From c41b7f3d4b6ba75ce1a3b7d821edb5863aa162fd Mon Sep 17 00:00:00 2001 From: DJ Lucas Date: Sun, 8 Aug 2021 11:03:12 -0500 Subject: [PATCH] Makefile,make-ca: Use Microsoft's trust for code signing with -i | --mscodesign. --- CHANGELOG | 2 ++ CS.txt | 1 + Makefile | 14 +++++++++----- make-ca | 35 +++++++++++++++++++++++++++++------ 4 files changed, 41 insertions(+), 11 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index eb90fb5..2de257c 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -14,6 +14,8 @@ - Correct incorrectly named get_p11_val() - Use .p11-kit extension for anchors - Handle getopt style short options in get_args() + - Use Microsoft's trust for code signing with -i | --mscodesign + Note: this is manually generated, will add CCADB when avaialble 1.7 - Revert help2man update (requires complete perl environment) 1.6 - Fix install target for make -j# - Add detailed dependency info and add note about configuration file diff --git a/CS.txt b/CS.txt index e2c25bd..a6fca00 100644 --- a/CS.txt +++ b/CS.txt @@ -9,6 +9,7 @@ # Mozilla to create a unified trust store. # List current as of 2021-08-07 04:30:00 UTC +# Move this list to $SSLDIR and use -i to add code signing trust 02265526 064e0aa9 diff --git a/Makefile b/Makefile index 9b48ff2..d9dfc39 100644 --- a/Makefile +++ b/Makefile @@ -21,21 +21,25 @@ clean_man: rm -f make-ca.8 chmod 0644 help2man -install: all install_bin install_man install_systemd install_conf +install: all install_bin install_man install_systemd install_conf install_cs install_bin: install -vdm755 $(DESTDIR)$(SBINDIR) - install -vm755 make-ca $(DESTDIR)$(SBINDIR) + install -vm755 make-ca $(DESTDIR)$(SBINDIR) install -vdm755 $(DESTDIR)$(LIBEXECDIR) - install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR) + install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR) + +install_cs: + install -vdm755 $(DESTDIR)$(ETCDIR) + install -vm644 CS.txt $(DESTDIR)$(ETCDIR) install_systemd: if test -d /usr/lib/systemd/system; then \ install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \ - install -vm644 systemd/* $(DESTDIR)/usr/lib/systemd/system; \ + install -vm644 systemd/* $(DESTDIR)/usr/lib/systemd/system; \ elif test -d /lib/systemd/system; then \ install -vdm755 ${DESTDIR}/lib/systemd/system; \ - install -vm644 systemd/* ${DESTDIR}/lib/systemd/system; \ + install -vm644 systemd/* ${DESTDIR}/lib/systemd/system; \ fi install_man: man diff --git a/make-ca b/make-ca index e8bec98..805af81 100644 --- a/make-ca +++ b/make-ca @@ -52,6 +52,7 @@ GET=0 REBUILD=0 WITH_P12=0 WITH_NSS=0 +WITH_CS=1 function get_args(){ while test -n "${1}" ; do @@ -142,6 +143,10 @@ function get_args(){ exit 3 fi ;; + -i | --mscodesign) + WITH_CS="1" + shift 1 + ;; -j | --javacerts) check_arg $1 $2 KEYSTORE="${2}" @@ -317,6 +322,10 @@ function showhelp(){ echo " -u, --trust [/usr/bin/trust]" echo " The path of the p11-kit trust utility" echo "" + echo " -i, --mscodesign" + echo " Use Microsoft's trus values for code singing" + echo " You must copy /etc/CS.txt to \$SSLDIR" + echo "" echo " -f, --force Force run, even if source is not newer" echo "" echo " -g, --get Download certdata.txt directly from Mozilla's" @@ -505,6 +514,12 @@ function get_trust_values() { cut -d " " -f 3`)" cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \ cut -d " " -f 3`)" + if test "${WITH_CS}" -eq "1"; then + if test "${cstrust}" == ""; then + cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C") + fi + fi + # Not currently included in NSS certdata.txt #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \ # cut -d " " -f 3`)" @@ -633,6 +648,11 @@ if test "${WITH_NSS}" -eq "1"; then "${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb" fi +if test "${WITH_CS}" -eq "1"; then + test ! -f "${SSLDIR}/CS.txt" && \ + echo "List of hashes not found at ${SSLDIR}/CS.txt. Exiting..." && exit 1 +fi + # Download certdata.txt if selected if test "${GET}" == "1"; then echo -n "Checking for new version of certdata.txt..." @@ -724,9 +744,6 @@ done unset CERTBEGINLIST certbegin for tempfile in ${TEMPDIR}/certs/*.tmp; do - # Get trust values for the certifcate - get_trust_values "${tempfile}" - # Convert to a PEM formated certificate printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \ "${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \ @@ -736,6 +753,10 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)" certcer="$(${OPENSSL} x509 -in tempfile.crt)" certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)" + keyhash="$(${OPENSSL} x509 -noout -in tempfile.crt -hash)" + + # Get trust values for the certifcate + get_trust_values "${tempfile}" # Get p11-kit label, oid, and values get_p11_label "${tempfile}" @@ -743,9 +764,6 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do # Get p11 trust and OID values get_p11_trust - # Get a hash for the cert - keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash) - # Print information about cert echo "Certificate: ${p11label}" echo "Keyhash: ${keyhash}" @@ -832,6 +850,11 @@ if test -d "${LOCALDIR}"; then grep "E-mail Protection" > /dev/null 2>&1 && echo "C") cstrust=$(echo "${trustlist}" | \ grep "Code Signing" > /dev/null 2>&1 && echo "C") + if test "${WITH_CS}" -eq "1"; then + if test "${cstrust}" == ""; then + cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C") + fi + fi catrust=$(echo "${trustlist}" | \ grep "Client Auth" > /dev/null 2>&1 && echo "C")