Commit 51f0b798 authored by Guenter Knauf's avatar Guenter Knauf
Browse files

Skip more untrusted certificates. 

Christian Heimes brought to our attention that the certdata.txt
format has recently changed [1], causing ca-bundle.crt created
with mk-ca-bundle.[pl|vbs] to include untrusted certs.

[1] http://lists.debian.org/debian-release/2012/11/msg00411.html
parent 6b27703b

lib/mk-ca-bundle.pl

+4 −3
Original line number Diff line number Diff line
@@ -40,7 +40,7 @@ my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/ 
# If the OpenSSL commandline is not in search path you can configure it here!

my $openssl = 'openssl';



my $version = '1.18';

my $version = '1.19';



$opt_w = 76; # default base64 encoded lines length
@@ -185,7 +185,8 @@ while (<TXT>) { 
    while (<TXT>) {

      last if (/^#/);

      if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/

          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/) {

          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/

          or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {

        $untrusted = 1;

      }

    }

lib/mk-ca-bundle.vbs

+3 −2
Original line number Diff line number Diff line
@@ -26,7 +26,7 @@ 
'* Hacked by Guenter Knauf

'***************************************************************************

Option Explicit

Const myVersion = "0.3.7"

Const myVersion = "0.3.8"



Const myUrl = "http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
@@ -131,7 +131,8 @@ For i = 0 To UBound(myLines) 
      While (i < UBound(myLines)) And Not (myLines(i) = "#")

        i = i + 1

        If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _

           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN")) Then

           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN") Or _

           InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST")) Then

          myUntrusted = TRUE

        End If

      Wend