pkgsrc-Bugs archive


pkg/49176: certdata-20140820.txt of mozilla-rootcerts missing cert marks previous cert untrusted

>Number:         49176
>Category:       pkg
>Synopsis:       certdata-20140820.txt of mozilla-rootcerts missing cert marks previous cert untrusted
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 05 23:05:00 +0000 2014
>Originator:     John D. Baker
>Release:        pkgsrc-HEAD (25-Aug-2014 08:35 UTC)
NetBSD gx260a 7.99.1 NetBSD 7.99.1 (NO_DRM) #5: Sun Aug 24 20:26:20 CDT 2014  

>Description:
When running 'mozilla-rootcerts' with the "extract" or "install"
options, several certificates are later flagged "untrusted" and
removed immediately after extraction.

How the 'mozilla-rootcerts' script does this depends on maintaining
the regular structure of the "certdata*.txt" input file.  Specifically:

# Certificate foo
# blah
# blah
<octal data>

# Trust for Certificate foo
# blah
# blah

# Certificate bar

The script first extracts the CKA_VALUE data, passing it to 'openssl'
to convert to PEM format and saving it in a file.

It then parses the trust data assumed to be following the certificate,
looking for something with "NOT_TRUSTED" or "UNTRUSTED" as a signal
to delete the file.  It only stops parsing trust data when it sees
a line containing only a "#" (regexp /^#$/) such as found at the start
of the next Certificate.

The "certdata-20140820.txt" file contains a trust data section without
a preceding certificate.  The trust section indicates the missing
certificate is untrusted.  The 'mozilla-rootcerts' script parses this
extraneous trust section as though it belonged to the preceding certificate,
marking it untrusted and removing it.
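To make the failure mode concrete, here is an added example (not the pkgsrc script, and not the real certdata file) that re-implements the trust scan described above over a constructed excerpt laid out the way the report sketches it (a lone "#" only at the start of each certificate block): in positional mode an orphan distrust section is charged to the previous certificate, while binding trust lines to the certificate they name keeps "foo" trusted.

```python
import re

# Constructed, simplified excerpt in the layout the PR describes (a lone "#"
# only at the start of each certificate block); not the real certdata file.
SAMPLE = """\
#
# Certificate "foo"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\001
END

# Trust for Certificate "foo"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Distrust "Distrust a certificate that does not comply with the baseline requirements."
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
#
# Certificate "bar"
CKA_VALUE MULTILINE_OCTAL
\\060\\202\\002
END

# Trust for Certificate "bar"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""
BLOCK_HDR = re.compile(r'^# (Certificate|Trust for Certificate|Distrust)\b(?: "(.*?)")?')
UNTRUSTED = re.compile(r'NOT_TRUSTED|UNTRUSTED')

def classify(text, bind_by_name=False):
    """Map certificate name -> True (kept) or False (removed as untrusted).
    bind_by_name=False is the positional scan the PR describes (any untrusted
    marker counts until /^#$/); True binds trust lines to the named cert."""
    result, current, bound = {}, None, False
    for line in text.splitlines():
        if line == '#':                 # /^#$/ ends the scan in both modes
            current = None
            continue
        hdr = BLOCK_HDR.match(line)
        if hdr and hdr.group(1) == 'Certificate':
            current, bound = hdr.group(2), False
            result[current] = True
            continue
        if current is None:
            continue
        if hdr:                         # trust or distrust header
            bound = hdr.group(1) == 'Trust for Certificate' and hdr.group(2) == current
            continue
        if UNTRUSTED.search(line) and (bound or not bind_by_name):
            result[current] = False
    return result
```

`classify(SAMPLE)` reproduces the bug by removing "foo"; `classify(SAMPLE, bind_by_name=True)` keeps both certificates because the orphan Distrust block names no certificate.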

>How-To-Repeat:
Build and install "security/mozilla-rootcerts" from pkgsrc-HEAD after
25 August 2014 08:35 UTC.

Build and install "net/clive".

Clean out or move aside "/etc/ssl/certs" and "/etc/openssl/certs" and
run 'mozilla-rootcerts install'

Attempt to fetch a video from YouTube with an "https://..." URL using

Watch it fail to authenticate due to missing root certificate.

>Fix:
The following patch adds a placeholder for the missing certificate
that satisfies the requirements of the 'mozilla-rootcerts' script to
stop parsing certificate trust data.

--- certdata-20140820.txt.orig  2014-09-05 17:16:28.000000000 -0500
+++ certdata-20140820.txt       2014-09-05 17:20:01.000000000 -0500
+# Certificate Placeholder for missing certificate
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 1407252 (0x157914)
+# Subject: CN=*,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+# Not Valid Before: Mon Feb 01 14:54:04 2010
+# Not Valid After : Tue Sep 30 00:00:00 2014
+# Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
+# Fingerprint (SHA1): 
 # Distrust "Distrust a certificate that does not comply with the 
baseline requirements."
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 1407252 (0x157914)
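Review bot: the hunk carries no `@@` range header, so patch(1) has no position at which to apply it; a unified diff generated with `diff -u` would include the line ranges. Also, the description above says the script stops parsing trust data only on a line matching /^#$/, yet no lone `#` line is added before `+# Certificate Placeholder for missing certificate`, so it is worth confirming that the scan really terminates at the placeholder instead of continuing into the Distrust section. Finally, the placeholder has no CKA_VALUE data and an empty `+# Fingerprint (SHA1): ` line; if the extraction step expects octal data after every certificate header, it should be checked that a data-less block is tolerated rather than producing an empty PEM file.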
