Djam/rootcerts
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/rootcerts.git synced 2025-02-23 08:42:58 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #2 from import/rootcerts:rosa2021.1

Browse source 
Backports and update
This commit is contained in:
djam 2022-05-19 13:56:54 +00:00
commit 8c714ad221
19 changed files with 2027 additions and 3076 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.abf.yml
View file

@ -1,6 +1,2 @@
sources:
cacert.org.der: 135cec36f49cb8e93b1ab270cd80884676ce8f33
cacert_class3.der: ad7c3f64fc4439fef4e90be8f47c6cfa8aadfdce
publicxca_der.crt: 87a500da9573e70a02067441312bf07ff8d250b3
rootca_der.crt: b2bd9031aa6d0e14f4c57fd548258f37b1fb39e4
rootcerts.tar.bz2: 54c4ec6b7d2c04dee64f80a2e1b4fe545b1b7484
trust-fixes: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

87
ca-legacy Normal file
View file

@ -0,0 +1,87 @@
#!/bin/sh
#set -vx
LCFILE=/etc/pki/ca-trust/ca-legacy.conf
LLINK=/etc/pki/ca-trust/source/ca-bundle.legacy.crt
LDEFAULT=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
LDISABLE=/usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
# An absent value, or any unexpected value, is treated as "default".
is_disabled()
{
grep -i "^legacy *= *disable *$" $LCFILE >/dev/null 2>&1
}
do_check()
{
is_disabled
if [ $? -eq 0 ]; then
echo "Legacy CAs are set to DISABLED in file $LCFILE (affects install/upgrade)"
LEXPECT=$LDISABLE
else
echo "Legacy CAs are set to DEFAULT in file $LCFILE (affects install/upgrade)"
LEXPECT=$LDEFAULT
fi
echo "Status of symbolic link $LLINK:"
readlink -v $LLINK
}
do_install()
{
is_disabled
if [ $? -eq 0 ]; then
# found, legacy is disabled
ln -sf $LDISABLE $LLINK
else
# expression not found, legacy is set to default
ln -sf $LDEFAULT $LLINK
fi
}
do_default()
{
sed -i 's/^legacy *=.*$/legacy=default/' $LCFILE
do_install
/usr/bin/update-ca-trust
}
do_disable()
{
sed -i 's/^legacy *=.*$/legacy=disable/' $LCFILE
do_install
/usr/bin/update-ca-trust
}
do_help()
{
echo "usage: $0 [check | default | disable | install]"
}
if [[ $# -eq 0 ]]; then
# no parameters
do_help
exit $?
fi
if [[ "$1" = "install" ]]; then
do_install
exit $?
fi
if [[ "$1" = "default" ]]; then
do_default
exit $?
fi
if [[ "$1" = "disable" ]]; then
do_disable
exit $?
fi
if [[ "$1" = "check" ]]; then
do_check
exit $?
fi
echo "$0: Unsupported command $1"
do_help

85
ca-legacy.8.txt Normal file
View file

@ -0,0 +1,85 @@
////
Copyright (C) 2013 Red Hat, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
////
ca-legacy(8)
============
:doctype: manpage
:man source: ca-legacy
NAME
----
ca-legacy - Manage the system configuration for legacy CA certificates
SYNOPSIS
--------
*ca-legacy* ['COMMAND']
DESCRIPTION
-----------
ca-legacy(8) is used to include or exclude a set of legacy Certificate Authority (CA)
certificates in the system's list of trusted CA certificates.
The list of CA certificates and trust flags included in the ca-certificates package
are based on the decisions made by Mozilla.org according to the Mozilla CA policy.
Occasionally, removal or distrust decisions made by Mozilla.org might be incompatible with the requirements
or limitations of some applications that also use the CA certificates list in the Linux environment.
The ca-certificates package might keep some CA certificates included and trusted by default,
as long as it is seen necessary by the maintainers, despite the fact that they have
been removed by Mozilla. These certificates are called legacy CA certificates.
The general requirements to keep legacy CA certificates included and trusted might change over time,
for example if functional limitations of software packages have been resolved.
Future versions of the ca-certificates package might reduce the set of legacy CA certificates
that are included and trusted by default.
The ca-legacy(8) command can be used to override the default behaviour.
The mechanisms to individually trust or distrust CA certificates as described in update-ca-trust(8) still apply.
COMMANDS
--------
*check*::
The current configuration will be shown.
*default*::
Configure the system to use the default configuration, as recommended
by the package maintainers.
*disable*::
Configure the system to explicitly disable legacy CA certificates.
Using this configuration, the system will use the set of
included and trusted CA certificates as released by Mozilla.
*install*::
The configuration file will be read and the system configuration
will be set accordingly. This command is executed automatically during
upgrades of the ca-certificates package.
FILES
-----
/etc/pki/ca-trust/ca-legacy.conf::
A configuration file that will be used and modified by the ca-legacy command.
The contents of the configuration file will be read on package upgrades.
AUTHOR
------
Written by Kai Engert.

24
ca-legacy.conf Normal file
View file

@ -0,0 +1,24 @@
# The upstream Mozilla.org project tests all changes to the root CA
# list with the NSS (Network Security Services) library.
#
# Occassionally, changes might cause compatibility issues with
# other cryptographic libraries, such as openssl or gnutls.
#
# The package maintainers of the CA certificates package might decide
# to temporarily keep certain (legacy) root CA certificates trusted,
# until incompatibility issues can be resolved.
#
# Using this configuration file it is possible to opt-out of the
# compatibility choices made by the package maintainer.
#
# legacy=default :
# This configuration uses the choices made by the package maintainer.
# It may keep root CA certificate as trusted, which the upstream
# Mozilla.org project has already marked as no longer trusted.
# The set of CA certificates that are being kept enabled may change
# between package versions.
#
# legacy=disable :
# Follow all removal decisions made by Mozilla.org
#
legacy=default

41
cacert.org.crt
View file

@ -1,41 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
-----END CERTIFICATE-----

