Add Ubuntu Trust Store

tests/test_nss_helper.py

@@ -0,0 +1,71 @@
+import os
+import unittest
+from pathlib import Path
+
+from trust_stores_observatory.nss_helper import CertdataEntryServerAuthTrustEnum, CertdataCertificateEntry, \
+    CertdataTrustEntry, parse_certdata
+
+
+class NssHelperTests(unittest.TestCase):
+
+    def test_mozilla_scraping(self):
+        # Given a Mozilla certdata file
+        certdata_path = Path(os.path.abspath(os.path.dirname(__file__))) / 'bin' / 'mozilla_certdata.txt'
+        with open(certdata_path) as certdata_file:
+            certdata_content = certdata_file.read()
+
+        # When scraping it
+        certdata_entries = parse_certdata(certdata_content)
+
+        # It returns the correct entries
+        self.assertEqual(len(certdata_entries), 319)
+
+        certificate_entries = [entry for entry in certdata_entries if isinstance(entry, CertdataCertificateEntry)]
+        self.assertEqual(len(certificate_entries), 157)
+
+        trust_entries = [entry for entry in certdata_entries if isinstance(entry, CertdataTrustEntry)]
+        self.assertEqual(len(trust_entries), 162)
+
+        trusted_trust_entries = [entry for entry in trust_entries
+                                 if entry.trust_enum == CertdataEntryServerAuthTrustEnum.TRUSTED]
+        self.assertEqual(len(trusted_trust_entries), 138)
+
+        not_trusted_trust_entries = [entry for entry in trust_entries
+                                     if entry.trust_enum == CertdataEntryServerAuthTrustEnum.NOT_TRUSTED]
+        self.assertEqual(len(not_trusted_trust_entries), 7)
+
+        must_verify_trust_entries = [entry for entry in trust_entries
+                                     if entry.trust_enum == CertdataEntryServerAuthTrustEnum.MUST_VERIFY]
+        self.assertEqual(len(must_verify_trust_entries), 17)
+
+    def test_ubuntu_scraping(self):
+
+        certdata_path = Path(os.path.abspath(os.path.dirname(__file__))) / 'bin' / 'ubuntu_certdata.txt'
+        with open(certdata_path) as certdata_file:
+            certdata_content = certdata_file.read()
+
+        # Parse data
+        certdata_entries = parse_certdata(certdata_content)
+        # Ensure the correct entries are returned
+        self.assertEqual(len(certdata_entries), 311)
+
+        # CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE entry
+        certificate_entries = [entry for entry in certdata_entries if isinstance(entry, CertdataCertificateEntry)]
+        self.assertEqual(len(certificate_entries), 153)
+
+        # CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST entry
+        trust_entries = [entry for entry in certdata_entries if isinstance(entry, CertdataTrustEntry)]
+        # 160 total entries with two missing a fingerprint
+        self.assertEqual(len(trust_entries), 158)
+
+        trusted_trust_entries = [entry for entry in trust_entries
+                                 if entry.trust_enum == CertdataEntryServerAuthTrustEnum.TRUSTED]
+        self.assertEqual(len(trusted_trust_entries), 133)
+
+        not_trusted_trust_entries = [entry for entry in trust_entries
+                                     if entry.trust_enum == CertdataEntryServerAuthTrustEnum.NOT_TRUSTED]
+        self.assertEqual(len(not_trusted_trust_entries), 7)
+
+        must_verify_trust_entries = [entry for entry in trust_entries
+                                     if entry.trust_enum == CertdataEntryServerAuthTrustEnum.MUST_VERIFY]
+        self.assertEqual(len(must_verify_trust_entries), 18)

tests/test_store_fetcher.py

@@ -8,43 +8,11 @@
 
 from trust_stores_observatory.certificates_repository import RootCertificatesRepository
 from trust_stores_observatory.store_fetcher import MacosTrustStoreFetcher, MicrosoftTrustStoreFetcher, \
-    AospTrustStoreFetcher, JavaTrustStoreFetcher
-from trust_stores_observatory.store_fetcher.mozilla_fetcher import MozillaTrustStoreFetcher, \
-    _CerdataEntryServerAuthTrustEnum, _CertdataCertificateEntry, _CertdataTrustEntry
+    AospTrustStoreFetcher, JavaTrustStoreFetcher, UbuntuTrustStoreFetcher, MozillaTrustStoreFetcher
 
 
 class MozillaTrustStoreFetcherTests(unittest.TestCase):
 
