Compare commits
4 commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
5ab98366b9 | ||
|
|
8f519c239e | ||
|
|
161e288f0d | ||
|
93f12f7d1d |
6 changed files with 2561 additions and 1835 deletions
|
|
@ -35,10 +35,10 @@ Name: ca-certificates
|
|||
# to have increasing version numbers. However, the new scheme will work,
|
||||
# because all future versions will start with 2013 or larger.)
|
||||
|
||||
Version: 2018.2.26
|
||||
Version: 2020.2.40
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 3%{?dist}
|
||||
Release: 1.1%{?dist}
|
||||
License: Public Domain
|
||||
|
||||
URL: https://fedoraproject.org/wiki/CA-Certificates
|
||||
|
|
@ -71,10 +71,10 @@ Requires(post): coreutils
|
|||
Requires: bash
|
||||
Requires: grep
|
||||
Requires: sed
|
||||
Requires(post): p11-kit >= 0.23.10
|
||||
Requires(post): p11-kit-trust >= 0.23.10
|
||||
Requires: p11-kit >= 0.23.10
|
||||
Requires: p11-kit-trust >= 0.23.10
|
||||
Requires(post): p11-kit >= 0.23.19
|
||||
Requires(post): p11-kit-trust >= 0.23.19
|
||||
Requires: p11-kit >= 0.23.19
|
||||
Requires: p11-kit-trust >= 0.23.19
|
||||
|
||||
BuildRequires: perl-interpreter
|
||||
BuildRequires: python3
|
||||
|
|
@ -369,6 +369,44 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-1.1
|
||||
- Update versioned dependency on p11-kit
|
||||
|
||||
*Thu Jan 23 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-1.0
|
||||
- Update to CKBI 2.40 from NSS 3.48
|
||||
- Removing:
|
||||
- # Certificate "UTN USERFirst Email Root CA"
|
||||
- # Certificate "Certplus Class 2 Primary CA"
|
||||
- # Certificate "Deutsche Telekom Root CA 2"
|
||||
- # Certificate "Swisscom Root CA 2"
|
||||
- # Certificate "Certinomis - Root CA"
|
||||
- Adding:
|
||||
- # Certificate "Entrust Root Certification Authority - G4"
|
||||
|
||||
*Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-1.0
|
||||
- Update to CKBI 2.32 from NSS 3.44
|
||||
Removing:
|
||||
# Certificate "Visa eCommerce Root"
|
||||
# Certificate "AC Raiz Certicamara S.A."
|
||||
# Certificate "Certplus Root CA G1"
|
||||
# Certificate "Certplus Root CA G2"
|
||||
# Certificate "OpenTrust Root CA G1"
|
||||
# Certificate "OpenTrust Root CA G2"
|
||||
# Certificate "OpenTrust Root CA G3"
|
||||
Adding:
|
||||
# Certificate "GTS Root R1"
|
||||
# Certificate "GTS Root R2"
|
||||
# Certificate "GTS Root R3"
|
||||
# Certificate "GTS Root R4"
|
||||
# Certificate "UCA Global G2 Root"
|
||||
# Certificate "UCA Extended Validation Root"
|
||||
# Certificate "Certigna Root CA"
|
||||
# Certificate "emSign Root CA - G1"
|
||||
# Certificate "emSign ECC Root CA - G3"
|
||||
# Certificate "emSign Root CA - C1"
|
||||
# Certificate "emSign ECC Root CA - C3"
|
||||
# Certificate "Hongkong Post Root CA 3"
|
||||
|
||||
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
|
||||
|
||||
|
|
|
|||
4048
certdata.txt
4048
certdata.txt
File diff suppressed because it is too large
Load diff
|
|
@ -177,6 +177,11 @@ openssl_trust = {
|
|||
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
|
||||
}
|
||||
|
||||
cert_distrust_types = {
|
||||
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
|
||||
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
|
||||
}
|
||||
|
||||
for tobj in objects:
|
||||
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
|
||||
key = tobj['CKA_LABEL'] + printable_serial(tobj)
|
||||
|
|
@ -369,6 +374,16 @@ for tobj in objects:
|
|||
f.write("nss-mozilla-ca-policy: true\n")
|
||||
f.write("modifiable: false\n");
|
||||
|
||||
# requires p11-kit >= 0.23.19
|
||||
for t in list(cert_distrust_types.keys()):
|
||||
if t in obj:
|
||||
value = obj[t]
|
||||
if value == 'CK_FALSE':
|
||||
value = bytearray(1)
|
||||
f.write(cert_distrust_types[t] + ": \"")
|
||||
f.write(urllib.parse.quote(value));
|
||||
f.write("\"\n")
|
||||
|
||||
f.write("-----BEGIN CERTIFICATE-----\n")
|
||||
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
|
||||
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
|
||||
|
|
|
|||
118
check_certs.sh
Executable file
118
check_certs.sh
Executable file
|
|
@ -0,0 +1,118 @@
|
|||
#!/bin/perl
|
||||
|
||||
sub adjust {
