Accepting request 281262 from Base:System

- diff-from-upstream-2.2.patch:
  Temporary reenable some root ca trusts, as openssl/gnutls
  have trouble using intermediates as root CA.
  - GTE CyberTrust Global Root
  - Thawte Server CA
  - Thawte Premium Server CA
  - ValiCert Class 1 VA
  - ValiCert Class 2 VA
  - RSA Root Certificate 1
  - Entrust.net Secure Server CA
  - America Online Root Certification Authority 1
  - America Online Root Certification Authority 2

- Updated to 2.2 (bnc#888534)
  - The following CAs were removed:
    + America_Online_Root_Certification_Authority_1
    + America_Online_Root_Certification_Authority_2
    + GTE_CyberTrust_Global_Root
    + Thawte_Premium_Server_CA
    + Thawte_Server_CA
  - The following CAs were added:
    + COMODO_RSA_Certification_Authority
      codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R4
      codeSigning emailProtection serverAuth
    + GlobalSign_ECC_Root_CA_-_R5
      codeSigning emailProtection serverAuth
    + USERTrust_ECC_Certification_Authority
      codeSigning emailProtection serverAuth
    + USERTrust_RSA_Certification_Authority

OBS-URL: https://build.opensuse.org/request/show/281262
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=33

ca-certificates-mozilla.changes

@@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Wed Jan 14 09:40:00 UTC 2015 - meissner@suse.com
+
+- diff-from-upstream-2.2.patch:
+  Temporary reenable some root ca trusts, as openssl/gnutls
+  have trouble using intermediates as root CA.
+
+  - GTE CyberTrust Global Root
+  - Thawte Server CA
+  - Thawte Premium Server CA
+  - ValiCert Class 1 VA
+  - ValiCert Class 2 VA
+  - RSA Root Certificate 1
+  - Entrust.net Secure Server CA
+  - America Online Root Certification Authority 1
+  - America Online Root Certification Authority 2
+
+-------------------------------------------------------------------
+Mon Jan 12 16:45:23 UTC 2015 - meissner@suse.com
+
+- Updated to 2.2 (bnc#888534)
+  - The following CAs were removed:
+    + America_Online_Root_Certification_Authority_1
+    + America_Online_Root_Certification_Authority_2
+    + GTE_CyberTrust_Global_Root
+    + Thawte_Premium_Server_CA
+    + Thawte_Server_CA
+  - The following CAs were added:
+    + COMODO_RSA_Certification_Authority
+      codeSigning emailProtection serverAuth
+    + GlobalSign_ECC_Root_CA_-_R4
+      codeSigning emailProtection serverAuth
+    + GlobalSign_ECC_Root_CA_-_R5
+      codeSigning emailProtection serverAuth
+    + USERTrust_ECC_Certification_Authority
+      codeSigning emailProtection serverAuth
+    + USERTrust_RSA_Certification_Authority
+      codeSigning emailProtection serverAuth
+    + VeriSign-C3SSA-G2-temporary-intermediate-after-1024bit-removal
+  - The following CAs were changed:
+    + Equifax_Secure_eBusiness_CA_1
+      remote code signing and https trust, leave email trust
+    + Verisign_Class_3_Public_Primary_Certification_Authority_-_G2
+      only trust emailProtection
+
+-------------------------------------------------------------------
+Tue Aug 26 13:30:12 UTC 2014 - meissner@suse.com
+
+- Updated to 2.1 (bnc#888534)
+
+- The following 1024-bit CA certificates were removed
+  - Entrust.net Secure Server Certification Authority
+  - ValiCert Class 1 Policy Validation Authority
+  - ValiCert Class 2 Policy Validation Authority
+  - ValiCert Class 3 Policy Validation Authority
+  - TDC Internet Root CA
+- The following CA certificates were added:
+  - Certification Authority of WoSign
+  - CA 沃通根证书
+  - DigiCert Assured ID Root G2
+  - DigiCert Assured ID Root G3
+  - DigiCert Global Root G2
+  - DigiCert Global Root G3
+  - DigiCert Trusted Root G4
+  - QuoVadis Root CA 1 G3
+  - QuoVadis Root CA 2 G3
+  - QuoVadis Root CA 3 G3
+- The Trust Bits were changed for the following CA certificates
+  - Class 3 Public Primary Certification Authority
+  - Class 3 Public Primary Certification Authority
+  - Class 2 Public Primary Certification Authority - G2
+  - VeriSign Class 2 Public Primary Certification Authority - G3
+  - AC Raíz Certicámara S.A.
+  - NetLock Uzleti (Class B) Tanusitvanykiado
+  - NetLock Expressz (Class C) Tanusitvanykiado
+
+- certdata-temporary-1024.patch: restore some certificates removed
+  from NSS as these are still used for some major sites.
+  openssl is not as clever as NSS in selecting the new ones in the
+  chain correctly.
+
 -------------------------------------------------------------------
 Wed Jun 18 15:05:23 UTC 2014 - meissner@suse.com
 

ca-certificates-mozilla.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ca-certificates-mozilla
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,8 +25,8 @@ BuildRequires:  python
 
 Name:           ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-Version:        1.97
+# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
+Version:        2.2
 Release:        0
 Summary:        CA certificates for OpenSSL
 License:        MPL-2.0
@@ -34,22 +34,24 @@ Group:          Productivity/Networking/Security
 Url:            http://www.mozilla.org
 # IMPORTANT: procedure to update certificates:
 # - Check the log of the cert file:
-#   http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
+#   http://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt
 # - download the new certdata.txt
-#   wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+#   wget -O certdata.txt "http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt"
 # - run compareoldnew to show fingerprints of new and changed certificates
 # - check the bugs referenced in hg log and compare the checksum
 #   to output of compareoldnew
-#   The correct history of the file is actually in the nss repo:
-#   http://hg.mozilla.org/projects/nss/log/8f026c806587/lib/ckfw/builtins/certdata.txt
 # - Watch out that blacklisted or untrusted certificates are not
 #   accidentally included!
-Source:         https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-Source1:        https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+Source:         http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
+Source1:        http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
 # from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
 Source10:       certdata2pem.py
 Source11:       %{name}.COPYING
 Source12:       compareoldnew
+
+# temporary legacy patch
+Patch0:         diff-from-upstream-2.2.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 # for update-ca-certificates
@@ -67,7 +69,10 @@ from MozillaFirefox
 
 %prep
 %setup -qcT
+
 /bin/cp %{SOURCE0} .
+patch <%{PATCH0}
+
 install -m 644 %{SOURCE11} COPYING
 ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
 if [ "%{version}" != "$ver" ]; then

nssckbi.h

@@ -44,9 +44,9 @@
  * whether we may use its full range (0-255) or only 0-99 because
  * of the comment in the CK_VERSION type definition.
  */
-#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
-#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION "2.2"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1