verify hg.mozilla.org with bundled CA root

Before this, make-ca does not verify the certificate of hg.mozilla.org
at all.  It makes sense as make-ca often runs on systems without trust
anchor.  But, a MIM can easily fake hg.mozilla.org and completely hijack
the trust anchor of a BLFS system.

To improve the situation, we ship the certificate of the CA root for
hg.mozilla.org (DigiCert Global Root CA) in the make-ca package, and use
it to verify hg.mozilla.org.

CHANGELOG

@@ -1,3 +1,5 @@
+1.11     - Ship certificate of the CA root of hg.mozilla.org and use it for
+           verification
 1.10     - Use --filter=ca-anchors for all stores
          - Update CS.txt (no changes since last update)
          - Fix installation of systemd timers on non-systemd systems

Makefile

@@ -21,7 +21,8 @@ clean_man:
 	rm -f make-ca.8
 	chmod 0644 help2man
 
-install: all install_bin install_man install_systemd install_conf install_cs
+install: all install_bin install_man install_systemd install_conf \
+         install_cs install_mozilla_ca_root
 
 install_bin:
 	install -vdm755 $(DESTDIR)$(SBINDIR)
@@ -52,6 +53,10 @@ install_conf:
 	install -vdm755 $(DESTDIR)$(ETCDIR)
 	install -vm644 make-ca.conf.dist $(DESTDIR)$(ETCDIR)
 
+install_mozilla_ca_root:
+	install -vdm755 $(DESTDIR)$(ETCDIR)
+	install -vm644 mozilla-ca-root.pem $(DESTDIR)$(ETCDIR)
+
 uninstall:
 	rm -f $(DESTDIR)$(SBINDIR)/make-ca
 	rm -f $(DESTDIR)$(MANDIR)/man8/make-ca.8

make-ca

@@ -11,9 +11,12 @@
 
 shopt -s extglob;
 
-VERSION="1.10"
+VERSION="1.11"
 MAKE_CA_CONF="/etc/make-ca.conf"
 
+# CA root for hg.mozilla.org
+MOZILLA_CA_ROOT="/etc/make-ca/mozilla-ca-root.pem"
+
 # Get/set defaults
 if test -f "${MAKE_CA_CONF}"; then
     . "${MAKE_CA_CONF}"
@@ -658,7 +661,11 @@ if test "${GET}" == "1"; then
   echo -n "Checking for new version of certdata.txt..."
   HOST=$(echo "${URL}" | /usr/bin/cut -d / -f 3)
   _url=$(echo "${URL}" | sed 's@raw-file@log@')
-  SARGS="-ign_eof -connect ${HOST}:443"
+  SARGS="-ign_eof -connect ${HOST}:443 -verifyCAfile ${MOZILLA_CA_ROOT}"
+  if test -d /etc/ssl/certs; then
+    SARGS="${SARGS} -verifyCApath ${CERTDIR}"
+  fi
+  SARGS="${SARGS} -verify_return_error"
   if test "${PROXY}x" != "x"; then
     SARGS="${SARGS} -proxy ${PROXY}"
   fi

mozilla-ca-root.pem

@@ -0,0 +1,23 @@
+-----BEGIN TRUSTED CERTIFICATE-----
+MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
+b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
+9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
+CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
+nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
+43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
+T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
+gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
+TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
+DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
+hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
+06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
+PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
+YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
+CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4wLzAUBggrBgEFBQcD
+BAYIKwYBBQUHAwEMF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENB
+-----END TRUSTED CERTIFICATE-----