verify hg.mozilla.org with bundled CA root

Before this, make-ca does not verify the certificate of hg.mozilla.org
at all.  That makes some sense, as make-ca often runs on systems without
any trust anchor.  But a MITM can easily impersonate hg.mozilla.org and
completely hijack the trust anchors of a BLFS system.

To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.
This commit is contained in:
Xi Ruoyao 2022-01-31 18:52:21 +08:00
parent 3093851fdd
commit d3562bc2f0
No known key found for this signature in database
GPG Key ID: D95E4716CCBB34DC
4 changed files with 40 additions and 3 deletions


@ -1,3 +1,5 @@
1.11 - Ship certificate of the CA root of hg.mozilla.org and use it for
verification
1.10 - Use --filter=ca-anchors for all stores 1.10 - Use --filter=ca-anchors for all stores
- Update CS.txt (no changes since last update) - Update CS.txt (no changes since last update)
- Fix installation of systemd timers on non-systemd systems - Fix installation of systemd timers on non-systemd systems


@ -21,7 +21,8 @@ clean_man:
rm -f make-ca.8 rm -f make-ca.8
chmod 0644 help2man chmod 0644 help2man
install: all install_bin install_man install_systemd install_conf install_cs install: all install_bin install_man install_systemd install_conf \
install_cs install_mozilla_ca_root
install_bin: install_bin:
install -vdm755 $(DESTDIR)$(SBINDIR) install -vdm755 $(DESTDIR)$(SBINDIR)
@ -52,6 +53,10 @@ install_conf:
install -vdm755 $(DESTDIR)$(ETCDIR) install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR) install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
install_mozilla_ca_root:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
uninstall: uninstall:
rm -f $(DESTDIR)$(SBINDIR)/make-ca rm -f $(DESTDIR)$(SBINDIR)/make-ca
rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8 rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8
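Review bot: The new `install_mozilla_ca_root` target installs `mozilla-ca-root.pem` into `$(DESTDIR)$(ETCDIR)`, while the make-ca script in the same commit hard-codes `MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"`; the two agree only when `ETCDIR` is `/etc/make-ca`, and a user overriding `ETCDIR` ends up with a script pointing at a file that was never installed. A comment on the target would make that coupling visible: `# Install path must match MOZILLA_CA_ROOT in the make-ca script`. In the visible context the `uninstall` target is not extended for the new file (its body continues outside the hunk); if that holds for the rest of it, add `rm -f $(DESTDIR)$(ETCDIR)/mozilla-ca-root.pem` there. If the Makefile declares a `.PHONY` list, `install_mozilla_ca_root` presumably belongs in it next to the other `install_*` targets.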

11
make-ca

@ -11,9 +11,12 @@
shopt -s extglob; shopt -s extglob;
VERSION="1.10" VERSION="1.11"
MAKE_CA_CONF="/etc/make-ca.conf" MAKE_CA_CONF="/etc/make-ca.conf"
# CA root for hg.mozilla.org
MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
# Get/set defaults # Get/set defaults
if test -f "${MAKE_CA_CONF}"; then if test -f "${MAKE_CA_CONF}"; then
. "${MAKE_CA_CONF}" . "${MAKE_CA_CONF}"
@ -658,7 +661,11 @@ if test "${GET}" == "1"; then
echo -n "Checking for new version of certdata.txt..." echo -n "Checking for new version of certdata.txt..."
HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3) HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
_url=$(echo "${URL}" | sed 's@raw-file@log@') _url=$(echo "${URL}" | sed 's@raw-file@log@')
SARGS="-ign_eof -connect ${HOST}:443" SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
if test -d /etc/ssl/certs; then
SARGS="${SARGS} -verifyCApath ${CERTDIR}"
fi
SARGS="${SARGS} -verify_return_error"
if test "${PROXY}x" != "x"; then if test "${PROXY}x" != "x"; then
SARGS="${SARGS} -proxy ${PROXY}" SARGS="${SARGS} -proxy ${PROXY}"
fi fi
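Review bot: The new `-verify_return_error` line makes s_client reject an untrusted chain, but s_client does not check that the leaf certificate belongs to the host unless asked, so any certificate chaining to the bundled root (or, when `/etc/ssl/certs` exists, to any anchor under `${CERTDIR}`) would still be accepted for hg.mozilla.org; unless the s_client invocation outside this hunk adds it, extend the line to `SARGS="${SARGS} -verify_return_error -verify_hostname ${HOST}"` (available since OpenSSL 1.1.0). The new `if test -d /etc/ssl/certs` block tests one fixed directory but then passes `${CERTDIR}` (defined outside the hunk) to `-verifyCApath`; if `CERTDIR` can differ from `/etc/ssl/certs`, the test should be `if test -d "${CERTDIR}"; then`. Note also that adding the system store widens trust beyond the bundled DigiCert root the commit message describes, so a rogue anchor already present locally still passes; if the intent is to pin the bundled root, the `-verifyCApath` block should go, otherwise a comment stating why the local store is trusted as well would help the next reader. The enclosing `if test "${GET}" == "1"` block starts outside this hunk.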

23
mozilla-ca-root.pem Normal file

@ -0,0 +1,23 @@
-----BEGIN TRUSTED CERTIFICATE-----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-----END TRUSTED CERTIFICATE-----