From: Arkadiusz Miśkiewicz Date: Fri, 1 Oct 2021 10:36:07 +0000 (+0200) Subject: Rel 6; make sure we don't include expired certs X-Git-Tag: auto/th/ca-certificates-20210119-6 X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=0818a4328225cca2d41e43f0fa816f38bb3cbe69;p=packages%2Fca-certificates.git Rel 6; make sure we don't include expired certs --- diff --git a/ca-certificates.spec b/ca-certificates.spec index a2ee45b..ed7d196 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -13,7 +13,7 @@ Summary(pl.UTF-8): Pliki PEM popularnych certyfikatów CA Name: ca-certificates %define ver_date 20210119 Version: %{ver_date} -Release: 5 +Release: 6 License: GPL v2 (scripts), MPL v2 (mozilla certs), distributable (other certs) Group: Base Source0: http://ftp.debian.org/debian/pool/main/c/ca-certificates/%{name}_%{version}.tar.xz @@ -150,6 +150,32 @@ sed 's/\r//' %{SOURCE36} > terena/$(basename %{SOURCE36} .pem).crt # We have those and more in specific dirs %{__rm} mozilla/Certum*.crt +make_sure_expired_and_rm() { + cert="$1" + rm -rf pld-tests + install -d pld-tests + cat "$cert" | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > "pld-tests/" i ".extracted.crt" }' + for tmpcert in pld-tests/*.extracted.crt; do + # check expiration date + EXPDATE=$(openssl x509 -enddate -noout -in "$tmpcert") + EXPDATE=${EXPDATE#notAfter=} + EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE") + NOWTIMESTAMP=$(date +"%s") + # mksh is 32bit only + if /usr/bin/test "$EXPDATETIMESTAMP" -ge "$NOWTIMESTAMP"; then + echo "$cert ($tmpcert): not expired! ${EXPDATE}" + return 1 + fi + done + rm "$cert" + return 0 +} + +# expired +make_sure_expired_and_rm mozilla/Sonera_Class_2_Root_CA.crt +make_sure_expired_and_rm mozilla/DST_Root_CA_X3.crt +make_sure_expired_and_rm mozilla/QuoVadis_Root_CA.crt + # See TODO # %{__rm} mozilla/RSA_Security_1024_v3.crt @@ -182,7 +208,23 @@ cd pld-tests cat $RPM_BUILD_ROOT%{certsdir}/ca-certificates.crt | awk '/^-+BEGIN/ { i++; } /^-+BEGIN/, /^-+END/ { print > i ".extracted.crt" }' for cert in *.extracted.crt; do openssl x509 -in "$cert" -noout -sha1 -fingerprint > "$cert.fingerprint" + + + # check expiration date + EXPDATE=$(openssl x509 -enddate -noout -in "$cert") + EXPDATE=${EXPDATE#notAfter=} + EXPDATETIMESTAMP=$(date +"%s" -d "$EXPDATE") + NOWTIMESTAMP=$(date +"%s") + # mksh is 32bit only + if /usr/bin/test "$EXPDATETIMESTAMP" -lt "$NOWTIMESTAMP"; then + echo "!!! Expired certificate: $cert" + openssl x509 -subject -issuer -startdate -enddate -email -alias -noout -in "$cert" + echo "Fingerprint: $(cat "$cert.fingerprint")" + echo "\n\n" + exit 1 + fi done + DUPLICATES=$(sort *.fingerprint | uniq -c | sort -nr | awk ' { if ($1 != 1) { print $0; } } ') if [ -n "$DUPLICATES" ]; then echo -e "\n\nFound duplicates for certificates (count, type, fingerprint):\n\n$DUPLICATES\n\nFailing..."