Migrate STI to tmt

Resolves: FC-1842

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -3,3 +3,7 @@ noarch
 clog
 /.*build.log
 /ca-certificates
+certdata.txt.orig
+codesign-release.txt
+microsoft_sign_obj_ca.pem
+

README.openssl

@@ -1,18 +0,0 @@
-This directory /etc/pki/ca-trust/extracted/openssl/ contains 
-CA certificate bundle files which are automatically created
-based on the information found in the
-/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
-directories.
-
-All files are in the BEGIN/END TRUSTED CERTIFICATE file format, 
-as described in the x509(1) manual page.
-
-If your application isn't able to load the PKCS#11 module p11-kit-trust.so,
-then you can use these files in your application to load a list of global
-root CA certificates.
-
-Please never manually edit the files stored in this directory,
-because your changes will be lost and the files automatically overwritten,
-each time the update-ca-trust command gets executed.
-
-Please refer to the update-ca-trust(8) manual page for additional information.

ca-certificates.spec

@@ -1,7 +1,5 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
-%define classic_tls_bundle ca-bundle.crt
-%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -35,11 +33,11 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)
 
-Version: 2023.2.60_v7.0.306
+Version: 2025.2.80_v9.0.304
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 2%{?dist}
-License: Public Domain
+Release: 3%{?dist}
+License: MIT AND GPL-2.0-or-later
 
 URL: https://fedoraproject.org/wiki/CA-Certificates
 
@@ -57,7 +55,6 @@ Source11: README.usr
 Source12: README.etc
 Source13: README.extr
 Source14: README.java
-Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
@@ -66,16 +63,19 @@ Source19: README.etcssl
 BuildArch: noarch
 
 Requires(post): bash
+Requires(post): findutils
 Requires(post): grep
 Requires(post): sed
 Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23
-Requires(post): p11-kit-trust >= 0.23
-Requires: p11-kit >= 0.23
-Requires: p11-kit-trust >= 0.23
+Requires(post): p11-kit >= 0.24
+Requires(post): p11-kit-trust >= 0.24
+Requires: p11-kit >= 0.24
+Requires: p11-kit-trust >= 0.24
+Requires: libffi
+Requires(post): libffi
 
 BuildRequires: perl-interpreter
 BuildRequires: python3
@@ -185,16 +185,14 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
+mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
@@ -206,7 +204,6 @@ install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/REA
 install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT%{catrustdir}/README
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
@@ -238,36 +235,84 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
-chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 
+# Populate %%{catrustdir}/extracted/pem/directory-hash.
+#
+# First direct p11-kit-trust.so to the generated bundle (not the one
+# already present on the build system) with an overriding module
+# config. Note that we have to use a different config path based on
+# the current user: if root, ~/.config/pkcs11/modules/* are not read,
+# while if a regular user, she can't write to /etc.
+if test "$(id -u)" -eq 0; then
+   trust_module_dir=/etc/pkcs11/modules
+else
+   trust_module_dir=$HOME/.config/pkcs11/modules
+fi
+
+mkdir -p "$trust_module_dir"
+
+# It is unlikely that the directory would contain any files on a build system,
+# but let's make sure just in case.
+if [ -n "$(ls -A "$trust_module_dir")" ]; then
+        echo "Directory $trust_module_dir is not empty. Aborting build!"
+        exit 1
+fi
+
+trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
+cat >"$trust_module_config" <<EOF
+module: p11-kit-trust.so
+trust-policy: yes
+x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
+EOF
+
+# Extract the trust anchors to the directory-hash format.
+trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
+              --purpose server-auth \
+              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+
+# Clean up the temporary module config.
+rm -f "$trust_module_config"
+
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
+     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
+     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
+# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
+     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
+
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+
 # /etc/ssl is provided in a Debian compatible form for (bad) code that
 # expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
-ln -s %{catrustdir}/extracted/pem/directory-hash \
+ln -s %{pkidir}/tls/certs \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
 ln -s /etc/pki/tls/openssl.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
 ln -s /etc/pki/tls/ct_log_list.cnf \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
 
