diff --git a/CHANGELOG b/CHANGELOG
index 7d2ef13..ed29bcb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,4 @@
-0.4 - 
+0.4 - Add email and code signing flat file certificate stores
 0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL store as source to avoid duplicates
 0.2 - Install source certdata.txt file
diff --git a/CS.txt b/CS.txt
new file mode 100644
index 0000000..27fba88
--- /dev/null
+++ b/CS.txt
@@ -0,0 +1,14 @@
+Mozilla no longer provides any trust information for code signing, opting only
+to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
+the functionality from NSS. There is no trusted source of authority for code
+signing (such as we use Mozilla for TLS/S-Mime). The following list of
+certificate hashes that are already installed (as they have TLS trust from
+Mozilla) that are also trusted by Microsoft for code signing. The Microsoft
+Trusted Root Certificate Program's inclusion policy is available for review at
+https://technet.microsoft.com/en-us/library/mt171474.aspx.
+
+02265526,062cdee6,157753a5,244b5494,2c543cd1,2e4eed3c,3513523f,4304c5e5,
+442adcac,480720ec,48bec511,4a6481c9,4bfab552,5ad8a5d6,653b494a,6b99d060,
+7d0b38bd,ae8153b9,aee5f10d,b1159c4c,b204d74a,b7a5b843,ba89ed3b,c01cdfa2,
+c0ff1f52,cbf06781,d7e8dc79,e2799e36,f081611a,f3377b1b,f387163d,f39fc864
+
diff --git a/make-ca b/make-ca
old mode 100755
new mode 100644
index a4f14f5..78d6c6c
--- a/make-ca
+++ b/make-ca
@@ -22,6 +22,8 @@ else
 OPENSSL="/usr/bin/openssl"
 ANCHORDIR="${PKIDIR}/anchors"
 CABUNDLE="${SSLDIR}/ca-bundle.crt"
+ SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
+ CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
 CERTDIR="${SSLDIR}/certs"
 KEYSTORE="${SSLDIR}/java/cacerts"
 NSSDB="${PKIDIR}/nssdb"
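Review bot: CS.txt gives a reader no way to verify which certificates it names: the eight-hex-digit values look like OpenSSL subject-name hashes (the same `keyhash` make-ca uses for file names in the other hunks), which several certificates can share and which cannot be matched against Microsoft's published root list, so an auditor cannot tell whether the intended roots were selected or when the selection was made. Please add a header stating the hash format, the date or version of the Microsoft root list the entries were taken from, and ideally the SHA-256 fingerprint beside each hash, e.g. `# Format: OpenSSL subject hash (openssl x509 -noout -subject_hash); derived from the Microsoft Trusted Root Program list as of <date>`. Nothing in this diff reads CS.txt; if make-ca consumes it elsewhere, the file should also name that consumer and the exact line format it expects.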
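Review bot: The make-ca file header shows `old mode 100755` / `new mode 100644`, so this commit strips the executable bit from the script; that looks accidental and should be reverted (`chmod +x make-ca`) before merge. Separately, `SMBUNDLE` and `CSBUNDLE` are added only inside the `else` branch named in the hunk context; if the matching `if` branch (outside this hunk) assigns `CABUNDLE` and the other paths from another source, these two stay unset there and the later `>> "${DESTDIR}${SMBUNDLE}"` appends would target `${DESTDIR}` itself. Either set them in both branches or give them a default once after the `if`/`else`, e.g. `: "${SMBUNDLE:=${SSLDIR}/email-ca-bundle.crt}"` and `: "${CSBUNDLE:=${SSLDIR}/objsign-ca-bundle.crt}"`.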
@@ -773,15 +775,21 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
 trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
 grep -A1 "Trusted Uses")
 satrust=""
+ smtrust=""
+ cstrust=""
 satrust=$(echo "${trustlist}" | \
 grep "TLS Web Server" 2>&1> /dev/null && echo "C")
+ smtrust=$(echo "${trustlist}" | \
+ grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
+ cstrust=$(echo "${trustlist}" | \
+ grep "Code Signing" 2>&1 >/dev/null && echo "C")
 if test "${satrust}x" == "Cx"; then
 echo ""
 echo "${certname}" | sed 's@Alias:@Certificate: @'
 echo "Keyhash: ${keyhash}"
- # Append to the bundle
+ # Append to the CA bundle
 "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
 > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
 cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
@@ -797,6 +805,28 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
 sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
 fi
 fi
+ if test "${smtrust}x" == "Cx"; then
+ echo ""
+ echo "${certname}" | sed 's@Alias:@Certificate: @'
+ echo "Keyhash: ${keyhash}"
+
+ # Append to the s-mime bundle
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+ cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${SMBUNDLE}"
+ echo "Added to s-mime certificate bundle."
+ fi
+ if test "${cstrust}x" == "Cx"; then
+ echo ""
+ echo "${certname}" | sed 's@Alias:@Certificate: @'
+ echo "Keyhash: ${keyhash}"
+
+ # Append to the code signing bundle
+ "${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
+ > "${TEMPDIR}/ssl/certs/${keyhash}.pem"
+ cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CSBUNDLE}"
+ echo "Added to code signing certificate bundle."
+ fi
 done
 /usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
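Review bot: The new `smtrust` and `cstrust` assignments copy the `2>&1 >/dev/null` redirection from `satrust`, which routes grep's stderr into the captured value (stdout is pointed at /dev/null only after stderr was tied to it) instead of discarding it; `grep -q` says what is meant, e.g. `smtrust=$(echo "${trustlist}" | grep -q "E-mail Protection" && echo "C")` and the same for `"Code Signing"`. Also worth a comment: `trustlist` holds only the one line after `Trusted Uses` (`grep -A1`), so a trust OpenSSL prints on a later line would not be detected — that fails closed, but a maintainer adding a fourth bundle should know it. The enclosing `for cert` loop begins before this hunk.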
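Review bot: Both new branches append with `>> "${DESTDIR}${SMBUNDLE}"` and `>> "${DESTDIR}${CSBUNDLE}"`, and nothing in this diff truncates those files first; unless the loop's prologue (outside this hunk) resets them the way it presumably resets `CABUNDLE`, each re-run of make-ca keeps the previous contents, so a root whose trust was later withdrawn would remain in the e-mail and code-signing bundles. Please empty both before the `for cert` loop, `: > "${DESTDIR}${SMBUNDLE}"` and `: > "${DESTDIR}${CSBUNDLE}"`, or remove them wherever the CA bundle is reset. The three branches are now near-identical (same echo/sed/x509/cat sequence with only the bundle path and message varying) and would be clearer as one helper called three times, which would also stop `${keyhash}.pem` being regenerated up to three times per certificate. The `fi` and `done` lines close an `if` and a `for` that start before this hunk.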