
grawity's journal

blacklisting CAs on Arch Linux

People have been writing about how to mark the BlueCoat CA as untrusted on OS X and Windows. Most Linux distros do not have anything like that – although internally OpenSSL and Mozilla's NSS can store trust information (e.g. both Firefox & Chromium show DigiNotar as explicitly distrusted), the system-wide /etc/ssl/certs has always been a plain dumb whitelist.

However, a blacklist feature is partially present on Fedora and Arch Linux, which have moved from Debian-style ca-certificates tools to the new p11-kit. After Fedora's Shared System Certificates project (Arch switched to the same tools in 2014), all programs which use p11-kit will know about blacklisted certificates just as they know about trusted ones.

The process for marking a certificate as untrusted via p11-kit is:

  1. Download the actual certificate (e.g. BlueCoat's) as a DER or PEM file.
  2. Copy the file to /etc/ca-certificates/trust-source/blacklist/. (The path is different on Fedora; it's probably somewhere under /etc/pki/.)
  3. Run update-ca-trust as root.
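The three steps above as one script. This is an added example, not the author's code: it stages a downloaded certificate file into the p11-kit blacklist directory after checking that the file is actually PEM or DER (p11-kit parses files by content, so a stray HTML error page dropped into the directory would distrust nothing), then rebuilds the trust stores. The Arch path is the one from the post; the Fedora path is the one documented in update-ca-trust(8). `TRUST_ROOT` is an assumed knob that prefixes the system path so the functions can be exercised in a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the journal post): stage a CA certificate into the
# p11-kit blacklist source directory and regenerate the trust stores.
# TRUST_ROOT (assumed, default empty) is prepended to the system path so the
# helpers can be tested in a scratch directory.

# Resolve the blacklist source directory for a distro id (the ID field of
# /etc/os-release). Returns 1 for distros this example does not know.
blacklist_dir_for() {
    case "$1" in
        arch)   echo "${TRUST_ROOT:-}/etc/ca-certificates/trust-source/blacklist" ;;
        fedora) echo "${TRUST_ROOT:-}/etc/pki/ca-trust/source/blacklist" ;;
        *)      return 1 ;;
    esac
}

# Classify a file as "pem", "der" or "unknown" from its first bytes: PEM
# begins with the BEGIN CERTIFICATE armor line, DER with an ASN.1 SEQUENCE
# tag (0x30). This is a sanity check, not full certificate validation.
cert_format() {
    if head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'; then
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' ')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Copy a certificate into the blacklist directory, refusing anything that
# does not look like a certificate. Prints the staged path on success.
stage_blacklist() {
    _cert=$1
    _dir=$2
    _fmt=$(cert_format "$_cert")
    if [ "$_fmt" = unknown ]; then
        echo "not a PEM or DER certificate: $_cert" >&2
        return 1
    fi
    mkdir -p "$_dir"
    _base=$(basename "$_cert")
    case "$_base" in
        *.pem|*.crt|*.der|*.cer) ;;
        *) _base="$_base.$_fmt" ;;   # p11-kit reads by content; the suffix is for humans
    esac
    cp "$_cert" "$_dir/$_base" && echo "$_dir/$_base"
}

# Full procedure: detect the distro, stage the file, rebuild the stores.
# update-ca-trust rewrites /etc/ssl/certs and /etc/ca-certificates/extracted
# from the trust-source tree and needs root.
main() {
    _id=$(. /etc/os-release 2>/dev/null; echo "${ID:-}")
    _dir=$(blacklist_dir_for "$_id") || { echo "unsupported distro id: '$_id'" >&2; exit 1; }
    stage_blacklist "$1" "$_dir" || exit 1
    update-ca-trust
}

# Only run main when invoked as a script named blacklist-ca.sh, e.g.
#   sudo ./blacklist-ca.sh bluecoat.pem
case "$0" in
    */blacklist-ca.sh|blacklist-ca.sh) main "$1" ;;
esac
```

After update-ca-trust has run, `trust list --filter=blacklist` (the `trust` tool ships with p11-kit) lists the distrusted certificates, which is a quicker check than opening a browser's certificate manager.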

Firefox and Chromium will now show the certificate as untrusted:

[Screenshot: Chromium's certificate manager showing an untrusted CA]

GnuTLS tools such as gnutls-cli also recognize the blacklisting and will complain that affected certificates have been "revoked".

In theory it should work with OpenSSL as well, as long as the correct CAfile is specified. The existing default, /etc/ssl/certs/, is just a raw list of trusted CAs, but p11-kit also generates /etc/ca-certificates/extracted/, which contains the trust information in OpenSSL's own format. Unfortunately, even when told to use the new CAfile, OpenSSL seems to completely ignore the "rejected purposes" stored within. Oh well. Hopefully that'll get fixed sometime this decade.

Opera's OBML format

A while ago, I came across old backups of my previous phone and the one before it; among them, several dozen of Opera Mini's "saved webpages" in .obml format. The problem is, OBML is an undocumented binary format – it's not recognized by the desktop Opera browser, it's not very portable across devices (the W760i had troubles loading pages saved on the S68), and older format versions aren't even supported by newer Opera Mini releases (I used to keep 3–4 old releases installed for that).

The usual method used by other people to read their old .obml saves was to run the actual Opera Mini client inside MicroEmulator, but it still has the format version problem, and there's no way to export long texts from the emulated app into the host (not even copy & paste). Aside from MicroEmu, the only app I've found that understands the format was OBML Viewer, which does work well, but is still limited to fairly old format versions, it's also Windows-only and closed-source, and Chrome keeps telling me that the website is really shady.

So I ended up writing my own OBML parser – at first only to extract original URLs from the pages, but as some have been taken down by now, I eventually extended it to dump the body text; now it fully converts the OBML files to regular HTML pages, with embedded images, layouts, forms, and everything. (It's not a perfect conversion, as OBML layouts are entirely pixel-positioned and depend on the device's font metrics, but it's probably as close as I could get.)

Along with the parser code, there's some basic documentation on the file structure. There are still a few unknown-purpose chunks and several unrecognized header fields, but it's enough to reproduce the page layout. Right now the parser and format documentation are in my hacks repo, though I'll eventually Git-ify them properly.

