From abed6a95f8fe5f3e824b3b4b92d8409aebe547b04e38617f81be5adb8a7b6ca6 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 24 Jul 2013 14:32:44 +0000
Subject: [PATCH 1/3] - add fake basic contraints to Entrust root so p11-kit export the cert (bnc#829471)

OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=39
---
 Entrust_net_Premium_2048_Secure_Server_CA.p11-kit | 8 ++++++++
 ca-certificates-mozilla.changes | 6 ++++++
 ca-certificates-mozilla.spec | 15 ++++++++++-----
 3 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 Entrust_net_Premium_2048_Secure_Server_CA.p11-kit

diff --git a/Entrust_net_Premium_2048_Secure_Server_CA.p11-kit b/Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
new file mode 100644
index 0000000..b965a99
--- /dev/null
+++ b/Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
@@ -0,0 +1,8 @@
+[p11-kit-object-v1]
+label: "Add missing BasicConstraints for Entrust root"
+id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
+class: x-certificate-extension
+object-id: 2.5.29.19
+x-critical: true
+value: "%30%03%01%01%FF"
+
diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index 0b76653..aed507f 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
+
+- add fake basic contraints to Entrust root so p11-kit export the cert
+  (bnc#829471)
+
 -------------------------------------------------------------------
 Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de
 
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index fcd9004..f8953f6 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
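Review bot: The new .p11-kit object carries no hint that it is a temporary workaround; the only explanation lives in a spec comment, so whoever finds this file in the installed trust directory has just the label to go on. I believe p11-kit's persistence format accepts `#` comment lines, so I'd open the file with `# Temporary: supplies BasicConstraints cA=TRUE for the Entrust root until NSS ships the corrected certificate (see the Source99 comment in ca-certificates-mozilla.spec)`. The `value` `%30%03%01%01%FF` is DER for SEQUENCE { BOOLEAN TRUE }, i.e. cA=TRUE with no pathLenConstraint, and `x-critical: true` marks it critical, which is the usual encoding for a root; the `id` has to match the CKA_ID of that one certificate, so the comment should also record which certificate (and fingerprint) the id was taken from, so the pairing can be re-checked whenever certdata.txt is refreshed.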
@@ -24,6 +24,8 @@ BuildRequires: openssl
 BuildRequires: python
 
 Name: ca-certificates-mozilla
+# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
 Version: 1.85
 Release: 0
 Summary: CA certificates for OpenSSL
@@ -31,12 +33,10 @@ License: MPL-2.0
 Group: Productivity/Networking/Security
 Url: http://www.mozilla.org
 # IMPORTANT: procedure to update certificates:
-# - Check the CVS log of the cert file:
-# http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD
-# Alternatively hg:
+# - Check the log of the cert file:
 # http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # - download the new certdata.txt
-# wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
+# wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
 # - run compareoldnew to show fingerprints of new and changed certificates
 # - check the bugs referenced in cvs log and compare the checksum
 # to output of compareoldnew
@@ -46,6 +46,11 @@ Source: certdata.txt
 Source1: certdata2pem.py
 Source2: %{name}.COPYING
 Source3: compareoldnew
+# make p11-kit think there are basic constraints in the Entrust
+# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
+# Remove after the updated cert is accepted into NSS
+# https://bugzilla.mozilla.org/show_bug.cgi?id=694536
+Source99: Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
 # for update-ca-certificates
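Review bot: The update procedure in the @@ -31 hunk still ends with `# - check the bugs referenced in cvs log and compare the checksum` although the CVS/bonsai reference is exactly what this hunk removes, so the procedure now points at a log it no longer mentions; I'd change it to `# - check the bugs referenced in the hg log and compare the checksum`. The `Source99` comment in the @@ -46 hunk correctly says the file must go once NSS accepts the updated certificate, but the file is also referenced from the %install loop (`for i in *.p11-kit %{SOURCE99}; do` in the later hunk), so I'd add a line to that comment naming the %install loop as the second place to clean up. The `Version:` comment in the @@ -24 hunk is accurate, but since the spec now trusts a remote nssckbi.h for the version, a note that the %prep check will refuse a mismatch would save the next updater a failed build.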
@@ -92,7 +97,7 @@ for i in *.crt; do
     openssl x509 -in "$i" "${args[@]}"
     } > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
 done
-for i in *.p11-kit; do
+for i in *.p11-kit %{SOURCE99}; do
     install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
 done
 set -x

From c7e45260579b2fb64e95b0822f7c1c630fc1bc6096f25dbad5325f920af25984 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 24 Jul 2013 14:45:48 +0000
Subject: [PATCH 2/3] - add nssckbi.h that matches certdata.txt; make sure package has the correct version number which is currently 1.93. No actual content change in certdata.txt compared to 1.85, it's just that the versioning scheme changed.

OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=40
---
 ca-certificates-mozilla.changes | 4 +++
 ca-certificates-mozilla.spec | 20 +++++++----
 nssckbi.h | 60 +++++++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+), 7 deletions(-)
 create mode 100644 nssckbi.h

diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index aed507f..d5c5d59 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -3,6 +3,10 @@ Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
 
 - add fake basic contraints to Entrust root so p11-kit export the cert
   (bnc#829471)
+- add nssckbi.h that matches certdata.txt; make sure package has the
+  correct version number which is currently 1.93. No actual content
+  change in certdata.txt compared to 1.85, it's just that the
+  versioning scheme changed.
 
 -------------------------------------------------------------------
 Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index f8953f6..154388e 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
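Review bot: `for i in *.p11-kit %{SOURCE99}; do` installs the extension object unconditionally, so it is shipped even if the Entrust root it is bound to is ever dropped from certdata.txt (for example on a distrust), leaving a critical BasicConstraints object in the trust directory with no matching certificate. Since the object only makes sense next to that anchor, I'd copy `%{SOURCE99}` in a separate statement guarded by the presence of the generated file for that root in the build tree, and fail the build loudly if it is missing, so a future certdata.txt refresh cannot silently leave the workaround behind; the exact generated file name depends on how certdata2pem.py names its output, which is outside this hunk. The enclosing %install section continues outside the hunk.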
@@ -26,7 +26,7 @@ BuildRequires: python
 Name: ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
 # https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-Version: 1.85
+Version: 1.93
 Release: 0
 Summary: CA certificates for OpenSSL
 License: MPL-2.0
@@ -42,10 +42,11 @@ Url: http://www.mozilla.org
 # to output of compareoldnew
 # - Watch out that blacklisted or untrusted certificates are not
 # accidentally included!
-Source: certdata.txt
-Source1: certdata2pem.py
-Source2: %{name}.COPYING
-Source3: compareoldnew
+Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
+Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+Source10: certdata2pem.py
+Source11: %{name}.COPYING
+Source12: compareoldnew
 # make p11-kit think there are basic constraints in the Entrust
 # cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
 # Remove after the updated cert is accepted into NSS
@@ -69,10 +70,15 @@ from MozillaFirefox
 %prep
 %setup -qcT
 /bin/cp %{SOURCE0} .
-install -m 644 %{SOURCE2} COPYING
+install -m 644 %{SOURCE11} COPYING
+ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
+if [ "%{version}" != "$ver" ]; then
+    echo "*** Version number mismatch: spec file should be version $ver"
+    false
+fi
 
 %build
-python %{SOURCE1}
+python %{SOURCE10}
 
 %install
 mkdir -p %{buildroot}/%{trustdir_static}/anchors
diff --git a/nssckbi.h b/nssckbi.h
new file mode 100644
index 0000000..0bcf17e
--- /dev/null
+++ b/nssckbi.h
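Review bot: The new %prep check in the @@ -69 hunk aborts with a bare `false`, which only stops the build because rpmbuild runs the scriptlet with `-e`; an explicit exit states the intent and puts the diagnostic where build logs expect it: `echo "*** Version number mismatch: spec file should be version $ver" >&2` followed by `exit 1`. The sed expression `/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p` is fine as written, since the `_MAJOR`/`_MINOR` lines do not match the trailing-space pattern, and if the define is ever missing from `%{SOURCE1}` then `$ver` is empty and the mismatch fires, which is the safe direction; a one-line comment saying so above the `ver=` line would keep the next reader from "fixing" the regex. Replacing the backticks with `$(...)` is a style point only.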
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+ * NSS BUILTINS Version numbers.
+ *
+ * These are the version numbers for the builtins module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+ * for each NSS minor release AND whenever we change the list of
+ * trusted certificates. 10 minor versions are allocated for each
+ * NSS 3.x branch as follows, allowing us to change the list of
+ * trusted certificates up to 9 times on each branch.
+ * - NSS 3.5 branch: 3-9
+ * - NSS 3.6 branch: 10-19
+ * - NSS 3.7 branch: 20-29
+ * - NSS 3.8 branch: 30-39
+ * - NSS 3.9 branch: 40-49
+ * - NSS 3.10 branch: 50-59
+ * - NSS 3.11 branch: 60-69
+ * ...
+ * - NSS 3.12 branch: 70-89
+ * - NSS 3.13 branch: 90-99
+ * - NSS 3.14 branch: 100-109
+ * ...
+ * - NSS 3.29 branch: 250-255
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
+#define NSS_BUILTINS_LIBRARY_VERSION "1.93"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself
+ * (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */

From a410738a83f6f79bff5ed5148643fb0a6f42dc85c3b0d065acc53e89d9f677ce Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Wed, 24 Jul 2013 15:07:12 +0000
Subject: [PATCH 3/3] - remove superfluous double quotes from certificate names

OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=41
---
 ca-certificates-mozilla.changes | 5 +++++
 ca-certificates-mozilla.spec | 1 +
 certdata2pem.py | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index d5c5d59..0dbfb6b 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Jul 24 15:05:31 UTC 2013 - lnussel@suse.de
+
+- remove superfluous double quotes from certificate names
+
 -------------------------------------------------------------------
 Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
 
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index 154388e..c6f58ac 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@@ -44,6 +44,7 @@ Url: http://www.mozilla.org
 # accidentally included!
 Source: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 Source1: https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
 Source10: certdata2pem.py
 Source11: %{name}.COPYING
 Source12: compareoldnew
diff --git a/certdata2pem.py b/certdata2pem.py
index ccaac69..04cdfcc 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -170,7 +170,7 @@ for tobj in objects:
         f = open(fname, 'w')
         if obj != None:
-            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'][1:-1])
         f.write("# trust=" + " ".join(trustbits) + "\n")
         f.write("# distrust=" + " ".join(distrustbits) + "\n")
         if openssl_trustflags:
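Review bot: `tobj['CKA_LABEL'][1:-1]` drops the first and last character unconditionally, so if a label in certdata.txt is ever stored without its surrounding double quotes the alias silently loses two real characters; I'd strip only when the quotes are really there: `label = tobj['CKA_LABEL']` / `if label.startswith('"') and label.endswith('"'): label = label[1:-1]` / `f.write("# alias=%s\n" % label)`. A short comment above it, `# certdata.txt stores CKA_LABEL as a quoted UTF8 string; drop the quotes for the alias`, would explain why the slice exists at all. Whether the value still carries its quotes at this point depends on the parser earlier in the file, which is outside the hunk, as is the enclosing `for tobj in objects:` loop.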