diff --git a/src/certificate-roots.toit b/src/certificate-roots.toit
index 478afdd..233db38 100644
--- a/src/certificate-roots.toit
+++ b/src/certificate-roots.toit
@@ -10692,6 +10692,7 @@ The certificates can also be used for the --root-certificates
 argument of TLS sockets.
 */
 MAP ::= {
+ "AAA Certificate Services": COMODO-AAA-SERVICES-ROOT,
 "AC RAIZ FNMT-RCM": AC-RAIZ-FNMT-RCM,
 "AC RAIZ FNMT-RCM SERVIDORES SEGUROS": AC-RAIZ-FNMT-RCM-SERVIDORES-SEGUROS,
 "ACCVRAIZ1": ACCVRAIZ1,
@@ -10843,7 +10844,6 @@ MAP ::= {
 "emSign Root CA - G1": EMSIGN-ROOT-CA-G1,
 "vTrus ECC Root CA": VTRUS-ECC-ROOT-CA,
 "vTrus Root CA": VTRUS-ROOT-CA,
- "AAA Certificate Services": COMODO-AAA-SERVICES-ROOT,
 }
 /**
@@ -11017,7 +11017,7 @@ ALL ::= [
 EMSIGN-ROOT-CA-C1,
 EMSIGN-ROOT-CA-G1,
 VTRUS-ECC-ROOT-CA,
- VTRUS-ROOT-CA,
+ VTRUS-ROOT-CA
 ]
 /**
diff --git a/tools/to_toit_source.toit b/tools/to_toit_source.toit
index e72e44b..3aa09b3 100644
--- a/tools/to_toit_source.toit
+++ b/tools/to_toit_source.toit
@@ -31,12 +31,13 @@ class Cert:
 constructor .mixed-case-name .name .sha-fingerprint .data --.expiry=null --.subject=null --.comment=null --.is-deprecated=false:
 print-on-stdout -> none:
- print "/**"
- print "$(mixed-case-name)."
- print "This certificate can be added to an HTTP client or a TLS socket with"
- print " the --root_certificates argument."
- print "It can also be installed on the Toit process, to be used by all TLS"
- print " sockets that do not have explicit roots, using its install method."
+ print """
+ /**
+ $(mixed-case-name).
+ This certificate can be added to an HTTP client or a TLS socket with
+ the --root_certificates argument.
+ It can also be installed on the Toit process, to be used by all TLS
+ sockets that do not have explicit roots, using its install method."""
 if comment: print comment
 if sha-fingerprint != null:
 print "SHA256 fingerprint: $sha-fingerprint"
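Review bot: The rewritten doc template in print-on-stdout still names the option `--root_certificates` with an underscore, while the ALL example and the MAP doc comment emitted later by the same generator spell it `--root-certificates`, and every other option in this file is kebab-case (`--fingerprint=`, `--squeeze`). If the TLS socket API takes the kebab-case form, the per-certificate comment points users at a parameter that does not exist; change the line to `the --root-certificates argument.`. The conversion to a triple-quoted string is otherwise one-to-one with the removed prints. The method continues past the end of the hunk.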
@@ -48,8 +49,9 @@ class Cert:
 print "*/"
 if is-deprecated:
- print "$name ::= $(name)_"
- print "$(name)_ ::= tls.RootCertificate --fingerprint=0x$(%x hash) $(name)-BYTES_"
+ print """
+ $name ::= $(name)_
+ $(name)_ ::= tls.RootCertificate --fingerprint=0x$(%x hash) $(name)-BYTES_"""
 else:
 print "$name ::= tls.RootCertificate --fingerprint=0x$(%x hash) $(name)-BYTES_"
 print ""
@@ -80,6 +82,15 @@ encode-byte_ byte/int --extra/int=0 [report-extra]-> string:
 return alt
 unreachable
+to-json-map-string map/Map -> string:
+ result := "{\n"
+ map.keys.sort.map: | key |
+ result += " \"$key\": $(map[key]),\n"
+ return result + "}"
+
+to-json-list-string list/List -> string:
+ return "[\n $(list.join ",\n ")\n]"
+
 main args/List:
 in-cert-data := false
 name := null
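Review bot: `to-json-map-string` splices each key into a quoted Toit literal as `\"$key\"` with no escaping, so a certificate name containing `"`, `\` or `$` would produce a generated certificate-roots.toit that does not parse or that interpolates at compile time; the removed inline print had the same gap, but now that the formatting lives in a helper it is the natural place to reject such names rather than emit them. The helper also uses `map.keys.sort.map:` only for its side effect on `result`, building and discarding a list where `do:` says what is meant. The name suggests JSON, but the values are written unquoted (the caller stores Toit identifiers such as `cert.name`), so a name like `to-toit-map-source` would describe the output better; I can only see the one call site, so treat that as a suggestion. The same unescaped interpolation applies to `to-json-list-string`, whose elements are identifiers and so less exposed.
```toit
to-json-map-string map/Map -> string:
  result := "{\n"
  map.keys.sort.do: | key |
    // The key lands inside a quoted Toit literal unescaped; refuse names
    // that would change the meaning of the generated source.
    if (key.contains "\"") or (key.contains "\\") or (key.contains "\$"):
      throw "Unsupported character in certificate name: $key"
    result += "  \"$key\": $(map[key]),\n"
  return result + "}"
```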
@@ -90,22 +101,23 @@ main args/List:
 all-certs := {:} // Mapping from name in the input to Cert object.
 cert-code := []
- print "/// Root certificates, automatically extracted from Mozilla's NSS"
- print ""
- print "// This file was autogenerated from certdata.txt, which carried the"
- print "// following copyright message:"
- print ""
- print "// This Source Code Form is subject to the terms of the Mozilla Public"
- print "// License, v. 2.0. If a copy of the MPL was not distributed with this"
- print "// file, You can obtain one at http://mozilla.org/MPL/2.0/."
- print ""
- print "import encoding.base64"
- print "import net.x509 as net"
- print "import tls"
- print ""
- print "import .get-root"
- print "export get-root-from-exception"
- print ""
+ print """
+ /// Root certificates, automatically extracted from Mozilla's NSS
+
+ // This file was autogenerated from certdata.txt, which carried the
+ // following copyright message:
+
+ // This Source Code Form is subject to the terms of the Mozilla Public
+ // License, v. 2.0. If a copy of the MPL was not distributed with this
+ // file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+ import encoding.base64
+ import net.x509 as net
+ import tls
+
+ import .get-root
+ export get-root-from-exception
+ """
 tr := Translator "a-z ._" "A-Z-"
 squeeze := Translator --squeeze "-" "-"
@@ -151,85 +163,88 @@ main args/List:
 cert/Cert := all-certs[mixed-case-name]
 cert.print-on-stdout
- print ""
- print "/**"
- print "A map from certificate name to \$tls.RootCertificate objects."
- print "The certificates can be installed as globally trusted"
- print " roots using their \$tls.RootCertificate.install method."
- print "The certificates can also be used for the --root-certificates"
- print " argument of TLS sockets."
- print "*/"
- print "MAP ::= {"
+ out-map := {:}
 names.do: | mixed-case-name |
- cert := all-certs[mixed-case-name]
+ cert/Cert := all-certs[mixed-case-name]
 if not cert.name.contains "TUNTRUST":
- print " \"$mixed-case-name\": $(cert.name),"
- print " \"AAA Certificate Services\": COMODO-AAA-SERVICES-ROOT,"
- print "}"
- print ""
- print "/**"
- print "All the trusted roots in the collection. If you are running"
- print " on a non-embedded platform with plenty of memory you can just"
- print " use them all."
- print ""
- print "# Note"
- print "The TunTrust cert is only intended for .tn domains, but"
- print " currently we do not support this restriction in our TLS code,"
- print " therefore it is currently omitted here, and in \$MAP, but is"
- print " available on an opt-in basis."
- print ""
- print "# Examples"
- print "Explicitly pass the root certificates to a TLS socket."
- print "(Typically, you would use \$install-all-trusted-roots instead.)"
- print "```"
- print " socket := tls.Socket.client tcp"
- print " --server-name=host"
- print " --root-certificates=certificate-roots.ALL"
- print "```"
- print "*/"
- print "ALL ::= ["
+ out-map[mixed-case-name] = cert.name
+ out-map["AAA Certificate Services"] = "COMODO-AAA-SERVICES-ROOT"
+
+ out-list := []
 names.do: | mixed-case-name |
- cert := all-certs[mixed-case-name]
+ cert/Cert := all-certs[mixed-case-name]
 if not cert.name.contains "TUNTRUST":
 if cert.is-deprecated:
- print " $(cert.name)_,"
+ out-list.add "$(cert.name)_"
 else:
- print " $cert.name,"
- print "]"
- print ""
- print "/**"
- print "Installs all certificate roots on this process so that they are used"
- print " for any TLS connections that do not have explicit root certificates."
- print "This adds about 180k to the program size."
- print "*/"
- print "install-all-trusted-roots -> none:"
- names.do: | mixed-case-name |
- cert/Cert := all-certs[mixed-case-name]
- hash := tls.add-global-root-certificate_ cert.data
- print " $(cert.name).install"
- print ""
- print "/**"
- print "Common certificate roots."
- print "*/"
- print "COMMON-TRUSTED-ROOTS ::= ["
- print " DIGICERT-GLOBAL-ROOT-G2,"
- print " DIGICERT-GLOBAL-ROOT-CA,"
- print " GLOBALSIGN-ROOT-CA,"
- print " GLOBALSIGN-ROOT-CA-R3,"
- print " COMODO-RSA-CERTIFICATION-AUTHORITY,"
- print " BALTIMORE-CYBERTRUST-ROOT,"
- print " USERTRUST-ECC-CERTIFICATION-AUTHORITY,"
- print " USERTRUST-RSA-CERTIFICATION-AUTHORITY,"
- print " DIGICERT-HIGH-ASSURANCE-EV-ROOT-CA,"
- print " ISRG-ROOT-X1,"
- print " STARFIELD-CLASS-2-CA,"
- print " COMODO-AAA-SERVICES-ROOT,"
- print "]"
+ out-list.add cert.name
+
 print ""
- print "/**"
- print "Installs common certificate roots on this process so that they are used"
- print " for any TLS connections that do not have explicit root certificates."
- print "This adds about 14k to the program size."
- print "*/"
- print "install-common-trusted-roots -> none:"
- print " COMMON-TRUSTED-ROOTS.do: it.install"
+ print """
+ /**
+ A map from certificate name to \$tls.RootCertificate objects.
+ The certificates can be installed as globally trusted
+ roots using their \$tls.RootCertificate.install method.
+ The certificates can also be used for the --root-certificates
+ argument of TLS sockets.
+ */
+ MAP ::= $(to-json-map-string out-map)
+
+ /**
+ All the trusted roots in the collection. If you are running
+ on a non-embedded platform with plenty of memory you can just
+ use them all.
+
+ # Note
+ The TunTrust cert is only intended for .tn domains, but
+ currently we do not support this restriction in our TLS code,
+ therefore it is currently omitted here, and in \$MAP, but is
+ available on an opt-in basis.
+
+ # Examples
+ Explicitly pass the root certificates to a TLS socket.
+ (Typically, you would use \$install-all-trusted-roots instead.)
+ ```
+ socket := tls.Socket.client tcp
+ --server-name=host
+ --root-certificates=certificate-roots.ALL
+ ```
+ */
+ ALL ::= $(to-json-list-string out-list)
+
+ /**
+ Installs all certificate roots on this process so that they are used
+ for any TLS connections that do not have explicit root certificates.
+ This adds about 180k to the program size.
+ */
+ install-all-trusted-roots -> none:
+ $((names.map: | mixed-case-name |
+ cert/Cert := all-certs[mixed-case-name]
+ hash := tls.add-global-root-certificate_ cert.data
+ "$(cert.name).install").join "\n ")
+
+ /**
+ Common certificate roots.
+ */
+ COMMON-TRUSTED-ROOTS ::= [
+ DIGICERT-GLOBAL-ROOT-G2,
+ DIGICERT-GLOBAL-ROOT-CA,
+ GLOBALSIGN-ROOT-CA,
+ GLOBALSIGN-ROOT-CA-R3,
+ COMODO-RSA-CERTIFICATION-AUTHORITY,
+ BALTIMORE-CYBERTRUST-ROOT,
+ USERTRUST-ECC-CERTIFICATION-AUTHORITY,
+ USERTRUST-RSA-CERTIFICATION-AUTHORITY,
+ DIGICERT-HIGH-ASSURANCE-EV-ROOT-CA,
+ ISRG-ROOT-X1,
+ STARFIELD-CLASS-2-CA,
+ COMODO-AAA-SERVICES-ROOT,
+ ]
+
+ /**
+ Installs common certificate roots on this process so that they are used
+ for any TLS connections that do not have explicit root certificates.
+ This adds about 14k to the program size.
+ */
+ install-common-trusted-roots -> none:
+ COMMON-TRUSTED-ROOTS.do: it.install"""
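Review bot: The `install-all-trusted-roots` body is now produced by the `names.map:` block inside the `print """` template, and unlike the `out-map` and `out-list` loops just above it applies no `cert.name.contains "TUNTRUST"` filter, so the emitted installer registers the TunTrust root globally while the doc comment two blocks up says that root is omitted from `\$MAP` and `ALL` and available only on an opt-in basis. The gap predates this commit (the removed loop had no filter either), but the rewrite is the moment to either apply the same rule or state in the `install-all-trusted-roots` doc comment that it installs every root including TunTrust; I cannot see the generated installer from here, so confirm against the output. Separately, `hash := tls.add-global-root-certificate_ cert.data` performs a side-effecting call inside a string interpolation and discards its result; if it is there to validate `cert.data` at generation time, that is easier to see as its own loop before the template. A loop-first sketch follows; the enclosing `main` starts before the hunk.
```toit
  out-list := []
  // … unchanged: out-list loop …

  // Build the installer lines with the same TunTrust rule as MAP and ALL.
  install-lines := []
  names.do: | mixed-case-name |
    cert/Cert := all-certs[mixed-case-name]
    // Presumably validates the certificate bytes at generation time
    // (result unused) — kept out of the template so the side effect is visible.
    tls.add-global-root-certificate_ cert.data
    if not cert.name.contains "TUNTRUST":
      install-lines.add "$(cert.name).install"

  print ""
  print """
  // … unchanged: MAP and ALL doc comments and definitions …
  install-all-trusted-roots -> none:
    $(install-lines.join "\n  ")
  // … unchanged: COMMON-TRUSTED-ROOTS and install-common-trusted-roots …
```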