Passing the `-SHA1` flag instead of `-sha1` for these commands preserves
the expected capitalization of the output for later processing.
Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
This link, in combination with the /etc/ssl/certs symlink through tmpfiles,
will create the compatibility path /etc/ssl/certs/ca-certificates.crt.
This will help with statically linked (and hardcoded) programs such as
Go binaries or the Steam client.
Signed-off-by: Ikey Doherty <ikey.doherty@intel.com>
getopt returns an int rather than a char. We should we not be relying on
automatic type casting. Further, some compilers have char as unsigned
which will break the program at the ((c = getopt(argc, argv, "fs")) != -1)
evaluation with default compiler options.
Signed-off-by: California Sullivan <california.l.sullivan@intel.com>
Instead of launching 'openssl x509' for each file, use small binary to
process files in bulk. This optimization improves performance more than
7 times (measured on store generation). Performance of 'clrtrust
generate' is important for first-time booting.
Empty store is a sign of trouble. A corner case is when all the certificates are
distrusted. Make sure a set of trusted certificates is present before generating
the store. This only applies to the system store.
Also, add '--force' (or '-f') option to be able to force the generation of the
store.
In case the store being generated is the system store, ignore HUP, INT and TERM
while it's being generated and serialize store write section of the code.
This gets rid of hard dependency on external c_rehash implementation. If
there's an external command available, it will be used, otherwise
clrtrust will use its own implementation of c_rehash.
An option is added (-c or --internal-rehash) to force use of the
internal implementation.
Mozilla stores information on the distrusted certificates as SHA1 and
no certificate file itself. In order to make easier to support
Mozilla-distrusted certificates in the future, use the same digest as
the primary source of the trust information (Mozilla) does.
Allow adding trust to non-root certificate. Adding leaf or intermediate
certificates can cause inconsistent behavior, depending on the
implementation of cert chain verification. However, it might be
necessary in some cases of very broken implementation of peers (e.g.
badly configured web servers).
Robert Dower