3107
certdata-20190314.00.txt → certdata.txt
View file

File diff suppressed because it is too large Load diff

413
certdata2pem.py Normal file
View file

@ -0,0 +1,413 @@
#!/usr/bin/python
# vim:set et sw=4:
#
# certdata2pem.py - splits certdata.txt into multiple files
#
# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
# USA.
import base64
import os.path
import re
import sys
import textwrap
import urllib.request, urllib.parse, urllib.error
import subprocess
objects = []
def printable_serial(obj):
return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
# Dirty file parser.
in_data, in_multiline, in_obj = False, False, False
field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
for line in open('certdata.txt', 'r'):
# Ignore the file header.
if not in_data:
if line.startswith('BEGINDATA'):
in_data = True
continue
# Ignore comment lines.
if line.startswith('#'):
continue
# Empty lines are significant if we are inside an object.
if in_obj and len(line.strip()) == 0:
objects.append(obj)
obj = dict()
in_obj = False
continue
if len(line.strip()) == 0:
continue
if in_multiline:
if not line.startswith('END'):
if ftype == 'MULTILINE_OCTAL':
line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
integ = int(i.group(1), 8)
binval.extend((integ).to_bytes(1, sys.byteorder))
obj[field] = binval
else:
value += line
obj[field] = value
continue
in_multiline = False
continue
if line.startswith('CKA_CLASS'):
in_obj = True
line_parts = line.strip().split(' ', 2)
if len(line_parts) > 2:
field, ftype = line_parts[0:2]
value = ' '.join(line_parts[2:])
elif len(line_parts) == 2:
field, ftype = line_parts
value = None
else:
raise NotImplementedError('line_parts < 2 not supported.\n' + line)
if ftype == 'MULTILINE_OCTAL':
in_multiline = True
value = ""
binval = bytearray()
continue
obj[field] = value
if len(list(obj.items())) > 0:
objects.append(obj)
# Build up trust database.
trustmap = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
continue
key = obj['CKA_LABEL'] + printable_serial(obj)
trustmap[key] = obj
print(" added trust", key)
# Build up cert database.
certmap = dict()
for obj in objects:
if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
continue
key = obj['CKA_LABEL'] + printable_serial(obj)
certmap[key] = obj
print(" added cert", key)
def obj_to_filename(obj):
label = obj['CKA_LABEL'][1:-1]
label = label.replace('/', '_')\
.replace(' ', '_')\
.replace('(', '=')\
.replace(')', '=')\
.replace(',', '_')
labelbytes = bytearray()
i = 0
imax = len(label)
while i < imax:
if i < imax-3 and label[i] == '\\' and label[i+1] == 'x':
labelbytes.extend(bytes.fromhex(label[i+2:i+4]))
i += 4
continue
labelbytes.extend(str.encode(label[i]))
i = i+1
continue
label = labelbytes.decode('utf-8')
serial = printable_serial(obj)
return label + ":" + serial
def write_cert_ext_to_file(f, oid, value, public_key):
f.write("[p11-kit-object-v1]\n")
f.write("label: ");
f.write(tobj['CKA_LABEL'])
f.write("\n")
f.write("class: x-certificate-extension\n");
f.write("object-id: " + oid + "\n")
f.write("value: \"" + value + "\"\n")
f.write("modifiable: false\n");
f.write(public_key)
trust_types = {
"CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
"CKA_TRUST_NON_REPUDIATION": "non-repudiation",
"CKA_TRUST_KEY_ENCIPHERMENT": "key-encipherment",
"CKA_TRUST_DATA_ENCIPHERMENT": "data-encipherment",
"CKA_TRUST_KEY_AGREEMENT": "key-agreement",
"CKA_TRUST_KEY_CERT_SIGN": "cert-sign",
"CKA_TRUST_CRL_SIGN": "crl-sign",
"CKA_TRUST_SERVER_AUTH": "server-auth",
"CKA_TRUST_CLIENT_AUTH": "client-auth",
"CKA_TRUST_CODE_SIGNING": "code-signing",
"CKA_TRUST_EMAIL_PROTECTION": "email-protection",
"CKA_TRUST_IPSEC_END_SYSTEM": "ipsec-end-system",
"CKA_TRUST_IPSEC_TUNNEL": "ipsec-tunnel",
"CKA_TRUST_IPSEC_USER": "ipsec-user",
"CKA_TRUST_TIME_STAMPING": "time-stamping",
"CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
}
legacy_trust_types = {
"LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
"LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
}
legacy_to_real_trust_types = {
"LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
"LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
}
openssl_trust = {
"CKA_TRUST_SERVER_AUTH": "serverAuth",
"CKA_TRUST_CLIENT_AUTH": "clientAuth",
"CKA_TRUST_CODE_SIGNING": "codeSigning",
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
}
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj)
print("producing trust for " + key)
trustbits = []
distrustbits = []
openssl_trustflags = []
openssl_distrustflags = []
legacy_trustbits = []
legacy_openssl_trustflags = []
for t in list(trust_types.keys()):
if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
trustbits.append(t)
if t in openssl_trust:
openssl_trustflags.append(openssl_trust[t])
if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
distrustbits.append(t)
if t in openssl_trust:
openssl_distrustflags.append(openssl_trust[t])
for t in list(legacy_trust_types.keys()):
if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
real_t = legacy_to_real_trust_types[t]
legacy_trustbits.append(real_t)
if real_t in openssl_trust:
legacy_openssl_trustflags.append(openssl_trust[real_t])
if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
raise NotImplementedError('legacy distrust not supported.\n' + line)
fname = obj_to_filename(tobj)
try:
obj = certmap[key]
except:
obj = None
# optional debug code, that dumps the parsed input to files
#fulldump = "dump-" + fname
#dumpf = open(fulldump, 'w')
#dumpf.write(str(obj));
#dumpf.write(str(tobj));
#dumpf.close();
is_legacy = 0
if 'LEGACY_CKA_TRUST_SERVER_AUTH' in tobj or 'LEGACY_CKA_TRUST_EMAIL_PROTECTION' in tobj or 'LEGACY_CKA_TRUST_CODE_SIGNING' in tobj:
is_legacy = 1
if obj == None:
raise NotImplementedError('found legacy trust without certificate.\n' + line)
legacy_fname = "legacy-default/" + fname + ".crt"
f = open(legacy_fname, 'w')
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
if legacy_openssl_trustflags:
f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
f.write("\n".join(temp_wrapped))
f.write("\n-----END CERTIFICATE-----\n")
f.close()
if 'CKA_TRUST_SERVER_AUTH' in tobj or 'CKA_TRUST_EMAIL_PROTECTION' in tobj or 'CKA_TRUST_CODE_SIGNING' in tobj:
legacy_fname = "legacy-disable/" + fname + ".crt"
f = open(legacy_fname, 'w')
f.write("# alias=%s\n"%tobj['CKA_LABEL'])
f.write("# trust=" + " ".join(trustbits) + "\n")
if openssl_trustflags:
f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
f.write("\n-----END CERTIFICATE-----\n")
f.close()
# don't produce p11-kit output for legacy certificates
continue
pk = ''
cert_comment = ''
if obj != None:
# must extract the public key from the cert, let's use openssl
cert_fname = "cert-" + fname
fc = open(cert_fname, 'w')
fc.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
fc.write("\n".join(temp_wrapped))
fc.write("\n-----END CERTIFICATE-----\n")
fc.close();
pk_fname = "pubkey-" + fname
fpkout = open(pk_fname, "w")
dump_pk_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-pubkey"]
subprocess.call(dump_pk_command, stdout=fpkout)
fpkout.close()
with open (pk_fname, "r") as myfile:
pk=myfile.read()
# obtain certificate information suitable as a comment
comment_fname = "comment-" + fname
fcout = open(comment_fname, "w")
comment_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-text"]
subprocess.call(comment_command, stdout=fcout)
fcout.close()
sed_command = ["sed", "--in-place", "s/^/#/", comment_fname]
subprocess.call(sed_command)
with open (comment_fname, "r", errors = 'replace') as myfile:
cert_comment=myfile.read()
fname += ".tmp-p11-kit"
f = open(fname, 'w')
if obj != None:
is_distrusted = False
has_server_trust = False
has_email_trust = False
has_code_trust = False
if 'CKA_TRUST_SERVER_AUTH' in tobj:
if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True
elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
has_server_trust = True
if 'CKA_TRUST_EMAIL_PROTECTION' in tobj:
if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True
elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
has_email_trust = True
if 'CKA_TRUST_CODE_SIGNING' in tobj:
if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED':
is_distrusted = True
elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
has_code_trust = True
if is_distrusted:
trust_ext_oid = "1.3.6.1.4.1.3319.6.10.1"
trust_ext_value = "0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
trust_ext_oid = "2.5.29.37"
if has_server_trust:
if has_email_trust:
if has_code_trust:
# server + email + code
trust_ext_value = "0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
else:
# server + email
trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
else:
if has_code_trust:
# server + code
trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
else:
# server
trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%01"
else:
if has_email_trust:
if has_code_trust:
# email + code
trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%03"
else:
# email
trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%04"
else:
if has_code_trust:
# code
trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%03"
else:
# none
trust_ext_value = "0%18%06%03U%1d%25%01%01%ff%04%0e0%0c%06%0a%2b%06%01%04%01%99w%06%0a%10"
# no 2.5.29.37 for neutral certificates
if (is_distrusted or has_server_trust or has_email_trust or has_code_trust):
write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
pk = ''
f.write("\n")
f.write("[p11-kit-object-v1]\n")
f.write("label: ");
f.write(tobj['CKA_LABEL'])
f.write("\n")
if is_distrusted:
f.write("x-distrusted: true\n")
elif has_server_trust or has_email_trust or has_code_trust:
f.write("trusted: true\n")
else:
f.write("trusted: false\n")
# requires p11-kit >= 0.23.4
f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
f.write("\n".join(temp_wrapped))
f.write("\n-----END CERTIFICATE-----\n")
f.write(cert_comment)
f.write("\n")
else:
f.write("[p11-kit-object-v1]\n")
f.write("label: ");
f.write(tobj['CKA_LABEL']);
f.write("\n")
f.write("class: certificate\n")
f.write("certificate-type: x-509\n")
f.write("modifiable: false\n");
f.write("issuer: \"");
f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
f.write("\"\n")
f.write("serial-number: \"");
f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
f.write("\"\n")
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
f.close()
print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))

