tls: remove trustcor root ca certificates

bnoordhuis · danielleadams · commit 979d8376bdae · 2023-01-03T08:39:14.000-05:00
Follow what Ubuntu did and simply remove the CA certificates altogether. Fixes: #45762 Refs: https://ubuntu.com/security/notices/USN-5761-2 PR-URL: #45776 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com>
diff --git a/src/node_root_certs.h b/src/node_root_certs.h
@@ -2154,88 +2154,6 @@
 "boPoDKi3QWwH3b08hpcv0g==\n"
 "-----END CERTIFICATE-----",
 
-/* TrustCor RootCert CA-1 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYDVQQGEwJQ\n"
-"QTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1\n"
-"c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0\n"
-"ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0\n"
-"MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCBpDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFt\n"
-"YTEUMBIGA1UEBwwLUGFuYW1hIENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4g\n"
-"ZGUgUi5MLjEnMCUGA1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYD\n"
-"VQQDDBZUcnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
-"CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpidRtLByZ5O\n"
-"Gy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3Vseq0iWEk8xoT26nP\n"
-"Uu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme9J7+wH5COucLlVPat2gOkEz7\n"
-"cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CVEY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYf\n"
-"YW0PVcWDtxBWcgYHpfOxGgMFZA6dWorWhnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2Mw\n"
-"YTAdBgNVHQ4EFgQU7mtJPHo/DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOx\n"
-"CbeKyKsZn3MzUOcwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcN\n"
-"AQELBQADggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I\n"
-"/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yfke+Ri7fc\n"
-"7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZyonnMlo2HD6CqFqT\n"
-"vsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djtsL1Ac59v2Z3kf9YKVmgenFK+P\n"
-"3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdNzl/HHk484IkzlQsPpTLWPFp5LBk=\n"
-"-----END CERTIFICATE-----",
-
-/* TrustCor RootCert CA-2 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNVBAYTAlBB\n"
-"MQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVz\n"
-"dENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRl\n"
-"IEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3IgUm9vdENlcnQgQ0EtMjAeFw0xNjAyMDQx\n"
-"MjMyMjNaFw0zNDEyMzExNzI2MzlaMIGkMQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1h\n"
-"MRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBk\n"
-"ZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNV\n"
-"BAMMFlRydXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK\n"
-"AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+QVqedd2N\n"
-"yuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq1+9xALgxpL56JAfD\n"
-"QiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp2yqlO/rOsP9+aij9JxzIsekp\n"
-"8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nKDOObXUm4TOJXsZiKQlecdu/vvdFoqNL0\n"
-"Cbt3Nb4lggjEFixEIFapRBF37120Hapeaz6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3\n"
-"GIJ2SDpxsROhOdUuxTTCHWKF3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz2\n"
-"7Ud+ez1m7xMTiF88oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjx\n"
-"klb9tTNMg9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3\n"
-"mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh8N0JqSDI\n"
-"vgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAdBgNVHQ4EFgQU2f4h\n"
-"QG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6UnrybPZx9mCAZ5YwwYrIwDwYD\n"
-"VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAJ5Fngw7\n"
-"tu/hOsh80QA9z+LqBrWyOrsGS2h60COXdKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYnd\n"
-"Afrs3fnpkpfbsEZC89NiqpX+MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40\n"
-"/W5ulop5A7Zv2wnL/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARpp\n"
-"v9JYx1RXCI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa\n"
-"ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW2dCFmU2U\n"
-"mw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7N6a3vLqE6R5sGtRk\n"
-"2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3Sewn6EAes6aJInKc9Q0ztFij\n"
-"MDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArBAs8e5ZTZ845b2EzwnexhF7sUMlQMAimT\n"
-"HpKG9n/v55IFDlndmQguLvqcAFLTxWYp5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUou\n"
-"wpaYT05KnJe32x+SMsj/D1Fu1uwJ\n"
-"-----END CERTIFICATE-----",
-
-/* TrustCor ECA-1 */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYDVQQGEwJQ\n"
-"QTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEkMCIGA1UECgwbVHJ1\n"
-"c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0\n"
-"ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29yIEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oX\n"
-"DTI5MTIzMTE3MjgwN1owgZwxCzAJBgNVBAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNV\n"
-"BAcMC1BhbmFtYSBDaXR5MSQwIgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4x\n"
-"JzAlBgNVBAsMHlRydXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1\n"
-"c3RDb3IgRUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb\n"
-"3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOABoJA6LHi\n"
-"p1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A53ThFEXXQmqc04L/N\n"
-"yFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4OuowReUoCLHhIlERnXDH19MURB\n"
-"6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7\n"
-"zPIlstR8L+xNxqE6FXrntl019fZISjZFZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1\n"
-"zG1I1KBLf/5ZJC+Dl5mahjAfBgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNV\n"
-"HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVw\n"
-"m8nHc2FvcivUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2\n"
-"AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11FhcCF5yWP\n"
-"ldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50soIipX1TH0XsJ5F9\n"
-"5yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BIWJZpTdwHjFGTot+fDz2LYLSC\n"
-"jaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1WitJ/X5g==\n"
-"-----END CERTIFICATE-----",
-
 /* SSL.com Root Certification Authority RSA */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIF3TCCA8WgAwIBAgIIeyyb0xaAMpkwDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMx\n"
diff --git a/tools/mk-ca-bundle.pl b/tools/mk-ca-bundle.pl
@@ -260,6 +260,8 @@ (%)
 
     if ( !should_output_cert(%trust_purposes_by_level) ) {
       $skipnum ++;
+    } elsif ($caname =~ /TrustCor/) {
+      $skipnum ++;
     } else {
       my $encoded = MIME::Base64::encode_base64($data, '');
       $encoded =~ s/(.{1,${opt_w}})/"$1\\n"\n/g;
