Date: Fri, 3 Sep 2021 14:34:00 GMT From: Matthias Andree <mandree@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: ef0a3916cedb - main - security/ca_root_nss: only add SERVER_AUTH certs, Message-ID: <202109031434.183EY05K088139@gitrepo.freebsd.org>
The branch main has been updated by mandree: URL: https://cgit.FreeBSD.org/ports/commit/?id=ef0a3916cedb43beb7d256d89a8de56038d65ded commit ef0a3916cedb43beb7d256d89a8de56038d65ded Author: Matthias Andree <mandree@FreeBSD.org> AuthorDate: 2021-08-26 16:57:56 +0000 Commit: Matthias Andree <mandree@FreeBSD.org> CommitDate: 2021-09-03 14:33:49 +0000 security/ca_root_nss: only add SERVER_AUTH certs, and support CKA_NSS_SERVER_DISTRUST_AFTER to not include certificates if the extracted bundle of certificates is generated later than the expiration date. This script no longer emits trust certificates for * EMAIL_PROTECTION * CODE_SIGNING because the default certificate bundle in FreeBSD is supposed to be used for server authentication. Reported by: Christian Heimes <christian@python.org> via: Gordon Tetlow Approved by: ports-secteam (riggs@) (maintainer) --- security/ca_root_nss/Makefile | 1 + security/ca_root_nss/files/MAca-bundle.pl.in | 49 ++++++++++++++++++++++------ 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile index c0eb7da53802..65181152eed6 100644 --- a/security/ca_root_nss/Makefile +++ b/security/ca_root_nss/Makefile @@ -1,5 +1,6 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} +PORTREVISION= 1 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} diff --git a/security/ca_root_nss/files/MAca-bundle.pl.in b/security/ca_root_nss/files/MAca-bundle.pl.in index 092c2b445031..b94ca54ba2d1 100644 --- a/security/ca_root_nss/files/MAca-bundle.pl.in +++ b/security/ca_root_nss/files/MAca-bundle.pl.in @@ -44,6 +44,8 @@ print <<EOH; ## Authorities (CA). These were automatically extracted from Mozilla's ## root CA list (the file `certdata.txt'). ## +## It contains certificates trusted for server authentication. +## ## Extracted from nss-%%VERSION_NSS%% ## EOH 
@@ -55,6 +57,13 @@ $debug++ my %certs; my %trusts; +# returns a string like YYMMDDhhmmssZ of current time in GMT zone +sub timenow() +{ + my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time); + return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec; +} + sub printcert_plain($$) { my ($label, $certdata) = @_; @@ -80,6 +89,8 @@ sub printcert($$) { printcert_info($a, $b); } +# converts a datastream that is to be \177-style octal constants +# from <> to a (binary) string and returns it sub graboct() { my $data; @@ -94,12 +105,12 @@ sub graboct() return $data; } - sub grabcert() { my $certdata; - my $cka_label; - my $serial; + my $cka_label = ''; + my $serial = 0; + my $distrust = 0; while (<>) { chomp; @@ -116,6 +127,19 @@ sub grabcert() if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct(); } + + if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/) + { + my $distrust_after = graboct(); + my $time_now = timenow(); + if ($time_now >= $distrust_after) { $distrust = 1; } + if ($debug) { + printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow(); + } + if ($distrust) { + return undef; + } + } } return ($serial, $cka_label, $certdata); } @@ -138,13 +162,13 @@ sub grabtrust() { $serial = graboct(); } - if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) + if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/) { - if ($2 eq 'CKT_NSS_NOT_TRUSTED') { + if ($1 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; - } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { + } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') { $maytrust = 1; - } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { + } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') { confess "Unknown trust setting on line $.:\n" . "$_\n" . "Script must be updated:"; 
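Review bot: timenow() ties the generated bundle to the wall clock, so the same certdata.txt yields different output depending on the build date and the package is no longer reproducible; honouring SOURCE_DATE_EPOCH when it is set and all digits keeps it deterministic: `my $now = ($ENV{SOURCE_DATE_EPOCH} // '') =~ /\A\d+\z/ ? $ENV{SOURCE_DATE_EPOCH} : time;`. The hand-rolled `sprintf` with `$year-100` is only correct for 2000–2099 and can be replaced by core POSIX, `return POSIX::strftime('%y%m%d%H%M%SZ', gmtime($now));` (needs `use POSIX ();`). A one-line comment stating that the result is meant to be compared against the `YYMMDDhhmmssZ` form of CKA_NSS_SERVER_DISTRUST_AFTER would also help the next reader.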
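Review bot: `return undef;` in the new CKA_NSS_SERVER_DISTRUST_AFTER branch returns a one-element list, so in the caller (hunk @@ -160) `$serial` and `$label` come back undef as well and `$certs{$label."\0".$serial}` is built from uninitialized values before the `defined $certdata` test; `return ($serial, $cka_label, undef);` keeps the identifying fields. On the same lines, `$time_now >= $distrust_after` compares two `YYMMDDhhmmssZ` strings numerically, which warns under `use warnings` because of the trailing Z, whereas `ge` is exact for this fixed-width form. The debug `printf` interpolates `$cka_label` into the format string and prints the binary serial with `%d`; `printf STDERR "line %d: %s ser %s: distrust after %s, now: %s -> distrust %d\n", $., $cka_label, unpack('H*', $serial), $distrust_after, $time_now, $distrust;` keeps a label containing `%` from being treated as a directive and reuses the already computed `$time_now`. The early return also hands any attribute lines that follow CKA_NSS_SERVER_DISTRUST_AFTER in that object to the main loop, which from what is visible of it only reacts to CKA_CLASS lines and so appears harmless, but that reliance deserves a comment.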
@@ -160,13 +184,19 @@ sub grabtrust() { return ($serial, $cka_label, $trust); } +my $untrusted = 0; + while (<>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert(); if (defined $certs{$label."\0".$serial}) { warn "Certificate $label duplicated!\n"; } - $certs{$label."\0".$serial} = $certdata; + if (defined $certdata) { + $certs{$label."\0".$serial} = $certdata; + } else { # $certdata undefined? distrust_after in effect + $untrusted ++; + } } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust(); if (defined $trusts{$label."\0".$serial}) { @@ -180,12 +210,11 @@ while (<>) { sub printlabel(@) { my @res = @_; - map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res; + map { s/\0.*//; s/[^[:print:]]/_/g; "\"$_\""; } @res; return wantarray ? @res : $res[0]; } # weed out untrusted certificates -my $untrusted = 0; foreach my $it (keys %trusts) { if (!$trusts{$it}) { if (!exists($certs{$it})) {
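Review bot: The comment `# $certdata undefined? distrust_after in effect` explains the mechanism but not the policy the new branch implements; I would write `# grabcert() dropped the certificate: CKA_NSS_SERVER_DISTRUST_AFTER is already past at build time, so the whole root is omitted (stricter than NSS, which as far as I know only distrusts leaf certificates issued after that date)`. `$untrusted` is now declared at file scope and, judging by the hunk at @@ -180, still incremented by the later weeding loop, so the final count mixes both reasons; a note at `my $untrusted = 0;` such as `# certificates left out, either because distrust-after has passed or because they are weeded out below` would make that explicit. The duplicate warning is also evaluated before the `defined $certdata` check, so a distrusted certificate sharing label and serial with a stored one still triggers it, which may or may not be intended.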
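Review bot: The rewritten `map` in printlabel() no longer quotes the labels: the removed line assigned `$_ = "\"$_\""` back into the aliased element, while the new block's last expression `"\"$_\""` is computed and discarded because the map's result is unused, so callers now receive bare labels unless dropping the quotes was intended. The two `s///` calls still take effect only through the `$_` alias, which is the void-context map usage perlcritic flags. Making it a real map keeps the quoting and makes the intent obvious: `my @res = map { my $l = $_; $l =~ s/\0.*//s; $l =~ s/[^[:print:]]/_/g; "\"$l\"" } @_;` — the `/s` matters because the serial following the `\0` is binary and may contain a newline, at which `.*` stops and leaves trailing serial bytes in the label, only the non-printable ones of which the second substitution masks.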