19
generate-cacerts-fix-entrustsslca.patch
View file

@ -1,19 +0,0 @@
--- generate-cacerts.pl 2008-07-05 09:11:11.000000000 +0300
+++ generate-cacerts.pl.1 2008-07-05 19:59:02.000000000 +0300
@@ -116,7 +116,7 @@
{
$cert_alias = "entrust2048ca";
}
- elsif ($cert =~ /www.entrust.net\/CPS /)
+ elsif ($cert =~ /www.entrust.net\/CPS is incorp\. by/)
{
$cert_alias = "entrustsslca";
}
@@ -285,7 +285,6 @@
/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
{
$write_current_cert = 0;
- $pem_file_count--;
}
elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
{

65
generate-cacerts-mandriva.patch
View file

@ -1,65 +0,0 @@
--- generate-cacerts.pl 2008-07-05 19:59:02.000000000 +0300
+++ generate-cacerts.pl.2 2008-07-05 20:06:42.000000000 +0300
@@ -76,16 +76,14 @@
{
$cert_alias = "verisignclass2g3ca";
}
- elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
- {
- $cert_alias = "verisignclass3ca";
- }
+ # "Class 3 Public Primary Certification Authority" is duplicated,
+ # so using serial number to match it.
+
# Version 1 of Class 3 Public Primary Certification Authority
# - G2 is added. Version 3 is excluded. See below.
- elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
- {
- $cert_alias = "verisignclass3g2ca";
- }
+
+ # "Class 3 Public Primary Certification Authority - G2" is duplicated,
+ # so using serial number to match it.
elsif ($cert =~
/VeriSign Class 3 Public Primary Certification Authority - G3/)
{
@@ -234,6 +232,14 @@
# trustcenterclass2caii
# trustcenterclass4caii
# trustcenteruniversalcai
+ elsif ($cert_alias eq "VERISIGNCLASS3CA")
+ {
+ $cert_alias = "verisignclass3ca";
+ }
+ elsif ($cert_alias eq "VERISIGNCLASS3G2CA")
+ {
+ $cert_alias = "verisignclass3g2ca";
+ }
else
{
# Generate an alias using the OU and CN attributes of the
@@ -264,6 +270,14 @@
$cert_alias = "extra-$_";
}
}
+ elsif ($cert =~ /70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf/)
+ {
+ $cert_alias = "VERISIGNCLASS3CA";
+ }
+ elsif ($cert =~ /7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6/)
+ {
+ $cert_alias = "VERISIGNCLASS3G2CA";
+ }
# When it attempts to parse:
#
# Class 3 Public Primary Certification Authority - G2, Version 3
@@ -308,7 +322,8 @@
print PEM $cert;
close(PEM);
}
- $write_current_cert = 1
+ $write_current_cert = 1;
+ $cert_alias .= "-alt";
}
else
{

10
generate-cacerts-rename-duplicates.patch
View file

@ -1,10 +0,0 @@
--- generate-cacerts.pl.2 2009-03-23 18:01:32.000000000 +0100
+++ generate-cacerts.pl 2009-03-23 18:23:14.000000000 +0100
@@ -310,6 +310,7 @@
if ($write_current_cert == 1)
{
$pem_file_count++;
+ $cert_alias .= "-alt" while -e "$cert_alias.pem";
open(PEM, ">$cert_alias.pem");
print PEM $cert;
}

