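# script for securely downloading and massaging the officially sanctioned
# root ca certificate blob from mozilla
# created by ismael ferreras morezuelas aka swyter (swyterzone+ros@gmail.com)
#
# run it with `cmake -P <this file>`. it leaves two files in the current
# directory: ./mozilla-certdata.txt (the raw download) and
# ./mozilla-certdata.inf (the generated registry dump). any download error is
# fatal, so a truncated or unverified trust store is never written out quietly.

cmake_minimum_required(VERSION 2.8.11)

set(remote "https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1")
set(flocal ./mozilla-certdata.txt)
set(foutput ./mozilla-certdata.inf)

# the download is pinned to the ca bundle shipped next to this script. without it
# curl cannot validate the server certificate, and then the whole point is lost,
# so check for it up front instead of letting the download fail with a vague log.
set(cainfo "${CMAKE_CURRENT_SOURCE_DIR}/curl-ca-bundle.crt")
if(NOT EXISTS "${cainfo}")
    message(FATAL_ERROR "[!] error: CA bundle '${cainfo}' not found, cannot verify the TLS connection to '${remote}'")
endif()

message(STATUS "[+] downloading Mozilla's Certificate Authority Store bundle over HTTPS...")

# note: ROSBE-61 used to get in the way of fetching this over HTTPS. the url
# above is HTTPS and TLS_VERIFY is on, so a spoofed or tampered download fails
# right here instead of ending up in the trust store.
file(DOWNLOAD "${remote}" "${flocal}"
    STATUS status
    LOG log
    SHOW_PROGRESS
    TLS_VERIFY on
    TLS_CAINFO "${cainfo}")

list(GET status 0 status_code)
list(GET status 1 status_string)

if(NOT status_code EQUAL 0)
    message(FATAL_ERROR "[!] error: downloading Mozilla's Root CA list from '${remote}' failed
status_code: ${status_code}
status_string: ${status_string}
log: ${log}
")
endif()

message(STATUS "[+] reading its contents into memory...")

# +1mb of text file into a single string? why not?
file(READ "${flocal}" flocal_mem)

message(STATUS "[+] line-splitting it into an iterable list...")

# turn the string into a loop-able list and reverse it. the parser below walks
# the file bottom-up, so the trust object (which decides whether a certificate
# is kept at all) is seen before the certificate blob it belongs to.
string(REPLACE "\n" ";" flocal_list "${flocal_mem}")
list(REVERSE flocal_list)

# replace any possibly existing output file (note the WRITE instead of using APPEND)
file(WRITE "${foutput}" "; Automatically-generated list of fresh Root CA certificates\n")
file(APPEND "${foutput}" "; with the data coming from Mozilla's NSS library.\n")

# add a timestamp for good measure
string(TIMESTAMP cur_time UTC)
file(APPEND "${foutput}" "; --\n; Created on ${cur_time} UTC with swyter's script.\n")
file(APPEND "${foutput}" "; Data licensed under MPL 2.0 \n")
file(APPEND "${foutput}" "\n[Version]\nSignature = \"$ReactOS$\"\n\n[AddReg]")

message(STATUS "[+] converting into a handy registry dump file...")

# hex digit alphabet used to build both lookup tables below.
set(hex_digits 0 1 2 3 4 5 6 7 8 9 A B C D E F)

# dec->hex lookup table: lut_dec[n] is the two-digit upper-case hex form of n,
# for 0 <= n <= 255. generated rather than typed out so it cannot contain typos.
set(lut_dec "")
foreach(n RANGE 255)
    math(EXPR hi "${n} / 16")
    math(EXPR lo "${n} % 16")
    list(GET hex_digits ${hi} hi_digit)
    list(GET hex_digits ${lo} lo_digit)
    list(APPEND lut_dec "${hi_digit}${lo_digit}")
endforeach()

# oct->hex lookup table, indexed by the *decimal reading* of a three-digit octal
# byte exactly as it appears in certdata.txt: "\123" is looked up as lut[123].
# indices whose middle or last digit is 8 or 9 are not valid octal and hold the
# "--" marker instead, which octal_to_hex() below treats as a fatal error.
set(lut "")
foreach(i RANGE 377)
    math(EXPR d_hi "${i} / 100")
    math(EXPR d_mid "(${i} / 10) % 10")
    math(EXPR d_lo "${i} % 10")
    if(d_mid GREATER 7 OR d_lo GREATER 7)
        list(APPEND lut "--")
    else()
        math(EXPR n "${d_hi} * 64 + ${d_mid} * 8 + ${d_lo}")
        list(GET lut_dec ${n} byte_hex)
        list(APPEND lut "${byte_hex}")
    endif()
endforeach()

# octal_to_hex(<out-var> <len-var> <line>)
#
# converts one "\ooo\ooo..." line of certdata.txt into "0xHH,0xHH,..." (stored
# in <out-var>) using the lut above. <len-var> receives the number of
# backslash-separated fields, which is one more than the number of bytes because
# every line starts with a backslash and therefore yields a leading empty field.
#
# aborts the script if a field is not a valid octal byte, rather than emitting a
# corrupt blob into the trust store.
function(octal_to_hex OUT LEN IN)
    # turn the string into a loop-able list.
    string(REPLACE "\\" ";" val_list "${IN}")

    # start from a clean slate: function scopes inherit the caller's variables,
    # so a stray val_out would otherwise be prepended to the result.
    set(val_out "")

    # loop and process each octal number individually,
    # using the lookup table to find its corresponding value.
    foreach(val_loop ${val_list})
        list(GET lut ${val_loop} val_lut)
        if("${val_lut}" STREQUAL "--")
            message(FATAL_ERROR "[!] error: '\\${val_loop}' is not a valid octal byte in line '${IN}'")
        endif()
        # finally, concat them together.
        set(val_out "${val_out}0x${val_lut},")
    endforeach()

    list(LENGTH val_list val_len)

    set("${OUT}" "${val_out}" PARENT_SCOPE)
    set("${LEN}" "${val_len}" PARENT_SCOPE)
endfunction()

# decim_to_hex(<out-var> <number>)
#
# encodes a non-negative integer as a little-endian 32-bit value in the
# "0xHH,0xHH,0xHH,0xHH," form the .inf blob uses, one lut_dec lookup per byte.
function(decim_to_hex OUT IN)
    # peel off the four bytes, least significant first. shifting before masking
    # keeps the mask at 255 instead of the original 4278190080 (0xFF000000), a
    # constant that does not fit a 32-bit signed int and whose handling by
    # math(EXPR) may differ between cmake versions.
    math(EXPR byte_a "(${IN} >> 0) & 255")
    math(EXPR byte_b "(${IN} >> 8) & 255")
    math(EXPR byte_c "(${IN} >> 16) & 255")
    math(EXPR byte_d "(${IN} >> 24) & 255")

    # each byte is in 0-255, so a plain table lookup gives its hex form.
    list(GET lut_dec ${byte_a} bhex_a)
    list(GET lut_dec ${byte_b} bhex_b)
    list(GET lut_dec ${byte_c} bhex_c)
    list(GET lut_dec ${byte_d} bhex_d)

    set("${OUT}" "0x${bhex_a},0x${bhex_b},0x${bhex_c},0x${bhex_d}," PARENT_SCOPE)
endfunction()

# now program a state machine for parsing the structured contents.
#
# remember that the list is reversed, so every object is seen bottom-up: a
# trust object starts with its CKA_TRUST_STEP_UP_APPROVED line and ends with
# its CKA_CLASS line, a certificate object starts with the END of its
# CKA_VALUE block and ends with the "# Certificate ..." comment.
#
# every flag is initialised explicitly so the EQUAL 1 tests below never compare
# against an undefined variable.
set(sm_inside_cert 0)
set(sm_inside_trust 0)
set(sm_parse_next_cert 0)
set(sm_next_up_sha1_end 0)
set(sm_next_up_sha1_block 0)
set(sm_reached_final_of_cert_block 0)
set(sm_next_up_certname 0)
set(certcount 0)
set(certname "Unknown name (???)")

# loop every single line (foreach drops the empty ones for us)
foreach(loop_var ${flocal_list})
    # 1- conditions for when we're inside of a trust block
    if(sm_inside_trust EQUAL 1)
        # 1a- test for the beginning (the end for us) of the block, and exit if needed
        if("${loop_var}" STREQUAL "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST")
            set(sm_inside_trust 0)
        # 1b- is the cert over this trust block trusted to authenticate servers?
        #     if not, don't bother anymore, skip and wait for a new trust block
        elseif("${loop_var}" STREQUAL "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR")
            set(sm_parse_next_cert 1)
        # 1c- we're nearing the sha-1 block, two lines to go!
        elseif((sm_parse_next_cert EQUAL 1) AND ("${loop_var}" STREQUAL "CKA_CERT_MD5_HASH MULTILINE_OCTAL"))
            set(sm_next_up_sha1_end 1)
        # 1c- one line to go, almost there!
        elseif((sm_next_up_sha1_end EQUAL 1) AND ("${loop_var}" STREQUAL "END"))
            set(sm_next_up_sha1_end 0)
            set(sm_next_up_sha1_block 1)
        # 1d- we've arrived! grab the next available sha-1 hash!
        elseif(sm_next_up_sha1_block EQUAL 1)
            # evaluate if the sha-1 block has ended, if so, clean it up and save it for later.
            # note: this thumbprint is taken from the CKA_CERT_SHA1_HASH field as
            # published, it is not recomputed from the certificate bytes.
            if("${loop_var}" STREQUAL "CKA_CERT_SHA1_HASH MULTILINE_OCTAL")
                set(sm_next_up_sha1_block 0)
                # strip the "0x" prefixes and commas: the bare hex digits become the registry key name
                string(REPLACE "0x" "" certhash "${certhash}")
                string(REPLACE "," "" certhash "${certhash}")
            # still going on?
            else()
                # convert from octal into hex ...
                octal_to_hex(loop_var_hex loop_var_len "${loop_var}")
                # ... and concat the two lines together (prepending, as we walk backwards)
                set(certhash "${loop_var_hex}${certhash}")
            endif()
        endif()
    # 2- conditions for entering the trust block
    elseif("${loop_var}" STREQUAL "CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE")
        set(sm_inside_trust 1)
        set(sm_parse_next_cert 0)
        # reset everything for a possible new cert
        unset(certname)
        unset(certhash)
        unset(certdata)
        set(certsize 0)
    # --
    # 3- conditions for when we're inside of a cert block
    elseif(sm_inside_cert EQUAL 1)
        # 3a- search for the end of the octal block
        if("${loop_var}" STREQUAL "CKA_VALUE MULTILINE_OCTAL")
            set(sm_reached_final_of_cert_block 1)
        # 3b- parse every octal line, convert them and stitch them together, hot spot
        elseif(NOT sm_reached_final_of_cert_block EQUAL 1)
            # convert from octal into hex
            octal_to_hex(loop_var_hex loop_var_len "${loop_var}")
            # concat the lines together
            set(certdata " ${loop_var_hex}\\\n${certdata}")
            # sum the size in bytes (the leading empty field reported by octal_to_hex is not a byte)
            math(EXPR certsize "${certsize} + (${loop_var_len} - 1)")
        # 3c- once we've finished converting find the very start of the cert, one line to go!
        elseif("${loop_var}" STREQUAL "#")
            set(sm_next_up_certname 1)
        # 3d- have we reached the end of an encoded cert?
        # restart the state machine and append it to our file
        elseif(sm_next_up_certname EQUAL 1)
            # grab the cert name from the comment at the start of the block
            # (everything after the 14 characters of "# Certificate ")
            string(SUBSTRING "${loop_var}" 14 -1 certname)

            # reset everything for the next run
            set(sm_reached_final_of_cert_block 0)
            set(sm_next_up_certname 0)
            set(sm_inside_cert 0)

            decim_to_hex(certsize_hex ${certsize})

            # print it just for kicks :)
            message(" \\__ ${certname}: ${certsize} bytes")

            # drop the trailing ",\" + newline left behind by the last prepended line.
            # SUBSTRING does not take negative lengths, so compute the length by hand.
            string(LENGTH "${certdata}" certdatalength)
            math(EXPR certdatalength "${certdatalength} - 3")
            string(SUBSTRING "${certdata}" 0 ${certdatalength} certdata)

            # save it all to the output .inf thingie
            # (the blob is wrapped, or preceded, by a silly WINE_CERT_PROP_HEADER struct header)
            file(APPEND "${foutput}"
                "\n; ${certname} (${certsize} bytes)\n"
                "HKLM,\"SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\${certhash}\",\"Blob\",0x00000001,\\\n"
                " 0x20,0x00,0x00,0x00,\\\n" # propid: always cert = 32 (0x20)
                " 0x01,0x00,0x00,0x00,\\\n" # number of certificates in blob: 1
                " ${certsize_hex}\\\n"      # cert data size in bytes: variable (1 uint, 4 bytes)
                "${certdata}\n")

            # count the number of saved certs, just for kicks
            math(EXPR certcount "${certcount} + 1")
        endif()
    # 4- conditions for entering the cert block;
    # only add trusted certificates: sm_parse_next_cert is set solely by a trust
    # object marking the cert CKT_NSS_TRUSTED_DELEGATOR for server auth, so the
    # entries mozilla intentionally distrusts never get this far.
    elseif((sm_parse_next_cert EQUAL 1) AND ("${loop_var}" STREQUAL "END"))
        set(sm_inside_cert 1)
    endif()
endforeach()

message(STATUS "[+] done... ${certcount} freshly baked Root CA certificates ready for ReactOS...")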