Bug#558283: [PATCH] Add ca-certificates-nss with all certificates from certdata.txt
Philipp Kern
pkern at debian.org
Fri Nov 27 15:53:49 UTC 2009
---
debian/blacklist.txt | 5 ++
debian/ca-certificates-nss.dirs | 1 +
debian/certdata2pem.py | 129 +++++++++++++++++++++++++++++++++++++++
debian/control | 9 +++-
debian/rules | 18 +++++-
5 files changed, 159 insertions(+), 3 deletions(-)
create mode 100644 debian/blacklist.txt
create mode 100644 debian/ca-certificates-nss.dirs
create mode 100644 debian/certdata2pem.py
diff --git a/debian/blacklist.txt b/debian/blacklist.txt
new file mode 100644
index 0000000..8d57b86
--- /dev/null
+++ b/debian/blacklist.txt
@@ -0,0 +1,5 @@
+# One blacklist entry per line, corresponding to the label in certdata.txt.
+
+# MD5 Collision Proof of Concept CA
+"MD5 Collisions Forged Rogue CA 25c3"
+
diff --git a/debian/ca-certificates-nss.dirs b/debian/ca-certificates-nss.dirs
new file mode 100644
index 0000000..f5baa81
--- /dev/null
+++ b/debian/ca-certificates-nss.dirs
@@ -0,0 +1 @@
+usr/share/ca-certificates/nss
diff --git a/debian/certdata2pem.py b/debian/certdata2pem.py
new file mode 100644
index 0000000..10b340a
--- /dev/null
+++ b/debian/certdata2pem.py
@@ -0,0 +1,129 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern at debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+
+certdata_fn = sys.argv[1]
+blacklist_fn = sys.argv[2]
+target_dir = sys.argv[3]
+
+objects = []
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open(certdata_fn, 'r'):
+ # Ignore the file header.
+ if not in_data:
+ if line.startswith('BEGINDATA'):
+ in_data = True
+ continue
+ # Ignore comment lines.
+ if line.startswith('#'):
+ continue
+ # Empty lines are significant if we are inside an object.
+ if in_obj and len(line.strip()) == 0:
+ objects.append(obj)
+ obj = dict()
+ in_obj = False
+ continue
+ if len(line.strip()) == 0:
+ continue
+ if in_multiline:
+ if not line.startswith('END'):
+ if type == 'MULTILINE_OCTAL':
+ line = line.strip()
+ for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+ value += chr(int(i.group(1), 8))
+ else:
+ value += line
+ continue
+ obj[field] = value
+ in_multiline = False
+ continue
+ if line.startswith('CKA_CLASS'):
+ in_obj = True
+ line_parts = line.strip().split(' ', 2)
+ if len(line_parts) > 2:
+ field, type = line_parts[0:2]
+ value = ' '.join(line_parts[2:])
+ elif len(line_parts) == 2:
+ field, type = line_parts
+ value = None
+ else:
+ raise NotImplementedError, 'line_parts < 2 not supported.'
+ if type == 'MULTILINE_OCTAL':
+ in_multiline = True
+ value = ""
+ continue
+ obj[field] = value
+if len(obj.items()) > 0:
+ objects.append(obj)
+
+# Read blacklist.
+blacklist = []
+if os.path.exists(blacklist_fn):
+ for line in open(blacklist_fn, 'r'):
+ line = line.strip()
+ if line.startswith('#') or len(line) == 0:
+ continue
+ item = line.split('#', 1)[0].strip()
+ blacklist.append(item)
+
+# Build up trust database.
+trust = dict()
+for obj in objects:
+ if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST':
+ continue
+ if obj['CKA_LABEL'] in blacklist:
+ print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
+ elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+ trust[obj['CKA_LABEL']] = True
+ elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED':
+ print '!'*74
+ print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
+ print '!'*74
+ else:
+ print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
+ (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
+ obj['CKA_TRUST_EMAIL_PROTECTION'])
+
+for obj in objects:
+ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
+ if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
+ continue
+ fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+ .replace(')', '=')\
+ .replace(',', '_') + '.crt'
+ f = open(os.path.join(target_dir, fname), 'w')
+ f.write("-----BEGIN CERTIFICATE-----\n")
+ f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+ f.write("\n-----END CERTIFICATE-----\n")
+
diff --git a/debian/control b/debian/control
index 75e5ae8..25d2b5e 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: libs
Priority: optional
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers at lists.alioth.debian.org>
Uploaders: Mike Hommey <glandium at debian.org>
-Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9)
+Build-Depends: debhelper (>= 6.0.7~), autotools-dev, dpatch, dpkg-dev (>= 1.13.19), libnspr4-dev (>= 4.7.0), zlib1g-dev, libsqlite3-dev (>= 3.3.9), python
Standards-Version: 3.8.1.0
Homepage: http://www.mozilla.org/projects/security/pki/nss/
Vcs-Git: git://git.debian.org/git/pkg-mozilla/nss.git
@@ -64,3 +64,10 @@ Description: Debugging symbols for the Network Security Service libraries
other security standards.
.
This package provides the debugging symbols for the library.
+
+Package: ca-certificates-nss
+Section: misc
+Architecture: all
+Description: Network Security Service CA certificates
+ This package includes PEM files of the CA certificates included in the
+ Network Security Service library.
diff --git a/debian/rules b/debian/rules
index 3647294..d0a2c69 100755
--- a/debian/rules
+++ b/debian/rules
@@ -95,9 +95,23 @@ install-stamp: build-stamp
$(foreach bin,certutil modutil pk12util shlibsign signtool ssltap pwdecrypt, \
$(DISTDIR)/bin/$(bin))
+ python debian/certdata2pem.py \
+ mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
+ debian/blacklist.txt \
+ debian/ca-certificates-nss/usr/share/ca-certificates/nss
+
touch install-stamp
-binary-indep:
+binary-indep: install-stamp
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs -i
+ dh_compress -i
+ dh_fixperms -i
+ dh_installdeb -i
+ dh_gencontrol -i
+ dh_md5sums -i
+ dh_builddeb -i
binary-arch: install-stamp
dh_testdir
@@ -119,6 +133,6 @@ binary-arch: install-stamp
dh_md5sums -a
dh_builddeb -a
-binary: binary-arch
+binary: binary-indep binary-arch
.PHONY: clean install build clean-patched binary-indep binary-arch binary
--
1.6.5
More information about the pkg-mozilla-maintainers
mailing list