+%clean
+/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 -gt 1 ] ; then
+  # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.crt
+  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+  rm -f %{pkidir}/tls/certs/ca-certificates.crt
+  rm -f %{_sysconfdir}/ssl/cert.pem
+
+
   # Upgrade or Downgrade.
   # If the classic filename is a regular file, then we are upgrading
   # from an old package and we will move it to an .rpmsave backup file.
@@ -288,28 +333,6 @@ if [ $1 -gt 1 ] ; then
       fi
     fi
   fi
-
-  if ! test -e %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{classic_tls_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{classic_tls_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}.rpmsave
-      fi
-    fi
-  fi
-
-  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi
 
 
@@ -338,7 +361,8 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
-%files
+# The file .files.txt contains the list of (%ghost )files in the directory-hash
+%files -f .files.txt
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@@ -346,18 +370,16 @@ fi
 %dir %{catrustdir}
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
-%dir %{catrustdir}/source/blacklist
 %dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
-%dir %{catrustdir}/extracted/openssl
 %dir %{catrustdir}/extracted/java
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
-%dir %{_datadir}/pki/ca-trust-source/blacklist
 %dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
+%dir %{catrustdir}/extracted/pem/directory-hash
 
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
@@ -367,21 +389,16 @@ fi
 %{catrustdir}/README
 %{catrustdir}/extracted/README
 %{catrustdir}/extracted/java/README
-%{catrustdir}/extracted/openssl/README
 %{catrustdir}/extracted/pem/README
 %{catrustdir}/extracted/edk2/README
 %{catrustdir}/source/README
 
 # symlinks for old locations
-%{pkidir}/tls/cert.pem
-%{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
 # Hybrid hash directory with bundle file for Debian compatibility
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
 %{_sysconfdir}/ssl/README
-%{_sysconfdir}/ssl/cert.pem
 %{_sysconfdir}/ssl/openssl.cnf
 %{_sysconfdir}/ssl/ct_log_list.cnf
 
