Merge pull request debops#19 from drybjed/ca-certificates-management

Support for /etc/ca-certificate.conf management

CHANGES.rst

@@ -0,0 +1,19 @@
+Changelog
+=========
+
+v0.1.0
+------
+
+*Unreleased*
+
+- Add support for managing the list of active Root CA Certificates in
+  ``/etc/ca-certificates.conf``. Current set of active Root CA Certificates is
+  preserved. [drybjed]
+
+- Blacklist CNNIC Root CA following the `Google decision to remove CNNIC`_ from
+  their Root CA store. [drybjed]
+
+.. _Google decision to remove CNNIC: http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
+
+- Add Changelog. [drybjed]
+

defaults/main.yml

@@ -397,3 +397,42 @@ pki_inject_public_files: []
 # Add content of variables to private files
 pki_inject_private_files: []
 
+
+# ---- System CA certificate store management ----
+
+# Set default trust policy for new certificates added to 'ca-certificates'
+# system package. Choices: 'yes', 'no'
+pki_system_ca_certificates_trust_new: 'yes'
+
+# List of blacklisted CA certificates. You can specify either exact names of
+# certificate files, or simple regexps with wildcards. If a certificate is
+# found in both lists, it will be blacklisted.
+pki_system_ca_certificates_blacklist:
+
+  # Blacklist CNNIC Root Certificates
+  # http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html
+  - 'mozilla/CNNIC_ROOT.crt'
+  - 'mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt'
+
+  # Blacklist all certificates
+  #- '.*'
+
+  # Blacklist all Mozilla certificates
+  #- 'mozilla/.*'
+
+  # Blacklist specific group of certificates
+  #- 'mozilla/VeriSign_.*'
+
+# List of whitelisted CA certificates. You can specify either exact names of
+# certificate files, or simple regexps with wildcards.
+pki_system_ca_certificates_whitelist: []
+
+  # Whitelist all certificates
+  #- '.*'
+
+  # Whitelist all Mozilla certificates
+  #- 'mozilla/.*'
+
+  # Whitelist specific group of certificates
+  #- 'mozilla/VeriSign_.*'
+

handlers/main.yml

@@ -11,6 +11,13 @@
   command: update-ca-certificates --fresh
   notify: [ 'Install ca-certificates.crt into Postfix chroot' ]
 
+- name: Reconfigure ca-certificates
+  environment:
+    DEBIAN_FRONTEND: 'noninteractive'
+    DEBCONF_NONINTERACTIVE_SEEN: 'true'
+  command: dpkg-reconfigure --frontend=noninteractive ca-certificates
+  notify: [ 'Install ca-certificates.crt into Postfix chroot' ]
+
 - name: Install ca-certificates.crt into Postfix chroot
   shell: test -d /var/spool/postfix &&
          cp -f /etc/ssl/certs/ca-certificates.crt /var/spool/postfix/etc/ssl/certs/ca-certificates.crt || true

tasks/ca_certificates.yml

@@ -0,0 +1,45 @@
+---
+
+- name: Set default trust policy for new certificates
+  debconf:
+    name: 'ca-certificates'
+    question: 'ca-certificates/trust_new_crts'
+    vtype: 'select'
+    value: '{{ pki_system_ca_certificates_trust_new }}'
+
+- name: Get list of known certificates
+  shell: grep -E -e '^[^#].*$' /etc/ca-certificates.conf | sed -e 's/^!//'
+  register: pki_register_ca_certificates_known
+  changed_when: False
+
+- name: Get list of untrusted certificates
+  shell: grep -E -e '^!+' /etc/ca-certificates.conf | sed -e 's/^!//'
+  register: pki_register_ca_certificates_untrusted
+  changed_when: False
+
+- name: Get list of trusted certificates
+  shell: grep -E -e '^[^#!].*$' /etc/ca-certificates.conf | sed -e 's/^!//'
+  register: pki_register_ca_certificates_trusted
+  changed_when: False
+
+- name: Get list of blacklisted certificates
+  shell: grep -E -e '{{ pki_system_ca_certificates_blacklist | join("' -e '") }}' /etc/ca-certificates.conf | sed -e 's/^!//'
+  register: pki_register_ca_certificates_blacklist
+  changed_when: False
+  when: pki_system_ca_certificates_blacklist is defined and pki_system_ca_certificates_blacklist
+
+- name: Get list of whitelisted certificates
+  shell: grep -E -e '{{ pki_system_ca_certificates_whitelist | join("' -e '") }}' /etc/ca-certificates.conf | sed -e 's/^!//'
+  register: pki_register_ca_certificates_whitelist
+  changed_when: False
+  when: pki_system_ca_certificates_whitelist is defined and pki_system_ca_certificates_whitelist
+
+- name: Configure system CA certificates
+  template:
+    src: 'etc/ca-certificates.conf.j2'
+    dest: '/etc/ca-certificates.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Reconfigure ca-certificates' ]
+

tasks/main.yml

@@ -84,3 +84,5 @@
   when: ((pki_register_snapshot is defined and pki_register_snapshot.changed) or
          (pki_register_facts is defined and pki_register_facts.changed))
 
+- include: ca_certificates.yml
+

templates/etc/ca-certificates.conf.j2

@@ -0,0 +1,28 @@
+# This file is managed remotely, some changes might be overwritten
+#
+# This file lists certificates that you wish to use or to ignore to be
+# installed in /etc/ssl/certs.
+# update-ca-certificates(8) will update /etc/ssl/certs by reading this file.
+#
+# This is autogenerated by dpkg-reconfigure ca-certificates.
+# Certificates should be installed under /usr/share/ca-certificates
+# and files with extension '.crt' is recognized as available certs.
+#
+# line begins with # is comment.
+# line begins with ! is certificate filename to be deselected.
+#
+{% for rootca in pki_register_ca_certificates_known.stdout_lines|d([]) %}
+{% if rootca in (pki_register_ca_certificates_blacklist.stdout_lines|d([]) | intersect(pki_register_ca_certificates_whitelist.stdout_lines|d([]))) %}
+!{{ rootca }}
+{% else %}
+{% if rootca in (pki_register_ca_certificates_blacklist.stdout_lines|d([]) | difference(pki_register_ca_certificates_whitelist.stdout_lines|d([]))) %}
+!{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_whitelist.stdout_lines|d([]) %}
+{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_untrusted.stdout_lines|d([]) %}
+!{{ rootca }}
+{% elif rootca in pki_register_ca_certificates_trusted.stdout_lines|d([]) %}
+{{ rootca }}
+{% endif %}
+{% endif %}
+{% endfor %}