Accepting request 184205 from Base:System

- remove superfluous double quotes from certificate names - add fake basic contraints to Entrust root so p11-kit export the cert (bnc#829471) - add nssckbi.h that matches certdata.txt; make sure package has the correct version number which is currently 1.93. No actual content change in certdata.txt compared to 1.85, it's just that the versioning scheme changed. OBS-URL: https://build.opensuse.org/request/show/184205 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=22
2013-07-25 11:18:17 +00:00 · 2013-07-25 11:18:17 +00:00 · c3f99f810e
commit c3f99f810e
parent aa2058350a a410738a83
5 changed files with 108 additions and 13 deletions
--- a/Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
+++ b/Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
@ -0,0 +1,8 @@
 [p11-kit-object-v1]
 label: "Add missing BasicConstraints for Entrust root"
 id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
 class: x-certificate-extension
 object-id: 2.5.29.19
 x-critical: true
 value: "%30%03%01%01%FF"
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@ -1,3 +1,18 @@
 -------------------------------------------------------------------
 Wed Jul 24 15:05:31 UTC 2013 - lnussel@suse.de
 - remove superfluous double quotes from certificate names
 -------------------------------------------------------------------
 Wed Jul 24 14:21:18 UTC 2013 - lnussel@suse.de
 - add fake basic contraints to Entrust root so p11-kit export the cert
  (bnc#829471)
 - add nssckbi.h that matches certdata.txt; make sure package has the
  correct version number which is currently 1.93. No actual content
  change in certdata.txt compared to 1.85, it's just that the
  versioning scheme changed.
 -------------------------------------------------------------------
 Thu Jun 27 16:03:05 UTC 2013 - lnussel@suse.de
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@ -24,28 +24,35 @@ BuildRequires:  openssl
 BuildRequires:  python
 Name:           ca-certificates-mozilla
-Version:        1.85
+# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
 # https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
 Version:        1.93
 Release:        0
 Summary:        CA certificates for OpenSSL
 License:        MPL-2.0
 Group:          Productivity/Networking/Security
 Url:            http://www.mozilla.org
 # IMPORTANT: procedure to update certificates:
-# - Check the CVS log of the cert file:
+# - Check the log of the cert file:
 #   http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD
 #   Alternatively hg:
 #   http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # - download the new certdata.txt
-#   wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
+#   wget -O certdata.txt "https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
 # - run compareoldnew to show fingerprints of new and changed certificates
 # - check the bugs referenced in cvs log and compare the checksum
 #   to output of compareoldnew
 # - Watch out that blacklisted or untrusted certificates are not
 #   accidentally included!
-Source:         certdata.txt
+Source:         https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-Source1:        certdata2pem.py
+Source1:        https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-Source2:        %{name}.COPYING
+# from Fedora. Note: currently contains extra fix to remove quotes. Pending upstream approval.
-Source3:        compareoldnew
+Source10:       certdata2pem.py
 Source11:       %{name}.COPYING
 Source12:       compareoldnew
 # make p11-kit think there are basic constraints in the Entrust
 # cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
 # Remove after the updated cert is accepted into NSS
 # https://bugzilla.mozilla.org/show_bug.cgi?id=694536
 Source99:       Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 # for update-ca-certificates
@ -64,10 +71,15 @@ from MozillaFirefox
 %prep
 %setup -qcT
 /bin/cp %{SOURCE0} .
-install -m 644 %{SOURCE2} COPYING
+install -m 644 %{SOURCE11} COPYING
 ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
 if [ "%{version}" != "$ver" ]; then
 	echo "*** Version number mismatch: spec file should be version $ver"
 	false
 fi
 %build
-python %{SOURCE1}
+python %{SOURCE10}
 %install
 mkdir -p %{buildroot}/%{trustdir_static}/anchors
@ -92,7 +104,7 @@ for i in *.crt; do
 		openssl x509 -in "$i" "${args[@]}"
 	} > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
 done
-for i in *.p11-kit; do
+for i in *.p11-kit %{SOURCE99}; do
 	install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
 done
 set -x
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -170,7 +170,7 @@ for tobj in objects:
        f = open(fname, 'w')
        if obj != None:
-            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'][1:-1])
            f.write("# trust=" + " ".join(trustbits) + "\n")
            f.write("# distrust=" + " ".join(distrustbits) + "\n")
            if openssl_trustflags:
--- a/nssckbi.h
+++ b/nssckbi.h
@ -0,0 +1,60 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #ifndef NSSCKBI_H
 #define NSSCKBI_H
 /*
 * NSS BUILTINS Version numbers.
 *
 * These are the version numbers for the builtins module packaged with
 * this release on NSS. To determine the version numbers of the builtin
 * module you are using, use the appropriate PKCS #11 calls.
 *
 * These version numbers detail changes to the PKCS #11 interface. They map
 * to the PKCS #11 spec versions.
 */
 #define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
 #define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
 /* These version numbers detail the changes 
 * to the list of trusted certificates.
 *
 * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
 * for each NSS minor release AND whenever we change the list of
 * trusted certificates.  10 minor versions are allocated for each
 * NSS 3.x branch as follows, allowing us to change the list of
 * trusted certificates up to 9 times on each branch.
 *   - NSS 3.5 branch:  3-9
 *   - NSS 3.6 branch:  10-19
 *   - NSS 3.7 branch:  20-29
 *   - NSS 3.8 branch:  30-39
 *   - NSS 3.9 branch:  40-49
 *   - NSS 3.10 branch: 50-59
 *   - NSS 3.11 branch: 60-69
 *     ...
 *   - NSS 3.12 branch: 70-89
 *   - NSS 3.13 branch: 90-99
 *   - NSS 3.14 branch: 100-109
 *     ...
 *   - NSS 3.29 branch: 250-255
 *
 * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
 * whether we may use its full range (0-255) or only 0-99 because
 * of the comment in the CK_VERSION type definition.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
 #define NSS_BUILTINS_LIBRARY_VERSION "1.93"
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
 /* These version numbers detail the semantic changes to ckbi itself 
 * (new PKCS #11 objects), etc. */
 #define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
 #define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
 #endif /* NSSCKBI_H */