348
generate-cacerts.pl
View file

@ -1,348 +0,0 @@
#!/usr/bin/perl
# Copyright (C) 2007, 2008 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
# OpenSSL's certificate bundle using OpenJDK's keytool.
# First extract each of OpenSSL's bundled certificates into its own
# aliased filename.
$file = $ARGV[1];
open(CERTS, $file);
@certs = <CERTS>;
close(CERTS);
$pem_file_count = 0;
$in_cert_block = 0;
$write_current_cert = 1;
foreach $cert (@certs)
{
if ($cert =~ /Issuer: /)
{
$_ = $cert;
if ($cert =~ /personal-freemail/)
{
$cert_alias = "thawtepersonalfreemailca";
}
elsif ($cert =~ /personal-basic/)
{
$cert_alias = "thawtepersonalbasicca";
}
elsif ($cert =~ /personal-premium/)
{
$cert_alias = "thawtepersonalpremiumca";
}
elsif ($cert =~ /server-certs/)
{
$cert_alias = "thawteserverca";
}
elsif ($cert =~ /premium-server/)
{
$cert_alias = "thawtepremiumserverca";
}
elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass1ca";
}
elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass1g2ca";
}
elsif ($cert =~
/VeriSign Class 1 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass1g3ca";
}
elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass2ca";
}
elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass2g2ca";
}
elsif ($cert =~
/VeriSign Class 2 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass2g3ca";
}
elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass3ca";
}
# Version 1 of Class 3 Public Primary Certification Authority
# - G2 is added. Version 3 is excluded. See below.
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass3g2ca";
}
elsif ($cert =~
/VeriSign Class 3 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass3g3ca";
}
elsif ($cert =~
/RSA Data Security.*Secure Server Certification Authority/)
{
$cert_alias = "verisignserverca";
}
elsif ($cert =~ /GTE CyberTrust Global Root/)
{
$cert_alias = "gtecybertrustglobalca";
}
elsif ($cert =~ /Baltimore CyberTrust Root/)
{
$cert_alias = "baltimorecybertrustca";
}
elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
{
$cert_alias = "entrustclientca";
}
elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
{
$cert_alias = "entrustglobalclientca";
}
elsif ($cert =~ /www.entrust.net\/CPS_2048/)
{
$cert_alias = "entrust2048ca";
}
elsif ($cert =~ /www.entrust.net\/CPS /)
{
$cert_alias = "entrustsslca";
}
elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
{
$cert_alias = "entrustgsslca";
}
elsif ($cert =~ /The Go Daddy Group/)
{
$cert_alias = "godaddyclass2ca";
}
elsif ($cert =~ /Starfield Class 2 Certification Authority/)
{
$cert_alias = "starfieldclass2ca";
}
elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
{
$cert_alias = "valicertclass2ca";
}
elsif ($cert =~ /GeoTrust Global CA$/)
{
$cert_alias = "geotrustglobalca";
}
elsif ($cert =~ /Equifax Secure Certificate Authority/)
{
$cert_alias = "equifaxsecureca";
}
elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
{
$cert_alias = "equifaxsecureebusinessca1";
}
elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
{
$cert_alias = "equifaxsecureebusinessca2";
}
elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
{
$cert_alias = "equifaxsecureglobalebusinessca1";
}
elsif ($cert =~ /Sonera Class1 CA/)
{
$cert_alias = "soneraclass1ca";
}
elsif ($cert =~ /Sonera Class2 CA/)
{
$cert_alias = "soneraclass2ca";
}
elsif ($cert =~ /AAA Certificate Services/)
{
$cert_alias = "comodoaaaca";
}
elsif ($cert =~ /AddTrust Class 1 CA Root/)
{
$cert_alias = "addtrustclass1ca";
}
elsif ($cert =~ /AddTrust External CA Root/)
{
$cert_alias = "addtrustexternalca";
}
elsif ($cert =~ /AddTrust Qualified CA Root/)
{
$cert_alias = "addtrustqualifiedca";
}
elsif ($cert =~ /UTN-USERFirst-Hardware/)
{
$cert_alias = "utnuserfirsthardwareca";
}
elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
{
$cert_alias = "utnuserfirstclientauthemailca";
}
elsif ($cert =~ /UTN - DATACorp SGC/)
{
$cert_alias = "utndatacorpsgcca";
}
elsif ($cert =~ /UTN-USERFirst-Object/)
{
$cert_alias = "utnuserfirstobjectca";
}
elsif ($cert =~ /America Online Root Certification Authority 1/)
{
$cert_alias = "aolrootca1";
}
elsif ($cert =~ /DigiCert Assured ID Root CA/)
{
$cert_alias = "digicertassuredidrootca";
}
elsif ($cert =~ /DigiCert Global Root CA/)
{
$cert_alias = "digicertglobalrootca";
}
elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
{
$cert_alias = "digicerthighassuranceevrootca";
}
elsif ($cert =~ /GlobalSign Root CA$/)
{
$cert_alias = "globalsignca";
}
elsif ($cert =~ /GlobalSign Root CA - R2/)
{
$cert_alias = "globalsignr2ca";
}
elsif ($cert =~ /Elektronik.*Kas.*2005/)
{
$cert_alias = "extra-elektronikkas2005";
}
elsif ($cert =~ /Elektronik/)
{
$cert_alias = "extra-elektronik2005";
}
# Mozilla does not provide these certificates:
# baltimorecodesigningca
# gtecybertrust5ca
# trustcenterclass2caii
# trustcenterclass4caii
# trustcenteruniversalcai
else
{
# Generate an alias using the OU and CN attributes of the
# Issuer field if both are present, otherwise use only the
# CN attribute. The Issuer field must have either the OU
# or the CN attribute.
$_ = $cert;
if ($cert =~ /OU=/)
{
s/Issuer:.*?OU=//;
# Remove other occurrences of OU=.
s/OU=.*CN=//;
# Remove CN= if there were not other occurrences of OU=.
s/CN=//;
s/\/emailAddress.*//;
s/Certificate Authority/ca/g;
s/Certification Authority/ca/g;
}
elsif ($cert =~ /CN=/)
{
s/Issuer:.*CN=//;
s/\/emailAddress.*//;
s/Certificate Authority/ca/g;
s/Certification Authority/ca/g;
}
s/\W//g;
tr/A-Z/a-z/;
$cert_alias = "extra-$_";
}
}
# When it attempts to parse:
#
# Class 3 Public Primary Certification Authority - G2, Version 3
#
# keytool says:
#
# #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
# Unparseable AuthorityInfoAccess extension due to
# java.io.IOException: Invalid encoding of URI
#
# If we do not exclude this file
# openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
# on this cert, printing:
#
# Couldn't verify: java.security.SignatureException: Signature
# does not match.
#
elsif ($cert =~
/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
{
$write_current_cert = 0;
$pem_file_count--;
}
elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
{
if ($in_cert_block != 0)
{
die "$file is malformed.";
}
$in_cert_block = 1;
if ($write_current_cert == 1)
{
$pem_file_count++;
open(PEM, ">$cert_alias.pem");
print PEM $cert;
}
}
elsif ($cert eq "-----END CERTIFICATE-----\n")
{
$in_cert_block = 0;
if ($write_current_cert == 1)
{
print PEM $cert;
close(PEM);
}
$write_current_cert = 1
}
else
{
if ($in_cert_block == 1 && $write_current_cert == 1)
{
print PEM $cert;
}
}
}
# Check that the correct number of .pem files were produced.
@pem_files = <*.pem>;
if (@pem_files != $pem_file_count)
{
print "$pem_file_count";
die "Number of .pem files produced does not match".
" number of certs read from $file.";
}
# Now store each cert in the 'cacerts' file using keytool.
$certs_written_count = 0;
foreach $pem_file (@pem_files)
{
system "/bin/echo yes | $ARGV[0] -import".
" -alias `basename $pem_file .pem`".
" -keystore cacerts -storepass 'changeit' -file $pem_file";
unlink($pem_file);
$certs_written_count++;
}
# Check that the correct number of certs were added to the keystore.
if ($certs_written_count != $pem_file_count)
{
die "Number of certs added to keystore does not match".
" number of certs read from $file.";
}

61
nssckbi.h Normal file
View file

@ -0,0 +1,61 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef NSSCKBI_H
#define NSSCKBI_H
/*
* NSS BUILTINS Version numbers.
*
* These are the version numbers for the builtins module packaged with
* this release on NSS. To determine the version numbers of the builtin
* module you are using, use the appropriate PKCS #11 calls.
*
* These version numbers detail changes to the PKCS #11 interface. They map
* to the PKCS #11 spec versions.
*/
#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
/* These version numbers detail the changes
* to the list of trusted certificates.
*
* The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
* whenever we change the list of trusted certificates.
*
* Please use the following rules when increasing the version number:
*
* - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
* must always be an EVEN number (e.g. 16, 18, 20 etc.)
*
* - whenever possible, if older branches require a modification to the
* list, these changes should be made on the main line of development (trunk),
* and the older branches should update to the most recent list.
*
* - ODD minor version numbers are reserved to indicate a snapshot that has
* deviated from the main line of development, e.g. if it was necessary
* to modify the list on a stable branch.
* Once the version has been changed to an odd number (e.g. 2.13) on a branch,
* it should remain unchanged on that branch, even if further changes are
* made on that branch.
*
* NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
* whether we may use its full range (0-255) or only 0-99 because
* of the comment in the CK_VERSION type definition.
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 42
#define NSS_BUILTINS_LIBRARY_VERSION "2.42"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
/* These version numbers detail the semantic changes to ckbi itself
* (new PKCS #11 objects), etc. */
#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
#endif /* NSSCKBI_H */