|
||||
my $newLine = $_[0];
|
||||
my @neg = @{$_[1]};
|
||||
my @pos = @{$_[2]};
|
||||
my $found = 0;
|
||||
my @newneg = ();
|
||||
|
||||
foreach my $cline (@neg) {
|
||||
if ($cline eq $newLine) {
|
||||
$found = 1;
|
||||
} else {
|
||||
push(@newneg ,$cline );
|
||||
}
|
||||
}
|
||||
if (! $found ) {
|
||||
push(@pos, $newLine);
|
||||
}
|
||||
@neg=@newneg;
|
||||
}
|
||||
|
||||
sub removeLine {
|
||||
my $newLine = $_[0];
|
||||
my @neg = @{$_[1]};
|
||||
my $found = 0;
|
||||
my @newneg = ();
|
||||
|
||||
foreach my $cline (@neg) {
|
||||
if ($found) {
|
||||
push(@newneg ,$cline );
|
||||
} elsif ($cline eq $newLine) {
|
||||
$found = 1;
|
||||
} else {
|
||||
push(@newneg ,$cline );
|
||||
}
|
||||
}
|
||||
return @newneg;
|
||||
}
|
||||
|
||||
sub filter {
|
||||
my @list = @{$_[0]};
|
||||
my $string = $_[1];
|
||||
my @filteredList = ();
|
||||
foreach my $cline (@list) {
|
||||
if ($cline =~ m/$string/) {
|
||||
push(@filteredList ,$cline );
|
||||
}
|
||||
}
|
||||
return @filteredList;
|
||||
}
|
||||
|
||||
sub lineExists {
|
||||
my $newLine = $_[0];
|
||||
my @neg = @{$_[1]};
|
||||
|
||||
foreach my $cline (@neg) {
|
||||
if ($cline eq $newLine) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
sub lineExists {
|
||||
my $newLine = $_[0];
|
||||
my @neg = @{$_[1]};
|
||||
|
||||
foreach my $cline (@neg) {
|
||||
if ($cline eq $newLine) {
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
sub printeach {
|
||||
my @args = @{$_[0]};
|
||||
foreach my $arg (@args) {
|
||||
chomp $arg;
|
||||
print " $arg\n";
|
||||
}
|
||||
}
|
||||
|
||||
open my $handle, "git diff certdata.txt|";
|
||||
my @diff_lines = <$handle>;
|
||||
close $handle;
|
||||
my @adds = ();
|
||||
my @subs = ();
|
||||
foreach my $line (@diff_lines) {
|
||||
$type = substr $line,0,1;
|
||||
$lline = substr $line,1;
|
||||
if ($type eq "+") {
|
||||
if (lineExists($lline, \@subs)) {
|
||||
@subs = removeLine($lline,\@subs);
|
||||
} else {
|
||||
push(@adds, $lline);
|
||||
}
|
||||
};
|
||||
if ($type eq "-") {
|
||||
if (lineExists($lline, \@adds)) {
|
||||
@adds = removeLine($lline,\@adds);
|
||||
} else {
|
||||
push(@subs, $lline);
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
my @tmp = filter(\@subs, "# Certificate");
|
||||
if (@tmp) {
|
||||
print " Removing: \n";
|
||||
printeach(\@tmp);
|
||||
}
|
||||
my @tmp = filter(\@adds, "# Certificate");
|
||||
if (@tmp) {
|
||||
print " Adding: \n";
|
||||
printeach(\@tmp);
|
||||
}
|
||||
161
fetch.sh
161
fetch.sh
|
|
@ -1,4 +1,159 @@
|
|||
#!/bin/sh
|
||||
exec cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot \
|
||||
co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt \
|
||||
> certdata.txt
|
||||
#
|
||||
# This script fetches the latest released certdata.txt and updates the
|
||||
# ca-certificates.spec file
|
||||
#
|
||||
baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
|
||||
force=0
|
||||
release_type="RTM"
|
||||
release="3_43"
|
||||
while [ -n "$1" ]; do
|
||||
case $1 in
|
||||
"-d")
|
||||
baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
|
||||
;;
|
||||
-t*)
|
||||
release_type=`echo $1 | sed -e 's;-t;;'`
|
||||
if [ "${release_type}" = "" ]; then
|
||||
shift
|
||||
release_type=$1
|
||||
fi
|
||||
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
|
||||
;;
|
||||
-n*)
|
||||
release=`echo $1 | sed -e 's;-n;;'`
|
||||
if [ "${release}" = "" ]; then
|
||||
shift
|
||||
release=$1
|
||||
fi
|
||||
release=`echo ${release} | sed -e 's;\\.;_;g'`
|
||||
baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
|
||||
;;
|
||||
"-f")
|
||||
force=1
|
||||
;;
|
||||
*)
|
||||
echo "usage: $0 [-r] [-n release] [-f]"
|
||||
echo "-d use the development tip rather than the latest release"
|
||||
echo "-n release fetch a specific nss release"
|
||||
echo "-f skip the verify check"
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
shift
|
||||
done
|
||||
|
||||
# get the current certdata version number
|
||||
# nss version number
|
||||
# user making the change
|
||||
# email of user
|
||||
#
|
||||
# versions from the latest nss code in mozilla
|
||||