@@ -398,12 +415,165 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
-
 %changelog
+*Tue Sep 16 2025 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-3
+- Migrate STI test to tmt
+
+*Tue Aug 26 2025 rhel-developer-toolbox <krenzelok.frantisek@gmail.com> - 2025.2.80_v9.0.304-2
+- Update to CKBI 2.80_v9.0.304 from NSS 3.114
+-    Adding:
+-     # Certificate "TWCA CYBER Root CA"
+-     # Certificate "TWCA Global Root CA G2"
+-     # Certificate "SecureSign Root CA12"
+-     # Certificate "SecureSign Root CA14"
+-     # Certificate "SecureSign Root CA15"
+-     # Certificate "D-TRUST BR Root CA 2 2023"
+-     # Certificate "TrustAsia SMIME ECC Root CA"
+-     # Certificate "TrustAsia SMIME RSA Root CA"
+-     # Certificate "TrustAsia TLS ECC Root CA"
+-     # Certificate "TrustAsia TLS RSA Root CA"
+-     # Certificate "D-TRUST EV Root CA 2 2023"
+-     # Certificate "SwissSign RSA SMIME Root CA 2022 - 1"
+-     # Certificate "SwissSign RSA TLS Root CA 2022 - 1"
+
+* Tue Aug 12 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-8
+- update-ca-trust: Added a temporary, compatibility option `--rhbz2387674` to
+  the `extract` command. This flag restores legacy certificate
+  symlinks (e.g., `/etc/ssl/cert.pem`) to address issues with older software
+  that has not yet adapted to their removal. This essentially provides a
+  temporary way to revert the "Dropping of cert.pem file".
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Wed Jul 9 2025 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-6
+- Change: Dropping of cert.pem file (Resolves: rhbz#2360110)
+  https://fedoraproject.org/wiki/Changes/dropingOfCertPemFile
+- Remove the following symlinks:
+-    # /etc/pki/tls/cert.pem
+-    # /etc/pki/tls/certs/ca-certificates.crt
+-    # /etc/pki/tls/certs/ca-bundle.trust.crt
+-    # /etc/pki/tls/certs/ca-bundle.crt
+-    # /etc/ssl/cert.pem
+-    # /etc/ssl/certs/ca-certificates.crt
+-    # /etc/ssl/certs/ca-bundle.trust.crt
+-    # /etc/ssl/certs/ca-bundle.crt
+- Directory /etc/pki/ca-trust/extracted/openssl is being deprecated,
+  it is removed upon updating unless there are files present inside it.
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.69_v8.0.401-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+*Tue Dec 17 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-4
+- Bring back /etc/pki/tls/certs/ca-certificates.crt
+
+*Fri Sep 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-3
+- Bring back /etc/pki/tls/cert.pem
+
+*Fri Sep 27 2024 Michel Lind <salimma@fedoraproject.org> - 2024.2.69_v8.0.401-2
+- Add missing Requires(post) on findutils for update-ca-trust
+- Fixes: RHBZ#2315320
+
+*Mon Sep 23 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.401-1
+- Update to CKBI 2.69_v8.0.401 from NSS 3.103
+-    Adding:
+-     # Certificate "Sectigo Public Code Signing Root R46"
+-     # Certificate "Sectigo Public Code Signing Root E46"
+
+*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
+- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
+- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
+- update-ca-trust: return warnings on a unsupported argument instead of error
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-5
+- Temporarily generate the directory-hash files in %%install ...(next item)
+- Add list of ghost files from directory-hash to %%files
+
+*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-5
+- Add libffi to required packages
+
+*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-4
+- Remove blacklist use blocklist-only.
+
+* Wed Jul 17 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2024.2.68_v8.0.302-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
+
+*Tue Jun 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-2
+- Update to CKBI 2.68_v8.0.302 from NSS 3.101
+-    Removing:
+-     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
+-     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
+-     # Certificate "Security Communication Root CA"
+-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+-     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
+-     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
+-     # Certificate "TrustCor RootCert CA-1"
+-     # Certificate "TrustCor RootCert CA-2"
+-     # Certificate "TrustCor ECA-1"
+-    Adding:
+-     # Certificate "TrustAsia Global Root CA G3"
+-     # Certificate "TrustAsia Global Root CA G4"
+-     # Certificate "CommScope Public Trust ECC Root-01"
+-     # Certificate "CommScope Public Trust ECC Root-02"
+-     # Certificate "CommScope Public Trust RSA Root-01"
+-     # Certificate "CommScope Public Trust RSA Root-02"
+-     # Certificate "D-Trust SBR Root CA 1 2022"
+-     # Certificate "D-Trust SBR Root CA 2 2022"
+-     # Certificate "Telekom Security SMIME ECC Root 2021"
+-     # Certificate "Telekom Security TLS ECC Root 2020"
+-     # Certificate "Telekom Security SMIME RSA Root 2023"
+-     # Certificate "Telekom Security TLS RSA Root 2023"
+-     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
+-     # Certificate "SECOM Trust.net"
+-     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
+-     # Certificate "SSL.com Code Signing RSA Root CA 2022"
+-     # Certificate "SSL.com Code Signing ECC Root CA 2022"
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
+- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
+
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
+- Skip %post if getopt is missing (recent change made update-ca-trust use it)
+
+*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
+ - Update to CKBI 2.62_v7.0.401 from NSS 3.93
+   Removing: 
+    # Certificate "Camerfirma Chambers of Commerce Root"
+    # Certificate "Hongkong Post Root CA 1"
+    # Certificate "FNMT-RCM"
+   Adding: 
+    # Certificate "LAWtrust Root CA2 (4096)"
+    # Certificate "Sectigo Public Email Protection Root E46"
+    # Certificate "Sectigo Public Email Protection Root R46"
+    # Certificate "Sectigo Public Server Authentication Root E46"
+    # Certificate "Sectigo Public Server Authentication Root R46"
+    # Certificate "SSL.com TLS RSA Root CA 2022"
+    # Certificate "SSL.com TLS ECC Root CA 2022"
+    # Certificate "SSL.com Client ECC Root CA 2022"
+    # Certificate "SSL.com Client RSA Root CA 2022"
+    # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
+    # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
+    # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
+    # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
+    # Certificate "Chambers of Commerce Root"
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
+- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
+
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
+- update License: field to SPDX
+
 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
 -    Removing:

