2 // mozroots.cs: Import the Mozilla's trusted root certificates into Mono
5 // Sebastien Pouliot <sebastien@ximian.com>
7 // Copyright (C) 2005 Novell, Inc (http://www.novell.com)
9 // Permission is hereby granted, free of charge, to any person obtaining
10 // a copy of this software and associated documentation files (the
11 // "Software"), to deal in the Software without restriction, including
12 // without limitation the rights to use, copy, modify, merge, publish,
13 // distribute, sublicense, and/or sell copies of the Software, and to
14 // permit persons to whom the Software is furnished to do so, subject to
15 // the following conditions:
17 // The above copyright notice and this permission notice shall be
18 // included in all copies or substantial portions of the Software.
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
21 // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
23 // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
24 // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
25 // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
26 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
30 using System.Collections;
33 using System.Reflection;
34 using System.Security.Cryptography;
37 using Mono.Security.Authenticode;
38 using Mono.Security.X509;
40 [assembly: AssemblyTitle ("Mozilla Roots Importer")]
41 [assembly: AssemblyDescription ("Download and import trusted root certificates from Mozilla's MXR.")]
43 namespace Mono.Tools {
47 // this URL is recommended by https://bugzilla.mozilla.org/show_bug.cgi?id=1279952#c8 and is also used as basis for curl's https://curl.haxx.se/ca/cacert.pem bundle
48 private const string defaultUrl = "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt";
51 static string inputFile;
52 static string pkcs7filename;
55 static bool confirmAddition;
56 static bool confirmRemoval;
59 static byte[] DecodeOctalString (string s)
61 string[] pieces = s.Split ('\\');
62 byte[] data = new byte[pieces.Length - 1];
63 for (int i = 1; i < pieces.Length; i++) {
64 data[i - 1] = (byte) ((pieces[i][0] - '0' << 6) + (pieces[i][1] - '0' << 3) + (pieces[i][2] - '0'));
69 static X509Certificate DecodeCertificate (string s)
71 byte[] rawdata = DecodeOctalString (s);
72 return new X509Certificate (rawdata);
75 static Stream GetFile ()
78 if (inputFile != null) {
79 return File.OpenRead (inputFile);
81 WriteLine ("Downloading from '{0}'...", url);
82 HttpWebRequest req = (HttpWebRequest) WebRequest.Create (url);
84 return req.GetResponse ().GetResponseStream ();
91 static X509CertificateCollection DecodeCollection ()
93 X509CertificateCollection roots = new X509CertificateCollection ();
94 StringBuilder sb = new StringBuilder ();
95 bool processing = false;
97 using (Stream s = GetFile ()) {
99 WriteLine ("Couldn't retrieve the file using the supplied information.");
103 StreamReader sr = new StreamReader (s);
105 string line = sr.ReadLine ();
110 if (line.StartsWith ("END")) {
112 X509Certificate root = DecodeCertificate (sb.ToString ());
115 sb = new StringBuilder ();
120 processing = line.StartsWith ("CKA_VALUE MULTILINE_OCTAL");
127 static int Process ()
129 ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => {
130 if (sslPolicyErrors != System.Net.Security.SslPolicyErrors.None)
131 Console.WriteLine ("WARNING: Downloading the trusted certificate list couldn't be done securely (error: {0}), continuing anyway. If you're using mozroots to bootstrap Mono's trust store on a clean system this might be OK, otherwise it could indicate a network intrusion. Please ensure you're using a trusted network or move to cert-sync.", sslPolicyErrors);
133 // this is very bad, but on a clean system without an existing trust store we don't really have a better option
137 X509CertificateCollection roots = DecodeCollection ();
140 } else if (roots.Count == 0) {
141 WriteLine ("No certificates were found.");
145 if (pkcs7filename != null) {
146 SoftwarePublisherCertificate pkcs7 = new SoftwarePublisherCertificate ();
147 pkcs7.Certificates.AddRange (roots);
149 WriteLine ("Saving root certificates into '{0}' file...", pkcs7filename);
150 using (FileStream fs = File.OpenWrite (pkcs7filename)) {
151 byte[] data = pkcs7.GetBytes ();
152 fs.Write (data, 0, data.Length);
158 WriteLine ("Importing certificates into {0} store...",
159 machine ? "machine" : "user");
161 X509Stores stores = (machine ? X509StoreManager.LocalMachine : X509StoreManager.CurrentUser);
