aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2020-01-20 22:23:44 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-01-22 10:41:31 +0100
commit1ebc53df251819086859f27f22ccfb66ddd58364 (patch)
tree36e79a53224bcac0f3e1ab8d08ceceaaf278b41b
parent599d92e7d08090d2cfe596a5c3d3acf990a306bd (diff)
mk-ca-bundle: add support for CKA_NSS_SERVER_DISTRUST_AFTER
For now, no cert in the bundle actually sets a date there... Co-Authored-by: Jay Satiro Reported-by: Christian Heimes Fixes #4834 Closes #4836
-rwxr-xr-xlib/mk-ca-bundle.pl62
1 files changed, 54 insertions, 8 deletions
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 33977f322..09e8e5b9b 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -6,7 +6,7 @@
# * | (__| |_| | _ <| |___
# * \___|\___/|_| \_\_____|
# *
-# * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+# * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
# *
# * This software is licensed as described in the file COPYING, which
# * you should have received as part of this distribution. The terms
@@ -38,6 +38,7 @@ use warnings;
use vars qw($opt_b $opt_d $opt_f $opt_h $opt_i $opt_k $opt_l $opt_m $opt_n $opt_p $opt_q $opt_s $opt_t $opt_u $opt_v $opt_w);
use List::Util;
use Text::Wrap;
+use Time::Local;
my $MOD_SHA = "Digest::SHA";
eval "require $MOD_SHA";
if ($@) {
@@ -421,6 +422,8 @@ my $certnum = 0;
my $skipnum = 0;
my $start_of_cert = 0;
my @precert;
+my $cka_value;
+my $valid = 1;
open(TXT,"$txt") or die "Couldn't open $txt: $!\n";
while (<TXT>) {
@@ -435,6 +438,7 @@ while (<TXT>) {
}
elsif(/^# (Issuer|Serial Number|Subject|Not Valid Before|Not Valid After |Fingerprint \(MD5\)|Fingerprint \(SHA1\)):/) {
push @precert, $_;
+ $valid = 1;
next;
}
elsif(/^#|^\s*$/) {
@@ -443,6 +447,49 @@ while (<TXT>) {
}
chomp;
+ # Example:
+ # CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+ # \062\060\060\066\061\067\060\060\060\060\060\060\132
+ # END
+
+ if (/^CKA_NSS_SERVER_DISTRUST_AFTER (CK_BBOOL CK_FALSE|MULTILINE_OCTAL)/) {
+ if($1 eq "MULTILINE_OCTAL") {
+ my @timestamp;
+ while (<TXT>) {
+ last if (/^END/);
+ chomp;
+ my @octets = split(/\\/);
+ shift @octets;
+ for (@octets) {
+ push @timestamp, chr(oct);
+ }
+ }
+ # A trailing Z in the timestamp signifies UTC
+ if($timestamp[12] ne "Z") {
+ report "distrust date stamp is not using UTC";
+ }
+ # Example date: 200617000000Z
+ # Means 2020-06-17 00:00:00 UTC
+ my $distrustat =
+ timegm($timestamp[10] . $timestamp[11], # second
+ $timestamp[8] . $timestamp[9], # minute
+ $timestamp[6] . $timestamp[7], # hour
+ $timestamp[4] . $timestamp[5], # day
+ ($timestamp[2] . $timestamp[3]) - 1, # month
+ "20" . $timestamp[0] . $timestamp[1]); # year
+ if(time >= $distrustat) {
+ # not trusted anymore
+ $skipnum++;
+ report "Skipping: $caname is not trusted anymore" if ($opt_v);
+ $valid = 0;
+ }
+ else {
+ # still trusted
+ }
+ }
+ next;
+ }
+
# this is a match for the start of a certificate
if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
$start_of_cert = 1
@@ -452,21 +499,18 @@ while (<TXT>) {
}
my %trust_purposes_by_level;
if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
- my $data;
+ $cka_value="";
while (<TXT>) {
last if (/^END/);
chomp;
my @octets = split(/\\/);
shift @octets;
for (@octets) {
- $data .= chr(oct);
+ $cka_value .= chr(oct);
}
}
- # scan forwards until the trust part
- while (<TXT>) {
- last if (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/);
- chomp;
- }
+ }
+ if(/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/ && $valid) {
# now scan the trust part to determine how we should trust this cert
while (<TXT>) {
last if (/^#/);
@@ -485,6 +529,8 @@ while (<TXT>) {
$skipnum ++;
report "Skipping: $caname" if ($opt_v);
} else {
+ my $data = $cka_value;
+ $cka_value = "";
my $encoded = MIME::Base64::encode_base64($data, '');
$encoded =~ s/(.{1,${opt_w}})/$1\n/g;
my $pem = "-----BEGIN CERTIFICATE-----\n"