fetch.sh

@@ -94,6 +94,21 @@ if [ `basename ${cwd}` = rawhide ]; then
 else
     release="1.0"
 fi
+
+
+# fetch the codesigning certs now so we can get
+# the code signing version number
+if [ ${skip_signed_obj} -eq 0 ]; then
+   ./fetch_objsign.sh
+   if [ -f codesign-release.txt ]; then
+      mcs_version=$(cat codesign-release.txt)
+      if [[ $ms_version != "unknown" ]]; then
+          ckbi_version="${ckbi_version}_${mcs_version}"
+      fi
+      signobjects="and Microsoft Signed Objects version $ms_version"
+   fi
+fi
+
 version=${year}.${ckbi_version}
 
 #make sure the the current version is newer than what is already there
@@ -113,13 +128,15 @@ if [ $? -ne 0 ]; then
    exit 1;
 fi
 
+# merge the signing certs into the normal certdata.txt file.
 if [ ${skip_signed_obj} -eq 0 ]; then
-   ./fetch_objsign.sh
+   cp certdata.txt certdata.txt.orig
+   python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER"
 fi
 
 # Verify everything is good with the user
 echo -e "Upgrading ${current_version} -> ${version}:"
-echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}"
 ./check_certs.sh
 echo ""
 

fetch_objsign.sh

@@ -3,16 +3,62 @@
 # This script fetches the object signing list from the Microsoft list. It then
 # mergest that list into the fetched certdata.txt.
 #
-baseurl="https://ccadb-public.secure.force.com/microsoft/IncludedRootsPEMTxtForMSFT?TrustBitsInclude=Code%20Signing"
-target="microsoft_code_siging.pem"
+giturl="https://github.com/dotnet/sdk"
+gitrawurl="https://raw.githubusercontent.com/dotnet/sdk"
+release="latest"
+treedir="src/Layout/redist/trustedroots/codesignctl.pem"
+target="microsoft_sign_obj_ca.pem"
 certdata="./certdata.txt"
+baseurl=""
 merge=1
 diff=0
+
+function getlatest
+{
+    local url=$1
+    local latest="0"
+    local tags=($(git ls-remote --tags ${url}))
+    for tag in "${tags[@]}"
+    do
+        if [[ ! ${tag} =~ refs/.* ]];  then
+            continue # skip hashes
+        fi
+        if [[ ${tag} =~ .*preview.* ]];  then
+            continue # skip preview tags, we only want release tags
+        fi
+        if [[ ${tag} =~ .*rc.* ]];  then
+            continue # skip release candidate tags, we only want release tags
+        fi
+        if [[ ${latest} < ${tag} ]]; then
+            latest=$tag
+        fi
+    done
+    latest=${latest##refs/tags/}
+    echo $latest
+}
+
 while [ -n "$1" ]; do
    case $1 in
+   "-g")
+        shift
+	giturl=$1
+	;;
+   "-r")
+        shift
+	gitrawurl=$1
+	;;
+   "-t")
+        shift
+	treedir=$1
+	;;
+   "-r")
+        shift
+	release=$1
+	;;
    "-u")
         shift
 	baseurl=$1
+        release="unknown"
 	;;
    "-o")
         shift
@@ -26,11 +72,16 @@ while [ -n "$1" ]; do
         merge=0
         ;;
    "-d")
+        shift
         diff=1
         difffile=$1
         ;;
     *)
 	echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]"
+	echo "-g URL      git URL to fetch code signing list"
+	echo "-r URL      raw git URL to fetch code signing list"
+	echo "-t URL      git tree directory to fetch code signing list"
+	echo "-r release  code signing list release version"
 	echo "-u URL      base URL to fetch code signing list"
 	echo "-o target   name of the codesigning target"
 	echo "-c certdata patch to certdata.txt to merge with"
@@ -42,6 +93,17 @@ while [ -n "$1" ]; do
     shift
 done
 
