summarylogtreecommitdiffstats
diff options
context:
space:
mode:
authorBrLi2019-07-23 10:53:26 +0800
committerBrLi2019-07-23 10:53:26 +0800
commitfcf2cadcec77239f83282871e11980740752546f (patch)
treedab30817f45ce761bced0efa6ee0a3e00df9a137
downloadaur-fcf2cadcec77239f83282871e11980740752546f.tar.gz
initial commit
Diffstat
-rw-r--r--.SRCINFO17
-rw-r--r--PKGBUILD45
-rw-r--r--certdata2pem.py200
3 files changed, 262 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..6e17802780c2
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,17 @@
+pkgbase = ca-certificates-blacklist-anti-china
+ pkgdesc = A set of Chinese CAs' certificates which should be avoided
+ pkgver = 3.45
+ pkgrel = 1
+ url = https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
+ arch = any
+ license = MPL
+ license = GPL
+ makedepends = python2
+ depends = ca-certificates-utils
+ source = https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_45_RTM/src/nss-3.45.tar.gz
+ source = certdata2pem.py
+ sha256sums = 112f05223d1fde902c170966bfc6f011b24a838be16969b110ecf2bb7bc24e8b
+ sha256sums = 2a2ff9131c21fa3b23ad7c7a2f069eabc783e56c6eb05419ac5f365f48dea0fc
+
+pkgname = ca-certificates-blacklist-anti-china
+
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..64ebebb4a5d7
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,45 @@
+# Maintainer: BrLi <brli at chakralinux dot org>
+# Contributor: hexchain <i at hexchain dot org>
+
+pkgname=ca-certificates-blacklist-anti-china
+pkgver=3.45
+pkgrel=1
+pkgdesc="A set of Chinese CAs' certificates which should be avoided"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+arch=(any)
+license=('MPL' 'GPL')
+depends=('ca-certificates-utils')
+makedepends=('python2')
+source=("https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+ "certdata2pem.py")
+sha256sums=('112f05223d1fde902c170966bfc6f011b24a838be16969b110ecf2bb7bc24e8b'
+ '2a2ff9131c21fa3b23ad7c7a2f069eabc783e56c6eb05419ac5f365f48dea0fc')
+
+prepare() {
+ mkdir -p certs
+
+ cd "nss-$pkgver"
+ ln -sfr nss/lib/ckfw/builtins/certdata.txt ../certs/
+}
+
+
+build() {
+ cd certs
+ python2 ../certdata2pem.py
+}
+
+package() {
+ cd "$srcdir/certs"
+ install -Dm644 -t "$pkgdir/usr/share/ca-certificates/trust-source/blacklist/" \
+ Certum_Root_CA:2.3.1.0.32.crt \
+ Certum_Trusted_Network_CA:2.3.4.68.192.crt \
+ Certum_Trusted_Network_CA_2:2.16.33.214.208.74.79.37.15.201.50.55.252.170.94.18.141.233.crt \
+ GDCA_TrustAUTH_R5_ROOT:2.8.125.9.151.254.240.71.234.122.crt \
+ CFCA_EV_ROOT:2.4.24.74.204.214.crt \
+ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4:2.16.47.128.254.35.140.14.34.15.72.103.18.40.145.135.172.179.crt \
+ VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5:2.16.24.218.209.158.38.125.232.187.74.33.88.205.204.107.59.74.crt \
+ VeriSign_Universal_Root_Certification_Authority:2.16.64.26.196.100.33.179.19.33.3.14.187.228.18.26.197.29.crt \
+ Verisign_Class_1_Public_Primary_Certification_Authority_-_G3:2.17.0.139.91.117.86.132.84.133.11.0.207.175.56.72.206.177.164.crt \
+ Verisign_Class_2_Public_Primary_Certification_Authority_-_G3:2.16.97.112.203.73.140.95.152.69.41.231.176.166.217.80.91.122.crt \
+ Verisign_Class_3_Public_Primary_Certification_Authority_-_G3:2.17.0.155.126.6.73.163.62.98.185.213.238.144.72.113.41.239.87.crt
+}
diff --git a/certdata2pem.py b/certdata2pem.py
new file mode 100644
index 000000000000..021772aea1ab
--- /dev/null
+++ b/certdata2pem.py
@@ -0,0 +1,200 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
+# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+import urllib
+
+objects = []
+
+def printable_serial(obj):
+ return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, type, value, obj = None, None, None, dict()
+for line in open('certdata.txt', 'r'):
+ # Ignore the file header.
+ if not in_data:
+ if line.startswith('BEGINDATA'):
+ in_data = True
+ continue
+ # Ignore comment lines.
+ if line.startswith('#'):
+ continue
+ # Empty lines are significant if we are inside an object.
