Add email and code signing single stores.

This commit is contained in:
DJ Lucas 2017-09-27 00:32:19 -05:00
parent 73d32415a1
commit 3e5253e9f9
3 changed files with 46 additions and 2 deletions


@ -1,4 +1,4 @@
0.4 -
0.4 - Add email and code signing flat file certificate stores
0.3 - Generate single file stores (Java and GNUTLS) using main OpenSSL
store as source to avoid duplicates
0.2 - Install source certdata.txt file

14
CS.txt Normal file

@ -0,0 +1,14 @@
Mozilla no longer provides any trust information for code signing, opting only
to supply VERIFY trust, so that Mozilla neither provides policy, nor removes
the functionality from NSS. There is no trusted source of authority for code
signing (such as we use Mozilla for TLS/S-Mime). The following list of
certificate hashes that are already installed (as they have TLS trust from
Mozilla) that are also trusted by Microsoft for code signing. The Microsoft
Trusted Root Certificate Program's inclusion policy is available for review at
https://technet.microsoft.com/en-us/library/mt171474.aspx.
02265526,062cdee6,157753a5,244b5494,2c543cd1,2e4eed3c,3513523f,4304c5e5,
442adcac,480720ec,48bec511,4a6481c9,4bfab552,5ad8a5d6,653b494a,6b99d060,
7d0b38bd,ae8153b9,aee5f10d,b1159c4c,b204d74a,b7a5b843,ba89ed3b,c01cdfa2,
c0ff1f52,cbf06781,d7e8dc79,e2799e36,f081611a,f3377b1b,f387163d,f39fc864
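Review bot: The hash list in CS.txt records neither which hash format the values are in nor when they were checked against Microsoft's program, so a later maintainer cannot re-verify or refresh a list that gates code-signing trust; the eight-hex-digit values look like OpenSSL subject hashes of certificates already installed, but the file should say so rather than leave it to be guessed. If whatever consumes the file tolerates it (how make-ca reads CS.txt is not visible in this commit), a header line such as `# OpenSSL subject hashes; cross-checked against the Microsoft Trusted Root Program on YYYY-MM-DD` above the list would make the provenance and review date explicit. The sentence beginning `The following list of certificate hashes` also lacks a main verb; `The following is a list of certificate hashes that are already installed (as they have TLS trust from Mozilla) and that are also trusted by Microsoft for code signing.` reads correctly.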

32
make-ca Executable file → Normal file

@ -22,6 +22,8 @@ else
OPENSSL="/usr/bin/openssl"
ANCHORDIR="${PKIDIR}/anchors"
CABUNDLE="${SSLDIR}/ca-bundle.crt"
SMBUNDLE="${SSLDIR}/email-ca-bundle.crt"
CSBUNDLE="${SSLDIR}/objsign-ca-bundle.crt"
CERTDIR="${SSLDIR}/certs"
KEYSTORE="${SSLDIR}/java/cacerts"
NSSDB="${PKIDIR}/nssdb"
@ -773,15 +775,21 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
trustlist=$("${OPENSSL}" x509 -in "${cert}" -text -trustout | \
grep -A1 "Trusted Uses")
satrust=""
smtrust=""
cstrust=""
satrust=$(echo "${trustlist}" | \
grep "TLS Web Server" 2>&1> /dev/null && echo "C")
smtrust=$(echo "${trustlist}" | \
grep "E-mail Protection" 2>&1 >/dev/null && echo "C")
cstrust=$(echo "${trustlist}" | \
grep "Code Signing" 2>&1 >/dev/null && echo "C")
if test "${satrust}x" == "Cx"; then
echo ""
echo "${certname}" | sed 's@Alias:@Certificate: @'
echo "Keyhash: ${keyhash}"
# Append to the bundle
# Append to the CA bundle
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CABUNDLE}"
@ -797,6 +805,28 @@ for cert in `find "${DESTDIR}${CERTDIR}" -name "*.pem"`; do
sed -e 's@Certificate was a@A@' -e 's@keystore@Java keystore.@'
fi
fi
if test "${smtrust}x" == "Cx"; then
echo ""
echo "${certname}" | sed 's@Alias:@Certificate: @'
echo "Keyhash: ${keyhash}"
# Append to the s-mime bundle
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${SMBUNDLE}"
echo "Added to s-mime certificate bundle."
fi
if test "${cstrust}x" == "Cx"; then
echo ""
echo "${certname}" | sed 's@Alias:@Certificate: @'
echo "Keyhash: ${keyhash}"
# Append to the code signing bundle
"${OPENSSL}" x509 -in "${cert}" -text -fingerprint \
> "${TEMPDIR}/ssl/certs/${keyhash}.pem"
cat "${TEMPDIR}/ssl/certs/${keyhash}.pem" >> "${DESTDIR}${CSBUNDLE}"
echo "Added to code signing certificate bundle."
fi
done
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
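Review bot: The new `smtrust`/`cstrust` lines in the second make-ca hunk copy the inverted redirection of the existing `satrust` line — `2>&1 >/dev/null` sends grep's stderr into the command substitution instead of to /dev/null — and since only grep's exit status is needed the redirections can go entirely: `smtrust=$(echo "${trustlist}" | grep -q "E-mail Protection" && echo "C")` and `cstrust=$(echo "${trustlist}" | grep -q "Code Signing" && echo "C")`. In the third hunk the email and code-signing branches append to `${DESTDIR}${SMBUNDLE}` and `${DESTDIR}${CSBUNDLE}` with `>>`, so unless those two files are truncated earlier in the script (outside these hunks, where the CA bundle is presumably reset) a re-run keeps certificates that have since lost trust in the bundle; the new bundles need the same reset as the existing one. The three branches also each regenerate `${TEMPDIR}/ssl/certs/${keyhash}.pem` from the same certificate, so writing it once before the first `if` would avoid up to two redundant openssl invocations per certificate. The file header shows make-ca changing from an executable file to a normal file, which looks unintended for a script that is invoked directly. The enclosing `for cert` loop begins before the first make-ca hunk.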