Mail Archives: cygwin/2017/07/18/12:31:08

In-Reply-To: <CAD8GWssNeQxTrLim_kO+2nhSzRXR6Kq9h12Sjw2Pg5bVJ0BkTw@mail.gmail.com>
References: <CAD8GWsvT9rgHz+vcdBmX-opfckZS8g06_Px57JCNG_xCT_ku6A AT mail DOT gmail DOT com> <okef84$e7f$1 AT blaine DOT gmane DOT org> <CAD8GWsuvpZqOmajdyBBSNza20un_BZuJOdRH15XhKFqzx4H3OA AT mail DOT gmail DOT com> <okesn6$agb$1 AT blaine DOT gmane DOT org> <CAD8GWsuMuda5O2X-1N_q8TpZ_wZQBhEEJpfdA1eQO+x1iDLH5A AT mail DOT gmail DOT com> <okgfdb$n59$1 AT blaine DOT gmane DOT org> <CAD8GWssNeQxTrLim_kO+2nhSzRXR6Kq9h12Sjw2Pg5bVJ0BkTw AT mail DOT gmail DOT com>
From: Lee <ler762 AT gmail DOT com>
Date: Tue, 18 Jul 2017 12:30:18 -0400
Message-ID: <CAD8GWsvTt59wL8ZUJkzDP1MLeA3UawE6q0mfSUQ8uiGeUU2DWQ@mail.gmail.com>
Subject: Re: gpg ca-cert-file=[which file???]
To: cygwin AT cygwin DOT com

On 7/17/17, Lee  wrote:
>
> I don't care about EV right now.  I don't want to trust any
> certificate issued by CNNIC & a few other CAs.  How do I do that?

I didn't realize just how big a can of worms I'd opened.  But I'm
close enuf to where I wanted to be that I'm done for now.

https://bugzilla.redhat.com/show_bug.cgi?id=873373#c3
  Feedback from people who know would be good.

Which is why I've been so verbose - I was hoping for feedback from
Someone Who Knows :)

My code auditor skillz leave much to be desired, so my gpg.conf now has
  keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.crt
  ## keyserver-options ca-cert-file=/usr/ssl/certs/ca-bundle.trust.crt
  ##   ca-bundle.crt       = trusted root certs
  ##   ca-bundle.trust.crt = trusted root certs + explicitly UNtrusted root certs
  ## does gpg check the trust bits in the certs??? need to figure that out
  ## before using ca-bundle.trust.crt

To see all the certificates in a bundle:
$ ./listcerts.sh | head -5
subject= /CN=ACCVRAIZ1/OU=PKIACCV/O=ACCV/C=ES
subject= /CN=ACEDICOM Root/OU=PKI/O=EDICOM/C=ES
subject= /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
subject= /C=IT/L=Milan/O=Actalis S.p.A./03358520967/CN=Actalis Authentication Root CA
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

$ cat listcerts.sh
#!/bin/sh
# ref: https://serverfault.com/questions/590870/how-to-view-all-ssl-certificates-in-a-bundle

FILE="/etc/pki/tls/certs/ca-bundle.crt"
# FILE="/etc/pki/tls/certs/ca-bundle.trust.crt"

# Accumulate each -----BEGIN ... -----END block and pipe it to openssl,
# which prints that certificate's subject; close(cmd) flushes one cert per run.
awk -v cmd="openssl x509 -noout -subject" '
/^-----BEGIN/ { c = $0; next }
{ c = c "\n" $0 }
/^-----END/ { print c|cmd; close(cmd); c = "" }
' "$FILE"

# openssl x509 -noout -text
#  to see all the certificate info

$

to blacklist a cert - in this case
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

- find the specific cert in the bundle
- extract just that cert and save it to a file
- verify you extracted the right cert
$ openssl x509 -noout -text -in ~/t/CNNIC.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1228079105 (0x49330001)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, O=CNNIC, CN=CNNIC ROOT
        Validity
            Not Before: Apr 16 07:09:14 2007 GMT
            Not After : Apr 16 07:09:14 2027 GMT
        Subject: C=CN, O=CNNIC, CN=CNNIC ROOT
        Subject Public Key Info:
  <.. snip ..>

- copy the cert to /etc/pki/ca-trust/source/blacklist
$ mv ~/t/CNNIC.pem /etc/pki/ca-trust/source/blacklist/

- update the trust db
$ update-ca-trust

- verify the untrusted cert has been blacklisted:
$ ./listcerts.sh | grep CNNIC

- make an oopsie?
$ mv /etc/pki/ca-trust/source/blacklist/CNNIC.pem ~/t
$ update-ca-trust
$ ./listcerts.sh | grep CNNIC
subject= /C=CN/O=CNNIC/CN=CNNIC ROOT

Regards,
Lee

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
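As an added example (not part of Lee's post or of the Cygwin project), here is a small POSIX shell script that does the "find the specific cert / extract just that cert" steps above mechanically: it splits a PEM bundle into one file per certificate so a single root can be inspected with openssl and then moved into the blacklist directory. The sample bundle at the bottom is constructed with placeholder bodies so the splitting runs offline; `pem_subject` and `pem_find` assume `openssl` is on the PATH, exactly as listcerts.sh does, and the bundle and output paths are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not Lee's listcerts.sh: split a CA bundle into per-cert files.
# Both "-----BEGIN CERTIFICATE-----" and the "-----BEGIN TRUSTED CERTIFICATE-----"
# blocks used by ca-bundle.trust.crt are handled, because both start with "-----BEGIN ".

# pem_count BUNDLE : number of PEM blocks in the bundle
pem_count() {
    grep -c '^-----BEGIN ' "$1"
}

# pem_split BUNDLE OUTDIR : write cert-1.pem, cert-2.pem, ... into OUTDIR.
# Lines outside a BEGIN/END block (comments, blank lines) are dropped.
pem_split() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /^-----BEGIN / { n++; out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock        { print > out }
        /^-----END /   { close(out); inblock = 0 }
    ' "$1"
}

# pem_subject FILE : subject of one extracted cert (needs openssl, as in listcerts.sh)
pem_subject() {
    openssl x509 -noout -subject -in "$1"
}

# pem_find BUNDLE OUTDIR PATTERN : split the bundle and print the path of each
# cert whose subject matches PATTERN (a grep regex), e.g. pem_find bundle out CNNIC
pem_find() {
    pem_split "$1" "$2"
    for f in "$2"/cert-*.pem; do
        if pem_subject "$f" | grep -q -- "$3"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed sample bundle: the bodies are placeholders, not real certificates,
# so only the splitting is exercised here; run pem_find against a real bundle.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_BUNDLE="$SAMPLE_DIR/bundle.crt"
cat > "$SAMPLE_BUNDLE" <<'EOF'
# comment lines between blocks are ignored
-----BEGIN CERTIFICATE-----
FIRST
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
SECOND
-----END TRUSTED CERTIFICATE-----

-----BEGIN CERTIFICATE-----
THIRD
-----END CERTIFICATE-----
EOF

pem_split "$SAMPLE_BUNDLE" "$SAMPLE_DIR/split"
echo "certificates in bundle: $(pem_count "$SAMPLE_BUNDLE")"
ls "$SAMPLE_DIR/split"
```

Against a real bundle, `pem_find /etc/pki/tls/certs/ca-bundle.crt /tmp/split CNNIC` prints the file holding that root; that file is what gets checked with `openssl x509 -noout -text -in` and then moved to /etc/pki/ca-trust/source/blacklist/ before `update-ca-trust`, as in the steps above. The split keeps each block byte-for-byte, so the extracted file is the same PEM that was in the bundle, which is what the blacklist directory needs to match.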

  Copyright © 2019   by DJ Delorie     Updated Jul 2019