
ca-certificates

commit 3ef4adaf4bbd23d345723e443e5352918f1f0688
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sun,  7 May 2017 02:05:40 +0200

Initial Commit

Diffstat:
CertificatesAutorities.md | 46++++++++++++++++++++++++++++++++++++++++++++++
README.md | 13+++++++++++++
make.sh | 56++++++++++++++++++++++++++++++++++++++++++++++++++++++++
src/.keep | 0
4 files changed, 115 insertions(+), 0 deletions(-)

diff --git a/CertificatesAutorities.md b/CertificatesAutorities.md
@@ -0,0 +1,46 @@
+## CACert.org
+-recomendations: Medium
+ - SHA1 Fingerprint
+ - no ECC certificates
+-signed: 1024D OpenPGP on SHA1 fingerprint
+-verification:
+ - domains aren’t checked for modifications (verifies only once)
+ - uses hardcoded/whois’ed emails… not so secure (let’s register every {admin,root,webmaster}@host with public registeration)
+
+## immerda.ch
+-note: There is something about Let’s Encrypt on the website, I hope they keep their CA until Let’s Encrypt is more trustable
+-recomendations: OK
+-signed: OpenPGP on root
+-verification: unknow
+
+## sks-keyservers.net
+-recomendations: OK
+-signed: OpenPGP on root
+-verification: OK(only for keyservers)
+
+## hackint.org
+-signed: OpenPGP on root
+-recomendations: OK
+-verification: OK(only for hackint.org)
+
+## LetsEncrypt.org
+-note: is probably too big[1], legalities are horrible (but you don’t actually accept them knownfully)
+-recomendations: OK
+-signed: No
+-verification: OK(ACME)
+
+## IdenTrust.com
+-note: Cross-sign of LetsEncrypt.org
+-recomendations:
+ - SHA1 Fingerprint
+-signed: No
+-verification: unknow
+
+## Symantec.com
+-recomendations:
+ - SHA1 Fingerprint
+-signed: Fingerprint but SHA1
+-verification: unknow
+
+---
+1: owners/crackers/governments will do shit on it
diff --git a/README.md b/README.md
@@ -0,0 +1,13 @@
+# CA certificates
+Notes:
+* CAs are deprecated (for me), we should use alternatives (DANE is good, maybe a TLS-side HPKP, DNSSEC should be replaced with DNSCrypt or equivalent). So this is only for like… backward compatibility but still staying secure.
+
+## Rules
+- CA root file MUST be OpenPGP signed or equivalent
+- Certification Autorities SHOULD verify owning of the address/domain and MUST NOT create know fake certificates
+- SHOULD follow latest recomendations/rules of cryptography (RFC, parts of : NSA, NIST, ANSSI)
+
+## Dependencies
+* POSIX system
+* Internet (downloading CA root certificates)
+* OpenPGP
diff --git a/make.sh b/make.sh
@@ -0,0 +1,56 @@
+GET="wget -c --no-check-certificate"
+OPGP="gpg --auto-key-retrieve --verify"
+SRC_URI="https://hackint.org/crt/rootca.crt
+https://sks-keyservers.net/sks-keyservers.netCA.pem
+https://sks-keyservers.net/sks-keyservers.netCA.pem.asc
+https://www.immerda.ch/assets/certs/immer-ca.crt
+https://www.immerda.ch/assets/certs/immer-ca.crt.asc"
+
+VERIFICATIONS="openpgp-direct openpgp-fingerprint"
+
+openpgp-direct() {
+ for i in *.asc; do $OPGP ${i} || exit; done
+}
+openpgp-fingerprint() {
+ echo 'Not yet done, anyway cacert.org uses broken crypto for this verification'
+ exit
+}
+
+clean() {
+ set -x
+ rm -fr src/* ca-certificates.pem
+}
+
+install() {
+ echo 'I don’t know how to install… there is no standard on that'
+ echo " * OpenSSL/LibreSSL: put ca-certificates.pem or src/*.pem in /usr/local/share/ca-certificates and do update-ca-certificates"
+ echo " * GnuPG: “hkp-cacert $(pwd)/src/sks-keyservers.netCA.pem” in ${GNUPGHOME:-$HOME/.gnupg}/dirmngr.conf"
+ echo " * Mono (import): mozroot --import $(pwd)/ca-certificates.pem"
+ echo " * Mono (replace): mozroot --sync --file $(pwd)/ca-certificates.pem"
+}
+
+main() {
+ set -x
+
+ mkdir src; cd src
+
+ for i in $SRC_URI; do $GET ${i}; done
+ wget -O rootca.crt.asc https://hackint.org/crt/sigs/combined.asc
+ for i in $VERIFICATIONS; do ${i}; done
+
+ cd ..
+
+ cat src/*.crt src/*.pem > ca-certificates.pem
+}
+
+case "$1" in
+ clean*)
+ clean
+ ;;
+ install*)
+ install
+ ;;
+ all*|*)
+ main
+ ;;
+esac
diff --git a/src/.keep b/src/.keep
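Review bot: The signature check in `openpgp-direct` never pins who signed: `OPGP="gpg --auto-key-retrieve --verify"` exits 0 for a good signature from any key gpg can fetch from a keyserver, so a download that has been swapped for an attacker's `.crt` plus an `.asc` made with the attacker's own key passes, which defeats the README's "MUST be OpenPGP signed" rule. Pin the expected signers in a keyring committed next to the script and verify only against it, e.g. `OPGP="gpgv --keyring ./trusted-signers.gpg"` and in the loop `$OPGP "${i}" "${i%.asc}" || exit 1`. This matters doubly here because `GET="wget -c --no-check-certificate"` also turns off TLS verification for the downloads (only the hackint `combined.asc` fetch uses a bare `wget`), leaving the OpenPGP signature as the sole integrity check. Separately, `openpgp-fingerprint` ends in an unconditional `exit`, and `main` calls it from the `$VERIFICATIONS` loop before `cd ..` and the `cat`, so as committed `ca-certificates.pem` is never written; returning non-zero from that function and checking the result in `main` would let the build reach the concatenation.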