Merge ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values into ubuntu/+source/shim:ubuntu/devel

Proposed by Jeff Squyres
Status: Needs review
Proposed branch: ~jsquyres-cisco/ubuntu/+source/shim:pr/better-make-cert-field-values
Merge into: ubuntu/+source/shim:ubuntu/devel
Diff against target: 71 lines (+10/-13)
1 file modified
make-certs (+10/-13)
Reviewer Review Type Date Requested Status
Ubuntu Server Dev import team Pending
Review via email: mp+395923@code.launchpad.net

Description of the change

My group recently had a somewhat-alarming day when we noticed a basically-unlabeled MOK on our machines. After several hours, we finally tracked the cert down to https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197.

This merge proposal simply updates the certificate meta data in an attempt to help future admins who notice this MOK be able to track it down and see that it is, indeed, a legitimate / necessary certificate.

To post a comment you must log in.
Revision history for this message
Jeff Squyres (jsquyres-cisco) wrote :

Could someone from the review team have a look at this PR? Thanks!

Unmerged commits

b74e498... by Jeff Squyres <email address hidden>

make-certs: improve locality, org, and comments

Use something slightly less generic than "SomeCity" / "SomeOrg" for
meta data given to new certs. The intent to be help a curious
sysadmin who stumbles across a MOK on their system that was created by
an ephemeral certificate have a better/easier chance of tracking down
exactly what that MOK is / is for (see
https://bugs.launchpad.net/ubuntu/+source/shim-signed/+bug/1880197).

Signed-off-by: Jeff Squyres <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/make-certs b/make-certs
index 3e9293b..990884b 100755
--- a/make-certs
+++ b/make-certs
@@ -219,9 +219,8 @@ subjectKeyIdentifier=hash
219219
220[req_ca_name]220[req_ca_name]
221C=US221C=US
222#stateOrProvinceName=SomeState222localityName=Internal
223localityName=SomeCity223O=Ubuntu shim package build system
224O=SomeOrg
225EOF224EOF
226#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf225#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
227cat >> openssl.cnf <<- EOF226cat >> openssl.cnf <<- EOF
@@ -233,7 +232,7 @@ authorityKeyIdentifier=keyid:always
233#authorityKeyIdentifier=keyid:always,issuer:always232#authorityKeyIdentifier=keyid:always,issuer:always
234keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign233keyUsage=nonRepudiation,digitalSignature,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
235basicConstraints=critical,CA:TRUE234basicConstraints=critical,CA:TRUE
236nsComment="Testing CA Certificate"235nsComment="CA Certificate from Ubuntu shim package build system"
237EOF236EOF
238if test -n "$aia" ; then237if test -n "$aia" ; then
239 echo "authorityInfoAccess = ${aia}" >> openssl.cnf238 echo "authorityInfoAccess = ${aia}" >> openssl.cnf
@@ -254,9 +253,8 @@ default_md = $DIGEST
254253
255[req_ocsp_name]254[req_ocsp_name]
256C=US255C=US
257#stateOrProvinceName=SomeState256localityName=Internal
258localityName=SomeOrg257O=Ubuntu shim package build system
259O=SomeOrg
260EOF258EOF
261#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf259#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
262cat >> openssl.cnf <<- EOF260cat >> openssl.cnf <<- EOF
@@ -270,7 +268,7 @@ keyUsage=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgr
270extendedKeyUsage=1.3.6.1.5.5.7.3.9268extendedKeyUsage=1.3.6.1.5.5.7.3.9
271#basicConstraints=CA:FALSE269#basicConstraints=CA:FALSE
272basicConstraints=CA:TRUE270basicConstraints=CA:TRUE
273nsComment="Testing OCSP Certificate"271nsComment="OCSP Certificate from Ubuntu shim package build system"
2741.3.6.1.5.5.7.48.1.5=ASN1:NULL2721.3.6.1.5.5.7.48.1.5=ASN1:NULL
275EOF273EOF
276if test -n "$aia" ; then274if test -n "$aia" ; then
@@ -289,9 +287,8 @@ default_md = $DIGEST
289287
290[req_issued_name]288[req_issued_name]
291C=US289C=US
292#stateOrProvinceName=SomeState290localityName=Internal
293localityName=SomeCity291O=Ubuntu shim package build system
294O=SomeOrg
295EOF292EOF
296#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf293#echo $DOMAIN | awk 'BEGIN {FS="."}{for(i=NF;i>0;i--){print NF-i ".domainComponent="$i;}}' >> openssl.cnf
297#mail = $GIVENUSER294#mail = $GIVENUSER
@@ -322,10 +319,10 @@ if test -n "$eku" ; then
322fi319fi
323if test "x$CA" = xTRUE ; then320if test "x$CA" = xTRUE ; then
324 echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf321 echo "basicConstraints=critical,CA:TRUE" >> openssl.cnf
325 echo 'nsComment="Testing CA Certificate for '"$commonname"'"' >> openssl.cnf322 echo 'nsComment="CA Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
326else323else
327 echo "basicConstraints=CA:FALSE" >> openssl.cnf324 echo "basicConstraints=CA:FALSE" >> openssl.cnf
328 echo 'nsComment="Testing Certificate for '"$commonname"'"' >> openssl.cnf325 echo 'nsComment="Certificate from Ubuntu shim package build system for '"$commonname"'"' >> openssl.cnf
329fi326fi
330for value in $principals; do327for value in $principals; do
331 user=`echo "$value" | cut -f1 -d@`328 user=`echo "$value" | cut -f1 -d@`

Subscribers

People subscribed via source and target branches