153
rootcerts-igp-brasil.txt
View file

@ -1,153 +0,0 @@
#
# Certificate "ICP-Brasil"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ICP-Brasil"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\004
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\270\060\202\003\240\240\003\002\001\002\002\001\004
\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122\061
\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102\162
\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064\111
\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156\141
\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141\040
\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055\040
\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102\162
\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010\023
\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101\165
\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146\151
\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141\163
\151\154\145\151\162\141\060\036\027\015\060\061\061\061\063\060
\061\062\065\070\060\060\132\027\015\061\061\061\061\063\060\062
\063\065\071\060\060\132\060\201\264\061\013\060\011\006\003\125
\004\006\023\002\102\122\061\023\060\021\006\003\125\004\012\023
\012\111\103\120\055\102\162\141\163\151\154\061\075\060\073\006
\003\125\004\013\023\064\111\156\163\164\151\164\165\164\157\040
\116\141\143\151\157\156\141\154\040\144\145\040\124\145\143\156
\157\154\157\147\151\141\040\144\141\040\111\156\146\157\162\155
\141\143\141\157\040\055\040\111\124\111\061\021\060\017\006\003
\125\004\007\023\010\102\162\141\163\151\154\151\141\061\013\060
\011\006\003\125\004\010\023\002\104\106\061\061\060\057\006\003
\125\004\003\023\050\101\165\164\157\162\151\144\141\144\145\040
\103\145\162\164\151\146\151\143\141\144\157\162\141\040\122\141
\151\172\040\102\162\141\163\151\154\145\151\162\141\060\202\001
\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
\003\202\001\017\000\060\202\001\012\002\202\001\001\000\300\363
\056\167\005\377\206\371\276\122\035\233\376\124\000\160\165\100
\212\306\246\150\271\026\166\114\017\367\364\277\264\342\210\201
\032\313\350\354\276\144\201\245\071\107\135\352\346\055\223\323
\032\377\172\124\246\007\037\064\010\364\275\211\271\202\314\243
\102\217\136\232\307\076\307\251\270\125\154\044\366\052\214\145
\040\212\344\104\044\002\257\324\267\211\373\052\342\304\327\350
\035\176\334\035\042\014\137\122\303\355\340\054\215\255\216\164
\101\136\173\050\315\224\117\314\171\256\271\263\022\072\373\114
\200\206\245\045\000\227\150\025\251\356\261\152\050\276\156\146
\021\325\012\346\131\240\122\000\156\175\056\271\053\216\266\055
\155\030\105\156\205\003\173\120\312\373\244\374\263\222\372\223
\307\074\242\112\133\036\226\275\275\343\063\264\065\102\366\303
\311\353\103\026\136\036\232\235\122\250\325\107\013\161\265\021
\310\107\215\275\231\336\125\022\200\001\116\250\273\007\143\016
\374\045\261\242\262\164\122\260\171\335\023\241\016\073\156\145
\012\201\311\276\301\135\336\115\031\067\351\103\247\117\002\003
\001\000\001\243\201\322\060\201\317\060\116\006\003\125\035\040
\004\107\060\105\060\103\006\005\140\114\001\001\000\060\072\060
\070\006\010\053\006\001\005\005\007\002\001\026\054\150\164\164
\160\072\057\057\141\143\162\141\151\172\056\151\143\160\142\162
\141\163\151\154\056\147\157\166\056\142\162\057\104\120\103\141
\143\162\141\151\172\056\160\144\146\060\075\006\003\125\035\037
\004\066\060\064\060\062\240\060\240\056\206\054\150\164\164\160
\072\057\057\141\143\162\141\151\172\056\151\143\160\142\162\141
\163\151\154\056\147\157\166\056\142\162\057\114\103\122\141\143
\162\141\151\172\056\143\162\154\060\035\006\003\125\035\016\004
\026\004\024\212\372\361\127\204\021\023\065\220\102\372\127\111
\124\151\015\244\304\360\067\060\017\006\003\125\035\023\001\001
\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
\001\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206
\367\015\001\001\005\005\000\003\202\001\001\000\031\003\227\065
\123\370\140\042\036\216\162\002\300\176\042\140\025\152\157\230
\066\126\252\125\167\323\366\307\026\230\374\210\032\033\045\051
\271\270\072\155\355\070\253\142\035\124\305\355\337\101\241\245
\142\062\136\373\334\335\372\054\317\105\260\152\134\365\120\003
\176\004\135\314\044\342\252\126\271\375\141\036\270\226\175\332
\361\360\007\052\112\252\372\012\344\005\301\052\373\344\132\054
\113\071\160\014\000\332\357\111\223\357\006\143\002\144\041\235
\234\166\304\236\260\175\151\123\365\124\037\113\377\311\141\342
\034\354\133\236\330\223\113\167\115\024\071\043\014\152\042\277
\267\277\136\234\243\107\020\015\237\272\221\367\274\110\240\177
\221\041\341\265\100\067\225\150\206\264\346\350\306\071\337\036
\327\101\226\153\324\301\073\153\236\145\024\111\322\171\075\056
\232\123\200\215\035\246\001\273\322\063\225\371\241\046\115\256
\147\255\167\074\223\217\147\345\010\317\002\013\263\013\151\275
\044\221\331\340\104\211\124\004\141\305\327\364\271\236\143\333
\053\357\100\343\253\035\337\172\052\053\311\374
END
# Trust for Certificate "ICP-Brasil"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ICP-Brasil"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\216\375\312\274\223\346\036\222\135\115\035\355\030\032\103\040
\244\147\241\071
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\226\211\175\141\321\125\053\047\342\132\071\264\052\154\104\157
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR

