Makefile,make-ca: Use Microsoft's trust for code signing with -i | --mscodesign.

This commit is contained in:
DJ Lucas 2021-08-08 11:03:12 -05:00
parent 53ac95f8fd
commit c41b7f3d4b
4 changed files with 41 additions and 11 deletions

View File

@ -14,6 +14,8 @@
- Correct incorrectly named get_p11_val() - Correct incorrectly named get_p11_val()
- Use .p11-kit extension for anchors - Use .p11-kit extension for anchors
- Handle getopt style short options in get_args() - Handle getopt style short options in get_args()
- Use Microsoft's trust for code signing with -i | --mscodesign
Note: this is manually generated, will add CCADB when avaialble
1.7 - Revert help2man update (requires complete perl environment) 1.7 - Revert help2man update (requires complete perl environment)
1.6 - Fix install target for make -j# 1.6 - Fix install target for make -j#
- Add detailed dependency info and add note about configuration file - Add detailed dependency info and add note about configuration file

1
CS.txt
View File

@ -9,6 +9,7 @@
# Mozilla to create a unified trust store. # Mozilla to create a unified trust store.
# List current as of 2021-08-07 04:30:00 UTC # List current as of 2021-08-07 04:30:00 UTC
# Move this list to $SSLDIR and use -i to add code signing trust
02265526 02265526
064e0aa9 064e0aa9

View File

@ -21,7 +21,7 @@ clean_man:
rm -f make-ca.8 rm -f make-ca.8
chmod 0644 help2man chmod 0644 help2man
install: all install_bin install_man install_systemd install_conf install: all install_bin install_man install_systemd install_conf install_cs
install_bin: install_bin:
install -vdm755 $(DESTDIR)$(SBINDIR) install -vdm755 $(DESTDIR)$(SBINDIR)
@ -29,6 +29,10 @@ install_bin:
install -vdm755 $(DESTDIR)$(LIBEXECDIR) install -vdm755 $(DESTDIR)$(LIBEXECDIR)
install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR) install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
install_cs:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 CS.txt $(DESTDIR)$(ETCDIR)
install_systemd: install_systemd:
if test -d /usr/lib/systemd/system; then \ if test -d /usr/lib/systemd/system; then \
install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \ install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \

35
make-ca
View File

@ -52,6 +52,7 @@ GET=0
REBUILD=0 REBUILD=0
WITH_P12=0 WITH_P12=0
WITH_NSS=0 WITH_NSS=0
WITH_CS=1
function get_args(){ function get_args(){
while test -n "${1}" ; do while test -n "${1}" ; do
@ -142,6 +143,10 @@ function get_args(){
exit 3 exit 3
fi fi
;; ;;
-i | --mscodesign)
WITH_CS="1"
shift 1
;;
-j | --javacerts) -j | --javacerts)
check_arg $1 $2 check_arg $1 $2
KEYSTORE="${2}" KEYSTORE="${2}"
@ -317,6 +322,10 @@ function showhelp(){
echo " -u, --trust [/usr/bin/trust]" echo " -u, --trust [/usr/bin/trust]"
echo " The path of the p11-kit trust utility" echo " The path of the p11-kit trust utility"
echo "" echo ""
echo " -i, --mscodesign"
echo " Use Microsoft's trus values for code singing"
echo " You must copy /etc/CS.txt to \$SSLDIR"
echo ""
echo " -f, --force Force run, even if source is not newer" echo " -f, --force Force run, even if source is not newer"
echo "" echo ""
echo " -g, --get Download certdata.txt directly from Mozilla's" echo " -g, --get Download certdata.txt directly from Mozilla's"
@ -505,6 +514,12 @@ function get_trust_values() {
cut -d " " -f 3`)" cut -d " " -f 3`)"
cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \ cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \
cut -d " " -f 3`)" cut -d " " -f 3`)"
if test "${WITH_CS}" -eq "1"; then
if test "${cstrust}" == ""; then
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
fi
fi
# Not currently included in NSS certdata.txt # Not currently included in NSS certdata.txt
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \ #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
# cut -d " " -f 3`)" # cut -d " " -f 3`)"
@ -633,6 +648,11 @@ if test "${WITH_NSS}" -eq "1"; then
"${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb" "${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
fi fi
if test "${WITH_CS}" -eq "1"; then
test ! -f "${SSLDIR}/CS.txt" && \
echo "List of hashes not found at ${SSLDIR}/CS.txt. Exiting..." && exit 1
fi
# Download certdata.txt if selected # Download certdata.txt if selected
if test "${GET}" == "1"; then if test "${GET}" == "1"; then
echo -n "Checking for new version of certdata.txt..." echo -n "Checking for new version of certdata.txt..."
@ -724,9 +744,6 @@ done
unset CERTBEGINLIST certbegin unset CERTBEGINLIST certbegin
for tempfile in ${TEMPDIR}/certs/*.tmp; do for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Get trust values for the certifcate
get_trust_values "${tempfile}"
# Convert to a PEM formated certificate # Convert to a PEM formated certificate
printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \ printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
"${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \ "${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
@ -736,6 +753,10 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)" certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
certcer="$(${OPENSSL} x509 -in tempfile.crt)" certcer="$(${OPENSSL} x509 -in tempfile.crt)"
certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)" certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
keyhash="$(${OPENSSL} x509 -noout -in tempfile.crt -hash)"
# Get trust values for the certifcate
get_trust_values "${tempfile}"
# Get p11-kit label, oid, and values # Get p11-kit label, oid, and values
get_p11_label "${tempfile}" get_p11_label "${tempfile}"
@ -743,9 +764,6 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Get p11 trust and OID values # Get p11 trust and OID values
get_p11_trust get_p11_trust
# Get a hash for the cert
keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
# Print information about cert # Print information about cert
echo "Certificate: ${p11label}" echo "Certificate: ${p11label}"
echo "Keyhash: ${keyhash}" echo "Keyhash: ${keyhash}"
@ -832,6 +850,11 @@ if test -d "${LOCALDIR}"; then
grep "E-mail Protection" > /dev/null 2>&1 && echo "C") grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
cstrust=$(echo "${trustlist}" | \ cstrust=$(echo "${trustlist}" | \
grep "Code Signing" > /dev/null 2>&1 && echo "C") grep "Code Signing" > /dev/null 2>&1 && echo "C")
if test "${WITH_CS}" -eq "1"; then
if test "${cstrust}" == ""; then
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
fi
fi
catrust=$(echo "${trustlist}" | \ catrust=$(echo "${trustlist}" | \
grep "Client Auth" > /dev/null 2>&1 && echo "C") grep "Client Auth" > /dev/null 2>&1 && echo "C")