+if [ "${release}" = "latest" ]; then
+     release=$(getlatest ${giturl} )
+fi
+
+if [ "${baseurl}" = "" ]; then
+     baseurl="${gitrawurl}/${release}/${treedir}"
+fi
+
+echo $release > "./codesign-release.txt"
+
+echo "Fetching release=${release}, ${target} from ${baseurl}"
 
 wget ${baseurl} -O ${target}
 
@@ -53,7 +115,6 @@ out=${certdata}
 if [ ${diff} -eq 1 ]; then
    out=${certdata}.out
 fi
-
 python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate"
 
 if [ ${diff} -eq 1 ]; then

mergepem2certdata.py

@@ -30,7 +30,7 @@ import subprocess
 import getopt
 import asn1
 from cryptography import x509
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 from datetime import datetime
 from dateutil.parser import parse
 
@@ -118,6 +118,40 @@ def isDistrusted(obj) :
         return False
     return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
 
+
+def stripQuotes(label) :
+    if label[:1] == "\"" :
+        label=label[1:]
+    if label[-1] == "\"" :
+        label = label[:-1]
+    return label
+
+# another object of the same class has the same label
+def labelExists(objlist, obj) :
+    for iobj in objlist:
+        if obj['CKA_CLASS'] == iobj['CKA_CLASS'] and obj['CKA_LABEL'] == iobj['CKA_LABEL']:
+            return True
+    return False
+
+# add an object, make sure that label is unique
+def addObj(objlist, newObj, specialLabel, drop) :
+    label = stripQuotes(newObj['CKA_LABEL'])
+    count=1
+    if specialLabel != None :
+        count=0
+        label=label+' '+specialLabel
+    # make sure the label is unique
+    while labelExists(objlist, newObj) :
+        if drop :
+            return 'DROPPED'
+        if count != 0 :
+            newObj['CKA_LABEL'] = "\"%s %d\""%(label,count)
+        else :
+            newObj['CKA_LABEL'] = "\"%s\""%label
+        count=count+1
+    objlist.append(obj)
+    return stripQuotes(newObj['CKA_LABEL'])
+
 try:
     opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
 except getopt.GetoptError as err:
@@ -146,11 +180,13 @@ for opt, arg in opts:
         dateString = arg
 
 # parse dateString
+print ("datastring=",dateString)
 verifyDate = True
 if dateString.upper() == "NEVER":
    verifyDate = False
 else:
    date = getdate(dateString)
+print ("verifyDate=",verifyDate)
 
 
 # read the pem file
@@ -193,7 +229,7 @@ for line in open(certdata, 'r'):
         # collect all the inline comments in this object
         obj['Comment'] += comment
         comment = ""
-        objects.append(obj)
+        addObj(objects, obj, None, False)
         obj = dict()
         in_obj = False
         continue
@@ -232,14 +268,15 @@ for line in open(certdata, 'r'):
         binval = bytearray()
         continue
     obj[field] = value
+
 if len(list(obj.items())) > 0:
-    objects.append(obj)
+    addObj(objects, obj, None, False)
 