340
rootcerts.spec
View file

@ -3,9 +3,16 @@
%define debug_package %{nil}
# _without = java enabled, _with = java disabled
%bcond_with java
%bcond_without java
%define pkidir %{_sysconfdir}/pki
%define catrustdir %{_sysconfdir}/pki/ca-trust
%define classic_tls_bundle ca-bundle.crt
%define openssl_format_trust_bundle ca-bundle.trust.crt
%define p11_format_bundle ca-bundle.trust.p11-kit
%define legacy_default_bundle ca-bundle.legacy.default.crt
%define legacy_disable_bundle ca-bundle.legacy.disable.crt
%define java_bundle java/cacerts
Summary: Bundle of CA Root Certificates
Name: rootcerts
@ -15,63 +22,57 @@ Name: rootcerts
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch: 1
Version: 20191126.00
Release: 1
Version: 20200910.00
Release: 3
License: GPL
Group: System/Servers
URL: %{disturl}
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0: rootcerts.tar.bz2
# http://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
Source1: certdata-%{version}.txt
Source2: rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3: cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4: verisign-class-3-secure-server-ca.pem
#http://www.cacert.org/certs/root.crt
Source5: cacert.org.crt
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6: generate-cacerts.pl
# http://www.cacert.org/certs/class3.der
Source7: cacert_class3.der
# certificates from signet
# http://www.signet.pl/repository/index.html
# http://www.signet.pl/repository/signetrootca/rootca_der.crt
# http://www.signet.pl/repository/publicca/publicxca_der.crt
Source8: rootca_der.crt
Source9: publicxca_der.crt
# Helpers from Fedora
Source20: update-ca-trust
Source21: update-ca-trust.8.txt
Source22: update-ca-trust.8
# Fix overwriting issue with generate-cacerts.pl
Patch0: generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1: generate-cacerts-mandriva.patch
# Just rename identically named certificates that are not handled by mandriva.cpatch
Patch2: generate-cacerts-rename-duplicates.patch
BuildRequires: perl
# For Source0, the NSS commit trunk version of this file is here:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# The version tag for this package should come from the commit date of the version used from the NSS repository above
# To choose which NSS commit version to use, we can check the certdata.txt file used in either...
# the current Mozilla release:
# https://hg.mozilla.org/releases/mozilla-release/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# or the Mozilla development commit trunk:
# https://hg.mozilla.org/mozilla-central/log/default/security/nss/lib/ckfw/builtins/certdata.txt
# Ideally, it should correspond to the version shipped in the NSS release we are using
Source0: https://hg.mozilla.org/releases/mozilla-release/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
# Similarly, Source1 comes from:
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
# Check the log to see if it needs to be updated:
# https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/nssckbi.h
Source1: nssckbi.h
Source2: update-ca-trust
Source3: trust-fixes
Source4: certdata2pem.py
Source5: ca-legacy.conf
Source6: ca-legacy
Source9: ca-legacy.8.txt
Source10: update-ca-trust.8.txt
BuildRequires: python3
BuildRequires: openssl
#BuildRequires: openssl-perl
BuildRequires: nss
BuildRequires: automake
BuildRequires: libtool
#BuildRequires: asciidoc
#BuildRequires: xsltproc
%if %{with java}
BuildRequires: java-devel
BuildRequires: java-rpmbuild
BuildRequires: javapackages-tools
%endif
# For update-ca-trust
Requires: p11-kit
BuildRequires: docbook-xsl
BuildRequires: asciidoc
BuildRequires: xsltproc
Requires(post): coreutils
Requires(post): p11-kit
Requires(post): p11-kit-trust
BuildArch: noarch
Provides: ca-certificates
# update-ca-trust (provided by rootcerts, called by %%post script)
# calls /usr/bin/p11-kit, which in turn calls /usr/bin/trust
Requires(post): p11-kit p11-kit-trust
Requires: p11-kit p11-kit-trust
%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
@ -91,80 +92,125 @@ in a format used by Java Runtime Environment.
%endif
%prep
%setup -q -n rootcerts
mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt
# extract the license
head -4 builtins/certdata.txt > LICENSE
# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt
# CAcert
cp %{SOURCE3} .
cp %{SOURCE5} .
cp %{SOURCE6} .
cp %{SOURCE7} .
cp %{SOURCE8} .
cp %{SOURCE9} .
%patch0 -p0
%patch1 -p0
%patch2 -p0
rm -rf %{name}
mkdir -p %{name}/certs/legacy-default
mkdir %{name}/certs/legacy-disable
mkdir %{name}/java
%build
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
pushd %{name}/certs
cp %{SOURCE0} certdata.txt
python3 %{SOURCE4} >c2p.log 2>c2p.err
popd
pushd %{name}
(
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
echo '#';
) > %{p11_format_bundle}
# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
addbuiltin -n "CAcert Inc. Class 3" -t "CT,C,C" < cacert_class3.der >> builtins/certdata.txt
touch %{legacy_default_bundle}
NUM_LEGACY_DEFAULT=$(find certs/legacy-default -type f | wc -l)
if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
for f in certs/legacy-default/*.crt; do
echo "processing $f"
tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
targs=""
if [ -n "$tbits" ]; then
for t in $tbits; do
targs="${targs} -addtrust $t"
done
fi
if [ -n "$targs" ]; then
echo "legacy default flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_default_bundle}
fi
done
fi
# new verisign intermediate certificate
# -t trust trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
addbuiltin -n "VeriSign Class 3 Secure Server CA" \
-t "CT,C,C" >> builtins/certdata.txt
touch %{legacy_disable_bundle}
NUM_LEGACY_DISABLE=$(find certs/legacy-disable -type f | wc -l)
if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
for f in certs/legacy-disable/*.crt; do
echo "processing $f"
tbits=$(sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f)
alias=$(sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g')
targs=""
if [ -n "$tbits" ]; then
for t in $tbits; do
targs="${targs} -addtrust $t"
done
fi
if [ -n "$targs" ]; then
echo "legacy disable flags $targs for $f" >> info.trust
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> %{legacy_disable_bundle}
fi
done
fi
perl mkcerts.pl > certs.sh
P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
if [ $P11FILES -ne 0 ]; then
for p in certs/*.tmp-p11-kit; do
cat "$p" >> %{p11_format_bundle}
done
fi
# Append our trust fixes
cat %{SOURCE3} >> %{p11_format_bundle}
popd
%configure --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
%make_build
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt
%if %{with java}
mkdir java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif
#manpage -we use generated one for now
#cp %{SOURCE21} update-ca-trust.8.txt
#asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
#xsltproc --nonet -o update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install
%make_install
mkdir -p -m 755 %{buildroot}%{pkidir}/java
mkdir -p -m 755 %{buildroot}%{catrustdir}/source
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2
mkdir -p -m 755 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs/source
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}
install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf
install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust
install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy
install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
install -m0644 %{name}/certs/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
mkdir -p -m 755 %{buildroot}%{catrustdir}/source
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
install -p -m 644 %{name}/%{p11_format_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%if %{with java}
mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
install -p -m 644 %{name}/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
install -p -m 644 %{name}/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif
cat > README << EOF
@ -181,49 +227,81 @@ configure this file as the SSLCACertificateFile.
EOF
# fix #58107
# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done
mkdir -p %{buildroot}%{_mandir}/man8
install -p -m 755 %{SOURCE20} %{buildroot}%{_bindir}/update-ca-trust
mkdir -p %{buildroot}/bin
pushd %{buildroot}/bin
ln -s ../%{_bindir}/update-ca-trust update-ca-trust
popd
#install -p -m 644 update-ca-trust.8 %{buildroot}%{_mandir}/man8
install -p -m 644 %{SOURCE22} %{buildroot}%{_mandir}/man8
# touch ghosted files that will be extracted dynamically
# Set chmod 444 to use identical permission
touch %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/tls-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/email-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
chmod 444 %{buildroot}%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
touch %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
touch %{buildroot}%{catrustdir}/extracted/%{java_bundle}
chmod 444 %{buildroot}%{catrustdir}/extracted/%{java_bundle}
touch %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
# Compatibility with Fedora-oriented packages
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/anchors
mkdir -p -m 755 %{buildroot}%{catrustdir}/source/blacklist
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/pem
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/openssl
mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/java
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
%{buildroot}%{pkidir}/tls/cert.pem
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
%{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
%{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%if %{with java}
ln -s %{catrustdir}/extracted/%{java_bundle} \
%{buildroot}%{pkidir}/%{java_bundle}
%endif
%post
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
%files
%doc README LICENSE
%doc README
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%{_mandir}/man8/ca-legacy.8.*
%{_mandir}/man8/update-ca-trust.8.*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private
%{_bindir}/update-ca-trust
/bin/update-ca-trust
%{_mandir}/man?/*
# symlinks for old locations
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_bundle}
# update/extract tool
%config(noreplace) %{catrustdir}/ca-legacy.conf
%{_bindir}/update-ca-trust
%{_bindir}/ca-legacy
%ghost %{catrustdir}/source/ca-bundle.legacy.crt
# files extracted files
%ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
%ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%{catrustdir}/source/anchors
%{catrustdir}/source/blacklist
%{catrustdir}/extracted/pem
%{catrustdir}/extracted/openssl
%{catrustdir}/extracted/java
%if %{with java}
%files java
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif

