Makefile,make-ca: Use Microsoft's trust for code signing with -i | --mscodesign.

This commit is contained in:
DJ Lucas 2021-08-08 11:03:12 -05:00
parent 53ac95f8fd
commit c41b7f3d4b
4 changed files with 41 additions and 11 deletions


@ -14,6 +14,8 @@
- Correct incorrectly named get_p11_val()
- Use .p11-kit extension for anchors
- Handle getopt style short options in get_args()
- Use Microsoft's trust for code signing with -i | --mscodesign
Note: this is manually generated, will add CCADB when avaialble
1.7 - Revert help2man update (requires complete perl environment)
1.6 - Fix install target for make -j#
- Add detailed dependency info and add note about configuration file

CS.txt

@ -9,6 +9,7 @@
# Mozilla to create a unified trust store.
# List current as of 2021-08-07 04:30:00 UTC
# Move this list to $SSLDIR and use -i to add code signing trust
02265526
064e0aa9


@ -21,7 +21,7 @@ clean_man:
rm -f make-ca.8
chmod 0644 help2man
install: all install_bin install_man install_systemd install_conf
install: all install_bin install_man install_systemd install_conf install_cs
install_bin:
install -vdm755 $(DESTDIR)$(SBINDIR)
@ -29,6 +29,10 @@ install_bin:
install -vdm755 $(DESTDIR)$(LIBEXECDIR)
install -vm700 copy-trust-modifications $(DESTDIR)$(LIBEXECDIR)
install_cs:
install -vdm755 $(DESTDIR)$(ETCDIR)
install -vm644 CS.txt $(DESTDIR)$(ETCDIR)
install_systemd:
if test -d /usr/lib/systemd/system; then \
install -vdm755 ${DESTDIR}/usr/lib/systemd/system; \
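Review bot: The new `install_cs` target places CS.txt under `$(DESTDIR)$(ETCDIR)`, but the script in this same commit reads the list from `${SSLDIR}/CS.txt` and exits when it is absent, so nothing in the install step bridges the two locations and a fresh install will fail at run time until the file is copied by hand. A comment on the target should record that, e.g. `# CS.txt is a trust input: make-ca reads it from $SSLDIR/CS.txt, not $(ETCDIR); copy it there deliberately`, since whoever can edit that file can grant code-signing trust. The `.PHONY` declaration is outside the hunk; if it lists the other `install_*` targets, `install_cs` should be added to it so a stray file of that name cannot skip the step.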

35
make-ca

@ -52,6 +52,7 @@ GET=0
REBUILD=0
WITH_P12=0
WITH_NSS=0
WITH_CS=1
function get_args(){
while test -n "${1}" ; do
@ -142,6 +143,10 @@ function get_args(){
exit 3
fi
;;
-i | --mscodesign)
WITH_CS="1"
shift 1
;;
-j | --javacerts)
check_arg $1 $2
KEYSTORE="${2}"
@ -317,6 +322,10 @@ function showhelp(){
echo " -u, --trust [/usr/bin/trust]"
echo " The path of the p11-kit trust utility"
echo ""
echo " -i, --mscodesign"
echo " Use Microsoft's trus values for code singing"
echo " You must copy /etc/CS.txt to \$SSLDIR"
echo ""
echo " -f, --force Force run, even if source is not newer"
echo ""
echo " -g, --get Download certdata.txt directly from Mozilla's"
@ -505,6 +514,12 @@ function get_trust_values() {
cut -d " " -f 3`)"
cstrust="$(convert_trust `grep '^CKA_TRUST_CODE_SIGNING' ${1} | \
cut -d " " -f 3`)"
if test "${WITH_CS}" -eq "1"; then
if test "${cstrust}" == ""; then
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
fi
fi
# Not currently included in NSS certdata.txt
#catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
# cut -d " " -f 3`)"
@ -633,6 +648,11 @@ if test "${WITH_NSS}" -eq "1"; then
"${CERTUTIL}" -N --empty-password -d "sql:${TEMPDIR}/pki/nssdb"
fi
if test "${WITH_CS}" -eq "1"; then
test ! -f "${SSLDIR}/CS.txt" && \
echo "List of hashes not found at ${SSLDIR}/CS.txt. Exiting..." && exit 1
fi
# Download certdata.txt if selected
if test "${GET}" == "1"; then
echo -n "Checking for new version of certdata.txt..."
@ -724,9 +744,6 @@ done
unset CERTBEGINLIST certbegin
for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Get trust values for the certifcate
get_trust_values "${tempfile}"
# Convert to a PEM formated certificate
printf $(awk '/^CKA_VALUE/{flag=1;next}/^END/{flag=0}flag{printf $0}' \
"${tempfile}") | "${OPENSSL}" x509 -text -inform DER -fingerprint \
@ -736,6 +753,10 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
certkey="$(${OPENSSL} x509 -in tempfile.crt -noout -pubkey)"
certcer="$(${OPENSSL} x509 -in tempfile.crt)"
certtxt="$(${OPENSSL} x509 -in tempfile.crt -noout -text)"
keyhash="$(${OPENSSL} x509 -noout -in tempfile.crt -hash)"
# Get trust values for the certifcate
get_trust_values "${tempfile}"
# Get p11-kit label, oid, and values
get_p11_label "${tempfile}"
@ -743,9 +764,6 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
# Get p11 trust and OID values
get_p11_trust
# Get a hash for the cert
keyhash=$("${OPENSSL}" x509 -noout -in tempfile.crt -hash)
# Print information about cert
echo "Certificate: ${p11label}"
echo "Keyhash: ${keyhash}"
@ -832,6 +850,11 @@ if test -d "${LOCALDIR}"; then
grep "E-mail Protection" > /dev/null 2>&1 && echo "C")
cstrust=$(echo "${trustlist}" | \
grep "Code Signing" > /dev/null 2>&1 && echo "C")
if test "${WITH_CS}" -eq "1"; then
if test "${cstrust}" == ""; then
cstrust=$(grep -q "^${keyhash}" "${SSLDIR}/CS.txt" && echo "C")
fi
fi
catrust=$(echo "${trustlist}" | \
grep "Client Auth" > /dev/null 2>&1 && echo "C")
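Review bot: `WITH_CS=1` in the defaults hunk makes the new `-i | --mscodesign` option a no-op and turns the `${SSLDIR}/CS.txt` check into a hard requirement for every run, which contradicts the opt-in wording of the help text; the default should be `WITH_CS=0`. The lookup in `get_trust_values` and in the LOCALDIR branch uses `grep -q "^${keyhash}"`, so an empty `keyhash` matches every line and every certificate in that pass receives code-signing trust; `test -n "${keyhash}" && grep -q "^${keyhash}$" "${SSLDIR}/CS.txt" && echo "C"` closes both holes. Note also that `keyhash` comes from `openssl x509 -hash`, which is the subject-name hash rather than a certificate fingerprint, so any certificate carrying the same subject DN inherits the trust; matching on a fingerprint would pin the trust to the certificate itself. In the LOCALDIR hunk it is not visible whether `keyhash` has been set before the lookup, which is worth confirming. The enclosing loops and `get_trust_values` body continue outside these hunks.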