Bug 616002 - =app-misc/ca-certificates-20161130.3.30.1 with USE="-insecure_certs" still installs 2 WoSign CAs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PATCH
Depends on:
Blocks:
 
Reported: 2017-04-19 11:36 UTC by dwfreed
Modified: 2017-08-08 07:41 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Proposed patch (fix_bug616002.patch,834 bytes, patch)
2017-04-26 07:30 UTC, Thomas Deutschmann (RETIRED)

Description dwfreed 2017-04-19 11:36:50 UTC
The following WoSign CAs are still being installed even with USE="-insecure_certs":

CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, O=WoSign CA Limited, C=CN

Their canonical paths are:

/usr/share/ca-certificates/mozilla/Certification_Authority_of_WoSign_G2.crt
/usr/share/ca-certificates/mozilla/CA_WoSign_ECC_Root.crt

And here they are in the OpenSSL certificate directory:

# ls -l /etc/ssl/certs | grep -i wosign
lrwxrwxrwx 1 root root     22 Apr  6 16:16 26eaad2f.0 -> CA_WoSign_ECC_Root.pem
lrwxrwxrwx 1 root root     65 Apr  6 16:16 CA_WoSign_ECC_Root.pem -> ../../../usr/share/ca-certificates/mozilla/CA_WoSign_ECC_Root.crt
lrwxrwxrwx 1 root root     83 Apr  6 16:16 Certification_Authority_of_WoSign_G2.pem -> ../../../usr/share/ca-certificates/mozilla/Certification_Authority_of_WoSign_G2.crt
lrwxrwxrwx 1 root root     40 Apr  6 16:16 f38a011e.0 -> Certification_Authority_of_WoSign_G2.pem
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-04-26 07:30:24 UTC
Created attachment 470920 [details, diff]
Proposed patch

Please see my proposed patch:

When applied, users without the insecure_certs USE flag will see an elog telling them why we are removing some certs and also a list of certs which were removed.

Patch is now using "find" to remove all WoSign and StartCom certs.
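The "find"-based removal described in comment 1, together with the symlink check from the bug description, as an added example that is not the attached patch or the Gentoo ebuild. It runs on a constructed stand-in for /usr/share/ca-certificates (hypothetical placeholder .crt files, no real certificates) so it needs no root and touches nothing on the host; the assumed layout is a mozilla/ subdirectory with file names containing "WoSign" or "StartCom", matching the paths quoted in the description. It also shows the practitioner caveat that the hash symlinks in the OpenSSL certificate directory point at nothing once the .crt files are deleted, until update-ca-certificates regenerates them.

```shell
#!/bin/sh
# Added example, not code from the ebuild or the attached patch.
# Emulates the find-based removal of WoSign/StartCom roots on a
# constructed certificate tree (placeholder files, not real certs).
set -eu

# Build a constructed sample tree: $dir/mozilla holds the .crt files,
# $dir/certs holds symlinks like the ones in /etc/ssl/certs.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/mozilla" "$dir/certs"
    for name in Certification_Authority_of_WoSign_G2 CA_WoSign_ECC_Root \
                StartCom_Certification_Authority DigiCert_Global_Root_CA; do
        printf -- '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n' \
            > "$dir/mozilla/$name.crt"
        ln -s "../mozilla/$name.crt" "$dir/certs/$name.pem"
    done
    printf '%s\n' "$dir"
}

# List every certificate file whose name matches the two CAs distrusted
# by Mozilla; case-insensitive so CN casing variants are also caught.
find_untrusted_certs() {
    find "$1" -type f \( -iname '*WoSign*' -o -iname '*StartCom*' \) | sort
}

# Remove the matches and print an elog-style explanation plus the list,
# which is the behaviour comment 1 describes for USE="-insecure_certs".
remove_untrusted_certs() {
    removed=$(find_untrusted_certs "$1")
    if [ -z "$removed" ]; then
        echo "elog: no WoSign/StartCom certificates found under $1"
        return 0
    fi
    echo "elog: removing CA certificates distrusted by Mozilla (WoSign/StartCom):"
    echo "$removed" | while IFS= read -r f; do
        rm -f "$f"
        echo "elog:   $(basename "$f")"
    done
}

# Count the .crt files that remain, so the result is checkable.
count_certs() {
    find "$1" -type f -name '*.crt' | wc -l | tr -d ' '
}

# Symlinks whose target no longer exists: what /etc/ssl/certs looks like
# after the .crt files go away and before the link farm is regenerated.
dangling_links() {
    find "$1" -type l ! -exec test -e {} \; -print | sort
}

# Stand-alone demonstration on the constructed tree.
tree=$(make_sample_tree)
echo "before: $(count_certs "$tree/mozilla") certs"
remove_untrusted_certs "$tree/mozilla"
echo "after:  $(count_certs "$tree/mozilla") certs"
echo "stale symlinks (rerun update-ca-certificates to clear them):"
dangling_links "$tree/certs"
rm -rf "$tree"
```

On a real system the equivalent check is `find /usr/share/ca-certificates -iname '*WoSign*' -o -iname '*StartCom*'` followed by `ls -l /etc/ssl/certs | grep -i wosign`, as in the description; an empty result from both is the state the -insecure_certs build should leave behind.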
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-08-08 07:41:21 UTC
commit b2cae8b25d30cee6412433139fbc323f08cffb8a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Aug 8 09:38:15 2017

    app-misc/ca-certificates: Fixed removal of untrusted certs (#616002).
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.3