freebsd-dev/secure/caroot/MAca-bundle.pl
Kyle Evans c3510c941c caroot: update CA bundle processor
Our current processor was identified as trusting cert not explicitly
marked for SERVER_AUTH, as well as certs that were tagged with
DISTRUST_AFTER.

Update the script to handle both scenarios. This patch was originally
authored by mandree@ for ports, and it was subsequently ported to base
caroot.

MFC after:	3 days
2021-04-13 16:59:24 -05:00

309 lines
8.1 KiB
Perl
Executable File

#!/usr/bin/env perl
##
## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt
##
## Rewritten in September 2011 by Matthias Andree to heed untrust
##
## Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org>
## All rights reserved.
## Copyright (c) 2018, Allan Jude <allanjude@FreeBSD.org>
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted provided that the following conditions are
## met:
##
## * Redistributions of source code must retain the above copyright
## notice, this list of conditions and the following disclaimer.
##
## * Redistributions in binary form must reproduce the above copyright
## notice, this list of conditions and the following disclaimer in the
## documentation and/or other materials provided with the distribution.
##
## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
## POSSIBILITY OF SUCH DAMAGE.
use strict;
use Carp;
use MIME::Base64;
use Getopt::Long;
my $VERSION = '$FreeBSD$';
my $generated = '@' . 'generated';
my $inputfh = *STDIN;
my $debug = 0;
my $infile;
my $outputdir;
my %labels;
my %certs;
my %trusts;
$debug++
if defined $ENV{'WITH_DEBUG'}
and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/;
GetOptions (
"debug+" => \$debug,
"infile:s" => \$infile,
"outputdir:s" => \$outputdir)
or die("Error in command line arguments\n$0 [-d] [-i input-file] [-o output-dir]\n");
if ($infile) {
open($inputfh, "<", $infile) or die "Failed to open $infile";
}
sub print_header($$)
{
my $dstfile = shift;
my $label = shift;
if ($outputdir) {
print $dstfile <<EOFH;
##
## $label
##
## This is a single X.509 certificate for a public Certificate
## Authority (CA). It was automatically extracted from Mozilla's
## root CA list (the file `certdata.txt' in security/nss).
##
## It contains a certificate trusted for server authentication.
##
## Extracted from nss
## with $VERSION
##
## $generated
##
EOFH
} else {
print $dstfile <<EOH;
##
## ca-root-nss.crt -- Bundle of CA Root Certificates
##
## This is a bundle of X.509 certificates of public Certificate
## Authorities (CA). These were automatically extracted from Mozilla's
## root CA list (the file `certdata.txt').
##
## It contains certificates trusted for server authentication.
##
## Extracted from nss
## with $VERSION
##
## $generated
##
EOH
}
}
# returns a string like YYMMDDhhmmssZ of current time in GMT zone
sub timenow()
{
my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
}
sub printcert($$$)
{
my ($fh, $label, $certdata) = @_;
return unless $certdata;
open(OUT, "|openssl x509 -text -inform DER -fingerprint")
or die "could not pipe to openssl x509";
print OUT $certdata;
close(OUT) or die "openssl x509 failed with exit code $?";
}
# converts a datastream that is to be \177-style octal constants
# from <> to a (binary) string and returns it
sub graboct($)
{
my $ifh = shift;
my $data;
while (<$ifh>) {
last if /^END/;
my (undef,@oct) = split /\\/;
my @bin = map(chr(oct), @oct);
$data .= join('', @bin);
}
return $data;
}
sub grabcert($)
{
my $ifh = shift;
my $certdata;
my $cka_label = '';
my $serial = 0;
my $distrust = 0;
while (<$ifh>) {
chomp;
last if ($_ eq '');
if (/^CKA_LABEL UTF8 "([^"]+)"/) {
$cka_label = $1;
}
if (/^CKA_VALUE MULTILINE_OCTAL/) {
$certdata = graboct($ifh);
}
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct($ifh);
}
if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
{
my $distrust_after = graboct($ifh);
my $time_now = timenow();
if ($time_now >= $distrust_after) { $distrust = 1; }
if ($debug) {
printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
}
if ($distrust) {
return undef;
}
}
}
return ($serial, $cka_label, $certdata);
}
sub grabtrust($) {
my $ifh = shift;
my $cka_label;
my $serial;
my $maytrust = 0;
my $distrust = 0;
while (<$ifh>) {
chomp;
last if ($_ eq '');
if (/^CKA_LABEL UTF8 "([^"]+)"/) {
$cka_label = $1;
}
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct($ifh);
}
if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
{
if ($1 eq 'CKT_NSS_NOT_TRUSTED') {
$distrust = 1;
} elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
$maytrust = 1;
} elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
confess "Unknown trust setting on line $.:\n"
. "$_\n"
. "Script must be updated:";
}
}
}
if (!$maytrust && !$distrust && $debug) {
print STDERR "line $.: no explicit trust/distrust found for $cka_label\n";
}
my $trust = ($maytrust and not $distrust);
return ($serial, $cka_label, $trust);
}
if (!$outputdir) {
print_header(*STDOUT, "");
}
my $untrusted = 0;
while (<$inputfh>) {
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
my ($serial, $label, $certdata) = grabcert($inputfh);
if (defined $certs{$label."\0".$serial}) {
warn "Certificate $label duplicated!\n";
}
if (defined $certdata) {
$certs{$label."\0".$serial} = $certdata;
# We store the label in a separate hash because truncating the key
# with \0 was causing garbage data after the end of the text.
$labels{$label."\0".$serial} = $label;
} else { # $certdata undefined? distrust_after in effect
$untrusted ++;
}
} elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
my ($serial, $label, $trust) = grabtrust($inputfh);
if (defined $trusts{$label."\0".$serial}) {
warn "Trust for $label duplicated!\n";
}
$trusts{$label."\0".$serial} = $trust;
$labels{$label."\0".$serial} = $label;
} elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n";
}
}
sub label_to_filename(@) {
my @res = @_;
map { s/\0.*//; s/[^[:alnum:]\-]/_/g; $_ = "$_.pem"; } @res;
return wantarray ? @res : $res[0];
}
# weed out untrusted certificates
foreach my $it (keys %trusts) {
if (!$trusts{$it}) {
if (!exists($certs{$it})) {
warn "Found trust for nonexistent certificate $labels{$it}\n" if $debug;
} else {
delete $certs{$it};
warn "Skipping untrusted $labels{$it}\n" if $debug;
$untrusted++;
}
}
}
if (!$outputdir) {
print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
}
print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n";
my $certcount = 0;
foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
my $fh = *STDOUT;
my $filename;
if (!exists($trusts{$it})) {
die "Found certificate without trust block,\naborting";
}
if ($outputdir) {
$filename = label_to_filename($labels{$it});
open($fh, ">", "$outputdir/$filename") or die "Failed to open certificate $filename";
print_header($fh, $labels{$it});
}
printcert($fh, $labels{$it}, $certs{$it});
if ($outputdir) {
close($fh) or die "Unable to close: $filename";
} else {
print $fh "\n\n\n";
}
$certcount++;
print STDERR "Trusting $certcount: $labels{$it}\n" if $debug;
}
if ($certcount < 25) {
die "Certificate count of $certcount is implausibly low.\nAbort";
}
if (!$outputdir) {
print "## Number of certificates: $certcount\n";
print "## End of file.\n";
}
print STDERR "## Number of certificates: $certcount\n";