echo "Getting CKBI version number"
|
||||
ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
|
||||
if [ "${ckbi_version}" = "" ]; then
|
||||
echo "Didn't find ckbi version from ${baseurl}"
|
||||
exit 1;
|
||||
fi
|
||||
echo "Getting NSS version number"
|
||||
nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
|
||||
if [ "${nss_version}" = "" ]; then
|
||||
echo "Didn't find nss version from ${baseurl}"
|
||||
exit 1;
|
||||
fi
|
||||
# date from the current system date on this machine
|
||||
echo "Creating change log"
|
||||
export LANG=C
|
||||
year=`date +%Y`
|
||||
log_date=`date +"%a %b %d %Y"`
|
||||
# user name from the environment, fallback to git, fallback to the current user
|
||||
username=`whoami`
|
||||
name=${NAME}
|
||||
if [ "${name}" = "" ]; then
|
||||
name=`git config user.name`
|
||||
fi
|
||||
if [ "${name}" = "" ]; then
|
||||
name=`getent passwd $username`
|
||||
fi
|
||||
email=${EMAIL}
|
||||
if [ "${email}" = "" ]; then
|
||||
email=`git config user.email`
|
||||
fi
|
||||
if [ "${email}" = "" ]; then
|
||||
email=$username@`hostname`
|
||||
fi
|
||||
# rawhide >=2, branches 1.x
|
||||
cwd=$(pwd)
|
||||
if [ `basename ${cwd}` = master ]; then
|
||||
release="2"
|
||||
else
|
||||
release="1.0"
|
||||
fi
|
||||
version=${year}.${ckbi_version}
|
||||
|
||||
#make sure the the current version is newer than what is already there
|
||||
current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
|
||||
if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
|
||||
echo "Can't downgrade current version: ${current_version} new version: ${version}"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# now get our new certdata.txt
|
||||
echo "Fetching new certdata.txt"
|
||||
wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
|
||||
if [ $? -ne 0 ]; then
|
||||
echo fetching certdata.text from ${baseurl} failed!
|
||||
echo " To restore the old certdata.txt use:"
|
||||
echo " git checkout -- certdata.txt"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
# Verify everything is good with the user
|
||||
echo -e "Upgrading ${current_version} -> ${version}:"
|
||||
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
|
||||
./check_certs.sh
|
||||
echo ""
|
||||
|
||||
yn=""
|
||||
if [ ! ${force} ]; then
|
||||
echo -n "Do you want to continue (Y/N default Y)? "
|
||||
read yn
|
||||
echo ""
|
||||
fi
|
||||
if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
|
||||
echo "Skipping ca-certificate.spec upgrade."
|
||||
echo " NOTE: certdata.txt has been upgraded."
|
||||
echo " To restore the old certdata.txt use:"
|
||||
echo " git checkout -- certdata.txt"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
echo "Updating .spec file"
|
||||
cat ca-certificates.spec | while IFS= read -r line
|
||||
do
|
||||
echo $line | grep "^Version: " 1>&2
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Version: ${version}"
|
||||
echo "New Version: ${version}" 1>&2
|
||||
continue
|
||||
fi
|
||||
echo $line | grep "^Release: " 1>&2
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "Release: ${release}%{?dist}"
|
||||
echo "New Release: ${release}%{?dist}" 1>&2
|
||||
continue
|
||||
fi
|
||||
echo $line | grep "^%changelog" 1>&2
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "$line"
|
||||
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
|
||||
echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}" 1>&2
|
||||
./check_certs.sh
|
||||
echo ""
|
||||
continue
|
||||
fi
|
||||
echo "$line"
|
||||
done > /tmp/ca-certificates.spec.$$
|
||||
mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
|
||||
git status
|
||||
exit 0
|
||||
|
|
|
|||
|
|
@ -46,8 +46,8 @@
|
|||
* It's recommend to switch back to 0 after having reached version 98/99.
|
||||
*/
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 26
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.26"
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 40
|
||||
#define NSS_BUILTINS_LIBRARY_VERSION "2.40"
|
||||
|
||||
/* These version numbers detail the semantic changes to the ckfw engine. */
|
||||
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue