Bug#558283: [PATCH] Add ca-certificates-nss with all certificates from certdata.txt

Philipp Kern pkern at debian.org
Fri Nov 27 15:53:49 UTC 2009


---
 debian/blacklist.txt            |    5 ++
 debian/ca-certificates-nss.dirs |    1 +
 debian/certdata2pem.py          |  129 +++++++++++++++++++++++++++++++++++++++
 debian/control                  |    9 +++-
 debian/rules                    |   18 +++++-
 5 files changed, 159 insertions(+), 3 deletions(-)
 create mode 100644 debian/blacklist.txt
 create mode 100644 debian/ca-certificates-nss.dirs
 create mode 100644 debian/certdata2pem.py

diff --git a/debian/blacklist.txt b/debian/blacklist.txt
new file mode 100644
index 0000000..8d57b86
--- /dev/null
+++ b/debian/blacklist.txt
@@ -0,0 +1,5 @@
+# One blacklist entry per line, corresponding to the label in certdata.txt.
+
+# MD5 Collision Proof of Concept CA
+"MD5 Collisions Forged Rogue CA 25c3"
+
diff --git a/debian/ca-certificates-nss.dirs b/debian/ca-certificates-nss.dirs
new file mode 100644
index 0000000..f5baa81
--- /dev/null
+++ b/debian/ca-certificates-nss.dirs
@@ -0,0 +1 @@
+usr/share/ca-certificates/nss
diff --git a/debian/certdata2pem.py b/debian/certdata2pem.py
new file mode 100644
index 0000000..10b340a
--- /dev/null
+++ b/debian/certdata2pem.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern at debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+
+certdata_fn = sys.argv[1]
+blacklist_fn = sys.argv[2]
+target_dir = sys.argv[3]
+
+objects = []
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open(certdata_fn, 'r'):
+    # Ignore the file header.
+    if not in_data:
+        if line.startswith('BEGINDATA'):
+            in_data = True
+        continue
+    # Ignore comment lines.
+    if line.startswith('#'):
+        continue
+    # Empty lines are significant if we are inside an object.
+    if in_obj and len(line.strip()) == 0:
+        objects.append(obj)
+        obj = dict()
+        in_obj = False
+        continue
+    if len(line.strip()) == 0:
+        continue
+    if in_multiline:
+        if not line.startswith('END'):
+            if type == 'MULTILINE_OCTAL':
+                line = line.strip()
+                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+                    value += chr(int(i.group(1), 8))
+            else:
+                value += line
+            continue
+        obj[field] = value
+        in_multiline = False
+        continue
+    if line.startswith('CKA_CLASS'):
+        in_obj = True
+    line_parts = line.strip().split(' ', 2)
+    if len(line_parts) > 2:
+        field, type = line_parts[0:2]
+        value = ' '.join(line_parts[2:])
+    elif len(line_parts) == 2:
+        field, type = line_parts
+        value = None
+    else:
+        raise NotImplementedError, 'line_parts < 2 not supported.'
+    if type == 'MULTILINE_OCTAL':
+        in_multiline = True
+        value = ""
+        continue
+    obj[field] = value
+if len(obj.items()) > 0:
+    objects.append(obj)
+
+# Read blacklist.
+blacklist = []
+if os.path.exists(blacklist_fn):
+    for line in open(blacklist_fn, 'r'):
+        line = line.strip()
+        if line.startswith('#') or len(line) == 0:
+            continue
+        item = line.split('#', 1)[0].strip()
+        blacklist.append(item)
+
+# Build up trust database.
+trust = dict()
+for obj in objects:
+    if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST':
+        continue
+    if obj['CKA_LABEL'] in blacklist:
+        print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
+    elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+        trust[obj['CKA_LABEL']] = True
+    elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+        trust[obj['CKA_LABEL']] = True
+    elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED':
+        print '!'*74
+        print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
+        print '!'*74
+    else:
+        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
+              (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+               obj['CKA_TRUST_EMAIL_PROTECTION'])
+
+for obj in objects:
+    if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+        if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+            continue
+        fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+                                      .replace(' ', '_')\
+                                      .replace('(', '=')\
+                                      .replace(')', '=')\
+                                      .replace(',', '_') + '.crt'
+        f = open(os.path.join(target_dir, fname), 'w')
+        f.write("-----BEGIN CERTIFICATE-----\n")
+        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+        f.write("\n-----END CERTIFICATE-----\n")
+
diff --git a/debian/control b/debian/control
index 75e5ae8..25d2b5e 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: libs
 Priority: optional
 Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers at lists.alioth.debian.org>
 Uploaders: Mike Hommey <glandium at debian.org>
-Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9)
+Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9), python
 Standards-Version: 3.8.1.0
 Homepage: http://www.mozilla.org/projects/security/pki/nss/
 Vcs-Git: git://git.debian.org/git/pkg-mozilla/nss.git
@@ -64,3 +64,10 @@ Description: Debugging symbols for the Network Security Service libraries
  other security standards.
  .
  This package provides the debugging symbols for the library.
+
+Package: ca-certificates-nss
+Section: misc
+Architecture: all
+Description: Network Security Service CA certificates
+ This package includes PEM files of the CA certificates included in the
+ Network Security Service library.
diff --git a/debian/rules b/debian/rules
index 3647294..d0a2c69 100755
--- a/debian/rules
+++ b/debian/rules
@@ -95,9 +95,23 @@ install-stamp: build-stamp
 		$(foreach bin,certutil modutil pk12util shlibsign signtool ssltap pwdecrypt, \
 		$(DISTDIR)/bin/$(bin))
 
+	python debian/certdata2pem.py \
+		mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
+		debian/blacklist.txt \
+		debian/ca-certificates-nss/usr/share/ca-certificates/nss
+
 	touch install-stamp
 
-binary-indep:
+binary-indep: install-stamp
+	dh_testdir
+	dh_testroot
+	dh_installchangelogs -i
+	dh_compress -i
+	dh_fixperms -i
+	dh_installdeb -i
+	dh_gencontrol -i
+	dh_md5sums -i
+	dh_builddeb -i
 
 binary-arch: install-stamp
 	dh_testdir
@@ -119,6 +133,6 @@ binary-arch: install-stamp
 	dh_md5sums -a
 	dh_builddeb -a
 
-binary: binary-arch
+binary: binary-indep binary-arch
 
 .PHONY: clean install build clean-patched binary-indep binary-arch binary
-- 
1.6.5







More information about the pkg-mozilla-maintainers mailing list