From d3562bc2f01a2b4add7c4b93ff2000993a611ed3 Mon Sep 17 00:00:00 2001
From: Xi Ruoyao
Date: Mon, 31 Jan 2022 18:52:21 +0800
Subject: [PATCH] verify hg.mozilla.org with bundled CA root
Before this, make-ca does not verify the certificate of hg.mozilla.org at all. It makes sense as make-ca often runs on systems without trust anchor. But, a MIM can easily fake hg.mozilla.org and completely hijack the trust anchor of a BLFS system. To improve the situation, we ship the certificate of the CA root for hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use it to verify hg.mozilla.org.
---
 CHANGELOG | 2 ++
 Makefile | 7 ++++++-
 make-ca | 11 +++++++++--
 mozilla-ca-root.pem | 23 +++++++++++++++++++++++
 4 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 mozilla-ca-root.pem
diff --git a/CHANGELOG b/CHANGELOG
index 803fcfb..e9d1cb5 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,5 @@
+1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
+ verification
 1.10 - Use --filter=ca-anchors for all stores
 - Update CS.txt (no changes since last update)
 - Fix installation of systemd timers on non-systemd systems
diff --git a/Makefile b/Makefile
index e357638..1bb125c 100644
--- a/Makefile
+++ b/Makefile
@@ -21,7 +21,8 @@ clean_man:
 rm -f make-ca.8
 chmod 0644 help2man
-install: all install_bin install_man install_systemd install_conf install_cs
+install: all install_bin install_man install_systemd install_conf \
+ install_cs install_mozilla_ca_root
 install_bin:
 install -vdm755 $(DESTDIR)$(SBINDIR)
@@ -52,6 +53,10 @@ install_conf:
 install -vdm755 $(DESTDIR)$(ETCDIR)
 install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
+install_mozilla_ca_root:
+ install -vdm755 $(DESTDIR)$(ETCDIR)
+ install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
+
 uninstall:
 rm -f $(DESTDIR)$(SBINDIR)/make-ca
 rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
diff --git a/make-ca b/make-ca
index 4144e20..6a62362 100644
--- a/make-ca
+++ b/make-ca
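Review bot: `install_mozilla_ca_root` copies the PEM into `$(ETCDIR)`, while the make-ca script's new default path is the hard-coded `/etc/make-ca/mozilla-ca-root.pem`; the two presumably agree only when ETCDIR resolves to `/etc/make-ca`, and with any other ETCDIR the fetch will fail (closed, thanks to `-verify_return_error`) until MOZILLA_CA_ROOT is overridden in make-ca.conf. Either substitute the install path into the script at install time (a `sed` over the `MOZILLA_CA_ROOT=` line in `install_bin`) or at least record the coupling above the target: `# Path must match MOZILLA_CA_ROOT in make-ca (default /etc/make-ca/mozilla-ca-root.pem)`. The `uninstall` target that follows continues outside the hunk; it should also remove the installed `mozilla-ca-root.pem` if it does not already. If the Makefile keeps a `.PHONY` list elsewhere (not visible here), the new target belongs in it alongside `install_conf`.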
@@ -11,9 +11,12 @@ shopt -s extglob;
-VERSION="1.10"
+VERSION="1.11"
 MAKE_CA_CONF="/etc/make-ca.conf"
+# CA root for hg.mozilla.org
+MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
+
 # Get/set defaults
 if test -f "${MAKE_CA_CONF}"; then
 . "${MAKE_CA_CONF}"
@@ -658,7 +661,11 @@ if test "${GET}" == "1"; then
 echo -n "Checking for new version of certdata.txt..."
 HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
 _url=$(echo "${URL}" | sed 's@raw-file@log@')
- SARGS="-ign_eof -connect ${HOST}:443"
+ SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
+ if test -d /etc/ssl/certs; then
+ SARGS="${SARGS} -verifyCApath ${CERTDIR}"
+ fi
+ SARGS="${SARGS} -verify_return_error"
 if test "${PROXY}x" != "x"; then
 SARGS="${SARGS} -proxy ${PROXY}"
 fi
diff --git a/mozilla-ca-root.pem b/mozilla-ca-root.pem
new file mode 100644
index 0000000..e4842b8
--- /dev/null
+++ b/mozilla-ca-root.pem
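Review bot: The new `-verifyCAfile`/`-verify_return_error` arguments make `openssl s_client` require a chain to the bundled DigiCert root, but nothing checks that the certificate is actually for `${HOST}` — `s_client` does not verify the hostname unless asked — so any server holding a valid certificate from that CA (or, when the `-verifyCApath` branch is taken, from any CA in `${CERTDIR}`) can still impersonate hg.mozilla.org, which is the attack the commit message sets out to stop. Add `-verify_hostname ${HOST}` to the first SARGS line; OpenSSL builds recent enough to accept `-verifyCAfile` should also provide it, but confirm against the minimum version BLFS targets. The guard on the following line tests `/etc/ssl/certs` yet passes `${CERTDIR}`; it should test the directory it uses: `if test -d "${CERTDIR}"; then`. Note also that adding `${CERTDIR}` widens trust back to the local store the bundled root was meant to be independent of, so consider keeping the bundled file as the sole anchor for this fetch. The enclosing `if test "${GET}" == "1"` block begins and ends outside the hunk.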
@@ -0,0 +1,23 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4wLzAUBggrBgEFBQcD
+BAYIKwYBBQUHAwEMF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENB
+-----END TRUSTED CERTIFICATE-----