From a539e75c078ac28e99b25b257a0700caaae60770 Mon Sep 17 00:00:00 2001
From: Britney Fransen
Date: Mon, 21 Sep 2015 13:38:23 +0000
Subject: ca-certificates: update to 20150402
---
 abs/core/ca-certificates/PKGBUILD | 49 ++--
 .../ca-certificates/ca-certificates-utils.install | 43 ++--
 abs/core/ca-certificates/update-ca-trust | 27 +++
 abs/core/ca-certificates/update-ca-trust.8.txt | 265 +++++++++++++++++++++
 4 files changed, 342 insertions(+), 42 deletions(-)
 create mode 100644 abs/core/ca-certificates/update-ca-trust
 create mode 100644 abs/core/ca-certificates/update-ca-trust.8.txt
diff --git a/abs/core/ca-certificates/PKGBUILD b/abs/core/ca-certificates/PKGBUILD
index a5edf22..f377a79 100644
--- a/abs/core/ca-certificates/PKGBUILD
+++ b/abs/core/ca-certificates/PKGBUILD
@@ -1,52 +1,45 @@
 # $Id$
-# Maintainer: Pierre Schmitz
+# Maintainer: Jan Alexander Steffens (heftig)
+# Contributor: Pierre Schmitz
 pkgbase=ca-certificates
 pkgname=(ca-certificates-utils ca-certificates)
-pkgver=20140923
-pkgrel=2
+pkgver=20150402
+pkgrel=1
 pkgdesc='Common CA certificates'
 arch=('any')
 url='http://pkgs.fedoraproject.org/cgit/ca-certificates.git'
 license=('GPL2')
-depends=('sh' 'p11-kit')
-makedepends=('asciidoc')
-_commit=f81c301
-source=("update-ca-trust::$url/plain/update-ca-trust?id=$_commit"
- "update-ca-trust.8.txt::$url/plain/update-ca-trust.8.txt?id=$_commit")
-sha256sums=('75ef2f4b0fddd2ca3c69b234a6abb66fd732e4af96814b65dcedb0dd52018381'
- 'd31ac2bb5f1941aea0ac1e51861af7be224b6bb85820e30bb30793112aa785ba')
-
-_confdir=/etc/$pkgbase
-_datadir=/usr/share/$pkgbase
-
-prepare() {
- sed -i "s:/etc/pki/ca-trust:${_confdir}:g" update-ca-trust
+makedepends=('asciidoc' 'p11-kit')
+source=(update-ca-trust update-ca-trust.8.txt)
+sha256sums=('746d2cce8ec107fa3b7aaa246d69a7e238c3d2ac5cd82c5aeed996fe9cb0a874'
+ '38c10446738c1e99bc95e42fe844a9e95ea106795059fa769f3b4ba82b395929')
+
+build() {
+ asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
+ xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
 }
 package_ca-certificates-utils() {
 pkgdesc+=" (utilities)"
+ depends=('bash' 'coreutils' 'findutils' 'p11-kit>=0.23.1')
 install=ca-certificates-utils.install
 provides=(ca-certificates ca-certificates-java)
 conflicts=(ca-certificates-java)
 replaces=(ca-certificates-java)
- asciidoc.py -v -d manpage -b docbook update-ca-trust.8.txt
- xsltproc --nonet -o update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl update-ca-trust.8.xml
-
 install -D update-ca-trust "${pkgdir}/usr/bin/update-ca-trust"
 install -Dm644 update-ca-trust.8 "${pkgdir}/usr/share/man/man8/update-ca-trust.8"
- install -d "${pkgdir}"{${_confdir},${_datadir}}/trust-source/{anchors,blacklist}
+ # Trust source directories
+ install -d "${pkgdir}"/{etc,usr/share}/${pkgbase}/trust-source/{anchors,blacklist}
- _extractdir="${pkgdir}${_confdir}/extracted"
- _ssldir="${pkgdir}/etc/ssl"
+ # Directories used by update-ca-trust (aka "trust extract-compat")
+ install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}
- install -d "${_ssldir}/certs/java" "${_extractdir}"/{openssl,pem,java}
- ln -sr "${_extractdir}/openssl/ca-bundle.trust.crt" "${_ssldir}/certs/ca-bundle.trust.crt"
- ln -sr "${_extractdir}/pem/tls-ca-bundle.pem" "${_ssldir}/certs/ca-bundle.crt"
- ln -sr "${_extractdir}/pem/tls-ca-bundle.pem" "${_ssldir}/cert.pem"
- ln -sr "${_extractdir}/java/cacerts" "${_ssldir}/certs/java/cacerts"
+ # Compatibility link for OpenSSL using /etc/ssl as CAdir
+ # Used in preference to the individual links in /etc/ssl/certs
+ ln -s ../${pkgbase}/extracted/tls-ca-bundle.pem "${pkgdir}/etc/ssl/cert.pem"
 }
 package_ca-certificates() {
@@ -54,4 +47,4 @@ package_ca-certificates() {
 depends=(ca-certificates-{mozilla,cacert})
 }
-# vim:set noet ts=8 sw=8:
+# vim:set noet ts=8 sw=8 sts=0:
diff --git a/abs/core/ca-certificates/ca-certificates-utils.install b/abs/core/ca-certificates/ca-certificates-utils.install
index bf18c7f..8120878 100644
--- a/abs/core/ca-certificates/ca-certificates-utils.install
+++ b/abs/core/ca-certificates/ca-certificates-utils.install
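Review bot: The vendored `update-ca-trust` now arrives with only a sha256sum and no record of where it came from — the removed `_commit=f81c301` pin against `$url` and the `prepare()` sed that rewrote `/etc/pki/ca-trust` to `/etc/ca-certificates` were the only provenance for a script that, per the .install hunk, runs as root in post_install and post_upgrade. Keep that traceability next to `source=(update-ca-trust update-ca-trust.8.txt)`, e.g. `# update-ca-trust and update-ca-trust.8.txt are local copies, presumably derived from $url with /etc/pki/ca-trust rewritten to /etc/ca-certificates; record the upstream commit here when refreshing them`. The script's contents are not visible in this chunk, so whether it still matches upstream cannot be checked here. Separately, `install -d "${pkgdir}"/etc/{ssl/certs/java,${pkgbase}/extracted}` creates `/etc/ssl/certs/java`, while the man page added by the same commit lists the keystore as `/etc/ssl/java/cacerts` in its FILES section — one of the two paths should be corrected so operators look in the right place. `makedepends=('asciidoc' 'p11-kit')` also lists p11-kit although nothing in `build()` invokes it; if it is meant as the runtime floor, the `>=0.23.1` constraint in `depends` already covers that and the makedepends entry can go.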
@@ -2,28 +2,43 @@ export LC_ALL=C
 post_install() {
 usr/bin/update-ca-trust
-}
-pre_upgrade() {
- if (( $(vercmp $2 20140923-2) < 0 )); then
- find /etc/ssl/certs -type l -print | while read symlink; do
- case $(readlink $symlink) in
- /usr/share/ca-certificates*) rm -f $symlink;;
- esac
- done
- find /etc/ssl/certs -type l -print | while read symlink; do
- test -f $symlink || rm -f $symlink
- done
- rm -f /etc/ssl/certs/ca-certificates.crt
- fi
+ # This should be a normally packaged file, but that would
+ # require user intervention at upgrade
+ ln -srf etc/ca-certificates/extracted/tls-ca-bundle.pem \
+ etc/ssl/certs/ca-certificates.crt
 }
 post_upgrade() {
 usr/bin/update-ca-trust
+
+ if (( $(vercmp $2 20140923-7.1) < 0 )); then
+ cat <>.
+
+In addition, the classic PKCS#11 module
+is replaced with a new PKCS#11 module (p11-kit-trust.so) that dynamically
+reads the same source configuration.
+
+
+[[sourceconf]]
+SOURCE CONFIGURATION
+--------------------
+The dynamic configuration feature uses several source directories that
+will be scanned for any number of source files. *It is important to select
+the correct subdirectory for adding files, as the subdirectory defines how
+contained certificates will be trusted or distrusted, and which file formats are read.*
+
+Files in subdirectories below the directory hierarchy /usr/share/ca-certificates/trust-source/ contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *low priority*.
+
+Files in subdirectories below the directory hierarchy /etc/ca-certificates/trust-source/ contain CA certificates and
+trust settings in the PEM file format. The trust settings found here will be
+interpreted with a *high priority*.
+
+.You may use the following rules of thumb to decide, whether your configuration files should be added to the /etc or rather to the /usr directory hierarchy:
+* If you are manually adding a configuration file to a system, you probably
+want it to override any other default configuration, and you most likely should
+add it to the respective subdirectory in the /etc hierarchy.
+* If you are creating a package that provides additional root CA certificates,
+that is intended for distribution to several computer systems, but you still
+want to allow the administrator to override your list, then your package should
+add your files to the respective subdirectory in the /usr hierarchy.
+* If you are creating a package that is supposed to override the default system
+trust settings, that is intended for distribution to several computer systems, then your package should install the files to the respective
+subdirectory in the /etc hierarchy.
+
+.*QUICK HELP 1*: To add a certificate in the simple PEM or DER file formats to the list of CAs trusted on the system:
+* add it as a new file to directory /etc/ca-certificates/trust-source/anchors/
+* run 'update-ca-trust extract'
+
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+* add it as a new file to directory /etc/ca-certificates/trust-source/
+* run 'update-ca-trust extract'
+
+.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
+* simple trust anchors subdirectory: /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+* simple blacklist (distrust) subdirectory: /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+* extended format directory: /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+
+.In the main directories /usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/ you may install one or multiple files in the following file formats:
+* certificate files that include trust flags,
+ in the BEGIN/END TRUSTED CERTIFICATE file format
+ (any file name), which have been created using the openssl x509 tool
+ and the -addreject -addtrust options.
+ Bundle files with multiple certificates are supported.
+* files in the p11-kit file format using the .p11-kit file name
+ extension, which can (e.g.) be used to distrust certificates
+ based on serial number and issuer name, without having the
+ full certificate available.
+ (This is currently an undocumented format, to be extended later.
+ For examples of the supported formats, see the files
+ shipped with the ca-certificates-mozilla package.)
+* certificate files without trust flags in either the DER file format or in
+ the PEM (BEGIN/END CERTIFICATE) file format (any file name). Such files
+ will be added with neutral trust, neither trusted nor distrusted.
+ They will simply be known to the system, which might be helpful to
+ assist cryptographic software in constructing chains of certificates.
+ (If you want a CA certificate in these file formats to be trusted, you
+ should remove it from this directory and move it to the
+ ./anchors subdirectory instead.)
+
+In the anchors subdirectories /usr/share/ca-certificates/trust-source/anchors/ or /etc/ca-certificates/trust-source/anchors/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *trusted* for all purposes.
+
+In the blacklist subdirectories /usr/share/ca-certificates/trust-source/blacklist/ or /etc/ca-certificates/trust-source/blacklist/
+you may install one or multiple certificates in either the DER file
+format or in the PEM (BEGIN/END CERTIFICATE) file format.
+Each certificate will be treated as *distrusted* for all purposes.
+
+Please refer to the x509(1) manual page for the documentation of the
+BEGIN/END CERTIFICATE and BEGIN/END TRUSTED CERTIFICATE file formats.
+
+Applications that rely on a static file for a list of trusted CAs
+may load one of the files found in the /etc/ssl/certs or /etc/ca-certificates/extracted
+directory. After modifying any file in the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories or in any of their subdirectories, or after adding a file,
+it is necessary to run the 'update-ca-trust extract' command,
+in order to update the consolidated files in /etc/ssl/certs or /etc/ca-certificates/extracted/ .
+
+Applications that load the classic PKCS#11 module using filename libnssckbi.so
+(which has been converted into a symbolic link pointing to the new module)
+and any application capable of
+loading PKCS#11 modules and loading p11-kit-trust.so, will benefit from
+the dynamically merged set of certificates and trust information stored in the
+/usr/share/ca-certificates/trust-source/ and /etc/ca-certificates/trust-source/ directories.
+
+
+[[extractconf]]
+EXTRACTED CONFIGURATION
+-----------------------
+The directories /etc/ssl/certs and /etc/ca-certificates/extracted/ contains generated CA certificate
+bundle files which are created and updated, based on the <>
+by running the 'update-ca-trust extract' command.
+
+If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
+then you can use these files in your application to load a list of global
+root CA certificates.
+
+Please never manually edit the files stored in these directories,
+because your changes will be lost and the files automatically overwritten,
+each time the 'update-ca-trust extract' command gets executed.
+
+In order to install new trusted or distrusted certificates,
+please rather install them in the respective subdirectory below the
+/usr/share/ca-certificates/trust-source/ or /etc/ca-certificates/trust-source/
+directories, as described in the <> section.
+
+The directory /etc/ssl/certs contains a OpenSSL-cadir-style hash farm.
+Distrust information cannot be represented in this format,
+and distrusted certificates are missing from these files.
+
+The directory /etc/ssl/certs/java contains
+a CA certificate bundle in the java keystore file format.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File cacerts contains CA certificates trusted for TLS server authentication.
+
+The directory /etc/ca-certificates/extracted contains
+CA certificate bundle files in the simple BEGIN/END CERTIFICATE file format,
+as decribed in the x509(1) manual page.
+Distrust information cannot be represented in this file format,
+and distrusted certificates are missing from these files.
+File tls-ca-bundle.pem contains CA certificates
+trusted for TLS server authentication.
+File email-ca-bundle.pem contains CA certificates
+trusted for E-Mail protection.
+File objsign-ca-bundle.pem contains CA certificates
+trusted for code signing.
+File ca-bundle.trust.crt contains certificates in the extended
+BEGIN/END TRUSTED CERTIFICATE file format, as described in the x509(1) manual page.
+This bundle contains the full set of all trusted
+and distrusted certificates, including the associated trust flags.
+
+
+COMMANDS
+--------
+(absent/empty command)::
+ Same as the *extract* command described below. (However, the command may
+ print fewer warnings, as this command is being run during package
+ installation, where non-fatal status output is undesired.)
+
+*extract*::
+ Instruct update-ca-trust to scan the <> and produce
+ updated versions of the consolidated configuration files stored below
+ the /etc/ssl/certs and /etc/ca-certificates/extracted directory
+ hierarchies.
+
+FILES
+-----
+/usr/share/ca-certificates/trust-source::
+ Contains multiple, low priority source configuration files as explained in section <>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/trust-source::
+ Contains multiple, high priority source configuration files as explained in section <>. Please pay attention to the specific meanings of the respective subdirectories.
+
+/etc/ca-certificates/extracted::
+ Contains consolidated and automatically generated configuration files for consumption by applications,
+ which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
+ See section <> for additional details.
+
+/etc/ca-certificates/extracted/tls-ca-bundle.pem::
+ Contains a list of CA certificates trusted for TLS server authentication, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/email-ca-bundle.pem::
+ Contains a list of CA certificates trusted for E-Mail protection, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/objsign-ca-bundle.pem::
+ Contains a list of CA certificates trusted for code signing, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+
+/etc/ca-certificates/extracted/ca-bundle.trust.crt::
+ Contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
+
+/etc/ca-certificates/extracted/cadir::
+ Contains individual CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
+ Also includes the necessary hash symlinks expected by OpenSSL.
+
+/etc/ssl/certs::
+ Classic directory, contains symlinks into /etc/ca-certificates/extracted/cadir which are maintained by the update-ca-trust command.
+
+/etc/ssl/certs/ca-certificates.crt::
+ Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/cert.pem::
+ Classic filename, a symlink to /etc/ca-certificates/extracted/tls-ca-bundle.pem.
+
+/etc/ssl/java/cacerts::
+ Classic filename, contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
+ This file is consolidated output created by the update-ca-trust command.
+
+AUTHOR
+------
+Written by Kai Engert and Stef Walter.
--
cgit v0.12