-    def test_scraping(self):
-        # Given a Mozilla certdata file
-        certdata_path = Path(os.path.abspath(os.path.dirname(__file__))) / 'bin' / 'mozilla_certdata.txt'
-        with open(certdata_path) as certdata_file:
-            certdata_content = certdata_file.read()
-
-        # When scraping it
-        certdata_entries = MozillaTrustStoreFetcher._scrape_certdata(certdata_content)
-
-        # It returns the correct entries
-        self.assertEqual(len(certdata_entries), 319)
-
-        certificate_entries = [entry for entry in certdata_entries if isinstance(entry, _CertdataCertificateEntry)]
-        self.assertEqual(len(certificate_entries), 157)
-
-        trust_entries = [entry for entry in certdata_entries if isinstance(entry, _CertdataTrustEntry)]
-        self.assertEqual(len(trust_entries), 162)
-
-        trusted_trust_entries = [entry for entry in trust_entries
-                                 if entry.trust_enum == _CerdataEntryServerAuthTrustEnum.TRUSTED]
-        self.assertEqual(len(trusted_trust_entries), 138)
-
-        not_trusted_trust_entries = [entry for entry in trust_entries
-                                     if entry.trust_enum == _CerdataEntryServerAuthTrustEnum.NOT_TRUSTED]
-        self.assertEqual(len(not_trusted_trust_entries), 7)
-
-        must_verify_trust_entries = [entry for entry in trust_entries
-                                     if entry.trust_enum == _CerdataEntryServerAuthTrustEnum.MUST_VERIFY]
-        self.assertEqual(len(must_verify_trust_entries), 17)
-
     def test_online(self):
         certs_repo = RootCertificatesRepository.get_default()
         store_fetcher = MozillaTrustStoreFetcher()
@@ -127,3 +95,14 @@ def test_online(self):
         self.assertTrue(fetched_store)
         self.assertGreater(len(fetched_store.trusted_certificates), 100)
         self.assertGreater(len(fetched_store.blocked_certificates), 10)
+
+
+class UbuntuTrustStoreFetcherTests(unittest.TestCase):
+
+    def test_online(self):
+        certs_repo = RootCertificatesRepository.get_default()
+        store_fetcher = UbuntuTrustStoreFetcher()
+        fetched_store = store_fetcher.fetch(certs_repo)
+        self.assertTrue(fetched_store)
+        self.assertGreater(len(fetched_store.trusted_certificates), 102)
+        self.assertGreater(len(fetched_store.blocked_certificates), 5)

