From c7e45260579b2fb64e95b0822f7c1c630fc1bc6096f25dbad5325f920af25984 Mon Sep 17 00:00:00 2001 From: Ludwig Nussel Date: Wed, 24 Jul 2013 14:45:48 +0000 Subject: [PATCH] - add nssckbi.h that matches certdata.txt; make sure package has the correct version number which is currently 1.93. No actual content change in certdata.txt compared to 1.85, it's just that the versioning scheme changed. OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=40 --- ca-certificates-mozilla.changes | 4 +++ ca-certificates-mozilla.spec | 20 +++++++---- nssckbi.h | 60 +++++++++++++++++++++++++++++++++ 3 files changed, 77 insertions(+), 7 deletions(-) create mode 100644 nssckbi.h diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes index aed507f..d5c5d59 100644 --- a/ca-certificates-mozilla.changes +++ b/ca-certificates-mozilla.changes @@ -3,6 +3,10 @@ Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de - add fake basic contraints to Entrust root so p11-kit export the cert (bnc#829471) +- add nssckbi.h that matches certdata.txt; make sure package has the + correct version number which is currently 1.93. No actual content + change in certdata.txt compared to 1.85, it's just that the + versioning scheme changed. ------------------------------------------------------------------- Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec index f8953f6..154388e 100644 --- a/ca-certificates-mozilla.spec +++ b/ca-certificates-mozilla.spec @@ -26,7 +26,7 @@ BuildRequires: python Name: ca-certificates-mozilla # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file: # https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h -Version: 1.85 +Version: 1.93 Release: 0 Summary: CA certificates for OpenSSL License: MPL-2.0 
@@ -42,10 +42,11 @@ Url: http://www.mozilla.org # to output of compareoldnew # - Watch out that blacklisted or untrusted certificates are not # accidentally included! -Source: certdata.txt -Source1: certdata2pem.py -Source2: %{name}.COPYING -Source3: compareoldnew +Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt +Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h +Source10: certdata2pem.py +Source11: %{name}.COPYING +Source12: compareoldnew # make p11-kit think there are basic constraints in the Entrust # cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064) # Remove after the updated cert is accepted into NSS @@ -69,10 +70,15 @@ from MozillaFirefox %prep %setup -qcT /bin/cp %{SOURCE0} . -install -m 644 %{SOURCE2} COPYING +install -m 644 %{SOURCE11} COPYING +ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"` +if [ "%{version}" != "$ver" ]; then + echo "*** Version number mismatch: spec file should be version $ver" + false +fi %build -python %{SOURCE1} +python %{SOURCE10} %install mkdir -p %{buildroot}/%{trustdir_static}/anchors diff --git a/nssckbi.h b/nssckbi.h new file mode 100644 index 0000000..0bcf17e --- /dev/null +++ b/nssckbi.h 
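Review bot: The new `Source:` and `Source1:` URLs point at `raw-file/default/`, a moving ref, so they do not identify the upstream revision that the packaged certdata.txt and nssckbi.h were taken from. For a trust-anchor bundle this makes a later audit against upstream hard, and the two files can end up coming from different tips. The version check added to `%prep` in the next hunk compares the spec `Version` only with nssckbi.h, so it cannot detect a certdata.txt from another revision. I would pin both URLs to the same changeset or release tag, e.g. `.../raw-file/<REVISION>/security/nss/lib/ckfw/builtins/certdata.txt` (placeholder), and record that revision in the comment above the Source lines.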
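Review bot: When the `sed` expression in the new `%prep` check matches nothing, for example if upstream changes how `NSS_BUILTINS_LIBRARY_VERSION` is defined, `$ver` is empty and the build stops with "spec file should be version " and no value. That reads like a spec error rather than a parse failure. A separate guard before the comparison, `[ -n "$ver" ] || { echo "*** cannot read NSS_BUILTINS_LIBRARY_VERSION from %{SOURCE1}" >&2; exit 1; }`, keeps the check fail-closed and says what went wrong. I would also replace the bare `false` with `exit 1`, since `false` aborts the build only as long as the scriptlet is run with `-e`. A one-line comment that the check ties the package version to the shipped trust list would help the next maintainer.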
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+ * NSS BUILTINS Version numbers.
+ *
+ * These are the version numbers for the builtins module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+ * for each NSS minor release AND whenever we change the list of
+ * trusted certificates. 10 minor versions are allocated for each
+ * NSS 3.x branch as follows, allowing us to change the list of
+ * trusted certificates up to 9 times on each branch.
+ * - NSS 3.5 branch: 3-9
+ * - NSS 3.6 branch: 10-19
+ * - NSS 3.7 branch: 20-29
+ * - NSS 3.8 branch: 30-39
+ * - NSS 3.9 branch: 40-49
+ * - NSS 3.10 branch: 50-59
+ * - NSS 3.11 branch: 60-69
+ * ...
+ * - NSS 3.12 branch: 70-89
+ * - NSS 3.13 branch: 90-99
+ * - NSS 3.14 branch: 100-109
+ * ...
+ * - NSS 3.29 branch: 250-255
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
+#define NSS_BUILTINS_LIBRARY_VERSION "1.93"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself
+ * (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */