From 3ff724dd2350442c5ebb6ead8841d488384aad5a Mon Sep 17 00:00:00 2001 From: Ben Noordhuis Date: Sat, 10 Dec 2022 16:57:01 +0100 Subject: [PATCH] tls: remove trustcor root ca certificates Follow what Ubuntu did and simply remove the CA certificates altogether. Fixes: /~https://github.com/nodejs/node/issues/45762 Refs: https://ubuntu.com/security/notices/USN-5761-2 PR-URL: /~https://github.com/nodejs/node/pull/45776 Reviewed-By: Colin Ihrig Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau --- src/node_root_certs.h | 82 ------------------------------------------- tools/mk-ca-bundle.pl | 2 ++ 2 files changed, 2 insertions(+), 82 deletions(-) diff --git a/src/node_root_certs.h b/src/node_root_certs.h index 2eb13a1dcf92ce..025df5ca3320ea 100644 --- a/src/node_root_certs.h +++ b/src/node_root_certs.h @@ -2154,88 +2154,6 @@ "boPoDKi3QWwH3b08hpcv0g==\n" "-----END CERTIFICATE-----", -/* TrustCor RootCert CA-1 */ -"-----BEGIN CERTIFICATE-----\n" -"MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYDVQQGEwJQ\n" -"QTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1\n" -"c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0\n" -"ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0\n" -"MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCBpDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFt\n" -"YTEUMBIGA1UEBwwLUGFuYW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4g\n" -"ZGUgUi5MLjEnMCUGA1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYD\n" -"VQQDDBZUcnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n" -"CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpidRtLByZ5O\n" -"Gy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3Vseq0iWEk8xoT26nP\n" -"Uu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme9J7+wH5COucLlVPat2gOkEz7\n" -"cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CVEY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYf\n" -"YW0PVcWDtxBWcgYHpfOxGgMFZA6dWorWhnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2Mw\n" -"YTAdBgNVHQ4EFgQU7mtJPHo/DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOx\n" -"CbeKyKsZn3MzUOcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN\n" -"AQELBQADggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I\n" -"/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yfke+Ri7fc\n" -"7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZyonnMlo2HD6CqFqT\n" -"vsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djtsL1Ac59v2Z3kf9YKVmgenFK+P\n" -"3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdNzl/HHk484IkzlQsPpTLWPFp5LBk=\n" -"-----END CERTIFICATE-----", - -/* TrustCor RootCert CA-2 */ -"-----BEGIN CERTIFICATE-----\n" -"MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBB\n" -"MQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVz\n" -"dENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRl\n" -"IEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQx\n" -"MjMyMjNaFw0zNDEyMzExNzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1h\n" -"MRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBk\n" -"ZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNV\n" -"BAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\n" -"AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2N\n" -"yuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfD\n" -"QiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp\n" -"8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nKDOObXUm4TOJXsZiKQlecdu/vvdFoqNL0\n" -"Cbt3Nb4lggjEFixEIFapRBF37120Hapeaz6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3\n" -"GIJ2SDpxsROhOdUuxTTCHWKF3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz2\n" -"7Ud+ez1m7xMTiF88oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjx\n" -"klb9tTNMg9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3\n" -"mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh8N0JqSDI\n" -"vgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU2f4h\n" -"QG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYD\n" -"VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7\n" -"tu/hOsh80QA9z+LqBrWyOrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYnd\n" -"Afrs3fnpkpfbsEZC89NiqpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40\n" -"/W5ulop5A7Zv2wnL/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARpp\n" -"v9JYx1RXCI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa\n" -"ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2U\n" -"mw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk\n" -"2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFij\n" -"MDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimT\n" -"HpKG9n/v55IFDlndmQguLvqcAFLTxWYp5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUou\n" -"wpaYT05KnJe32x+SMsj/D1Fu1uwJ\n" -"-----END CERTIFICATE-----", - -/* TrustCor ECA-1 */ -"-----BEGIN CERTIFICATE-----\n" -"MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYDVQQGEwJQ\n" -"QTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1\n" -"c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0\n" -"ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29yIEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oX\n" -"DTI5MTIzMTE3MjgwN1owgZwxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNV\n" -"BAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4x\n" -"JzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1\n" -"c3RDb3IgRUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb\n" -"3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOABoJA6LHi\n" -"p1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A53ThFEXXQmqc04L/N\n" -"yFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4OuowReUoCLHhIlERnXDH19MURB\n" -"6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7\n" -"zPIlstR8L+xNxqE6FXrntl019fZISjZFZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1\n" -"zG1I1KBLf/5ZJC+Dl5mahjAfBgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNV\n" -"HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVw\n" -"m8nHc2FvcivUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2\n" -"AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11FhcCF5yWP\n" -"ldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50soIipX1TH0XsJ5F9\n" -"5yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BIWJZpTdwHjFGTot+fDz2LYLSC\n" -"jaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1WitJ/X5g==\n" -"-----END CERTIFICATE-----", - /* SSL.com Root Certification Authority RSA */ "-----BEGIN CERTIFICATE-----\n" "MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMx\n" diff --git a/tools/mk-ca-bundle.pl b/tools/mk-ca-bundle.pl index 2b07542b4d976f..4057c808bc6032 100755 --- a/tools/mk-ca-bundle.pl +++ b/tools/mk-ca-bundle.pl @@ -260,6 +260,8 @@ (%) if ( !should_output_cert(%trust_purposes_by_level) ) { $skipnum ++; + } elsif ($caname =~ /TrustCor/) { + $skipnum ++; } else { my $encoded = MIME::Base64::encode_base64($data, ''); $encoded =~ s/(.{1,${opt_w}})/"$1\\n"\n/g;