162 X509CertificateCollection trusted = stores.TrustedRoot.Certificates;
164 foreach (X509Certificate root in roots) {
165 if (!trusted.Contains (root)) {
166 if (!confirmAddition || AskConfirmation ("add", root)) {
167 stores.TrustedRoot.Import (root);
169 WriteLine ("Certificate added.{0}", Environment.NewLine);
175 WriteLine ("{0} new root certificates were added to your trust store.", additions);
177 X509CertificateCollection removed = new X509CertificateCollection ();
178 foreach (X509Certificate trust in trusted) {
179 if (!roots.Contains (trust)) {
183 if (removed.Count > 0) {
184 if (confirmRemoval) {
185 WriteLine ("{0} previously trusted certificates were not part of the update.", removed.Count);
187 WriteLine ("{0} previously trusted certificates were removed.", removed.Count);
190 foreach (X509Certificate old in removed) {
191 if (!confirmRemoval || AskConfirmation ("remove", old)) {
192 stores.TrustedRoot.Remove (old);
194 WriteLine ("Certificate removed.{0}", Environment.NewLine);
198 WriteLine ("Import process completed.{0}", Environment.NewLine);
203 static string Thumbprint (string algorithm, X509Certificate certificate)
205 HashAlgorithm hash = HashAlgorithm.Create (algorithm);
206 byte[] digest = hash.ComputeHash (certificate.RawData);
207 return BitConverter.ToString (digest);
210 static bool AskConfirmation (string action, X509Certificate certificate)
212 // the quiet flag is ignored for confirmations
213 Console.WriteLine ();
214 Console.WriteLine ("Issuer: {0}", certificate.IssuerName);
215 Console.WriteLine ("Serial number: {0}", BitConverter.ToString (certificate.SerialNumber));
216 Console.WriteLine ("Valid from {0} to {1}", certificate.ValidFrom, certificate.ValidUntil);
217 Console.WriteLine ("Thumbprint SHA-1: {0}", Thumbprint ("SHA1", certificate));
218 Console.WriteLine ("Thumbprint MD5: {0}", Thumbprint ("MD5", certificate));
220 Console.Write ("Are you sure you want to {0} this certificate ? ", action);
221 string s = Console.ReadLine ().ToLower ();
229 static bool ParseOptions (string[] args)
236 confirmAddition = true;
237 confirmRemoval = true;
239 for (int i = 0; i < args.Length; i++) {
242 if (i >= args.Length - 1)
247 if (i >= args.Length - 1)
249 inputFile = args[++i];
252 if (i >= args.Length - 1)
254 pkcs7filename = args[++i];
263 confirmAddition = false;
264 confirmRemoval = false;
267 confirmAddition = true;
268 confirmRemoval = true;
271 confirmAddition = true;
272 confirmRemoval = false;
275 confirmAddition = false;
276 confirmRemoval = true;
282 WriteLine ("Unknown option '{0}'.");
289 static void Header ()
291 Console.WriteLine (new AssemblyInfo ().ToString ());
292 Console.WriteLine ("WARNING: mozroots is deprecated, please move to cert-sync instead.");
293 Console.WriteLine ();
298 Console.WriteLine ("Usage: mozroots [--import [--machine] [--sync | --ask | --ask-add | --ask-remove]]");
299 Console.WriteLine ("Where the basic options are:");
300 Console.WriteLine (" --import\tImport the certificates into the trust store.");
301 Console.WriteLine (" --sync\t\tSynchronize (add/remove) the trust store with the certificates.");
302 Console.WriteLine (" --ask\t\tAlways confirm before adding or removing trusted certificates.");
303 Console.WriteLine (" --ask-add\tAlways confirm before adding a new trusted certificate.");
304 Console.WriteLine (" --ask-remove\tAlways confirm before removing an existing trusted certificate.");
305 Console.WriteLine ("{0}and the advanced options are", Environment.NewLine);
306 Console.WriteLine (" --url url\tSpecify an alternative URL for downloading the trusted");
307 Console.WriteLine ("\t\tcertificates (MXR source format).");
308 Console.WriteLine (" --file name\tDo not download but use the specified file.");
309 Console.WriteLine (" --pkcs7 name\tExport the certificates into a PKCS#7 file.");
310 Console.WriteLine (" --machine\tImport the certificate in the machine trust store.");
311 Console.WriteLine ("\t\tThe default is to import into the user store.");
312 Console.WriteLine (" --quiet\tLimit console output to errors and confirmations messages.");
315 static void WriteLine (string str)
318 Console.WriteLine (str);
321 static void WriteLine (string format, params object[] args)
324 Console.WriteLine (format, args);
327 static int Main (string[] args)
330 if (!ParseOptions (args)) {
340 catch (Exception e) {
341 // ignore quiet on exception
342 Console.WriteLine ("Error: {0}", e);