Makefile,make-ca: Use Microsoft's trust for code signing with -i | --mscodesign.
This commit is contained in:
parent
53ac95f8fd
commit
c41b7f3d4b
@ -14,6 +14,8 @@
|
|||||||
- Correct incorrectly named get_p11_val()
|
- Correct incorrectly named get_p11_val()
|
||||||
- Use .p11-kit extension for anchors
|
- Use .p11-kit extension for anchors
|
||||||
- Handle getopt style short options in get_args()
|
- Handle getopt style short options in get_args()
|
||||||
|
- Use Microsoft's trust for code signing with -i | --mscodesign
|
||||||
|
Note: this is manually generated, will add CCADB when avaialble
|
||||||
1.7 - Revert help2man update (requires complete perl environment)
|
1.7 - Revert help2man update (requires complete perl environment)
|
||||||
1.6 - Fix install target for make -j#
|
1.6 - Fix install target for make -j#
|
||||||
- Add detailed dependency info and add note about configuration file
|
- Add detailed dependency info and add note about configuration file
|
||||||
|
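--- a/CS.txt
+++ b/CS.txt
@@ -9,6 +9,7 @@
 # Mozilla to create a unified trust store.
 
 # List current as of 2021-08-07 04:30:00 UTC
+# Move this list to $SSLDIR and use -i to add code signing trust
 
 02265526
 064e0aa9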
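--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,7 @@ clean_man:
 rm -f make-ca.8
 chmod 0644 help2man
 
-install: all install_bin install_man install_systemd install_conf
+install: all install_bin install_man install_systemd install_conf install_cs
 
 install_bin:
 install -vdm755 $(DESTDIR)$(SBINDIR)
@@ -29,6 +29,10 @@ install_bin:
 install -vdm755 $(DESTDIR)$(LIBEXECDIR)
 install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
 
+install_cs:
+install -vdm755 $(DESTDIR)$(ETCDIR)
+install -vm644 CS.txt $(DESTDIR)$(ETCDIR)
+
 install_systemd:
 if test -d /usr/lib/systemd/system; then \
 install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \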
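Review bot: `install_cs` is a command-style target like `install_bin` and `install_systemd`, so it belongs in the file's `.PHONY` list; that list is outside this hunk, so confirm it was updated, because otherwise a stray file named `install_cs` in the source tree silently turns the new target into a no-op. The target also installs `CS.txt` into `$(DESTDIR)$(ETCDIR)` while make-ca reads it from `${SSLDIR}/CS.txt`, so a fresh `make install` still requires the manual copy the help text describes; if that is the intended opt-in, a comment on the target such as `# Reference copy only; make-ca reads $SSLDIR/CS.txt when run with -i` would spare the next maintainer the search.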
35
make-ca
35
make-ca
@ -52,6 +52,7 @@ GET=0
|
|||||||
REBUILD=0
|
REBUILD=0
|
||||||
WITH_P12=0
|
WITH_P12=0
|
||||||
WITH_NSS=0
|
WITH_NSS=0
|
||||||
|
WITH_CS=1
|
||||||
|
|
||||||
function get_args(){
|
function get_args(){
|
||||||
while test -n "${1}" ; do
|
while test -n "${1}" ; do
|
||||||
@ -142,6 +143,10 @@ function get_args(){
|
|||||||
exit 3
|
exit 3
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
-i | --mscodesign)
|
||||||
|
WITH_CS="1"
|
||||||
|
shift 1
|
||||||
|
;;
|
||||||
-j | --javacerts)
|
-j | --javacerts)
|
||||||
check_arg $1 $2
|
check_arg $1 $2
|
||||||
KEYSTORE="${2}"
|
KEYSTORE="${2}"
|
||||||
@ -317,6 +322,10 @@ function showhelp(){
|
|||||||
echo " -u, --trust [/usr/bin/trust]"
|
echo " -u, --trust [/usr/bin/trust]"
|
||||||
echo " The path of the p11-kit trust utility"
|
echo " The path of the p11-kit trust utility"
|
||||||
echo ""
|
echo ""
|
||||||
|
echo " -i, --mscodesign"
|
||||||
|
echo " Use Microsoft's trus values for code singing"
|
||||||
|
echo " You must copy /etc/CS.txt to \$SSLDIR"
|
||||||
|
echo ""
|
||||||
echo " -f, --force Force run, even if source is not newer"
|
echo " -f, --force Force run, even if source is not newer"
|
||||||
echo ""
|
echo ""
|
||||||
echo " -g, --get Download certdata.txt directly from Mozilla's"
|
echo " -g, --get Download certdata.txt directly from Mozilla's"
|
||||||
@ -505,6 +514,12 @@ function get_trust_values() {
|
|||||||
cut -d " " -f 3`)"
|
cut -d " " -f 3`)"
|
||||||
cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \
|
cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \
|
||||||
cut -d " " -f 3`)"
|
cut -d " " -f 3`)"
|
||||||
|
if test "${WITH_CS}" -eq "1"; then
|
||||||
|
if test "${cstrust}" == ""; then
|
||||||
|
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
# Not currently included in NSS certdata.txt
|
# Not currently included in NSS certdata.txt
|
||||||
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
|
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
|
||||||
# cut -d " " -f 3`)"
|
# cut -d " " -f 3`)"
|
||||||
@ -633,6 +648,11 @@ if test "${WITH_NSS}" -eq "1"; then
|
|||||||
"${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
|
"${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if test "${WITH_CS}" -eq "1"; then
|
||||||
|
test ! -f "${SSLDIR}/CS.txt" && \
|
||||||
|
echo "List of hashes not found at ${SSLDIR}/CS.txt. Exiting..." && exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
# Download certdata.txt if selected
|
# Download certdata.txt if selected
|
||||||
if test "${GET}" == "1"; then
|
if test "${GET}" == "1"; then
|
||||||
echo -n "Checking for new version of certdata.txt..."
|
echo -n "Checking for new version of certdata.txt..."
|
||||||
@ -724,9 +744,6 @@ done
|
|||||||
unset CERTBEGINLIST certbegin
|
unset CERTBEGINLIST certbegin
|
||||||
|
|
||||||
for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
||||||
# Get trust values for the certifcate
|
|
||||||
get_trust_values "${tempfile}"
|
|
||||||
|
|
||||||
# Convert to a PEM formated certificate
|
# Convert to a PEM formated certificate
|
||||||
printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
|
printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
|
||||||
"${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
|
"${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
|
||||||
@ -736,6 +753,10 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
|||||||
certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
|
certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
|
||||||
certcer="$(${OPENSSL} x509 -in tempfile.crt)"
|
certcer="$(${OPENSSL} x509 -in tempfile.crt)"
|
||||||
certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
|
certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
|
||||||
|
keyhash="$(${OPENSSL} x509 -noout -in tempfile.crt -hash)"
|
||||||
|
|
||||||
|
# Get trust values for the certifcate
|
||||||
|
get_trust_values "${tempfile}"
|
||||||
|
|
||||||
# Get p11-kit label, oid, and values
|
# Get p11-kit label, oid, and values
|
||||||
get_p11_label "${tempfile}"
|
get_p11_label "${tempfile}"
|
||||||
@ -743,9 +764,6 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
|
|||||||
# Get p11 trust and OID values
|
# Get p11 trust and OID values
|
||||||
get_p11_trust
|
get_p11_trust
|
||||||
|
|
||||||
# Get a hash for the cert
|
|
||||||
keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
|
|
||||||
|
|
||||||
# Print information about cert
|
# Print information about cert
|
||||||
echo "Certificate: ${p11label}"
|
echo "Certificate: ${p11label}"
|
||||||
echo "Keyhash: ${keyhash}"
|
echo "Keyhash: ${keyhash}"
|
||||||
@ -832,6 +850,11 @@ if test -d "${LOCALDIR}"; then
|
|||||||
grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
|
grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
|
||||||
cstrust=$(echo "${trustlist}" | \
|
cstrust=$(echo "${trustlist}" | \
|
||||||
grep "Code Signing" > /dev/null 2>&1 && echo "C")
|
grep "Code Signing" > /dev/null 2>&1 && echo "C")
|
||||||
|
if test "${WITH_CS}" -eq "1"; then
|
||||||
|
if test "${cstrust}" == ""; then
|
||||||
|
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
|
||||||
|
fi
|
||||||
|
fi
|
||||||
catrust=$(echo "${trustlist}" | \
|
catrust=$(echo "${trustlist}" | \
|
||||||
grep "Client Auth" > /dev/null 2>&1 && echo "C")
|
grep "Client Auth" > /dev/null 2>&1 && echo "C")
|
||||||
|
|
||||||
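Review bot: The new default `WITH_CS=1` makes `-i | --mscodesign` a no-op (the option only re-assigns the value it already has) and leaves no way to turn the feature off, so with the later `test ! -f "${SSLDIR}/CS.txt" && ... exit 1` every run that has not manually copied CS.txt into $SSLDIR now aborts; since the help text presents `-i` as the opt-in, the default line should read `WITH_CS=0`. The lookup `cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")` (in get_trust_values and again in the LOCALDIR loop) keys on the OpenSSL subject-name hash from `x509 -hash`, which identifies a subject DN rather than a specific certificate, so any certdata.txt entry sharing a DN with a listed root would also be granted code-signing trust, and an empty `keyhash` would make `^` match every line; at minimum use `grep -qx` so the value must match a whole line and skip the lookup when `keyhash` is empty, and consider keying the list on a full fingerprint in a follow-up. In the LOCALDIR hunk it is not visible whether `keyhash` has been computed for the local certificate before that point, so that is worth confirming. The help lines also carry typos and should read `echo "    Use Microsoft's trust values for code signing"`.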