 # strip out expired certificates from certdata.txt
 if verifyDate :
     for obj in objects:
         if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
-            cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
             if (cert.not_valid_after <= date) :
                 trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
                 # we don't remove distrusted expired certificates
@@ -265,11 +302,12 @@ for certval in pemcerts:
                 label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
             except:
                 label="Unknown Certificate"
-    if cert.not_valid_after <= date:
-        print("  Skipping code signing cert %s"%label)
-        print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
-        print("     Prune time %s: "%date.strftime("%m/%d/%Y"))
-        continue
+    if verifyDate :
+        if cert.not_valid_after <= date:
+            print("  Skipping code signing cert %s"%label)
+            print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
+            print("     Prune time %s: "%date.strftime("%m/%d/%Y"))
+            continue
     certhashsha1 = cert.fingerprint(hashes.SHA1())
     certhashmd5 =  cert.fingerprint(hashes.MD5())
     
@@ -292,6 +330,32 @@ for certval in pemcerts:
         break
     if  found :
         continue
+
+    # check for almost duplicates, certs with the same subject and key, but
+    # different values. If they exist, treat them as the same certificate
+    for obj in objects:
+        if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+            continue
+        # do they have the same subject?
+        if obj['CKA_SUBJECT'] != cert.subject.public_bytes():
+            continue
+        # do they have the same public key?
+        cert2 = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+        if cert2.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) != cert.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) :
+            continue
+        #found now update trust record
+        trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
+        if trust_obj is None :
+            print('Couldn\'t find trust object for "'+obj['CKA_LABEL']);
+            exit
+        trust_obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
+        found = True
+        print('Updating sister certificate "'+obj['CKA_LABEL']+'" with code signing based on Microsoft "'+label+'"');
+        break
+        if found :
+            break
+    if  found :
+        continue
     # append this certificate
     obj=dict()
     time='%a %b %d %H:%M:%S %Y'
@@ -323,7 +387,9 @@ for certval in pemcerts:
     obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'
     obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'
     obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'
-    objects.append(obj)
+    label = addObj(objects, obj, 'CodeSigning', True)
+    if label == 'DROPPED' :
+        continue
 
     # append the trust values
     obj=dict()
@@ -343,7 +409,7 @@ for certval in pemcerts:
        else:
           obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
     obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
-    objects.append(obj)
+    label = addObj(objects, obj, 'CodeSigning', True)
     print('Adding code signing cert "'+label+'"');
 
 # now dump the results

nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
-#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 80
+#define NSS_BUILTINS_LIBRARY_VERSION "2.80"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

plans/smoke.fmf

@@ -0,0 +1,4 @@
+ discover:
+     how: fmf
+ execute:
+     how: tmt

tests/smoke-test/Makefile

@@ -1,64 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/ca-certificates/Sanity/smoke-test
-#   Description: Check presence of Verisign root.
-#   Author: Ondrej Moris <omoris@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2010 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/ca-certificates/Sanity/smoke-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Ondrej Moris <omoris@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     Check presence of Verisign root." >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        5m" >> $(METADATA)
-	@echo "RunFor:          ca-certificates" >> $(METADATA)
-	@echo "Requires:        ca-certificates" >> $(METADATA)
-	@echo "Requires:        wget" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/smoke-test/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/ca-certificates/Sanity/smoke-test
-Description: Check presence of Verisign root.
-Author: Ondrej Moris <omoris@redhat.com>

tests/smoke-test/main.fmf

@@ -0,0 +1,5 @@
+summary: Check presence of Verisign root.
+test: bash ./runtest.sh
+framework: beakerlib
+recommend:
+  - beakerlib

tests/smoke-test/runtest.sh

@@ -27,7 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include rhts environment
-. /usr/lib/beakerlib/beakerlib.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="ca-certificates"
 

tests/tests.yml

@@ -1,13 +0,0 @@
----
-# This first play always runs on the local staging system
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - atomic
-    - classic
-    - container
-    tests:
-    - smoke-test
-    required_packages:
-    - findutils         # beakerlib needs find command

update-ca-trust

@@ -1,31 +1,183 @@
 #!/bin/sh
 
 #set -vx
+set -eu
 
-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
+# For backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
 # files in $DEST.
 
