Makefile,make-ca: Use Microsoft's trust for code signing with -i | --mscodesign.

CHANGELOG

@@ -14,6 +14,8 @@
          - Correct incorrectly named get_p11_val()
          - Use .p11-kit extension for anchors
          - Handle getopt style short options in get_args()
+         - Use Microsoft's trust for code signing with -i | --mscodesign
+           Note: this is manually generated, will add CCADB when avaialble
 1.7      - Revert help2man update (requires complete perl environment)
 1.6      - Fix install target for make -j#
          - Add detailed dependency info and add note about configuration file 

CS.txt

@@ -9,6 +9,7 @@
 # Mozilla to create a unified trust store.
 
 # List current as of 2021-08-07 04:30:00 UTC
+# Move this list to $SSLDIR and use -i to add code signing trust
 
 02265526
 064e0aa9

Makefile

@@ -21,21 +21,25 @@ clean_man:
 	rm -f make-ca.8
 	chmod 0644 help2man
 
-install: all install_bin install_man install_systemd install_conf
+install: all install_bin install_man install_systemd install_conf install_cs
 
 install_bin:
 	install -vdm755 $(DESTDIR)$(SBINDIR)
-	install -vm755 make-ca $(DESTDIR)$(SBINDIR)
+	install -vm755  make-ca $(DESTDIR)$(SBINDIR)
 	install -vdm755 $(DESTDIR)$(LIBEXECDIR)
-	install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
+	install -vm700  copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
+
+install_cs:
+	install -vdm755 $(DESTDIR)$(ETCDIR)
+	install -vm644  CS.txt $(DESTDIR)$(ETCDIR)
 
 install_systemd:
 	if test -d /usr/lib/systemd/system; then \
 	    install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \
-	    install -vm644 systemd/* $(DESTDIR)/usr/lib/systemd/system; \
+	    install -vm644  systemd/* $(DESTDIR)/usr/lib/systemd/system; \
 	elif test -d /lib/systemd/system; then \
 	    install -vdm755 ${DESTDIR}/lib/systemd/system; \
-	    install -vm644 systemd/* ${DESTDIR}/lib/systemd/system; \
+	    install -vm644  systemd/* ${DESTDIR}/lib/systemd/system; \
 	fi
 
 install_man: man

make-ca

@@ -52,6 +52,7 @@ GET=0
 REBUILD=0
 WITH_P12=0
 WITH_NSS=0
+WITH_CS=1
 
 function get_args(){
   while test -n "${1}" ; do
@@ -142,6 +143,10 @@ function get_args(){
           exit 3
         fi
       ;;
+      -i | --mscodesign)
+        WITH_CS="1"
+        shift 1
+      ;;
       -j | --javacerts)
         check_arg $1 $2
         KEYSTORE="${2}"
@@ -317,6 +322,10 @@ function showhelp(){
   echo "        -u, --trust [/usr/bin/trust]"
   echo "                         The path of the p11-kit trust utility"
   echo ""
+  echo "        -i, --mscodesign"
+  echo "                         Use Microsoft's trus values for code singing"
+  echo "                         You must copy /etc/CS.txt to \$SSLDIR"
+  echo ""
   echo "        -f, --force      Force run, even if source is not newer"
   echo ""
   echo "        -g, --get        Download certdata.txt directly from Mozilla's"
@@ -505,6 +514,12 @@ function get_trust_values() {
                   cut -d " " -f 3`)"
   cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \
                   cut -d " " -f 3`)"
+  if test "${WITH_CS}" -eq "1"; then
+    if test "${cstrust}" == ""; then
+      cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
+    fi
+  fi
+
   # Not currently included in NSS certdata.txt
   #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
   #                cut -d " " -f 3`)"
@@ -633,6 +648,11 @@ if test "${WITH_NSS}" -eq "1"; then
   "${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
 fi
 
+if test "${WITH_CS}" -eq "1"; then
+  test ! -f "${SSLDIR}/CS.txt" && \
+    echo "List of hashes not found at ${SSLDIR}/CS.txt. Exiting..." && exit 1
+fi
+
 # Download certdata.txt if selected
 if test "${GET}" == "1"; then
   echo -n "Checking for new version of certdata.txt..."
@@ -724,9 +744,6 @@ done
 unset CERTBEGINLIST certbegin
 
 for tempfile in ${TEMPDIR}/certs/*.tmp; do
-  # Get trust values for the certifcate
-  get_trust_values "${tempfile}"
-
   # Convert to a PEM formated certificate
   printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
   "${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
@@ -736,6 +753,10 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
   certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
   certcer="$(${OPENSSL} x509 -in tempfile.crt)"
   certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
+  keyhash="$(${OPENSSL} x509 -noout -in tempfile.crt -hash)"
+
+  # Get trust values for the certifcate
+  get_trust_values "${tempfile}"
 
   # Get p11-kit label, oid, and values
   get_p11_label "${tempfile}"
@@ -743,9 +764,6 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
   # Get p11 trust and OID values
   get_p11_trust
 
-  # Get a hash for the cert
-  keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
-
   # Print information about cert
   echo "Certificate:  ${p11label}"
   echo "Keyhash:      ${keyhash}"
@@ -832,6 +850,11 @@ if test -d "${LOCALDIR}"; then
               grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
     cstrust=$(echo "${trustlist}" | \
               grep "Code Signing" > /dev/null 2>&1 && echo "C")
+    if test "${WITH_CS}" -eq "1"; then
+      if test "${cstrust}" == ""; then
+        cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
+      fi
+    fi
     catrust=$(echo "${trustlist}" | \
               grep "Client Auth" > /dev/null 2>&1 && echo "C")