cloudflare / cfssl_trust Goto Github PK

There is a new intermediate available:

• ref: https://www.cybertrust.co.jp/info/2023/1208-new-intermediate-certificates.html

I used to use format.go to create a directory of certificates from a bundle. It looks like the CLI tool has seen some major improvements, but I'm curious what the sanest way to replicate that functionality is. It appears the most naive way would be to dump the release-info and then loop with the dump command, but that feels inefficient compared to the single command.

Originally filed as cloudflare/cfssl#589 but should have been filed here:

git clone https://github.com/cloudflare/cfssl.git cftest
Cloning into 'cftest'...
remote: Counting objects: 6855, done.
remote: Compressing objects: 100% (71/71), done.
Receiving objects: 100% (6855/6855), 8.10 MiB | 423.00 KiB/s, done.1

Resolving deltas: 100% (2913/2913), done.
Checking connectivity... done.
error: unable to create file vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt (Invalid argument)
error: unable to create file vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt (Invalid argument)
Checking out files: 100% (3122/3122), done.
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'

Suggestion was made to also change https://github.com/cloudflare/cfssl_trust/blob/master/cmd/format/format.go to work around windows file name restrictions. I could submit a PR if you like to strip out colons for example.

This would fix #23 and #26.

We have the certificates imported into the trust database and we're using this to produce the {ca,int}-bundle.crt now. We should be able to remove the individual certificates.

Found a CA (Symantec Class 3 Secure Server CA - G4) that was missing here, but existed in the Chromium CA code.

The PEM bundles in trusted_roots appear to be missing Android versions Lollipop and Marshmallow. NSS is up to v3.22.2. Not sure about the OS bundles, but they probably need updating, too.

Not sure if you want to do this when you do #19 but per #21 you need to re-generate the bundles to support windows.

After a recent bug that was based on a typo in a json file ( f04b7a9 ) it would be useful to get this set up under TravisCI with some basic tests running.

cfssl imports from cffsl_trust which imports from cfssl. Fortunately, the cfssl packages imported by cfssl_trust don't depend on cfssl_trust. Otherwise, it wouldn't build. It's still not a great situation to be in, and we should try to sever the dependency of cfssl_trust on cfssl.

The easiest way to do this would be to just merge the two repos. cfssl_trust would still be go gettable as an individual package inside the cfssl repo. We'd have to deprecate the cfssl_trust repo and update the README to point people to the cloudflare/cfssl/trust package.

What do you think?

Also, it will be good to avoid hardcoding package name. We can parse the package name and find the latest one, fetch it along with the dsc file and verify it.

1. try to resolve dependency with go mod enable
2. go build ...

the following error appears:

github.com/cloudflare/cfssl_trust/@v/v0.0.0-20160211195630-555f7ac5ef2b.zip: malformed file path "ca-bundle/S-TRUSTAuthenticationandEncryptionRootCA2005:PN_2005-6-22_SHA1WithRSA.crt": invalid char ':'
go: extracting github.com/cloudflare/go-metrics v0.0.0-20151117154305-6a9aea36fb41
go: extracting github.com/cloudflare/redoctober v0.0.0-20160202033125-18b5ac859f0a
{
  "status": "failure",
  "totals": {
    "success": 0,
    "failure": 1
  }
}

Hi, this is a very initial report as we're not yet fully aware of which package is exactly affected.
However, we are getting 404s In our of our bootstrap scripts. If it's possible for you guys to restore the previous directory structure, we can investigate where this comes from without affecting server bootstraps.

There is at least one file in this repo which has a colon its filename which means as part of revendoring the docker engine http://GitHub.com/docker/docker (which incorporates part of this repo in its vendor structure), the revendoring process using the vndr tool (https://github.com/LK4D4/vndr) by @LK4D4 fails on Windows (colon is not a valid character in a filename).

Unfortunately git clone attempts to clone the entire repo, and I can't just add the directory to the .gitignore.

Would it be possible to rename this file? (Or others which similarly have invalid Windows characters in their filenames?)

2016/11/06 13:31:49 Errors on clone:
github.com/cloudflare/cfssl: Err: exit status 128, out: Cloning into 'E:\go\src\github.com\docker\docker\vendor\github.com\cloudflare\cfssl'...
error: unable to create file vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt: Invalid argument
error: unable to create file vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt: Invalid argument

trying to check this out on windows and it appears to fail:

C:\Users\klauer\Downloads> git clone [email protected]:cloudflare/cfssl_trust.git
Cloning into 'cfssl_trust'...
remote: Counting objects: 6496, done.
remote: Total 6496 (delta 0), reused 0 (delta 0), pack-reused 6496R
Receiving objects: 100% (6496/6496), 29.76 MiB | 8.40 MiB/s, done.
Resolving deltas: 100% (1217/1217), done.
error: unable to create file vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA.crt: Invalid argument
error: unable to create file vendor/github.com/cloudflare/cfssl/vendor/github.com/cloudflare/cfssl_trust/ca-bundle/SwissSignCA(RSAIKMay6199918:00:58)_2000-11-26_SHA1WithRSA_2.crt: Invalid argument
Checking out files: 100% (6524/6524), done.
fatal: unable to checkout working tree
warning: Clone succeeded, but checkout failed.
You can inspect what was checked out with 'git status'
and retry the checkout with 'git checkout -f HEAD'

We would like to add SSL.com's 4 Roots to the Nimbus accepted roots. All roots are currently trusted by Mozilla and Microsoft.
The certificates for the aforementioned roots can be found at:
https://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.pem
https://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.pem
https://www.ssl.com/repository/SSLcomRootCertificationAuthorityECC.pem
https://www.ssl.com/repository/SSLcomEVRootCertificationAuthorityECC.pem

Thank you.

After landing cloudflare/cfssl#812, please re-vendor that. Currently this repo can't be checked out on filesystems that disallow the colon (:) character in names.

(Separately I have to wonder why there is a circular dependency between these two repositories.)