From owner-dev-commits-src-branches@freebsd.org Sat Sep 4 07:39:32 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 16BE56AD4A1; Sat, 4 Sep 2021 07:39:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4H1ml806clz3s6n; Sat, 4 Sep 2021 07:39:32 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id D9EA713DF9; Sat, 4 Sep 2021 07:39:31 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 1847dVr1049427; Sat, 4 Sep 2021 07:39:31 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 1847dVxE049426; Sat, 4 Sep 2021 07:39:31 GMT (envelope-from git) Date: Sat, 4 Sep 2021 07:39:31 GMT Message-Id: <202109040739.1847dVxE049426@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Kyle Evans Subject: git: 0ef0442fcf63 - stable/12 - caroot: update CA bundle processor MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kevans X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 0ef0442fcf63392502e4d2a645807a723562de0f Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 04 Sep 2021 07:39:32 -0000 The branch stable/12 has been updated by kevans: URL: https://cgit.FreeBSD.org/src/commit/?id=0ef0442fcf63392502e4d2a645807a723562de0f commit 0ef0442fcf63392502e4d2a645807a723562de0f Author: Kyle Evans AuthorDate: 2021-03-30 03:05:38 +0000 Commit: Kyle Evans CommitDate: 2021-09-04 07:39:00 +0000 caroot: update CA bundle processor Our current processor was identified as trusting cert not explicitly marked for SERVER_AUTH, as well as certs that were tagged with DISTRUST_AFTER. Update the script to handle both scenarios. This patch was originally authored by mandree@ for ports, and it was subsequently ported to base caroot. (cherry picked from commit c3510c941c0dddd09389915a9395e6f059088bab) --- secure/caroot/MAca-bundle.pl | 55 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 43 insertions(+), 12 deletions(-) diff --git a/secure/caroot/MAca-bundle.pl b/secure/caroot/MAca-bundle.pl index bfac77c73941..8521b620337f 100755 --- a/secure/caroot/MAca-bundle.pl +++ b/secure/caroot/MAca-bundle.pl @@ -76,6 +76,8 @@ sub print_header($$) ## Authority (CA). It was automatically extracted from Mozilla's ## root CA list (the file `certdata.txt' in security/nss). ## +## It contains a certificate trusted for server authentication. +## ## Extracted from nss ## with $VERSION ## @@ -91,6 +93,8 @@ EOFH ## Authorities (CA). These were automatically extracted from Mozilla's ## root CA list (the file `certdata.txt'). ## +## It contains certificates trusted for server authentication. +## ## Extracted from nss ## with $VERSION ## @@ -100,6 +104,13 @@ EOH } } +# returns a string like YYMMDDhhmmssZ of current time in GMT zone +sub timenow() +{ + my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); + return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; +} + sub printcert($$$) { my ($fh, $label, $certdata) = @_; @@ -110,6 +121,8 @@ sub printcert($$$) close(OUT) or die "openssl x509 failed with exit code $?"; } +# converts a datastream that is to be \177-style octal constants +# from <> to a (binary) string and returns it sub graboct($) { my $ifh = shift; @@ -125,13 +138,13 @@ sub graboct($) return $data; } - sub grabcert($) { my $ifh = shift; my $certdata; - my $cka_label; - my $serial; + my $cka_label = ''; + my $serial = 0; + my $distrust = 0; while (<$ifh>) { chomp; @@ -148,6 +161,19 @@ sub grabcert($) if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct($ifh); } + + if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) + { + my $distrust_after = graboct($ifh); + my $time_now = timenow(); + if ($time_now >= $distrust_after) { $distrust = 1; } + if ($debug) { + printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + } + if ($distrust) { + return undef; + } + } } return ($serial, $cka_label, $certdata); } @@ -171,13 +197,13 @@ sub grabtrust($) { $serial = graboct($ifh); } - if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { - if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + if ($1 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; - } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { $maytrust = 1; - } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { confess "Unknown trust setting on line $.:\n" . "$_\n" . "Script must be updated:"; @@ -197,16 +223,22 @@ if (!$outputdir) { print_header(*STDOUT, ""); } +my $untrusted = 0; + while (<$inputfh>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert($inputfh); if (defined $certs{$label."\0".$serial}) { warn "Certificate $label duplicated!\n"; } - $certs{$label."\0".$serial} = $certdata; - # We store the label in a separate hash because truncating the key - # with \0 was causing garbage data after the end of the text. - $labels{$label."\0".$serial} = $label; + if (defined $certdata) { + $certs{$label."\0".$serial} = $certdata; + # We store the label in a separate hash because truncating the key + # with \0 was causing garbage data after the end of the text. + $labels{$label."\0".$serial} = $label; + } else { # $certdata undefined? distrust_after in effect + $untrusted ++; + } } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust($inputfh); if (defined $trusts{$label."\0".$serial}) { @@ -226,7 +258,6 @@ sub label_to_filename(@) { } # weed out untrusted certificates -my $untrusted = 0; foreach my $it (keys %trusts) { if (!$trusts{$it}) { if (!exists($certs{$it})) {