 DEST=/etc/pki/ca-trust/extracted
+DEST_CERTS=/etc/pki/tls/certs
 
 # Prevent p11-kit from reading user configuration files.
 export P11_KIT_NO_USER_CONFIG=1
 
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
-# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
-# by GnuTLS)
-/usr/bin/p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/directory-hash
-# Debian compatibility: their /etc/ssl/certs has this bundle
-/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-certificates.crt
-# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
-# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
-/usr/bin/ln -s ../tls-ca-bundle.pem $DEST/pem/directory-hash/ca-bundle.crt
+usage() {
+	fold -s -w 76 >&2 <<-EOF
+		Usage: $0 [extract] [-o DIR|--output DIR]
 
+		Update the system trust store in $DEST.
+
+		COMMANDS
+		(absent/empty command): Same as the extract command without arguments.
+
+		extract: Instruct update-ca-trust to scan the source configuration in
+		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
+		updated versions of the consolidated configuration files stored below
+		the $DEST directory hierarchy.
+
+		EXTRACT OPTIONS
+		-o DIR, --output DIR: Write the extracted trust store into the given
+		directory instead of updating $DEST. (Note: This option will not
+		populate the ../pki/tls/certs with the directory-hash symbolic links.)
+
+		--rhbz2387674: A temporary compatibility option that restores several
+		legacy certificate-bundle symlinks (e.g., /etc/ssl/cert.pem) to
+		address issues with older software.
+		These symlinks will be removed on ca-certificate updates or reinstalls,
+		so you'll have to re-run this command after ca-certificates updates if
+		the issue is still not fixed.
+		WARNING: Do not use in automation or build scripts. This flag
+		is going to be removed in a future release, and any scripts relying on
+		it will inevitably break!
+	EOF
+}
+
+rhbz2387674_msg() {
+	fold -s -w 76 >&2 <<-EOF
+	----------------------------------------------------------------------------
+	** DEPRECATION WARNING **
+	----------------------------------------------------------------------------
+	The option --rhbz2387674 is a temporary workaround and will be removed in a
+	future release. Please do not use it in build scripts or automation.
+
+	----------------------------------------------------------------------------
+	** ACTION REQUIRED **
+	----------------------------------------------------------------------------
+	To ensure the affected package works correctly in the future, a bug report must
+	be filed.
+
+	1.  Check if a bug already exists for the affected package: https://bugzilla.redhat.com/buglist.cgi?component=ca-certificates&product=Fedora&short_desc=droppingOfCertPemFile%20package%3A&short_desc_type=allwordssubstr
+
+	2.  If no bug exists, please file a new one using this template: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=ca-certificates&version=rawhide&short_desc=droppingOfCertPemFile+package:+<<package_name>>+is+affected
+
+	Thank you for helping improve Fedora.
+	EOF
+}
+
+extract() {
+	USER_DEST=
+	compat=
+
+        # can't use getopt here. ca-certificates can't depend on a lot
+        # of other libraries since openssl depends on ca-certificates
+        # just fail when we hand parse
+
+        while [ $# -ne 0 ]; do
+	    case "$1" in
+		"-o"|"--output")
+		  if [ $# -lt 2 ]; then
+			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
+			  echo >&2
+			  exit 1
+		  fi
+	          USER_DEST=$2
+		  shift 2
+		  continue
+		  ;;
+		"--rhbz2387674")
+		  compat="true"
+		  shift
+		  continue
+		  ;;
+		"--")
+		  shift
+		  break
+		  ;;
+		*)
+		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
+		  exit 1
+		  ;;
+	    esac
+	done
+
+	if [[ "$compat" = "true" && -n "$USER_DEST" ]]; then
+		echo "Error: arguments '-o DIR|--output DIR' and '--rhbz2387674' can't be used together"
+		exit 1
+	
+	fi
+
+	if [ -n "$USER_DEST" ]; then
+		DEST=$USER_DEST
+	        # Attempt to create the directories if they do not exist
+                # yet (rhbz#2241240)
+	        /usr/bin/mkdir -p \
+		    "$DEST"/openssl \
+		    "$DEST"/pem \
+		    "$DEST"/java \
+		    "$DEST"/edk2
+	fi
+
+
+	# Delete all directory hash symlinks from the cert directory
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST_CERTS" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
+	fi
+
+	# OpenSSL PEM bundle that includes trust flags
+	# (BEGIN TRUSTED CERTIFICATE)
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
+	# by GnuTLS)
+	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+
+
+	if [ -n "$compat" ]; then
+		# print warning message
+		rhbz2387674_msg
+
+		# bring back bundle in openssl trust format
+		/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST_CERTS/ca-bundle.trust.crt"
+
+		# create symlinks to /etc/pki/tls/..
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/../cert.pem"
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-certificates.crt"
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "$DEST_CERTS/ca-bundle.crt"
+
+		# create symlinks to /etc/ssl/ the certs folder is already sym-linked
+		ln -sf "$DEST/pem/tls-ca-bundle.pem" "/etc/ssl/cert.pem"
+	fi
+
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
+			target=$(readlink -f "$link")
+			new_link="$DEST_CERTS/$(basename "$link")"
+			ln -s "$target" "$new_link"
+		done
+	fi
+}
+if [ $# -lt 1 ]; then
+    set -- extract
+fi
+
+case "$1" in
+	"extract")
+		shift
+		extract "$@"
+	;;
+	"--help")
+		usage
+		exit 0
+	;;
+	*)
+		echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		exit 1
+	;;
+esac

