- update to 2.72:
Removed: - SecureSign RootCA11 - Security Communication RootCA3 Added: - TWCA CYBER Root CA - TWCA Global Root CA G2 - SecureSign Root CA12 - SecureSign Root CA14 - SecureSign Root CA15 - fix mozila typo in installed files intermediate root chains now with openssl 1.0.2 and also gnutls 3.5 - split out the CA root certificates from the openssl certs subpackage into a package of its own. OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=152
commit
3bb4e89a8b
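--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text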
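--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc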
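--- a/_multibuild
+++ b/_multibuild
@@ -0,0 +1,4 @@
+<multibuild>
+<package>ca-certificates-mozilla-prebuilt</package>
+</multibuild>
+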
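--- a/ca-certificates-mozilla-prebuilt.changes
+++ b/ca-certificates-mozilla-prebuilt.changes
@@ -0,0 +1,23 @@
+-------------------------------------------------------------------
+Thu Aug 8 12:16:30 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
+
+- Re-create java-cacerts with SOURCE_DATE_EPOCH set
+for reproducible builds (boo#1229003)
+
+-------------------------------------------------------------------
+Tue Apr 11 14:05:12 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Also mark /usr/share/factory/var/lib/ca-certificates/ as writable
+by the user during install: allow rpm to properly execute %clean
+when completed.
+
+-------------------------------------------------------------------
+Tue Aug 30 10:23:35 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Create /var/lib/ca-certificates during build to ensure rpm gives
+the %ghost'ed directory proper mode attributes.
+
+-------------------------------------------------------------------
+Mon Oct 4 14:38:44 UTC 2021 - Ludwig Nussel <lnussel@suse.de>
+
+- new package for minimal base containers (jsc#SLE-22162)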
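--- a/ca-certificates-mozilla-prebuilt.spec
+++ b/ca-certificates-mozilla-prebuilt.spec
@@ -0,0 +1,92 @@
+#
+# spec file for package ca-certificates-mozilla-prebuilt
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: ca-certificates-mozilla-prebuilt
+Version: %(rpm -q --qf %{version} ca-certificates-mozilla)
+Release: 0
+Summary: Pre-built CA certificates for OpenSSL
+License: MPL-2.0
+Group: Productivity/Networking/Security
+URL: https://www.mozilla.org
+BuildRequires: ca-certificates-mozilla
+BuildArch: noarch
+Requires(post): /bin/cp
+
+%description
+This package contains a static set of CA root certificates for
+OpenSSL extracted from MozillaFirefox for use in containers. The
+package pre-fills /var/lib/ca-certificates with a static set of
+certificates if /var/lib/ca-certificates does not exist yet.
+
+Therefore an upgrade of this package will NOT update the list of
+root CA certificates in the system.
+
+It it not possible to configure additional root CA certificates
+using this package.
+
+The package is only intended for use in containers that want to
+avoid installing p11-kit.
+
+For all other use cases please install the
+"ca-certificates-mozilla" package.
+
+%prep
+%setup -qcT
+
+%build
+cp /usr/share/licenses/ca-certificates-mozilla/COPYING .
+
+%install
+mkdir -p %{buildroot}/etc/ssl
+mkdir -p %{buildroot}/var/lib/ca-certificates
+ln -s /var/lib/ca-certificates/pem %{buildroot}/etc/ssl/certs
+ln -s /var/lib/ca-certificates/ca-bundle.pem %{buildroot}/etc/ssl/ca-bundle.pem
+mkdir -p %{buildroot}/usr/share/factory/var/lib
+cp -a /var/lib/ca-certificates %{buildroot}/usr/share/factory/var/lib
+cadir=%{buildroot}/usr/share/factory/var/lib/ca-certificates
+chmod 755 $cadir
+# re-create java-cacerts with SOURCE_DATE_EPOCH set for reproducible builds (boo#1229003)
+trust extract --format=java-cacerts --purpose=server-auth --filter=ca-anchors --overwrite $cadir/java-cacerts
+# need rpm needs to be able to delete the buildroot
+chmod u+w %{buildroot}/usr/share/factory/var/lib/ca-certificates{,/*}
+mkdir -p %{buildroot}%{_tmpfilesdir}
+echo "C /var/lib/ca-certificates" > %{buildroot}%{_tmpfilesdir}/%{name}.conf
+
+%post
+if [ -z "${TRANSACTIONAL_UPDATE}" ]; then
+if [ -x /usr/bin/systemd-tmpfiles ]; then
+/usr/bin/systemd-tmpfiles --create %{_tmpfilesdir}/ca-certificates-mozilla-prebuilt.conf || :
+elif [ -x /bin/cp ] && [ ! -e /var/lib/ca-certificates ]; then
+/bin/cp -as /usr/share/factory/var/lib/ca-certificates /var/lib || :
+fi
+fi
+
+%files
+%license COPYING
+/etc/ssl/ca-bundle.pem
+/etc/ssl/certs
+%{_tmpfilesdir}/%{name}.conf
+/usr/share/factory
+%ghost %dir /var/lib/ca-certificates
+%defattr(0444,root,root,0555)
+%ghost %dir /var/lib/ca-certificates/pem
+%ghost %dir /var/lib/ca-certificates/openssl
+%ghost /var/lib/ca-certificates/java-cacerts
+%ghost /var/lib/ca-certificates/ca-bundle.pem
+
+%changelog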
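Review bot: Both branches of the `%post` scriptlet end in `|| :`, so a failed `systemd-tmpfiles --create` or `cp -as` leaves `/etc/ssl/certs` and `/etc/ssl/ca-bundle.pem` as dangling symlinks without any message, and TLS clients in the container then fail later with nothing pointing back to the install step. Keeping the exit non-fatal but reporting the failure would help, e.g. `... || echo "%{name}: could not populate /var/lib/ca-certificates" >&2`. The `cp -as` fallback also creates symlinks into `/usr/share/factory` rather than copies, so on that path a package upgrade appears to change what the store resolves to, which differs from the `%description` statement that upgrades do not update the root list; a comment above the `elif` stating which behaviour is intended would settle it. Separately, the comment above `trust extract` says SOURCE_DATE_EPOCH is set, but nothing in `%install` sets it, so presumably it comes from the build environment; `# SOURCE_DATE_EPOCH is expected from rpmbuild/OBS` would make that dependency explicit.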
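--- a/ca-certificates-mozilla.COPYING
+++ b/ca-certificates-mozilla.COPYING
@@ -0,0 +1,348 @@
+Mozilla Public License
+Version 2.0
+
+1. Definitions
+
+1.1. “Contributor”
+
+means each individual or legal entity that creates, contributes to the
+creation of, or owns Covered Software.
+
+1.2. “Contributor Version”
+
+means the combination of the Contributions of others (if any) used by a
+Contributor and that particular Contributor’s Contribution.
+
+1.3. “Contribution”
+
+means Covered Software of a particular Contributor.
+
+1.4. “Covered Software”
+
+means Source Code Form to which the initial Contributor has attached the
+notice in Exhibit A, the Executable Form of such Source Code Form, and
+Modifications of such Source Code Form, in each case including portions
+thereof.
+
+1.5. “Incompatible With Secondary Licenses”
+
+means
+
+a. that the initial Contributor has attached the notice described in
+Exhibit B to the Covered Software; or
+
+b. that the Covered Software was made available under the terms of version
+1.1 or earlier of the License, but not also under the terms of a
+Secondary License.
+
+1.6. “Executable Form”
+
+means any form of the work other than Source Code Form.
+
+1.7. “Larger Work”
+
+means a work that combines Covered Software with other material, in a
+separate file or files, that is not Covered Software.
+
+1.8. “License”
+
+means this document.
+
+1.9. “Licensable”
+
+means having the right to grant, to the maximum extent possible, whether at
+the time of the initial grant or subsequently, any and all of the rights
+conveyed by this License.
+
+1.10. “Modifications”
+
+means any of the following:
+
+a. any file in Source Code Form that results from an addition to, deletion
+from, or modification of the contents of Covered Software; or
+
+b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. “Patent Claims” of a Contributor
+
+means any patent claim(s), including without limitation, method, process,
+and apparatus claims, in any patent Licensable by such Contributor that
+would be infringed, but for the grant of the License, by the making, using,
+selling, offering for sale, having made, import, or transfer of either its
+Contributions or its Contributor Version.
+
+1.12. “Secondary License”
+
+means either the GNU General Public License, Version 2.0, the GNU Lesser
+General Public License, Version 2.1, the GNU Affero General Public License,
+Version 3.0, or any later versions of those licenses.
+
+1.13. “Source Code Form”
+
+means the form of the work preferred for making modifications.
+
+1.14. “You” (or “Your”)
+
+means an individual or a legal entity exercising rights under this License.
+For legal entities, “You” includes any entity that controls, is controlled
+by, or is under common control with You. For purposes of this definition,
+“control” means (a) the power, direct or indirect, to cause the direction
+or management of such entity, whether by contract or otherwise, or (b)
+ownership of more than fifty percent (50%) of the outstanding shares or
+beneficial ownership of such entity.
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive
+license:
+
+a. under intellectual property rights (other than patent or trademark)
+Licensable by such Contributor to use, reproduce, make available, modify,
+display, perform, distribute, and otherwise exploit its Contributions,
+either on an unmodified basis, with Modifications, or as part of a Larger
+Work; and
+
+b. under Patent Claims of such Contributor to make, use, sell, offer for sale,
+have made, import, and otherwise transfer either its Contributions or its
+Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution become
+effective for each Contribution on the date the Contributor first distributes
+such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under this
+License. No additional rights or licenses will be implied from the distribution
+or licensing of Covered Software under this License. Notwithstanding
+Section 2.1(b) above, no patent license is granted by a Contributor:
+
+a. for any code that a Contributor has removed from Covered Software; or
+
+b. for infringements caused by: (i) Your and any other third party’s
+modifications of Covered Software, or (ii) the combination of its
+Contributions with other software (except as part of its Contributor
+Version); or
+
+c. under Patent Claims infringed by Covered Software in the absence of its
+Contributions.
+
+This License does not grant any rights in the trademarks, service marks, or
+logos of any Contributor (except as may be necessary to comply with the notice
+requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to distribute
+the Covered Software under a subsequent version of this License (see
+Section 10.2) or under the terms of a Secondary License (if permitted under the
+terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its Contributions are
+its original creation(s) or it has sufficient rights to grant the rights to its
+Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under applicable
+copyright doctrines of fair use, fair dealing, or other equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+Section 2.1.
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under the
+terms of this License. You must inform recipients that the Source Code Form of
+the Covered Software is governed by the terms of this License, and how they can
+obtain a copy of this License. You may not attempt to alter or restrict the
+recipients’ rights in the Source Code Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+a. such Covered Software must also be made available in Source Code Form, as
+described in Section 3.1, and You must inform recipients of the Executable
+Form how they can obtain a copy of such Source Code Form by reasonable
+means in a timely manner, at a charge no more than the cost of distribution
+to the recipient; and
+
+b. You may distribute such Executable Form under the terms of this License, or
+sublicense it under different terms, provided that the license for the
+Executable Form does not attempt to limit or alter the recipients’ rights
+in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for the
+Covered Software. If the Larger Work is a combination of Covered Software with
+a work governed by one or more Secondary Licenses, and the Covered Software is
+not Incompatible With Secondary Licenses, this License permits You to
+additionally distribute such Covered Software under the terms of such Secondary
+License(s), so that the recipient of the Larger Work may, at their option,
+further distribute the Covered Software under the terms of either this License
+or such Secondary License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices (including
+copyright notices, patent notices, disclaimers of warranty, or limitations of
+liability) contained within the Source Code Form of the Covered Software,
+except that You may alter any license notices to the extent required to remedy
+known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support, indemnity
+or liability obligations to one or more recipients of Covered Software.
+However, You may do so only on Your own behalf, and not on behalf of any
+Contributor. You must make it absolutely clear that any such warranty, support,
+indemnity, or liability obligation is offered by You alone, and You hereby
+agree to indemnify every Contributor for any liability incurred by such
+Contributor as a result of warranty, support, indemnity or liability terms You
+offer. You may include additional disclaimers of warranty and limitations of
+liability specific to any jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+If it is impossible for You to comply with any of the terms of this License
+with respect to some or all of the Covered Software due to statute, judicial
+order, or regulation then You must: (a) comply with the terms of this License
+to the maximum extent possible; and (b) describe the limitations and the code
+they affect. Such description must be placed in a text file included with all
+distributions of the Covered Software under this License. Except to the extent
+prohibited by statute or regulation, such description must be sufficiently
+detailed for a recipient of ordinary skill to be able to understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+fail to comply with any of its terms. However, if You become compliant, then
+the rights granted under this License from a particular Contributor are
+reinstated (a) provisionally, unless and until such Contributor explicitly and
+finally terminates Your grants, and (b) on an ongoing basis, if such
+Contributor fails to notify You of the non-compliance by some reasonable means
+prior to 60 days after You have come back into compliance. Moreover, Your
+grants from a particular Contributor are reinstated on an ongoing basis if such
+Contributor notifies You of the non-compliance by some reasonable means, this
+is the first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after Your
+receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions, counter-claims, and
+cross-claims) alleging that a Contributor Version directly or indirectly
+infringes any patent, then the rights granted to You by any and all
+Contributors for the Covered Software under Section 2.1 of this License shall
+terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+license agreements (excluding distributors and resellers) which have been
+validly granted by You or Your distributors under this License prior to
+termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+Covered Software is provided under this License on an “as is” basis, without
+warranty of any kind, either expressed, implied, or statutory, including,
+without limitation, warranties that the Covered Software is free of defects,
+merchantable, fit for a particular purpose or non-infringing. The entire risk
+as to the quality and performance of the Covered Software is with You. Should
+any Covered Software prove defective in any respect, You (not any Contributor)
+assume the cost of any necessary servicing, repair, or correction. This
+disclaimer of warranty constitutes an essential part of this License. No use of
+any Covered Software is authorized under this License except under this
+disclaimer.
+
+7. Limitation of Liability
+
+Under no circumstances and under no legal theory, whether tort (including
+negligence), contract, or otherwise, shall any Contributor, or anyone who
+distributes Covered Software as permitted above, be liable to You for any
+direct, indirect, special, incidental, or consequential damages of any
+character including, without limitation, damages for lost profits, loss of
+goodwill, work stoppage, computer failure or malfunction, or any and all other
+commercial damages or losses, even if such party shall have been informed of
+the possibility of such damages. This limitation of liability shall not apply
+to liability for death or personal injury resulting from such party’s
+negligence to the extent applicable law prohibits such limitation. Some
+jurisdictions do not allow the exclusion or limitation of incidental or
+consequential damages, so this exclusion and limitation may not apply to You.
+
+8. Litigation
+
+Any litigation relating to this License may be brought only in the courts of a
+jurisdiction where the defendant maintains its principal place of business and
+such litigation shall be governed by laws of that jurisdiction, without
+reference to its conflict-of-law provisions. Nothing in this Section shall
+prevent a party’s ability to bring cross-claims or counter-claims.
+
+9. Miscellaneous
+
+This License represents the complete agreement concerning the subject matter
+hereof. If any provision of this License is held to be unenforceable, such
+provision shall be reformed only to the extent necessary to make it
+enforceable. Any law or regulation which provides that the language of a
+contract shall be construed against the drafter shall not be used to construe
+this License against a Contributor.
+
+10. Versions of the License
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section 10.3,
+no one other than the license steward has the right to modify or publish new
+versions of this License. Each version will be given a distinguishing version
+number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version of the
+License under which You originally received the Covered Software, or under the
+terms of any subsequent version published by the license steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to create a
+new license for such software, you may create and use a modified version of
+this License if you rename the license and remove any references to the name of
+the license steward (except to note that such modified license differs from
+this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the notice
+described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this file,
+You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file, then
+You may include the notice in a location (such as a LICENSE file in a relevant
+directory) where a recipient would be likely to look for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - “Incompatible With Secondary Licenses” Notice
+
+This Source Code Form is “Incompatible With Secondary Licenses”, as defined
+by the Mozilla Public License, v. 2.0.
+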
931
ca-certificates-mozilla.changes
Normal file
@ -0,0 +1,931 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Dec 15 21:07:58 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- update to 2.72:
|
||||
Removed:
|
||||
- SecureSign RootCA11
|
||||
- Security Communication RootCA3
|
||||
Added:
|
||||
- TWCA CYBER Root CA
|
||||
- TWCA Global Root CA G2
|
||||
- SecureSign Root CA12
|
||||
- SecureSign Root CA14
|
||||
- SecureSign Root CA15
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 8 15:19:02 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.68 state of Mozilla SSL root CAs (bsc#1227525)
|
||||
- Added: FIRMAPROFESIONAL CA ROOT-A WEB
|
||||
- Distrust: GLOBALTRUST 2020
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 26 12:09:12 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.66 state of Mozilla SSL root CAs (bsc#1220356)
|
||||
Added:
|
||||
- CommScope Public Trust ECC Root-01
|
||||
- CommScope Public Trust ECC Root-02
|
||||
- CommScope Public Trust RSA Root-01
|
||||
- CommScope Public Trust RSA Root-02
|
||||
- D-Trust SBR Root CA 1 2022
|
||||
- D-Trust SBR Root CA 2 2022
|
||||
- Telekom Security SMIME ECC Root 2021
|
||||
- Telekom Security SMIME RSA Root 2023
|
||||
- Telekom Security TLS ECC Root 2020
|
||||
- Telekom Security TLS RSA Root 2023
|
||||
- TrustAsia Global Root CA G3
|
||||
- TrustAsia Global Root CA G4
|
||||
Removed:
|
||||
- Autoridad de Certificacion Firmaprofesional CIF A62634068
|
||||
- Chambers of Commerce Root - 2008
|
||||
- Global Chambersign Root - 2008
|
||||
- Security Communication Root CA
|
||||
- Symantec Class 1 Public Primary Certification Authority - G6
|
||||
- Symantec Class 2 Public Primary Certification Authority - G6
|
||||
- TrustCor ECA-1
|
||||
- TrustCor RootCert CA-1
|
||||
- TrustCor RootCert CA-2
|
||||
- VeriSign Class 1 Public Primary Certification Authority - G3
|
||||
- VeriSign Class 2 Public Primary Certification Authority - G3
|
||||
- remove-trustcor.patch: removed, now upstream
|
||||
- do a versioned obsoletes of "openssl-certs".
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 26 11:20:23 UTC 2024 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- use rpm 4.20 compatible patch syntax
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Feb 26 11:14:43 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Use %patch -P N instead of deprecated %patchN.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 16 12:59:31 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- readd _multibuild
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 14 10:43:08 UTC 2023 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.62 state of Mozilla SSL root CAs (bsc#1214248)
|
||||
Added:
|
||||
- Atos TrustedRoot Root CA ECC G2 2020
|
||||
- Atos TrustedRoot Root CA ECC TLS 2021
|
||||
- Atos TrustedRoot Root CA RSA G2 2020
|
||||
- Atos TrustedRoot Root CA RSA TLS 2021
|
||||
- BJCA Global Root CA1
|
||||
- BJCA Global Root CA2
|
||||
- LAWtrust Root CA2 (4096)
|
||||
- Sectigo Public Email Protection Root E46
|
||||
- Sectigo Public Email Protection Root R46
|
||||
- Sectigo Public Server Authentication Root E46
|
||||
- Sectigo Public Server Authentication Root R46
|
||||
- SSL.com Client ECC Root CA 2022
|
||||
- SSL.com Client RSA Root CA 2022
|
||||
- SSL.com TLS ECC Root CA 2022
|
||||
- SSL.com TLS RSA Root CA 2022
|
||||
|
||||
Removed CAs:
|
||||
- Chambers of Commerce Root
|
||||
- E-Tugra Certification Authority
|
||||
- E-Tugra Global Root CA ECC v3
|
||||
- E-Tugra Global Root CA RSA v3
|
||||
- Hongkong Post Root CA 1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 4 14:34:19 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
|
||||
|
||||
- Add _multibuild to define 2nd spec file as additional flavor.
|
||||
Eliminates the need for source package links in OBS.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Dec 22 10:38:47 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.60 state of Mozilla SSL root CAs (bsc#1206622)
|
||||
Removed CAs:
|
||||
- Global Chambersign Root
|
||||
- EC-ACC
|
||||
- Network Solutions Certificate Authority
|
||||
- Staat der Nederlanden EV Root CA
|
||||
- SwissSign Platinum CA - G2
|
||||
|
||||
Added CAs:
|
||||
- DIGITALSIGN GLOBAL ROOT ECDSA CA
|
||||
- DIGITALSIGN GLOBAL ROOT RSA CA
|
||||
- Security Communication ECC RootCA1
|
||||
- Security Communication RootCA3
|
||||
|
||||
Changed trust:
|
||||
- TrustCor certificates only trusted up to Nov 30 (bsc#1206212)
|
||||
|
||||
- Removed CAs (bsc#1206212) as most code does not handle "valid before nov 30 2022"
|
||||
and it is not clear how many certs were issued for SSL middleware by TrustCor:
|
||||
- TrustCor RootCert CA-1
|
||||
- TrustCor RootCert CA-2
|
||||
- TrustCor ECA-1
|
||||
Patch: remove-trustcor.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 29 11:46:01 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.56 state of Mozilla SSL root CAs (bsc#1202868)
|
||||
Added:
|
||||
- Certainly Root E1
|
||||
- Certainly Root R1
|
||||
- DigiCert SMIME ECC P384 Root G5
|
||||
- DigiCert SMIME RSA4096 Root G5
|
||||
- DigiCert TLS ECC P384 Root G5
|
||||
- DigiCert TLS RSA4096 Root G5
|
||||
- E-Tugra Global Root CA ECC v3
|
||||
- E-Tugra Global Root CA RSA v3
|
||||
Removed:
|
||||
- Hellenic Academic and Research Institutions RootCA 2011
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon May 2 11:35:33 UTC 2022 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.54 state of Mozilla SSL root CAs (bsc#1199079)
|
||||
Added:
|
||||
- Autoridad de Certificacion Firmaprofesional CIF A62634068
|
||||
- D-TRUST BR Root CA 1 2020
|
||||
- D-TRUST EV Root CA 1 2020
|
||||
- GlobalSign ECC Root CA R4
|
||||
- GTS Root R1
|
||||
- GTS Root R2
|
||||
- GTS Root R3
|
||||
- GTS Root R4
|
||||
- HiPKI Root CA - G1
|
||||
- ISRG Root X2
|
||||
- Telia Root CA v2
|
||||
- vTrus ECC Root CA
|
||||
- vTrus Root CA
|
||||
|
||||
Removed:
|
||||
- Cybertrust Global Root
|
||||
- DST Root CA X3
|
||||
- DigiNotar PKIoverheid CA Organisatie - G2
|
||||
- GlobalSign ECC Root CA R4
|
||||
- GlobalSign Root CA R2
|
||||
- GTS Root R1
|
||||
- GTS Root R2
|
||||
- GTS Root R3
|
||||
- GTS Root R4
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Oct 2 07:33:52 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
|
||||
- Added CAs:
|
||||
+ HARICA Client ECC Root CA 2021
|
||||
+ HARICA Client RSA Root CA 2021
|
||||
+ HARICA TLS ECC Root CA 2021
|
||||
+ HARICA TLS RSA Root CA 2021
|
||||
+ TunTrust Root CA
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 24 13:56:30 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- remove the DST_Root_CA_X3.pem trust, as it expires september 30th 2021.
|
||||
(bsc#1190858)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jul 5 12:16:33 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- updated to 2.50 state of the Mozilla NSS Certificate store (bsc#1188006)
|
||||
Added CAs:
|
||||
|
||||
* AC RAIZ FNMT-RCM SERVIDORES SEGUROS
|
||||
* ANF Secure Server Root CA
|
||||
* Certum EC-384 CA
|
||||
* Certum Trusted Root CA
|
||||
* GlobalSign Root E46
|
||||
* GlobalSign Root R46
|
||||
* GlobalSign Secure Mail Root E45
|
||||
* GlobalSign Secure Mail Root R45
|
||||
* GLOBALTRUST 2020
|
||||
|
||||
Removed CAs:
|
||||
|
||||
* GeoTrust Primary Certification Authority - G2
|
||||
* QuoVadis Root Certification Authority
|
||||
* Sonera Class2 CA
|
||||
* Trustis FPS Root CA
|
||||
* VeriSign Universal Root Certification Authority
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Jul 4 09:14:00 UTC 2021 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- fix mozila typo in installed files
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 9 13:11:37 UTC 2021 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.46 state of the Mozilla NSS Certificate store (bsc#1181994)
|
||||
- Added new root CAs:
|
||||
- NAVER Global Root Certification Authority
|
||||
- Removed old root CA:
|
||||
- GeoTrust Global CA
|
||||
- GeoTrust Primary Certification Authority
|
||||
- GeoTrust Primary Certification Authority - G3
|
||||
- GeoTrust Universal CA
|
||||
- GeoTrust Universal CA 2
|
||||
- thawte Primary Root CA
|
||||
- thawte Primary Root CA - G2
|
||||
- thawte Primary Root CA - G3
|
||||
- VeriSign Class 3 Public Primary Certification Authority - G4
|
||||
- VeriSign Class 3 Public Primary Certification Authority - G5
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 19 09:09:39 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- Updated to 2.44 state of the Mozilla NSS Certificate store (bsc#1177864)
|
||||
|
||||
- Removed CAs:
|
||||
- EE Certification Centre Root CA
|
||||
- Taiwan GRCA
|
||||
|
||||
- Added CAs:
|
||||
- Trustwave Global Certification Authority
|
||||
- Trustwave Global ECC P256 Certification Authority
|
||||
- Trustwave Global ECC P384 Certification Authority
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 29 13:06:19 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
|
||||
|
||||
Removed CAs:
|
||||
- AddTrust External CA Root
|
||||
- AddTrust Class 1 CA Root
|
||||
- LuxTrust Global Root 2
|
||||
- Staat der Nederlanden Root CA - G2
|
||||
- Symantec Class 1 Public Primary Certification Authority - G4
|
||||
- Symantec Class 2 Public Primary Certification Authority - G4
|
||||
- VeriSign Class 3 Public Primary Certification Authority - G3
|
||||
|
||||
Added CAs:
|
||||
- certSIGN Root CA G2
|
||||
- e-Szigno Root CA 2017
|
||||
- Microsoft ECC Root Certificate Authority 2017
|
||||
- Microsoft RSA Root Certificate Authority 2017
|
||||
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 26 11:38:06 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- also run update-ca-certificates in %posttrans
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 14 07:07:51 UTC 2020 - Marcus Meissner <meissner@suse.com>
|
||||
|
||||
- update to 2.40 state of the Mozilla NSS Certificate store (bsc#1160160)
|
||||
- removed:
|
||||
- Certplus Class 2 Primary CA
|
||||
- Deutsche Telekom Root CA 2
|
||||
- CN=Swisscom Root CA 2
|
||||
- UTN-USERFirst-Client Authentication and Email
|
||||
|
||||
- added:
|
||||
- Entrust Root Certification Authority - G4
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 18 10:53:59 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
|
||||
|
||||
- make sure p11-kit with patches is installed on SLE (boo#1154871)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 12 09:58:01 UTC 2019 - Ludwig Nussel <lnussel@suse.de>
|
||||
|
||||
- export correct p11kit trust attributes so Firefox detects built in
|
||||
certificates (boo#1154871). Courtesy of Fedora.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sun Aug 4 14:17:45 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||
|
||||
- update to 2.34 state of the Mozilla NSS Certificate store (bsc#1144169)
|
||||
- Removed CAs:
|
||||
- Certinomis - Root CA
|
||||
- includes added root CAs from the 2.32 version:
|
||||
- emSign ECC Root CA - C3 (email and server auth)
|
||||
- emSign ECC Root CA - G3 (email and server auth)
|
||||
- emSign Root CA - C1 (email and server auth)
|
||||
- emSign Root CA - G1 (email and server auth)
|
||||
- Hongkong Post Root CA 3 (server auth)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 17 06:17:05 UTC 2019 - meissner@suse.com
|
||||
|
||||
- updated to 2.30 state of the Mozilla NSS Certificate store. (bsc#1121446)
|
||||
- Removed CAs:
|
||||
- AC Raiz Certicamara S.A.
|
||||
- Certplus Root CA G1
|
||||
- Certplus Root CA G2
|
||||
- OpenTrust Root CA G1
|
||||
- OpenTrust Root CA G2
|
||||
- OpenTrust Root CA G3
|
||||
- Visa eCommerce Root
|
||||
|
||||
- Added Root CAs:
|
||||
- Certigna Root CA (email and server auth)
|
||||
- GTS Root R1 (server auth)
|
||||
- GTS Root R2 (server auth)
|
||||
- GTS Root R3 (server auth)
|
||||
- GTS Root R4 (server auth)
|
||||
- OISTE WISeKey Global Root GC CA (email and server auth)
|
||||
- UCA Extended Validation Root (server auth)
|
||||
- UCA Global G2 Root (email and server auth)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Aug 16 08:42:38 UTC 2018 - meissner@suse.com
|
||||
|
||||
- updated to 2.26 state of the Mozilla NSS Certificate store. (bsc#1104780)
|
||||
- removed server auth
|
||||
- Certplus Root CA G1
|
||||
- Certplus Root CA G2
|
||||
- OpenTrust Root CA G1
|
||||
- OpenTrust Root CA G2
|
||||
- OpenTrust Root CA G3
|
||||
- remove CA
|
||||
- ComSign CA
|
||||
- added new CA
|
||||
- GlobalSign
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jul 6 14:40:58 UTC 2018 - meissner@suse.com
|
||||
|
||||
- Updated to 2.24 state of the Mozilla NSS Certificate store. (bsc#1100415)
|
||||
- Removed CAs:
|
||||
* S-TRUST_Universal_Root_CA:2.16.96.86.197.75.35.64.91.100.212.237.37.218.217.214.30.30.crt
|
||||
* TC_TrustCenter_Class_3_CA_II:2.14.74.71.0.1.0.2.229.160.93.214.63.0.81.191.crt
|
||||
* TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5:2.7.0.142.23.254.36.32.129.crt
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Mar 20 13:12:37 CET 2018 - kukuk@suse.de
|
||||
|
||||
- Use %license instead of %doc [bsc#1082318]
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 25 09:43:25 UTC 2018 - meissner@suse.com
|
||||
|
||||
- Updated to 2.22 state of the Mozilla NSS Certificate store (bsc#1071152,
|
||||
bsc#1071390, bsc#1010996)
|
||||
- Removed CAs:
|
||||
|
||||
* ACEDICOM Root
|
||||
* AddTrust Public CA Root
|
||||
* AddTrust Qualified CA Root
|
||||
* ApplicationCA - Japanese Government
|
||||
* CA Disig Root R1
|
||||
* CA WoSign ECC Root
|
||||
* Certification Authority of WoSign G2
|
||||
* Certinomis - Autorité Racine
|
||||
* China Internet Network Information Center EV Certificates Root
|
||||
* CNNIC ROOT
|
||||
* Comodo Secure Certificate Services
|
||||
* Comodo Trusted Certificate Services
|
||||
* ComSign Secured CA
|
||||
* DST ACES CA X6
|
||||
* GeoTrust Global CA 2
|
||||
* StartCom Certification Authority
|
||||
* StartCom Certification Authority
|
||||
* StartCom Certification Authority G2
|
||||
* Swisscom Root CA 1
|
||||
* TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
|
||||
* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
|
||||
* TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
|
||||
* UTN USERFirst Hardware Root CA
|
||||
* UTN USERFirst Object Root CA
|
||||
* VeriSign Class 3 Secure Server CA - G2
|
||||
* WellsSecure Public Root Certificate Authority
|
||||
* Certification Authority of WoSign
|
||||
* WoSign China
|
||||
|
||||
- Added CAs:
|
||||
|
||||
* D-TRUST Root CA 3 2013
|
||||
* GDCA TrustAUTH R5 ROOT
|
||||
* SSL.com EV Root Certification Authority ECC
|
||||
* SSL.com EV Root Certification Authority RSA R2
|
||||
* SSL.com Root Certification Authority ECC
|
||||
* SSL.com Root Certification Authority RSA
|
||||
* TrustCor RootCert CA-1
|
||||
* TrustCor RootCert CA-2
|
||||
* TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 25 12:40:36 UTC 2017 - jmatejek@suse.com
|
||||
|
||||
- convert processing script to Python 3
|
||||
- ensure a stable conversion of UTF8 hex-encoded certificate names
|
||||
- ensure a stable ordering of trust/distrust bits in headers
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com
|
||||
|
||||
- updated to 2.11 state of the Mozilla NSS Certificate store.
|
||||
- removed CAs:
|
||||
- Buypass_Class_2_CA_1:2.1.1.crt
|
||||
serverAuth
|
||||
- EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı:2.8.76.175.115.66.28.142.116.2.crt
|
||||
codeSigning emailProtection serverAuth
|
||||
- Equifax_Secure_CA:2.4.53.222.244.207.crt
|
||||
emailProtection
|
||||
- Equifax_Secure_eBusiness_CA_1:2.1.4.crt
|
||||
emailProtection
|
||||
- Equifax_Secure_Global_eBusiness_CA:2.1.1.crt
|
||||
emailProtection
|
||||
- IGC_A:2.5.57.17.69.16.148.crt
|
||||
codeSigning emailProtection serverAuth
|
||||
- Juur-SK:2.4.59.142.75.252.crt
|
||||
codeSigning serverAuth
|
||||
- Root_CA_Generalitat_Valenciana:2.4.59.69.229.104.crt
|
||||
codeSigning emailProtection serverAuth
|
||||
- RSA_Security_2048_v3:2.16.10.1.1.1.0.0.2.124.0.0.0.10.0.0.0.2.crt
|
||||
codeSigning emailProtection serverAuth
|
||||
- Sonera_Class_1_Root_CA:2.1.36.crt
|
||||
emailProtection
|
||||
- S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN:2.16.55.25.24.230.83.84.124.26.181.184.203.89.90.219.53.183.crt
|
||||
emailProtection
|
||||
- Verisign_Class_1_Public_Primary_Certification_Authority:2.16.63.105.30.129.156.240.154.74.243.115.255.185.72.162.228.221.crt
|
||||
emailProtection
|
||||
- Verisign_Class_2_Public_Primary_Certification_Authority_-_G2:2.17.0.185.47.96.204.136.159.161.122.70.9.184.91.112.108.138.175.crt
|
||||
emailProtection
|
||||
- Verisign_Class_3_Public_Primary_Certification_Authority:2.16.112.186.228.29.16.217.41.52.182.56.202.123.3.204.186.191.crt
|
||||
emailProtection
|
||||
- added CAs:
|
||||
+ AC_RAIZ_FNMT-RCM:2.15.93.147.141.48.103.54.200.6.29.26.199.84.132.105.7.crt
|
||||
serverAuth
|
||||
+ Amazon_Root_CA_1:2.19.6.108.159.207.153.191.140.10.57.226.240.120.138.67.230.150.54.91.202.crt
|
||||
emailProtection serverAuth
|
||||
+ Amazon_Root_CA_2:2.19.6.108.159.210.150.53.134.159.10.15.229.134.120.248.91.38.187.138.55.crt
|
||||
emailProtection serverAuth
|
||||
+ Amazon_Root_CA_3:2.19.6.108.159.213.116.151.54.102.63.59.11.154.217.232.158.118.3.242.74.crt
|
||||
emailProtection serverAuth
|
||||
+ Amazon_Root_CA_4:2.19.6.108.159.215.193.187.16.76.41.67.229.113.123.123.44.200.26.193.14.crt
|
||||
emailProtection serverAuth
|
||||
+ Certplus_Root_CA_G1:2.18.17.32.85.131.228.45.62.84.86.133.45.131.55.183.44.220.70.17.crt
|
||||
emailProtection serverAuth
|
||||
+ Certplus_Root_CA_G2:2.18.17.32.217.145.206.174.163.232.197.231.255.233.2.175.207.115.188.85.crt
|
||||
emailProtection serverAuth
|
||||
+ Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015:2.1.0.crt
|
||||
emailProtection serverAuth
|
||||
+ Hellenic_Academic_and_Research_Institutions_RootCA_2015:2.1.0.crt
|
||||
emailProtection serverAuth
|
||||
+ ISRG_Root_X1:2.17.0.130.16.207.176.210.64.227.89.68.99.224.187.99.130.139.0.crt (bsc#1010996)
|
||||
serverAuth
|
||||
+ LuxTrust_Global_Root_2:2.20.10.126.166.223.75.68.158.218.106.36.133.158.230.184.21.211.22.127.187.177.crt
|
||||
serverAuth
|
||||
+ OpenTrust_Root_CA_G1:2.18.17.32.179.144.85.57.125.127.54.109.100.194.167.159.107.99.142.103.crt
|
||||
emailProtection serverAuth
|
||||
+ OpenTrust_Root_CA_G2:2.18.17.32.161.105.27.191.189.185.189.82.150.143.35.232.72.191.38.17.crt
|
||||
emailProtection serverAuth
|
||||
+ OpenTrust_Root_CA_G3:2.18.17.32.230.248.76.252.36.176.190.5.64.172.218.131.27.52.96.63.crt
|
||||
emailProtection serverAuth
|
||||
+ Symantec_Class_1_Public_Primary_Certification_Authority_-_G4:2.16.33.110.51.165.203.211.136.164.111.41.7.180.39.60.196.216.crt
|
||||
emailProtection
|
||||
+ Symantec_Class_1_Public_Primary_Certification_Authority_-_G6:2.16.36.50.117.242.29.47.210.9.51.247.180.106.202.208.243.152.crt
|
||||
emailProtection
|
||||
+ Symantec_Class_2_Public_Primary_Certification_Authority_-_G4:2.16.52.23.101.18.64.59.183.86.128.45.128.203.121.85.166.30.crt
|
||||
emailProtection
|
||||
+ Symantec_Class_2_Public_Primary_Certification_Authority_-_G6:2.16.100.130.158.252.55.30.116.93.252.151.255.151.200.177.255.65.crt
|
||||
emailProtection
|
||||
|
||||
- diff-from-upstream-2.7.patch: removed as we should be able to do
|
||||
intermediate root chains now with openssl 1.0.2 and also gnutls 3.5
|
||||
is able to do so.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Apr 6 11:21:32 UTC 2016 - meissner@suse.com
|
||||
|
||||
- diff-from-upstream-2.7.patch: restore some important legacy
|
||||
CAs, otherwise Pidgin fails to talk to Google Talk for instance.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 31 13:07:40 UTC 2016 - meissner@suse.com
|
||||
|
||||
- Updated to 2.7 (bsc#973042).
|
||||
- diff-from-upstream-2.2.patch: removed as openssl 1.0.2 can do
|
||||
immediate root CAs.
|
||||
|
||||
- Removed server trust from:
|
||||
AC Raíz Certicámara S.A.
|
||||
ComSign Secured CA
|
||||
NetLock Uzleti (Class B) Tanusitvanykiado
|
||||
NetLock Business (Class B) Root
|
||||
NetLock Expressz (Class C) Tanusitvanykiado
|
||||
TC TrustCenter Class 3 CA II
|
||||
TURKTRUST Certificate Services Provider Root 1
|
||||
TURKTRUST Certificate Services Provider Root 2
|
||||
Equifax Secure Global eBusiness CA-1
|
||||
Verisign Class 4 Public Primary Certification Authority G3
|
||||
- enable server trust
|
||||
Actalis Authentication Root CA
|
||||
- Deleted CAs:
|
||||
A Trust nQual 03
|
||||
Buypass Class 3 CA 1
|
||||
CA Disig
|
||||
Digital Signature Trust Co Global CA 1
|
||||
Digital Signature Trust Co Global CA 3
|
||||
E Guven Kok Elektronik Sertifika Hizmet Saglayicisi
|
||||
NetLock Expressz (Class C) Tanusitvanykiado
|
||||
NetLock Kozjegyzoi (Class A) Tanusitvanykiado
|
||||
NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
|
||||
NetLock Uzleti (Class B) Tanusitvanykiado
|
||||
SG TRUST SERVICES RACINE
|
||||
Staat der Nederlanden Root CA
|
||||
TC TrustCenter Class 2 CA II
|
||||
TC TrustCenter Universal CA I
|
||||
TDC Internet Root CA
|
||||
UTN DATACorp SGC Root CA
|
||||
Verisign Class 1 Public Primary Certification Authority - G2
|
||||
Verisign Class 3 Public Primary Certification Authority
|
||||
Verisign Class 3 Public Primary Certification Authority - G2
|
||||
|
||||
- New added CAs:
|
||||
CA WoSign ECC Root
|
||||
Certification Authority of WoSign
|
||||
Certification Authority of WoSign G2
|
||||
Certinomis - Root CA
|
||||
Certum Trusted Network CA 2
|
||||
CFCA EV ROOT
|
||||
COMODO RSA Certification Authority
|
||||
DigiCert Assured ID Root G2
|
||||
DigiCert Assured ID Root G3
|
||||
DigiCert Global Root G2
|
||||
DigiCert Global Root G3
|
||||
DigiCert Trusted Root G4
|
||||
Entrust Root Certification Authority - EC1
|
||||
Entrust Root Certification Authority - G2
|
||||
GlobalSign
|
||||
GlobalSign
|
||||
IdenTrust Commercial Root CA 1
|
||||
IdenTrust Public Sector Root CA 1
|
||||
OISTE WISeKey Global Root GB CA
|
||||
QuoVadis Root CA 1 G3
|
||||
QuoVadis Root CA 2 G3
|
||||
QuoVadis Root CA 3 G3
|
||||
Staat der Nederlanden EV Root CA
|
||||
Staat der Nederlanden Root CA - G3
|
||||
S-TRUST Universal Root CA
|
||||
SZAFIR ROOT CA2
|
||||
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
|
||||
TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
|
||||
USERTrust ECC Certification Authority
|
||||
USERTrust RSA Certification Authority
|
||||
沃通根证书
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jan 14 09:40:00 UTC 2015 - meissner@suse.com
|
||||
|
||||
- diff-from-upstream-2.2.patch:
|
||||
Temporary reenable some root ca trusts, as openssl/gnutls
|
||||
have trouble using intermediates as root CA.
|
||||
|
||||
- GTE CyberTrust Global Root
|
||||
- Thawte Server CA
|
||||
- Thawte Premium Server CA
|
||||
- ValiCert Class 1 VA
|
||||
- ValiCert Class 2 VA
|
||||
- RSA Root Certificate 1
|
||||
- Entrust.net Secure Server CA
|
||||
- America Online Root Certification Authority 1
|
||||
- America Online Root Certification Authority 2
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 12 16:45:23 UTC 2015 - meissner@suse.com
|
||||
|
||||
- Updated to 2.2 (bnc#888534)
|
||||
- The following CAs were removed:
|
||||
+ America_Online_Root_Certification_Authority_1
|
||||
+ America_Online_Root_Certification_Authority_2
|
||||
+ GTE_CyberTrust_Global_Root
|
||||
+ Thawte_Premium_Server_CA
|
||||
+ Thawte_Server_CA
|
||||
- The following CAs were added:
|
||||
+ COMODO_RSA_Certification_Authority
|
||||
codeSigning emailProtection serverAuth
|
||||
+ GlobalSign_ECC_Root_CA_-_R4
|
||||
codeSigning emailProtection serverAuth
|
||||
+ GlobalSign_ECC_Root_CA_-_R5
|
||||
codeSigning emailProtection serverAuth
|
||||
+ USERTrust_ECC_Certification_Authority
|
||||
codeSigning emailProtection serverAuth
|
||||
+ USERTrust_RSA_Certification_Authority
|
||||
codeSigning emailProtection serverAuth
|
||||
+ VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
|
||||
- The following CAs were changed:
|
||||
+ Equifax_Secure_eBusiness_CA_1
|
||||
remote code signing and https trust, leave email trust
|
||||
+ Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
|
||||
only trust emailProtection
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 26 13:30:12 UTC 2014 - meissner@suse.com
|
||||
|
||||
- Updated to 2.1 (bnc#888534)
|
||||
|
||||
- The following 1024-bit CA certificates were removed
|
||||
- Entrust.net Secure Server Certification Authority
|
||||
- ValiCert Class 1 Policy Validation Authority
|
||||
- ValiCert Class 2 Policy Validation Authority
|
||||
- ValiCert Class 3 Policy Validation Authority
|
||||
- TDC Internet Root CA
|
||||
- The following CA certificates were added:
|
||||
- Certification Authority of WoSign
|
||||
- CA 沃通根证书
|
||||
- DigiCert Assured ID Root G2
|
||||
- DigiCert Assured ID Root G3
|
||||
- DigiCert Global Root G2
|
||||
- DigiCert Global Root G3
|
||||
- DigiCert Trusted Root G4
|
||||
- QuoVadis Root CA 1 G3
|
||||
- QuoVadis Root CA 2 G3
|
||||
- QuoVadis Root CA 3 G3
|
||||
- The Trust Bits were changed for the following CA certificates
|
||||
- Class 3 Public Primary Certification Authority
|
||||
- Class 3 Public Primary Certification Authority
|
||||
- Class 2 Public Primary Certification Authority - G2
|
||||
- VeriSign Class 2 Public Primary Certification Authority - G3
|
||||
- AC Raíz Certicámara S.A.
|
||||
- NetLock Uzleti (Class B) Tanusitvanykiado
|
||||
- NetLock Expressz (Class C) Tanusitvanykiado
|
||||
|
||||
- certdata-temporary-1024.patch: restore some certificates removed
|
||||
from NSS as these are still used for some major sites.
|
||||
openssl is not as clever as NSS in selecting the new ones in the
|
||||
chain correctly.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 18 15:05:23 UTC 2014 - meissner@suse.com
|
||||
|
||||
- do not provide openssl-certs, just obsolete it.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jun 10 12:52:29 UTC 2014 - meissner@suse.com
|
||||
|
||||
- in sle11 we bumped openssl-certs version to match the NSS version,
|
||||
so provide/obsolete the current version.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 4 08:21:33 UTC 2014 - lnussel@suse.de
|
||||
|
||||
- updated certificates to revision 1.97 (bnc#881241)
|
||||
new: "Atos TrustedRoot 2011" (codeSigning emailProtection serverAuth)
|
||||
new: "Tugra Certification Authority" (codeSigning serverAuth)
|
||||
removed: "Firmaprofesional Root CA"
|
||||
removed: "TDC OCES Root CA"
|
||||
new: "TeliaSonera Root CA v1" (emailProtection serverAuth)
|
||||
new: "T-TeleSec GlobalRoot Class 2" (emailProtection serverAuth)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Feb 21 16:18:35 UTC 2014 - meissner@suse.com
|
||||
|
||||
- updated certificates to revision 1.96 (bnc#865080)
|
||||
new: ACCVRAIZ1.pem (Spain) (all trusts)
|
||||
new: SG_TRUST_SERVICES_RACINE.pem (Singapore) (email signing only)
|
||||
new: TWCA_Global_Root_CA.pem (Taiwanese) (all trusts)
|
||||
removed: Wells_Fargo_Root_CA.pem
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 9 16:01:29 UTC 2013 - meissner@suse.com
|
||||
|
||||
- Updated to 1.95
|
||||
Distrust a sub-ca that issued google.com certificates.
|
||||
"Distrusted AC DG Tresor SSL" (bnc#854367)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Dec 9 09:56:32 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- fix handling of certificates with same name (bnc#854163)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 29 13:52:16 UTC 2013 - meissner@suse.com
|
||||
|
||||
- Updated to 1.94
|
||||
* new: CA_Disig_Root_R1:2.9.0.195.3.154.238.80.144.110.40.crt
|
||||
server auth, code signing, email signing
|
||||
* new: CA_Disig_Root_R2:2.9.0.146.184.136.219.176.138.193.99.crt
|
||||
server auth, code signing, email signing
|
||||
* new: China_Internet_Network_Information_Center_EV_Certificates_Root:2.4.72.159.0.1.crt
|
||||
server auth
|
||||
* changed: Digital_Signature_Trust_Co._Global_CA_1:2.4.54.112.21.150.crt
|
||||
removed code signing and server auth abilities
|
||||
* changed: Digital_Signature_Trust_Co._Global_CA_3:2.4.54.110.211.206.crt
|
||||
removed code signing and server auth abilities
|
||||
* new: D-TRUST_Root_Class_3_CA_2_2009:2.3.9.131.243.crt
|
||||
server auth
|
||||
* new: D-TRUST_Root_Class_3_CA_2_EV_2009:2.3.9.131.244.crt
|
||||
server auth
|
||||
* removed: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.185.102.crt
|
||||
* new: Entrust.net_Premium_2048_Secure_Server_CA:2.4.56.99.222.248.crt
|
||||
I think the missing flags were adjusted.
|
||||
* removed: Equifax_Secure_eBusiness_CA_2:2.4.55.112.207.181.crt
|
||||
* new: PSCProcert:2.1.11.crt
|
||||
server auth, code signing, email signing
|
||||
* new: Swisscom_Root_CA_2:2.16.30.158.40.232.72.242.229.239.195.124.74.30.90.24.103.182.crt
|
||||
server auth, code signing, email signing
|
||||
* new: Swisscom_Root_EV_CA_2:2.17.0.242.250.100.226.116.99.211.141.253.16.29.4.31.118.202.88.crt
|
||||
server auth, code signing
|
||||
* changed: TC_TrustCenter_Universal_CA_III:2.14.99.37.0.1.0.2.20.141.51.21.2.228.108.244.crt
|
||||
removed all abilities
|
||||
* new: TURKTRUST_Certificate_Services_Provider_Root_2007:2.1.1.crt
|
||||
server auth, code signing
|
||||
* changed: TWCA_Root_Certification_Authority:2.1.1.crt
|
||||
added code signing ability
|
||||
- removed temporary Entrust.net_Premium_2048_Secure_Server_CA.p11-kit override.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Aug 19 13:07:07 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- update Entrust root attributes to new format used by p11-kit
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 24 15:05:31 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- remove superfluous double quotes from certificate names
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- add fake basic contraints to Entrust root so p11-kit export the cert
|
||||
(bnc#829471)
|
||||
- add nssckbi.h that matches certdata.txt; make sure package has the
|
||||
correct version number which is currently 1.93. No actual content
|
||||
change in certdata.txt compared to 1.85, it's just that the
|
||||
versioning scheme changed.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- use certdata2pem.py from Fedora to extract all certs
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 21 12:59:53 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- use correct 'anchors' subdirectory
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jun 19 09:30:00 UTC 2013 - lnussel@suse.de
|
||||
|
||||
- new location of CA certificate anchors is
|
||||
/usr/share/ca-certificates/anchors
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 3 19:16:01 UTC 2013 - idonmez@suse.com
|
||||
|
||||
- update certificates to revision 1.87 (bnc#796628)
|
||||
* new "EE Certification Centre Root CA"
|
||||
* new "T-TeleSec GlobalRoot Class 3"
|
||||
* revoke mis-issued intermediate CAs from TURKTRUST
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 10 14:50:00 UTC 2012 - meissner@suse.com
|
||||
|
||||
- updated certificates to revision 1.85 (bnc#783509)
|
||||
* new "Actalis Authentication Root CA"
|
||||
* new "Trustis FPS Root CA"
|
||||
* new "StartCom Certification Authority"
|
||||
* new "StartCom Certification Authority G2"
|
||||
* new "Buypass Class 2 Root CA"
|
||||
* new "Buypass Class 3 Root CA"
|
||||
* updated: "Sonera Class2 CA": remove code-signing
|
||||
* updated: "thawte Primary Root CA": added code-signing
|
||||
* updated: "Trustis_FPS_Root_CA.pem": added code-signing
|
||||
* updated: VeriSign Class 3 Public Primary Certification Authority - G5":
|
||||
added code-signing, email-protection
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 3 12:13:20 UTC 2012 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.83 (bnc#760503)
|
||||
* new: EC_ACC.pem
|
||||
* new: Hellenic_Academic_and_Research_Institutions_RootCA_2011.pem
|
||||
* new: Security_Communication_RootCA2.pem
|
||||
* removed: TC_TrustCenter_Germany_Class_2_CA.pem
|
||||
* removed: TC_TrustCenter_Germany_Class_3_CA.pem
|
||||
* removed: Verisign_Class_1_Public_Primary_Certification_Authority.1.pem
|
||||
* removed: Verisign_Class_2_Public_Primary_Certification_Authority.pem
|
||||
* removed: Verisign_Class_4_Public_Primary_Certification_Authority_G2.pem
|
||||
- license change to MPL-2.0
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jan 13 08:52:29 UTC 2012 - cfarrell@suse.com
|
||||
|
||||
- license update: MPL-1.1 or GPL-2.0+ or LGPL-2.1+
|
||||
SPDX format and correct GPL and LGPL tags to include or later
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Jan 12 11:30:31 UTC 2012 - coolo@suse.com
|
||||
|
||||
- change license to be in spdx.org format
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Sep 17 21:58:34 UTC 2011 - jengelh@medozas.de
|
||||
|
||||
- Remove redundant tags/sections from specfile
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Aug 31 09:02:10 UTC 2011 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.76
|
||||
* new: Go_Daddy_Root_Certificate_Authority_G2.pem
|
||||
* new: Starfield_Root_Certificate_Authority_G2.pem
|
||||
* new: Starfield_Services_Root_Certificate_Authority_G2.pem
|
||||
* new: AffirmTrust_Commercial.pem
|
||||
* new: AffirmTrust_Networking.pem
|
||||
* new: AffirmTrust_Premium.pem
|
||||
* new: AffirmTrust_Premium_ECC.pem
|
||||
* new: Certum_Trusted_Network_CA.pem
|
||||
* new: Certinomis_Autorit_Racine.pem
|
||||
* new: Root_CA_Generalitat_Valenciana.pem
|
||||
* new: A_Trust_nQual_03.pem
|
||||
* new: TWCA_Root_Certification_Authority.pem
|
||||
* removed: DigiNotar_Root_CA.pem (bnc#714931)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 31 13:43:23 UTC 2011 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.70
|
||||
* new: AddTrust_Qualified_Certificates_Root.pem
|
||||
* new: Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
|
||||
* new: Chambers_of_Commerce_Root_2008.pem
|
||||
* new: Global_Chambersign_Root_2008.pem
|
||||
* new: Izenpe_com.pem
|
||||
* new: TC_TrustCenter_Universal_CA_III.pem
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 27 14:27:52 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.65
|
||||
* new: E_Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.pem
|
||||
* new: GlobalSign_Root_CA_R3.pem
|
||||
* new: Microsec_e_Szigno_Root_CA_2009.pem
|
||||
* new: Verisign_Class_1_Public_Primary_Certification_Authority.1.pem
|
||||
* new: Verisign_Class_3_Public_Primary_Certification_Authority.1.pem
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri May 21 12:30:01 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.64
|
||||
* removed "RSA Security 1024 V3" certificate
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 8 09:24:37 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- require ca-certificates also for postun
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 1 12:14:11 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- don't output trusted certs by default as it's not supported by
|
||||
gnutls yet and pidgin scans /etc/ssl/certs
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 1 11:39:01 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.62
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 26 15:27:34 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- extract trustbits as comment as Fedora does
|
||||
- convert to trusted certificates in spec file instead
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 25 08:16:56 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- rename to ca-certificates-mozilla
|
||||
- output trusted certificates
|
||||
- use utf8 in file names
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Feb 2 16:27:35 UTC 2010 - lnussel@suse.de
|
||||
|
||||
- update certificates to revision 1.57
|
||||
- add script to compare with previous certificates
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 30 13:17:45 UTC 2009 - lnussel@suse.de
|
||||
|
||||
- update certifiates to cvs revision 1.56
|
||||
- exclude certficates that are not trusted for identifying web sites
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 2 11:29:03 CET 2008 - cfarrell@suse.de
|
||||
|
||||
- Add openssl-certs.COPYING to fix bnc#441356
|
||||
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 9 17:49:57 CEST 2008 - lnussel@suse.de
|
||||
|
||||
- use certificates from MozillaFirefox
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 9 15:15:38 CEST 2008 - mkoenig@suse.de
|
||||
|
||||
- split out the CA root certificates from the openssl certs
|
||||
subpackage into a package of its own.
|
||||
|
133
ca-certificates-mozilla.spec
Normal file
@ -0,0 +1,133 @@
|
||||
#
|
||||
# spec file for package ca-certificates-mozilla
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
# upon. The license for this file, and modifications and additions to the
|
||||
# file, is the same license as for the pristine package itself (unless the
|
||||
# license for the pristine package is not an Open Source License, in which
|
||||
# case the license is the MIT License). An "Open Source License" is a
|
||||
# license that conforms to the Open Source Definition (Version 1.9)
|
||||
# published by the Open Source Initiative.
|
||||
|
||||
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||
#
|
||||
|
||||
|
||||
# ensure p11-kit has the required features on SLE for
|
||||
# https://bugzilla.suse.com/show_bug.cgi?id=1154871
|
||||
%if 0%{?suse_version} == 1500
|
||||
%if 0%{?is_opensuse}
|
||||
# Leap 15.1
|
||||
%define p11_kit_min 0.23.2-lp151.4.3.1
|
||||
%else
|
||||
# 15GA
|
||||
%define p11_kit_min 0.23.2-4.5.2
|
||||
%endif
|
||||
%else
|
||||
%if 0%{?suse_version} == 1315 && 0%{?sle_version} > 120300
|
||||
# 12SP3
|
||||
%define p11_kit_min 0.20.7-3.3.1
|
||||
%endif
|
||||
%endif
|
||||
#
|
||||
%define certdir %{trustdir_static}
|
||||
Name: ca-certificates-mozilla
|
||||
# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
|
||||
# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
|
||||
Version: 2.72
|
||||
Release: 0
|
||||
Summary: CA certificates for OpenSSL
|
||||
License: MPL-2.0
|
||||
Group: Productivity/Networking/Security
|
||||
URL: https://www.mozilla.org
|
||||
# IMPORTANT: procedure to update certificates:
|
||||
# - Check the log of the cert file:
|
||||
# http://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
|
||||
# - download the new certdata.txt
|
||||
# wget -O certdata.txt "http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt"
|
||||
# - run compareoldnew to show fingerprints of new and changed certificates
|
||||
# - check the bugs referenced in hg log and compare the checksum
|
||||
# to output of compareoldnew
|
||||
# - Watch out that blacklisted or untrusted certificates are not
|
||||
# accidentally included!
|
||||
Source: https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
|
||||
Source1: https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
|
||||
#Source10: https://src.fedoraproject.org/rpms/ca-certificates/raw/master/f/certdata2pem.py
|
||||
Source10: certdata2pem.py
|
||||
Source11: %{name}.COPYING
|
||||
Source12: compareoldnew
|
||||
BuildRequires: ca-certificates
|
||||
BuildRequires: openssl
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: python3-base
|
||||
# for update-ca-certificates
|
||||
Requires(post): ca-certificates
|
||||
Requires(postun): ca-certificates
|
||||
#
|
||||
# replaces this package from SLE11 times
|
||||
Obsoletes: openssl-certs < %version
|
||||
BuildArch: noarch
|
||||
%if %{defined p11_kit_min}
|
||||
Conflicts: p11-kit-tools < %p11_kit_min
|
||||
%endif
|
||||
|
||||
%description
|
||||
This package contains some CA root certificates for OpenSSL extracted
|
||||
from MozillaFirefox
|
||||
|
||||
%prep
|
||||
%setup -qcT
|
||||
|
||||
mkdir certs
|
||||
cp %{SOURCE0} certs
|
||||
|
||||
install -m 644 %{SOURCE11} COPYING
|
||||
ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
|
||||
if [ "%{version}" != "$ver" ]; then
|
||||
echo "*** Version number mismatch: spec file should be version $ver"
|
||||
false
|
||||
fi
|
||||
|
||||
%build
|
||||
export LANG=en_US.UTF-8
|
||||
cd certs
|
||||
python3 %{SOURCE10}
|
||||
cd ..
|
||||
(
|
||||
cat <<-EOF
|
||||
# This is a bundle of X.509 certificates of public Certificate
|
||||
# Authorities. It was generated from the Mozilla root CA list.
|
||||
# These certificates and trust/distrust attributes use the file format accepted
|
||||
# by the p11-kit-trust module.
|
||||
#
|
||||
# Source: nss/lib/ckfw/builtins/certdata.txt
|
||||
# Source: nss/lib/ckfw/builtins/nssckbi.h
|
||||
#
|
||||
# Generated from:
|
||||
EOF
|
||||
awk '$2 = "NSS_BUILTINS_LIBRARY_VERSION" {print "# " $2 " " $3}';
|
||||
echo '#';
|
||||
ls -1 certs/*.tmp-p11-kit | sort | xargs cat
|
||||
) > %{name}.trust.p11-kit
|
||||
|
||||
%install
|
||||
mkdir -p %{buildroot}/%{trustdir_static}
|
||||
install -m 644 %{name}.trust.p11-kit "%{buildroot}/%{trustdir_static}/%{name}.trust.p11-kit"
|
||||
|
||||
%post
|
||||
update-ca-certificates || true
|
||||
|
||||
%postun
|
||||
update-ca-certificates || true
|
||||
|
||||
%posttrans
|
||||
update-ca-certificates || true
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%{trustdir_static}
|
||||
|
||||
%changelog
|
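Review bot: The `awk` line in `%build` that should stamp the bundle with its NSS version has two defects: `$2 = "NSS_BUILTINS_LIBRARY_VERSION"` is an assignment, so the pattern is true for every record, and the command names no input, so it reads whatever stdin the build provides rather than nssckbi.h. As written, the `# Generated from:` header of the installed trust bundle will not reliably carry the version, which is its only provenance marker; I would write `awk '$2 == "NSS_BUILTINS_LIBRARY_VERSION" {print "# " $2 " " $3}' < "%{SOURCE1}";`. Separately, the update procedure in the comment block tells the packager to `wget` certdata.txt over `http://` from the moving `default` branch, while the `Source:` tags use `https://` and the `raw-file` path. Since this file defines the system trust anchors, the comment should give the same `https://` URL as `Source:`, ideally at a fixed revision.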
25972
certdata.txt
Normal file
25972
certdata.txt
Normal file
File diff suppressed because it is too large
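--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -0,0 +1,413 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
+# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+import urllib.request, urllib.parse, urllib.error
+import subprocess
+
+objects = []
+
+def printable_serial(obj):
+return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
+
+# Dirty file parser.
+in_data, in_multiline, in_obj = False, False, False
+field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
+for line in open('certdata.txt', 'r'):
+# Ignore the file header.
+if not in_data:
+if line.startswith('BEGINDATA'):
+in_data = True
+continue
+# Ignore comment lines.
+if line.startswith('#'):
+continue
+# Empty lines are significant if we are inside an object.
+if in_obj and len(line.strip()) == 0:
+objects.append(obj)
+obj = dict()
+in_obj = False
+continue
+if len(line.strip()) == 0:
+continue
+if in_multiline:
+if not line.startswith('END'):
+if ftype == 'MULTILINE_OCTAL':
+line = line.strip()
+for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+integ = int(i.group(1), 8)
+binval.extend((integ).to_bytes(1, sys.byteorder))
+obj[field] = binval
+else:
+value += line
+obj[field] = value
+continue
+in_multiline = False
+continue
+if line.startswith('CKA_CLASS'):
+in_obj = True
+line_parts = line.strip().split(' ', 2)
+if len(line_parts) > 2:
+field, ftype = line_parts[0:2]
+value = ' '.join(line_parts[2:])
+elif len(line_parts) == 2:
+field, ftype = line_parts
+value = None
+else:
+raise NotImplementedError('line_parts < 2 not supported.\n' + line)
+if ftype == 'MULTILINE_OCTAL':
+in_multiline = True
+value = ""
+binval = bytearray()
+continue
+obj[field] = value
+if len(list(obj.items())) > 0:
+objects.append(obj)
+
+# Build up trust database.
+trustmap = dict()
+for obj in objects:
+if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
+continue
+key = obj['CKA_LABEL'] + printable_serial(obj)
+trustmap[key] = obj
+print(" added trust", key)
+
+# Build up cert database.
+certmap = dict()
+for obj in objects:
+if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+continue
+key = obj['CKA_LABEL'] + printable_serial(obj)
+certmap[key] = obj
+print(" added cert", key)
+
+def obj_to_filename(obj):
+label = obj['CKA_LABEL'][1:-1]
+label = label.replace('/', '_')\
+.replace(' ', '_')\
+.replace('(', '=')\
+.replace(')', '=')\
+.replace(',', '_')
+labelbytes = bytearray()
+i = 0
+imax = len(label)
+while i < imax:
+if i < imax-3 and label[i] == '\\' and label[i+1] == 'x':
+labelbytes.extend(bytes.fromhex(label[i+2:i+4]))
+i += 4
+continue
+labelbytes.extend(str.encode(label[i]))
+i = i+1
+continue
+label = labelbytes.decode('utf-8')
+serial = printable_serial(obj)
+return label + ":" + serial
+
+def write_cert_ext_to_file(f, oid, value, public_key):
+f.write("[p11-kit-object-v1]\n")
+f.write("label: ");
+f.write(tobj['CKA_LABEL'])
+f.write("\n")
+f.write("class: x-certificate-extension\n");
+f.write("object-id: " + oid + "\n")
+f.write("value: \"" + value + "\"\n")
+f.write("modifiable: false\n");
+f.write(public_key)
+
+trust_types = {
+"CKA_TRUST_DIGITAL_SIGNATURE": "digital-signature",
+"CKA_TRUST_NON_REPUDIATION": "non-repudiation",
+"CKA_TRUST_KEY_ENCIPHERMENT": "key-encipherment",
+"CKA_TRUST_DATA_ENCIPHERMENT": "data-encipherment",
+"CKA_TRUST_KEY_AGREEMENT": "key-agreement",
+"CKA_TRUST_KEY_CERT_SIGN": "cert-sign",
+"CKA_TRUST_CRL_SIGN": "crl-sign",
+"CKA_TRUST_SERVER_AUTH": "server-auth",
+"CKA_TRUST_CLIENT_AUTH": "client-auth",
+"CKA_TRUST_CODE_SIGNING": "code-signing",
+"CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+"CKA_TRUST_IPSEC_END_SYSTEM": "ipsec-end-system",
+"CKA_TRUST_IPSEC_TUNNEL": "ipsec-tunnel",
+"CKA_TRUST_IPSEC_USER": "ipsec-user",
+"CKA_TRUST_TIME_STAMPING": "time-stamping",
+"CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
+}
+
+legacy_trust_types = {
+"LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
+"LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
+"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
+}
+
+legacy_to_real_trust_types = {
+"LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
+"LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
+"LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
+}
+
+openssl_trust = {
+"CKA_TRUST_SERVER_AUTH": "serverAuth",
+"CKA_TRUST_CLIENT_AUTH": "clientAuth",
+"CKA_TRUST_CODE_SIGNING": "codeSigning",
+"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
+}
+
+cert_distrust_types = {
+"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
+for tobj in objects:
+if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
+key = tobj['CKA_LABEL'] + printable_serial(tobj)
+print("producing trust for " + key)
+trustbits = []
+distrustbits = []
+openssl_trustflags = []
+openssl_distrustflags = []
+legacy_trustbits = []
+legacy_openssl_trustflags = []
+for t in list(trust_types.keys()):
+if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+trustbits.append(t)
+if t in openssl_trust:
+openssl_trustflags.append(openssl_trust[t])
+if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+distrustbits.append(t)
+if t in openssl_trust:
+openssl_distrustflags.append(openssl_trust[t])
+
+for t in list(legacy_trust_types.keys()):
+if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+real_t = legacy_to_real_trust_types[t]
+legacy_trustbits.append(real_t)
+if real_t in openssl_trust:
+legacy_openssl_trustflags.append(openssl_trust[real_t])
+if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+raise NotImplementedError('legacy distrust not supported.\n' + line)
+
+fname = obj_to_filename(tobj)
+try:
+obj = certmap[key]
+except:
+obj = None
+
+# optional debug code, that dumps the parsed input to files
+#fulldump = "dump-" + fname
+#dumpf = open(fulldump, 'w')
+#dumpf.write(str(obj));
+#dumpf.write(str(tobj));
+#dumpf.close();
+
+is_legacy = 0
+if 'LEGACY_CKA_TRUST_SERVER_AUTH' in tobj or 'LEGACY_CKA_TRUST_EMAIL_PROTECTION' in tobj or 'LEGACY_CKA_TRUST_CODE_SIGNING' in tobj:
+is_legacy = 1
+if obj == None:
+raise NotImplementedError('found legacy trust without certificate.\n' + line)
+
+legacy_fname = "legacy-default/" + fname + ".crt"
+f = open(legacy_fname, 'w')
+f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
+if legacy_openssl_trustflags:
+f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
+f.write("-----BEGIN CERTIFICATE-----\n")
+temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
+temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
+f.write("\n".join(temp_wrapped))
+f.write("\n-----END CERTIFICATE-----\n")
+f.close()
+
+if 'CKA_TRUST_SERVER_AUTH' in tobj or 'CKA_TRUST_EMAIL_PROTECTION' in tobj or 'CKA_TRUST_CODE_SIGNING' in tobj:
+legacy_fname = "legacy-disable/" + fname + ".crt"
+f = open(legacy_fname, 'w')
+f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+f.write("# trust=" + " ".join(trustbits) + "\n")
+if openssl_trustflags:
+f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
+f.write("-----BEGIN CERTIFICATE-----\n")
+f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+f.write("\n-----END CERTIFICATE-----\n")
+f.close()
+
+# don't produce p11-kit output for legacy certificates
+continue
+
+pk = ''
+cert_comment = ''
+if obj != None:
+# must extract the public key from the cert, let's use openssl
+cert_fname = "cert-" + fname
+fc = open(cert_fname, 'w')
+fc.write("-----BEGIN CERTIFICATE-----\n")
+temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
+temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
+fc.write("\n".join(temp_wrapped))
+fc.write("\n-----END CERTIFICATE-----\n")
+fc.close();
+pk_fname = "pubkey-" + fname
+fpkout = open(pk_fname, "w")
+dump_pk_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-pubkey"]
+subprocess.call(dump_pk_command, stdout=fpkout)
+fpkout.close()
+with open (pk_fname, "r") as myfile:
+pk=myfile.read()
+# obtain certificate information suitable as a comment
+comment_fname = "comment-" + fname
+fcout = open(comment_fname, "w")
+comment_command = ["openssl", "x509", "-in", cert_fname, "-noout", "-text"]
+subprocess.call(comment_command, stdout=fcout)
+fcout.close()
+sed_command = ["sed", "--in-place", "s/^/#/", comment_fname]
+subprocess.call(sed_command)
+with open (comment_fname, "r", errors = 'replace') as myfile:
+cert_comment=myfile.read()
+
+fname += ".tmp-p11-kit"
+f = open(fname, 'w')
+
+if obj != None:
+is_distrusted = False
+has_server_trust = False
+has_email_trust = False
+has_code_trust = False
+
+if 'CKA_TRUST_SERVER_AUTH' in tobj:
+if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
+is_distrusted = True
+elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+has_server_trust = True
+
+if 'CKA_TRUST_EMAIL_PROTECTION' in tobj:
+if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED':
+is_distrusted = True
+elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+has_email_trust = True
+
+if 'CKA_TRUST_CODE_SIGNING' in tobj:
+if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED':
+is_distrusted = True
+elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+has_code_trust = True
+
+if is_distrusted:
+trust_ext_oid = "1.3.6.1.4.1.3319.6.10.1"
+trust_ext_value = "0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
+
+trust_ext_oid = "2.5.29.37"
+if has_server_trust:
+if has_email_trust:
+if has_code_trust:
+# server + email + code
+trust_ext_value = "0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+else:
+# server + email
+trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
+else:
+if has_code_trust:
+# server + code
+trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+else:
+# server
+trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%01"
+else:
+if has_email_trust:
+if has_code_trust:
+# email + code
+trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%03"
+else:
+# email
+trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%04"
+else:
+if has_code_trust:
+# code
+trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%03"
+else:
+# none
+trust_ext_value = "0%18%06%03U%1d%25%01%01%ff%04%0e0%0c%06%0a%2b%06%01%04%01%99w%06%0a%10"
+
+# no 2.5.29.37 for neutral certificates
+if (is_distrusted or has_server_trust or has_email_trust or has_code_trust):
+write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
+
+pk = ''
+f.write("\n")
+
+f.write("[p11-kit-object-v1]\n")
+f.write("label: ");
+f.write(tobj['CKA_LABEL'])
+f.write("\n")
+if is_distrusted:
+f.write("x-distrusted: true\n")
+elif has_server_trust or has_email_trust or has_code_trust:
+f.write("trusted: true\n")
+else:
+f.write("trusted: false\n")
+
+# requires p11-kit >= 0.23.4
+f.write("nss-mozilla-ca-policy: true\n")
+f.write("modifiable: false\n");
+
+# requires p11-kit >= 0.23.19
+for t in list(cert_distrust_types.keys()):
+if t in obj:
+value = obj[t]
+if value == 'CK_FALSE':
+value = bytearray(1)
+f.write(cert_distrust_types[t] + ": \"")
+f.write(urllib.parse.quote(value));
+f.write("\"\n")
+
+f.write("-----BEGIN CERTIFICATE-----\n")
+temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
+temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
+f.write("\n".join(temp_wrapped))
+f.write("\n-----END CERTIFICATE-----\n")
+f.write(cert_comment)
+f.write("\n")
+
+else:
+f.write("[p11-kit-object-v1]\n")
+f.write("label: ");
+f.write(tobj['CKA_LABEL']);
+f.write("\n")
+f.write("class: certificate\n")
+f.write("certificate-type: x-509\n")
+f.write("modifiable: false\n");
+f.write("issuer: \"");
+f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
+f.write("\"\n")
+f.write("serial-number: \"");
+f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
+f.write("\"\n")
+if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
+f.write("x-distrusted: true\n")
+f.write("\n\n")
+f.close()
+print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))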
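Review bot: The three `subprocess.call(...)` invocations (the two `openssl x509` runs and the `sed`) ignore the exit status, so if openssl cannot parse a certificate the script continues with an empty `pk` and still writes the `x-certificate-extension` stanzas that carry the distrust and extended-key-usage restrictions. For output that becomes the system trust store the build should stop instead; `subprocess.check_call(dump_pk_command, stdout=fpkout)`, and the same for `comment_command` and `sed_command`, does that with no other change. In the `legacy-disable/` branch, `textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)` passes bytes to `textwrap.wrap`, which would fail under python3; the other three PEM writers call `.decode()` first and this one should too. The two `raise NotImplementedError(... + line)` statements in the trust loop append `line`, which by then is only the last line left over from the parser loop, so the message does not identify the offending object; `tobj['CKA_LABEL']` would.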
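--- a/compareoldnew
+++ b/compareoldnew
@@ -0,0 +1,47 @@
+#!/bin/bash
+# print fingerprints of new or changed certificates
+set -e
+cleanup()
+{
+rm -rf new{,.files} old{,.files}
+}
+showcert()
+{
+openssl x509 -in "$1" -noout -subject -fingerprint -nameopt multiline,utf8,-esc_msb \
+| sed -ne 's/ *commonName *= / CN=/p; s/.*Fingerprint=/ sha1=/p'
+sed -ne '/^# \(openssl\|distrust\|alias\)/s/^#/ /p' < "$1"
+}
+cleanup
+trap cleanup EXIT
+mkdir old new
+cd old
+echo old...
+ln -s ../.osc/certdata.txt
+python3 ../certdata2pem.py > stdout 2> stderr
+ls -1 cert-* | sort > ../old.files
+cd ..
+cd new
+echo new...
+ln -s ../certdata.txt
+python3 ../certdata2pem.py > stdout 2> stderr
+ls -1 cert-* | sort > ../new.files
+cd ..
+echo '----------------------------'
+while read line; do
+IFS='#' eval set -- \$line
+old="$1"
+new="$2"
+common="$3"
+if [ -n "$old" ]; then
+echo "- $old"
+showcert old/$old
+elif [ -n "$new" ]; then
+echo "+ $new"
+showcert new/$new
+elif ! cmp "old/$common" "new/$common"; then
+echo "~ $common"
+showcert old/$common
+showcert new/$common
+diff -u old/$common new/$common || true
+fi
+done < <(comm --output-delimiter='#' old.files new.files)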
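Review bot: `showcert` prints only a SHA-1 fingerprint, because `openssl x509 -fingerprint` is run without a digest option and the `sed` relabels the result `sha1=`. The spec's update procedure asks the packager to compare this output with the checksum in the referenced bugs, and that comparison is the manual check on every new trust anchor, so I would print SHA-256 instead: add `-sha256` to the openssl call and change the label to `sha256=`. Both `python3 ../certdata2pem.py > stdout 2> stderr` runs also write their diagnostics into `old/` and `new/`, which the `EXIT` trap deletes, so under `set -e` a converter failure ends the script with no visible message. Sending stderr to the terminal, or printing the file before exiting, would make a broken conversion noticeable.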
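--- a/nssckbi.h
+++ b/nssckbi.h
@@ -0,0 +1,61 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+* NSS BUILTINS Version numbers.
+*
+* These are the version numbers for the builtins module packaged with
+* this release on NSS. To determine the version numbers of the builtin
+* module you are using, use the appropriate PKCS #11 calls.
+*
+* These version numbers detail changes to the PKCS #11 interface. They map
+* to the PKCS #11 spec versions.
+*/
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes
+* to the list of trusted certificates.
+*
+* The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+* whenever we change the list of trusted certificates.
+*
+* Please use the following rules when increasing the version number:
+*
+* - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
+* must always be an EVEN number (e.g. 16, 18, 20 etc.)
+*
+* - whenever possible, if older branches require a modification to the
+* list, these changes should be made on the main line of development (trunk),
+* and the older branches should update to the most recent list.
+*
+* - ODD minor version numbers are reserved to indicate a snapshot that has
+* deviated from the main line of development, e.g. if it was necessary
+* to modify the list on a stable branch.
+* Once the version has been changed to an odd number (e.g. 2.13) on a branch,
+* it should remain unchanged on that branch, even if further changes are
+* made on that branch.
+*
+* NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
+* whether we may use its full range (0-255) or only 0-99 because
+* of the comment in the CK_VERSION type definition.
+* It's recommend to switch back to 0 after having reached version 98/99.
+*/
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 72
+#define NSS_BUILTINS_LIBRARY_VERSION "2.72"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself
+* (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */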