svn commit: r325572 - in head/security/ca_root_nss: . files

[Matthias Andree]

Author: mandree
Date: Thu Aug 29 08:10:09 2013
New Revision: 325572
URL: http://svnweb.freebsd.org/changeset/ports/325572

Log:
  Update extraction script to:
  
  - Only look at CKA_TRUST_SERVER_AUTH, _EMAIL_PROTECTION, and
    _CODE_SIGNING attributes.
  
  - Omit certificates that do not have any explicit trust value in these
    three attributes; at least one of the purposes must mark the
    certificate a trusted delegator.
  
  - Validate that the trust is one of three known trust values, to become
    aware of syntax changes in certdata.txt. If it is an unknown token,
    abort with an error stating that the script must be updated.
  
  - Check that we have at least 25 certificates in the output or abort.
  
  This removes these two certificates that have "unknown"
  (CKT_NSS_MUST_VERIFY_TRUST) in all three tokens, making them unfit as
  trust anchors:
  
  1 C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Universal CA,
      CN=TC TrustCenter Universal CA III
  
  2 C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network,
      OU=http://www.usertrust.com,
      CN=UTN-USERFirst-Network Applications
  
  164 trusted certificates remain.

Modified:
  head/security/ca_root_nss/Makefile
  head/security/ca_root_nss/files/MAca-bundle.pl.in

Modified: head/security/ca_root_nss/Makefile
==============================================================================
--- head/security/ca_root_nss/Makefile	Thu Aug 29 07:48:22 2013	(r325571)
+++ head/security/ca_root_nss/Makefile	Thu Aug 29 08:10:09 2013	(r325572)
@@ -3,6 +3,7 @@
 
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:U:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}

Modified: head/security/ca_root_nss/files/MAca-bundle.pl.in
==============================================================================
--- head/security/ca_root_nss/files/MAca-bundle.pl.in	Thu Aug 29 07:48:22 2013	(r325571)
+++ head/security/ca_root_nss/files/MAca-bundle.pl.in	Thu Aug 29 08:10:09 2013	(r325572)
@@ -32,6 +32,7 @@
 ##  POSSIBILITY OF SUCH DAMAGE.
 
 use strict;
+use Carp;
 use MIME::Base64;
 
 my $VERSION = '$FreeBSD$';
@@ -125,7 +126,8 @@ sub grabcert()
 sub grabtrust() {
     my $cka_label;
     my $serial;
-    my $trust = 1;
+    my $maytrust = 0;
+    my $distrust = 0;
 
     while (<>) {
 	chomp;
@@ -139,21 +141,36 @@ sub grabtrust() {
 	    $serial = graboct();
 	}
 
-	if (/^CKA_TRUST_.*\s.*_(UN|NOT_)TRUSTED/) {
-	    $trust = 0;
+	if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+	{
+	    if ($2 eq      'CKT_NSS_NOT_TRUSTED') {
+		$distrust = 1;
+	    } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+		$maytrust = 1;
+	    } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+		confess "Unknown trust setting on line $.:\n"
+		. "$_\n"
+		. "Script must be updated:";
+	    }
 	}
     }
+
+    if (!$maytrust && !$distrust && $debug) {
+	print STDERR "line $.: no explicit trust/distrust found for $cka_label\n";
+    }
+
+    my $trust = ($maytrust and not $distrust);
     return ($serial, $cka_label, $trust);
 }
 
 while (<>) {
-    if (/^CKA_CLASS .* CKO_CERTIFICATE/) {
+    if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
 	my ($serial, $label, $certdata) = grabcert();
 	if (defined $certs{$label."\0".$serial}) {
 	    warn "Certificate $label duplicated!\n";
 	}
 	$certs{$label."\0".$serial} = $certdata;
-    } elsif (/^CKA_CLASS .* CKO_(NSS|NETSCAPE)_TRUST/) {
+    } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
 	my ($serial, $label, $trust) = grabtrust();
 	if (defined $trusts{$label."\0".$serial}) {
 	    warn "Trust for $label duplicated!\n";
@@ -184,7 +201,8 @@ foreach my $it (keys %trusts) {
     }
 }
 
-print "##  Untrusted certificates omitted from this bundle: $untrusted\n\n";
+print		"##  Untrusted certificates omitted from this bundle: $untrusted\n\n";
+print STDERR	"##  Untrusted certificates omitted from this bundle: $untrusted\n";
 
 my $certcount = 0;
 foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
@@ -197,5 +215,10 @@ foreach my $it (sort {uc($a) cmp uc($b)}
     print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
 }
 
-print "##  Number of certificates: $certcount\n";
+if ($certcount < 25) {
+    die "Certificate count of $certcount is implausibly low.\nAbort";
+}
+
+print		"##  Number of certificates: $certcount\n";
+print STDERR	"##  Number of certificates: $certcount\n";
 print "##  End of file.\n";