update-ca-trust.8.txt

@@ -27,7 +27,7 @@ certificates and associated trust
 
 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
 
 
 DESCRIPTION
@@ -214,26 +214,27 @@ server authentication.
 
 COMMANDS
 --------
-(absent/empty command)::
-    Same as the *extract* command described below. (However, the command may
-    print fewer warnings, as this command is being run during rpm package 
-    installation, where non-fatal status output is undesired.)
+(absent/empty command)
+~~~~~~~~~~~~~~~~~~~~~~
+Same as the *extract* command described below. (However, the command may print
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)
 
-*extract*::
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
-    updated versions of the consolidated configuration files stored below
-    the /etc/pki/ca-trust/extracted directory hierarchy.
+extract
+~~~~~~~
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
+the /etc/pki/ca-trust/extracted directory hierarchy.
+
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+	Write the extracted trust store into the given directory instead of
+	updating /etc/pki/ca-trust/extracted. (Note: This option will not
+	populate the ../pki/tls/certs with the directory-hash symbolic links.)
 
 FILES
 -----
-/etc/pki/tls/certs/ca-bundle.crt::
-	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the simple BEGIN/END CERTIFICATE file format, without distrust information.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-
-/etc/pki/tls/certs/ca-bundle.trust.crt::
-	Classic filename, file contains a list of CA certificates in the extended BEGIN/END TRUSTED CERTIFICATE file format, which includes trust (and/or distrust) flags specific to certificate usage.
-	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
-
 /etc/pki/java/cacerts::
 	Classic filename, file contains a list of CA certificates trusted for TLS server authentication usage, in the Java keystore file format, without distrust information.
 	This file is a symbolic link that refers to the consolidated output created by the update-ca-trust command.
@@ -249,6 +250,27 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
+/etc/pki/tls/certs::
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command, they are inteded as a internal format for OpenSSL and not to be used directly by the other crypto libraries or applications.
+
+LEGACY FILES
+------------
+The following file paths were used in legacy versions of the utility
+and have since been replaced. Scripts and configurations referencing
+these old paths should be updated.
+
+/etc/pki/cert.pem::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-certificates.crt::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-bundle.crt::
+    This file has been replaced by /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem.
+
+/etc/pki/tls/certs/ca-bundle.trust.crt::
+    This has been replaced by the directory-hash format certificates stored in /etc/pki/ca-trust/extracted/pem/directory-hash/ directory.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.