git: ef0a3916cedb - main - security/ca_root_nss: only add SERVER_AUTH certs,
Matthias Andree
mandree at FreeBSD.org
Fri Sep 3 14:34:01 UTC 2021
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=ef0a3916cedb43beb7d256d89a8de56038d65ded
commit ef0a3916cedb43beb7d256d89a8de56038d65ded
Author: Matthias Andree <mandree at FreeBSD.org>
AuthorDate: 2021-08-26 16:57:56 +0000
Commit: Matthias Andree <mandree at FreeBSD.org>
CommitDate: 2021-09-03 14:33:49 +0000
security/ca_root_nss: only add SERVER_AUTH certs,
and support CKA_NSS_SERVER_DISTRUST_AFTER to not include
certificates if the extracted bundle of certificates
is generated later than the expiration date.
This script no longer emits trust certificates for
* EMAIL_PROTECTION
* CODE_SIGNING
because the default certificate bundle in FreeBSD is supposed to
be used for server authentication.
Reported by: Christian Heimes <christian at python.org>
via: Gordon Tetlow
Approved by: ports-secteam (riggs@) (maintainer)
---
security/ca_root_nss/Makefile | 1 +
security/ca_root_nss/files/MAca-bundle.pl.in | 49 ++++++++++++++++++++++------
2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
index c0eb7da53802..65181152eed6 100644
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,5 +1,6 @@
PORTNAME= ca_root_nss
PORTVERSION= ${VERSION_NSS}
+PORTREVISION= 1
CATEGORIES= security
MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
diff --git a/security/ca_root_nss/files/MAca-bundle.pl.in b/security/ca_root_nss/files/MAca-bundle.pl.in
index 092c2b445031..b94ca54ba2d1 100644
--- a/security/ca_root_nss/files/MAca-bundle.pl.in
+++ b/security/ca_root_nss/files/MAca-bundle.pl.in
@@ -44,6 +44,8 @@ print <<EOH;
## Authorities (CA). These were automatically extracted from Mozilla's
## root CA list (the file `certdata.txt').
##
+## It contains certificates trusted for server authentication.
+##
## Extracted from nss-%%VERSION_NSS%%
##
EOH
@@ -55,6 +57,13 @@ $debug++
my %certs;
my %trusts;
+# returns a string like YYMMDDhhmmssZ of current time in GMT zone
+sub timenow()
+{
+ my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
+ return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
+}
+
sub printcert_plain($$)
{
my ($label, $certdata) = @_;
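Review bot: `$year-100` in timenow() relies on gmtime's year offset lying between 100 and 199, so it only yields a two-digit year for 2000–2099; `$year % 100` gives the same result now and stays two digits afterwards (the YYMMDDhhmmssZ format is two-digit by design, so a century rollover can only be handled at the comparison site). The empty `()` prototype on `sub timenow()` is harmless here because the sub is defined before its callers and every call uses parentheses, but a plain `sub timenow {` avoids prototype parsing altogether. The hunk's trailing context lines belong to printcert_plain, whose body continues outside the hunk.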
@@ -80,6 +89,8 @@ sub printcert($$) {
printcert_info($a, $b);
}
+# converts a datastream that is to be \177-style octal constants
+# from <> to a (binary) string and returns it
sub graboct()
{
my $data;
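Review bot: The new comment on graboct() is hard to parse ("a datastream that is to be \177-style octal constants"); `# reads the MULTILINE_OCTAL lines (\NNN octal escapes) that follow on <> and returns the decoded binary string` states the same contract more directly, assuming that is what the body does. graboct()'s body continues outside the hunk, so the wording should be checked against it.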
@@ -94,12 +105,12 @@ sub graboct()
return $data;
}
-
sub grabcert()
{
my $certdata;
- my $cka_label;
- my $serial;
+ my $cka_label = '';
+ my $serial = 0;
+ my $distrust = 0;
while (<>) {
chomp;
@@ -116,6 +127,19 @@ sub grabcert()
if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
$serial = graboct();
}
+
+ if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
+ {
+ my $distrust_after = graboct();
+ my $time_now = timenow();
+ if ($time_now >= $distrust_after) { $distrust = 1; }
+ if ($debug) {
+ printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
+ }
+ if ($distrust) {
+ return undef;
+ }
+ }
}
return ($serial, $cka_label, $certdata);
}
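Review bot: `return undef;` on the distrust path discards `$serial` and `$cka_label`, yet the caller at `my ($serial, $label, $certdata) = grabcert();` builds the duplicate-check key `$label."\0".$serial` before it tests `defined $certdata`, so a distrusted certificate is looked up under the key "\0" (with uninitialized-value warnings if warnings are enabled) and its identity is lost; `return ($serial, $cka_label, undef);` keeps the caller's check meaningful. The comparison `$time_now >= $distrust_after` numifies two YYMMDDhhmmssZ strings, which only works because Perl stops at the trailing `Z` (and warns about it under warnings); the fixed-width, same-format strings compare exactly with `if ($time_now ge $distrust_after) { $distrust = 1; }`. In the debug printf, `%d` applied to `$serial` (binary octets from graboct) prints a meaningless number; `%s` with `unpack('H*', $serial)`, reusing `$time_now` instead of calling timenow() a second time, would be clearer. grabcert() begins in the previous hunk, and the early return leaves the rest of the distrusted object for the outer loop to skip, which is fine as long as none of those lines match a CKA_CLASS line.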
@@ -138,13 +162,13 @@ sub grabtrust() {
$serial = graboct();
}
- if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+ if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
{
- if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
+ if ($1 eq 'CKT_NSS_NOT_TRUSTED') {
$distrust = 1;
- } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+ } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
$maytrust = 1;
- } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+ } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
confess "Unknown trust setting on line $.:\n"
. "$_\n"
. "Script must be updated:";
@@ -160,13 +184,19 @@ sub grabtrust() {
return ($serial, $cka_label, $trust);
}
+my $untrusted = 0;
+
while (<>) {
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
my ($serial, $label, $certdata) = grabcert();
if (defined $certs{$label."\0".$serial}) {
warn "Certificate $label duplicated!\n";
}
- $certs{$label."\0".$serial} = $certdata;
+ if (defined $certdata) {
+ $certs{$label."\0".$serial} = $certdata;
+ } else { # $certdata undefined? distrust_after in effect
+ $untrusted ++;
+ }
} elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
my ($serial, $label, $trust) = grabtrust();
if (defined $trusts{$label."\0".$serial}) {
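Review bot: `$untrusted ++` in the new `else` branch folds certificates dropped by CKA_NSS_SERVER_DISTRUST_AFTER into the counter that the weeding loop further down (`# weed out untrusted certificates`) presumably increments for explicit distrust; if that count is reported at the end (outside this hunk), the two causes become indistinguishable, so a separate `my $distrusted_after = 0;` counter would keep the diagnostics honest. The `else { # $certdata undefined? distrust_after in effect` comment would read better as `# undef: CKA_NSS_SERVER_DISTRUST_AFTER has passed`. The while loop continues outside the hunk.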
@@ -180,12 +210,11 @@ while (<>) {
sub printlabel(@) {
my @res = @_;
- map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
+ map { s/\0.*//; s/[^[:print:]]/_/g; "\"$_\""; } @res;
return wantarray ? @res : $res[0];
}
# weed out untrusted certificates
-my $untrusted = 0;
foreach my $it (keys %trusts) {
if (!$trusts{$it}) {
if (!exists($certs{$it})) {
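Review bot: The rewritten map in printlabel() no longer quotes the labels: the original `$_ = "\"$_\""` wrote back through the `$_` alias, whereas the new block's last expression `"\"$_\""` is only the map's return value, which this void-context call discards, so `@res` now holds the unquoted (but still sanitised) labels. Unless dropping the quotes is intended — the commit message does not mention it — the in-place edit should be written as `for (@res) { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; }`, which is the idiomatic form for side effects and removes the void-context map entirely. The removed `my $untrusted = 0;` leaves the weeding loop using the file-level counter declared earlier in the commit; that loop continues outside the hunk.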