trust_stores/google_aosp.yaml

@@ -1,17 +1,15 @@
 platform: GOOGLE_AOSP
-version: 8.1.0_r9
+version: 9.0.0_r3
 url: https://android.googlesource.com/platform/system/ca-certificates
-date_fetched: 2018-01-25
-trusted_certificates_count: 135
+date_fetched: 2018-08-09
+trusted_certificates_count: 137
 trusted_certificates:
 - subject_name: AAA Certificate Services
   fingerprint: d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4
 - subject_name: AC RAIZ FNMT-RCM
   fingerprint: ebc5570c29018c4d67b1aa127baf12f703b4611ebc17b7dab5573894179b93fa
 - subject_name: ACCVRAIZ1
   fingerprint: 9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384113
-- subject_name: ACEDICOM Root
-  fingerprint: 03950fb49a531f3e1991942398dfa9e0ea32d7ba1cdd9bc85db57ed9400b434a
 - subject_name: Actalis Authentication Root CA
   fingerprint: 55926084ec963a64b96e2abe01ce0ba86a64fbfebcc7aab5afc155b37fd76066
 - subject_name: AddTrust External CA Root
@@ -56,16 +54,12 @@ trusted_certificates:
   fingerprint: 52f0e1c4e58ec629291b60317f074671b85d7ea80d5b07273463534b32b40234
 - subject_name: Certigna
   fingerprint: e3b6a2db2ed7ce48842f7ac53241c7b71d54144bfb40c11f3f1d0b42f5eea12d
-- subject_name: "Certinomis - Autorit\xE9 Racine"
-  fingerprint: fcbfe2886206f72b27593c8b070297e12d769ed10ed7930705a8098effc14d17
 - subject_name: Certinomis - Root CA
   fingerprint: 2a99f5bc1174b73cbb1d620884e01c34e51ccb3978da125f0e33268883bf4158
 - subject_name: Certplus Root CA G1
   fingerprint: 152a402bfcdf2cd548054d2275b39c7fca3ec0978078b0f0ea76e561a6c7433e
 - subject_name: Certplus Root CA G2
   fingerprint: 6cc05041e6445e74696c4cfbc9f80f543b7eabbb44b4ce6f787c6a9971c42f17
-- subject_name: Certum CA
-  fingerprint: d8e0febc1db2e38d00940f37d27d41344d993e734b99d5656d9778d4d8143624
 - subject_name: Certum Trusted Network CA
   fingerprint: 5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e
 - subject_name: Certum Trusted Network CA 2
@@ -82,8 +76,6 @@ trusted_certificates:
   fingerprint: 49e7a442acf0ea6287050054b52564b650e4f49e42e348d6aa38e039e957b1c1
 - subject_name: D-TRUST Root Class 3 CA 2 EV 2009
   fingerprint: eec5496b988ce98625b934092eec2908bed0b0f316c2d4730c84eaf1f3d34881
-- subject_name: DST ACES CA X6
-  fingerprint: 767c955a76412c89af688e90a1c70f556cfd6b6025dbea10416d7eb6831f8c40
 - subject_name: DST Root CA X3
   fingerprint: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
 - subject_name: Deutsche Telekom Root CA 2
@@ -118,6 +110,8 @@ trusted_certificates:
   fingerprint: 43df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f339
 - subject_name: Entrust.net Certification Authority (2048)
   fingerprint: 6dc47172e01cbcb0bf62580d895fe2b8ac9ad4f873801e0c10b9c837d21eb177
+- subject_name: GDCA TrustAUTH R5 ROOT
+  fingerprint: bfff8fd04433487d6a8aa60c1a29767a9fc2bbb05e420f713a13b992891d3893
 - subject_name: GeoTrust Global CA
   fingerprint: ff856a2d251dcd88d36656f450126798cfabaade40799c722de4d2b5db36a73a
 - subject_name: GeoTrust Primary Certification Authority
@@ -196,6 +190,14 @@ trusted_certificates:
   fingerprint: 88ef81de202eb018452e43f864725cea5fbd1fc2d9d205730709c5d8b8690f46
 - subject_name: QuoVadis Root Certification Authority
   fingerprint: a45ede3bbbf09c8ae15c72efc07268d693a21c996fd51e67ca079460fd6d8873
+- subject_name: SSL.com EV Root Certification Authority ECC
+  fingerprint: 22a2c1f7bded704cc1e701b5f408c310880fe956b5de2a4a44f99c873a25a7c8
+- subject_name: SSL.com EV Root Certification Authority RSA R2
+  fingerprint: 2e7bf16cc22485a7bbe2aa8696750761b0ae39be3b2fe9d0cc6d4ef73491425c
+- subject_name: SSL.com Root Certification Authority ECC
+  fingerprint: 3417bb06cc6007da1b961c920b8ab4ce3fad820e4aa30b9acbc4a74ebdcebc65
+- subject_name: SSL.com Root Certification Authority RSA
+  fingerprint: 85666a562ee0be5ce925c1d8890a6f76a87ec16d4d7d5f29ea7419cf20123b69
 - subject_name: SZAFIR ROOT CA2
   fingerprint: a1339d33281a0b56e557d3d32b1ce7f9367eb094bd5fa72a7e5004c8ded7cafe
 - subject_name: Secure Global CA
@@ -240,14 +242,14 @@ trusted_certificates:
   fingerprint: bfd88fe1101c41ae3e801bf8be56350ee9bad1a6b9bd515edc5c6d5b8711ac44
 - subject_name: TeliaSonera Root CA v1
   fingerprint: dd6936fe21f8f077c123a1a521c12224f72255b73e03a7260693e8a24b0fa389
+- subject_name: TrustCor ECA-1
+  fingerprint: 5a885db19c01d912c5759388938cafbbdf031ab2d48e91ee15589b42971d039c
+- subject_name: TrustCor RootCert CA-1
+  fingerprint: d40e9c86cd8fe468c1776959f49ea774fa548684b6c406f3909261f4dce2575c
+- subject_name: TrustCor RootCert CA-2
+  fingerprint: 0753e940378c1bd5e3836e395daea5cb839e5046f1bd0eae1951cf10fec7c965
 - subject_name: Trustis FPS Root CA
   fingerprint: c1b48299aba5208fe9630ace55ca68a03eda5a519c8802a0d3a673be8f8e557d
-- subject_name: "T\xDCB\u0130TAK UEKAE K\xF6k Sertifika Hizmet Sa\u011Flay\u0131c\u0131\
-    s\u0131 - S\xFCr\xFCm 3"
-  fingerprint: e4c73430d7a5b50925df43370a0d216e9a79b9d6db8373a0c69eb1cc31c7c52a
-- subject_name: "T\xDCRKTRUST Elektronik Sertifika Hizmet Sa\u011Flay\u0131c\u0131\
-    s\u0131"
-  fingerprint: 978cd966f2faa07ba7aa9500d9c02e9d77f2cdada6ad6ba74af4b91c66593c50
 - subject_name: "T\xDCRKTRUST Elektronik Sertifika Hizmet Sa\u011Flay\u0131c\u0131\
     s\u0131 H5"
   fingerprint: 49351b903444c185ccdc5c693d24d8555cb208d6a8141307699f4af063199d78