+ if in_obj and len(line.strip()) == 0:
+ objects.append(obj)
+ obj = dict()
+ in_obj = False
+ continue
+ if len(line.strip()) == 0:
+ continue
+ if in_multiline:
+ if not line.startswith('END'):
+ if type == 'MULTILINE_OCTAL':
+ line = line.strip()
+ for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+ value += chr(int(i.group(1), 8))
+ else:
+ value += line
+ continue
+ obj[field] = value
+ in_multiline = False
+ continue
+ if line.startswith('CKA_CLASS'):
+ in_obj = True
+ line_parts = line.strip().split(' ', 2)
+ if len(line_parts) > 2:
+ field, type = line_parts[0:2]
+ value = ' '.join(line_parts[2:])
+ elif len(line_parts) == 2:
+ field, type = line_parts
+ value = None
+ else:
+ raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
+ if type == 'MULTILINE_OCTAL':
+ in_multiline = True
+ value = ""
+ continue
+ obj[field] = value
+if len(obj.items()) > 0:
+ objects.append(obj)
+
+# Build up trust database.
+trustmap = dict()
+for obj in objects:
+ if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
+ continue
+ key = obj['CKA_LABEL'] + printable_serial(obj)
+ trustmap[key] = obj
+ print " added trust", key
+
+# Build up cert database.
+certmap = dict()
+for obj in objects:
+ if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+ continue
+ key = obj['CKA_LABEL'] + printable_serial(obj)
+ certmap[key] = obj
+ print " added cert", key
+
+def obj_to_filename(obj):
+ label = obj['CKA_LABEL'][1:-1]
+ label = label.replace('/', '_')\
+ .replace(' ', '_')\
+ .replace('(', '=')\
+ .replace(')', '=')\
+ .replace(',', '_')
+ label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
+ serial = printable_serial(obj)
+ return label + ":" + serial
+
+trust_types = {
+ "CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
+ "CKA_TRUST_NON_REPUDIATION": "non-repudiation",
+ "CKA_TRUST_KEY_ENCIPHERMENT": "key-encipherment",
+ "CKA_TRUST_DATA_ENCIPHERMENT": "data-encipherment",
+ "CKA_TRUST_KEY_AGREEMENT": "key-agreement",
+ "CKA_TRUST_KEY_CERT_SIGN": "cert-sign",
+ "CKA_TRUST_CRL_SIGN": "crl-sign",
+ "CKA_TRUST_SERVER_AUTH": "server-auth",
+ "CKA_TRUST_CLIENT_AUTH": "client-auth",
+ "CKA_TRUST_CODE_SIGNING": "code-signing",
+ "CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+ "CKA_TRUST_IPSEC_END_SYSTEM": "ipsec-end-system",
+ "CKA_TRUST_IPSEC_TUNNEL": "ipsec-tunnel",
+ "CKA_TRUST_IPSEC_USER": "ipsec-user",
+ "CKA_TRUST_TIME_STAMPING": "time-stamping",
+ "CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
+}
+
+openssl_trust = {
+ "CKA_TRUST_SERVER_AUTH": "serverAuth",
+ "CKA_TRUST_CLIENT_AUTH": "clientAuth",
+ "CKA_TRUST_CODE_SIGNING": "codeSigning",
+ "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
+}
+
+for tobj in objects:
+ if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
+ key = tobj['CKA_LABEL'] + printable_serial(tobj)
+ print "producing trust for " + key
+ trustbits = []
+ distrustbits = []
+ openssl_trustflags = []
+ openssl_distrustflags = []
+ for t in trust_types.keys():
+ if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ trustbits.append(t)
+ if t in openssl_trust:
+ openssl_trustflags.append(openssl_trust[t])
+ if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+ distrustbits.append(t)
+ if t in openssl_trust:
+ openssl_distrustflags.append(openssl_trust[t])
+
+ fname = obj_to_filename(tobj)
+ try:
+ obj = certmap[key]
+ except:
+ obj = None
+
+ if obj != None:
+ fname += ".crt"
+ else:
+ fname += ".p11-kit"
+
+ f = open(fname, 'w')
+ if obj != None:
+ f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+ f.write("# trust=" + " ".join(trustbits) + "\n")
+ f.write("# distrust=" + " ".join(distrustbits) + "\n")
+ if openssl_trustflags:
+ f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
+ if openssl_distrustflags:
+ f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
+ f.write("-----BEGIN CERTIFICATE-----\n")
+ f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+ f.write("\n-----END CERTIFICATE-----\n")
+ else:
+ f.write("[p11-kit-object-v1]\n")
+ f.write("label: ");
+ f.write(tobj['CKA_LABEL']);
+ f.write("\n")
+ f.write("class: certificate\n")
+ f.write("certificate-type: x-509\n")
+ f.write("issuer: \"");
+ f.write(urllib.quote(tobj['CKA_ISSUER']));
+ f.write("\"\n")
+ f.write("serial-number: \"");
+ f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
+ f.write("\"\n")
+ if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
+ f.write("x-distrusted: true\n")
+ f.write("\n\n")
+ f.close()
+ print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)