1
trust-fixes Normal file
View file

@ -0,0 +1 @@

12
update-ca-trust Executable file → Normal file
View file

@ -9,10 +9,14 @@
DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

293
update-ca-trust.8
View file

@ -1,293 +0,0 @@
'\" t
.\" Title: update-ca-trust
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
.\" Date: 10/07/2015
.\" Manual: \ \&
.\" Source: update-ca-trust
.\" Language: English
.\"
.TH "UPDATE\-CA\-TRUST" "8" "10/07/2015" "update\-ca\-trust" "\ \&"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
update-ca-trust \- manage consolidated and dynamic configuration of CA certificates and associated trust
.SH "SYNOPSIS"
.sp
\fBupdate\-ca\-trust\fR [\fICOMMAND\fR]
.SH "DESCRIPTION"
.sp
update\-ca\-trust(8) is used to manage a consolidated and dynamic configuration feature of Certificate Authority (CA) certificates and associated trust\&.
.sp
The feature is available for new applications that read the consolidated configuration files found in the /etc/pki/ca\-trust/extracted directory or that load the PKCS#11 module p11\-kit\-trust\&.so
.sp
Parts of the new feature are also provided in a way to make it useful for legacy applications\&.
.sp
Many legacy applications expect CA certificates and trust configuration in a fixed location, contained in files with particular path and name, or by referring to a classic PKCS#11 trust module provided by the NSS cryptographic library\&.
.sp
The dynamic configuration feature provides functionally compatible replacements for classic configuration files and for the classic NSS trust module named libnssckbi\&.
.sp
In order to enable legacy applications, that read the classic files or access the classic module, to make use of the new consolidated and dynamic configuration feature, the classic filenames have been changed to symbolic links\&. The symbolic links refer to dynamically created and consolidated output stored below the /etc/pki/ca\-trust/extracted directory hierarchy\&.
.sp
The output is produced using the \fIupdate\-ca\-trust\fR command (without parameters), or using the \fIupdate\-ca\-trust extract\fR command\&. In order to produce the output, a flexible set of source configuration is read, as described in section SOURCE CONFIGURATION\&.
.sp
In addition, the classic PKCS#11 module is replaced with a new PKCS#11 module (p11\-kit\-trust\&.so) that dynamically reads the same source configuration\&.
.SH "SOURCE CONFIGURATION"
.sp
The dynamic configuration feature uses several source directories that will be scanned for any number of source files\&. \fBIt is important to select the correct subdirectory for adding files, as the subdirectory defines how contained certificates will be trusted or distrusted, and which file formats are read\&.\fR
.sp
Files in \fBsubdirectories below the directory hierarchy /usr/share/pki/ca\-trust\-source/\fR contain CA certificates and trust settings in the PEM file format\&. The trust settings found here will be interpreted with a \fBlow priority\fR\&.
.sp
Files in \fBsubdirectories below the directory hierarchy /etc/pki/ca\-trust/source/\fR contain CA certificates and trust settings in the PEM file format\&. The trust settings found here will be interpreted with a \fBhigh priority\fR\&.
.PP
\fBYou may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are manually adding a configuration file to a system, you probably want it to override any other default configuration, and you most likely should add it to the respective subdirectory in the /etc hierarchy\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are creating a package that provides additional root CA certificates, that is intended for distribution to several computer systems, but you still want to allow the administrator to override your list, then your package should add your files to the respective subdirectory in the /usr hierarchy\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
If you are creating a package that is supposed to override the default system trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective subdirectory in the /etc hierarchy\&.
.RE
.PP
\fBQUICK HELP 1\fR\fB: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
add it as a new file to directory /etc/pki/ca\-trust/source/anchors/
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
run
\fIupdate\-ca\-trust extract\fR
.RE
.PP
\fBQUICK HELP 2\fR\fB: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
add it as a new file to directory /etc/pki/ca\-trust/source/
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
run
\fIupdate\-ca\-trust extract\fR
.RE
.PP
\fBIn order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to\&.\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
simple trust anchors subdirectory: /usr/share/pki/ca\-trust\-source/anchors/ or /etc/pki/ca\-trust/source/anchors/
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
simple blacklist (distrust) subdirectory: /usr/share/pki/ca\-trust\-source/blacklist/ or /etc/pki/ca\-trust/source/blacklist/
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
extended format directory: /usr/share/pki/ca\-trust\-source/ or /etc/pki/ca\-trust/source/
.RE
.PP
\fBIn the main directories /usr/share/pki/ca\-trust\-source/ or /etc/pki/ca\-trust/source/ you may install one or multiple files in the following file formats:\fR
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
certificate files that include trust flags, in the BEGIN/END TRUSTED CERTIFICATE file format (any file name), which have been created using the openssl x509 tool and the \-addreject \-addtrust options\&. Bundle files with multiple certificates are supported\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
files in the p11\-kit file format using the \&.p11\-kit file name extension, which can (e\&.g\&.) be used to distrust certificates based on serial number and issuer name, without having the full certificate available\&. (This is currently an undocumented format, to be extended later\&. For examples of the supported formats, see the files shipped with the ca\-certificates package\&.)
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
certificate files without trust flags in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format (any file name)\&. Such files will be added with neutral trust, neither trusted nor distrusted\&. They will simply be known to the system, which might be helpful to assist cryptographic software in constructing chains of certificates\&. (If you want a CA certificate in these file formats to be trusted, you should remove it from this directory and move it to the \&./anchors subdirectory instead\&.)
.RE
.sp
In the anchors subdirectories /usr/share/pki/ca\-trust\-source/anchors/ or /etc/pki/ca\-trust/source/anchors/ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format\&. Each certificate will be treated as \fBtrusted\fR for all purposes\&.
.sp
In the blacklist subdirectories /usr/share/pki/ca\-trust\-source/blacklist/ or /etc/pki/ca\-trust/source/blacklist/ you may install one or multiple certificates in either the DER file format or in the PEM (BEGIN/END CERTIFICATE) file format\&. Each certificate will be treated as \fBdistrusted\fR for all purposes\&.
.sp
Please refer to the x509(1) manual page for the documentation of the BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats\&.
.sp
Applications that rely on a static file for a list of trusted CAs may load one of the files found in the /etc/pki/ca\-trust/extracted directory\&. After modifying any file in the /usr/share/pki/ca\-trust\-source/ or /etc/pki/ca\-trust/source/ directories or in any of their subdirectories, or after adding a file, it is necessary to run the \fIupdate\-ca\-trust extract\fR command, in order to update the consolidated files in /etc/pki/ca\-trust/extracted/ \&.
.sp
Applications that load the classic PKCS#11 module using filename libnssckbi\&.so (which has been converted into a symbolic link pointing to the new module) and any application capable of loading PKCS#11 modules and loading p11\-kit\-trust\&.so, will benefit from the dynamically merged set of certificates and trust information stored in the /usr/share/pki/ca\-trust\-source/ and /etc/pki/ca\-trust/source/ directories\&.
.SH "EXTRACTED CONFIGURATION"
.sp
The directory /etc/pki/ca\-trust/extracted/ contains generated CA certificate bundle files which are created and updated, based on the SOURCE CONFIGURATION by running the \fIupdate\-ca\-trust extract\fR command\&.
.sp
If your application isn\(cqt able to load the PKCS#11 module p11\-kit\-trust\&.so, then you can use these files in your application to load a list of global root CA certificates\&.
.sp
Please never manually edit the files stored in this directory, because your changes will be lost and the files automatically overwritten, each time the \fIupdate\-ca\-trust extract\fR command gets executed\&.
.sp
In order to install new trusted or distrusted certificates, please rather install them in the respective subdirectory below the /usr/share/pki/ca\-trust\-source/ or /etc/pki/ca\-trust/source/ directories, as described in the SOURCE CONFIGURATION section\&.
.sp
The directory /etc/pki/ca\-trust/extracted/java/ contains a CA certificate bundle in the java keystore file format\&. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files\&. File cacerts contains CA certificates trusted for TLS server authentication\&.
.sp
The directory /etc/pki/ca\-trust/extracted/openssl/ contains CA certificate bundle files in the extended BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page\&. File ca\-bundle\&.trust\&.crt contains the full set of all trusted or distrusted certificates, including the associated trust flags\&.
.sp
The directory /etc/pki/ca\-trust/extracted/pem/ contains CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format, as decribed in the x509(1) manual page\&. Distrust information cannot be represented in this file format, and distrusted certificates are missing from these files\&. File tls\-ca\-bundle\&.pem contains CA certificates trusted for TLS server authentication\&. File email\-ca\-bundle\&.pem contains CA certificates trusted for E\-Mail protection\&. File objsign\-ca\-bundle\&.pem contains CA certificates trusted for code signing\&.
.SH "COMMANDS"
.PP
(absent/empty command)
.RS 4
Same as the
\fBextract\fR
command described below\&. (However, the command may print fewer warnings, as this command is being run during rpm package installation, where non\-fatal status output is undesired\&.)
.RE
.PP
\fBextract\fR
.RS 4
Instruct update\-ca\-trust to scan the
SOURCE CONFIGURATION
and produce updated versions of the consolidated configuration files stored below the /etc/pki/ca\-trust/extracted directory hierarchy\&.
.RE
.SH "FILES"
.PP
/etc/pki/tls/certs/ca\-bundle\&.crt
.RS 4
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information\&. This file is a symbolic link that refers to the consolidated output created by the update\-ca\-trust command\&.
.RE
.PP
/etc/pki/tls/certs/ca\-bundle\&.trust\&.crt
.RS 4
Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage\&. This file is a symbolic link that refers to the consolidated output created by the update\-ca\-trust command\&.
.RE
.PP
/etc/pki/java/cacerts
.RS 4
Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information\&. This file is a symbolic link that refers to the consolidated output created by the update\-ca\-trust command\&.
.RE
.PP
/usr/share/pki/ca\-trust\-source
.RS 4
Contains multiple, low priority source configuration files as explained in section
SOURCE CONFIGURATION\&. Please pay attention to the specific meanings of the respective subdirectories\&.
.RE
.PP
/etc/pki/ca\-trust/source
.RS 4
Contains multiple, high priority source configuration files as explained in section
SOURCE CONFIGURATION\&. Please pay attention to the specific meanings of the respective subdirectories\&.
.RE
.PP
/etc/pki/ca\-trust/extracted
.RS 4
Contains consolidated and automatically generated configuration files for consumption by applications, which are created using the
\fIupdate\-ca\-trust extract\fR
command\&. Don\(cqt edit files in this directory, because they will be overwritten\&. See section
EXTRACTED CONFIGURATION
for additional details\&.
.RE
.SH "AUTHOR"
.sp
Written by Kai Engert and Stef Walter\&.

