r crt
|
||||
do
|
||||
if ! test -f "$CERTSDIR/$crt"
|
||||
then
|
||||
echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
|
||||
continue
|
||||
fi
|
||||
add "$CERTSDIR/$crt"
|
||||
done
|
||||
|
||||
# Now process certificate authorities installed by the local system
|
||||
# administrator.
|
||||
if [ -d "$LOCALCERTSDIR" ]
|
||||
then
|
||||
find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read -r crt
|
||||
do
|
||||
add "$crt"
|
||||
done
|
||||
fi
|
||||
|
||||
rm -f "$CERTBUNDLE"
|
||||
|
||||
ADDED_CNT=$(wc -l < "$ADDED")
|
||||
REMOVED_CNT=$(wc -l < "$REMOVED")
|
||||
|
||||
if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
|
||||
then
|
||||
# only run if set of files has changed
|
||||
# Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl certhash`
|
||||
# from exiting with an error. See #895482, #895473.
|
||||
find "$ETCCERTSDIR" -type l ! -exec test -e {} \; -print | while read -r orphan
|
||||
do
|
||||
rm -f "$orphan"
|
||||
if [ "$verbose" = 1 ]; then
|
||||
echo "Removed orphan symlink $orphan"
|
||||
fi
|
||||
done
|
||||
if [ "$verbose" = 0 ]
|
||||
then
|
||||
openssl certhash . > /dev/null
|
||||
else
|
||||
openssl certhash -v .
|
||||
fi
|
||||
fi
|
||||
|
||||
chmod 0644 "$TEMPBUNDLE"
|
||||
mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
|
||||
# Restore proper SELinux label after moving the file
|
||||
[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
|
||||
|
||||
echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
|
||||
|
||||
if [ -d "$HOOKSDIR" ]
|
||||
then
|
||||
|
||||
echo "Running hooks in $HOOKSDIR..."
|
||||
VERBOSE_ARG=
|
||||
[ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
|
||||
eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read -r hook
|
||||
do
|
||||
( cat "$ADDED"
|
||||
cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
|
||||
done
|
||||
echo "done."
|
||||
|
||||
fi
|
||||
|
||||
# vim:set et sw=2:
|
||||
@ -1,3 +0,0 @@
|
||||
#!/bin/sh -e
|
||||
|
||||
/usr/sbin/update-ca-certificates --fresh
|
||||
@ -1,3 +0,0 @@
|
||||
https://hg.mozilla.org/mozilla-central/raw-file/cae93ef1993e02a136ef64d974856071b905997f/security/nss/lib/ckfw/builtins/certdata.txt
|
||||
files/certdata2pem.c
|
||||
files/update-ca-certificates
|
||||
@ -1 +0,0 @@
|
||||
20190831 1
|
||||
Loading…
Reference in New Issue
Block a user