- add fake basic contraints to Entrust root so p11-kit export the cert

(bnc#829471)

OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=39

Entrust_net_Premium_2048_Secure_Server_CA.p11-kit

@@ -0,0 +1,8 @@
+[p11-kit-object-v1]
+label: "Add missing BasicConstraints for Entrust root"
+id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
+class: x-certificate-extension
+object-id: 2.5.29.19
+x-critical: true
+value: "%30%03%01%01%FF"
+

ca-certificates-mozilla.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
+
+- add fake basic contraints to Entrust root so p11-kit export the cert
+  (bnc#829471)
+
 -------------------------------------------------------------------
 Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de
 

ca-certificates-mozilla.spec

@@ -24,6 +24,8 @@ BuildRequires:  openssl
 BuildRequires:  python
 
 Name:           ca-certificates-mozilla
+# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
 Version:        1.85
 Release:        0
 Summary:        CA certificates for OpenSSL
@@ -31,12 +33,10 @@ License:        MPL-2.0
 Group:          Productivity/Networking/Security
 Url:            http://www.mozilla.org
 # IMPORTANT: procedure to update certificates:
-# - Check the CVS log of the cert file:
-#   http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD
-#   Alternatively hg:
+# - Check the log of the cert file:
 #   http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # - download the new certdata.txt
-#   wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
+#   wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
 # - run compareoldnew to show fingerprints of new and changed certificates
 # - check the bugs referenced in cvs log and compare the checksum
 #   to output of compareoldnew
@@ -46,6 +46,11 @@ Source:         certdata.txt
 Source1:        certdata2pem.py
 Source2:        %{name}.COPYING
 Source3:        compareoldnew
+# make p11-kit think there are basic constraints in the Entrust
+# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
+# Remove after the updated cert is accepted into NSS
+# https://bugzilla.mozilla.org/show_bug.cgi?id=694536
+Source99:       Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 # for update-ca-certificates
@@ -92,7 +97,7 @@ for i in *.crt; do
 		openssl x509 -in "$i" "${args[@]}"
 	} > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
 done
-for i in *.p11-kit; do
+for i in *.p11-kit %{SOURCE99}; do
 	install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
 done
 set -x