11
update-ca-trust.8.txt
View file

@ -192,7 +192,7 @@ or distrusted certificates, including the associated trust flags.
The directory /etc/pki/ca-trust/extracted/pem/ contains
CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
as decribed in the x509(1) manual page.
as described in the x509(1) manual page.
Distrust information cannot be represented in this file format,
and distrusted certificates are missing from these files.
File tls-ca-bundle.pem contains CA certificates
@ -202,6 +202,15 @@ trusted for E-Mail protection.
File objsign-ca-bundle.pem contains CA certificates
trusted for code signing.
The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA
certificate bundle ("cacerts.bin") in the "sequence of
EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
sections "31.4.1 Signature Database" and
"EFI_CERT_X509_GUID". Distrust information cannot be represented in
this file format, and distrusted certificates are missing from these
files. File "cacerts.bin" contains CA certificates trusted for TLS
server authentication.
COMMANDS
--------

27
verisign-class-3-secure-server-ca.pem
View file

@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIEnDCCBAWgAwIBAgIQdTN9mrDhIzuuLX3kRpFi1DANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDUwMTE5MDAwMDAwWhcNMTUwMTE4MjM1OTU5WjCBsDELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVz
dCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cu
dmVyaXNpZ24uY29tL3JwYSAoYykwNTEqMCgGA1UEAxMhVmVyaVNpZ24gQ2xhc3Mg
MyBTZWN1cmUgU2VydmVyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAlcMhEo5AxQ0BX3ZeZpTZcyxYGSK4yfx6OZAqd3J8HT732FXjr0LLhzAC3Fus
cOa4RLQrNeuT0hcFfstG1lxToDJRnXRkWPkMmgDqXkRJZHL0zRDihQr5NO6ziGap
paRa0A6Yf1gNK1K7hql+LvqySHyN2y1fAXWijQY7i7RhB8m+Ipn4G9G1V2YETTX0
kXGWtZkIJZuXyDrzILHdnpgMSmO3ps6wAc74k2rzDG6fsemEe4GYQeaB3D0s57Rr
4578CBbXs9W5ZhKZfG1xyE2+xw/j+zet1XWHIWuG0EQUWlR5OZZpVsm5Mc2JYVjh
2XYFBa33uQKvp/1HkaIiNFox0QIDAQABo4IBgTCCAX0wEgYDVR0TAQH/BAgwBgEB
/wIBADBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcDMCowKAYIKwYBBQUHAgEWHGh0
dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwMQYDVR0fBCowKDAmoCSgIoYgaHR0
cDovL2NybC52ZXJpc2lnbi5jb20vcGNhMy5jcmwwDgYDVR0PAQH/BAQDAgEGMBEG
CWCGSAGG+EIBAQQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRQ2xhc3Mz
Q0EyMDQ4LTEtNDUwHQYDVR0OBBYEFG/sr6DdiqTv9SoQZy0/VYK81+8lMIGABgNV
HSMEeTB3oWOkYTBfMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIElu
Yy4xNzA1BgNVBAsTLkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlv
biBBdXRob3JpdHmCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQEFBQADgYEA
w34IRl2RNs9n3Nenr6+4IsOLBHTTsWC85v63RBKBWzFzFGNWxnIu0RoDQ1w4ClBK
Tc3athmo9JkNr+P32PF1KGX2av6b9L1S2T/L2hbLpZ4ujmZSeD0m+v6UNohKlV4q
TBnvbvqCPy0D79YoszcYz0KyNCFkR9MgazpM3OYDkAw=
-----END CERTIFICATE-----