- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1160160)

Removed CAs: - AddTrust External CA Root - AddTrust Class 1 CA Root - LuxTrust Global Root 2 - Staat der Nederlanden Root CA - G2 - Symantec Class 1 Public Primary Certification Authority - G4 - Symantec Class 2 Public Primary Certification Authority - G4 - VeriSign Class 3 Public Primary Certification Authority - G3 Added CAs: - certSIGN Root CA G2 - e-Szigno Root CA 2017 - Microsoft ECC Root Certificate Authority 2017 - Microsoft RSA Root Certificate Authority 2017 OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=107
2020-07-29 13:57:05 +00:00 · 2020-07-29 13:57:05 +00:00 · dcae684d43
commit dcae684d43
parent f4ea507fb3
5 changed files with 683 additions and 1215 deletions
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Jul 29 13:06:19 UTC 2020 - Marcus Meissner <meissner@suse.com>
+
+- update to 2.42 state of the Mozilla NSS Certificate store (bsc#1174673)
+
+  Removed CAs:
+  - AddTrust External CA Root
+  - AddTrust Class 1 CA Root
+  - LuxTrust Global Root 2
+  - Staat der Nederlanden Root CA - G2
+  - Symantec Class 1 Public Primary Certification Authority - G4
+  - Symantec Class 2 Public Primary Certification Authority - G4
+  - VeriSign Class 3 Public Primary Certification Authority - G3
+
+  Added CAs:
+  - certSIGN Root CA G2
+  - e-Szigno Root CA 2017
+  - Microsoft ECC Root Certificate Authority 2017
+  - Microsoft RSA Root Certificate Authority 2017
+
+
 -------------------------------------------------------------------
 Thu Mar 26 11:38:06 UTC 2020 - Marcus Meissner <meissner@suse.com>

--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@ -37,7 +37,7 @@
 Name:           ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
 # http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
-Version:        2.40
+Version:        2.42
 Release:        0
 Summary:        CA certificates for OpenSSL
 License:        MPL-2.0
--- a/certdata.txt
+++ b/certdata.txt
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -177,6 +177,11 @@ openssl_trust = {
  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }

+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
            f.write("nss-mozilla-ca-policy: true\n")
            f.write("modifiable: false\n");

+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
            f.write("-----BEGIN CERTIFICATE-----\n")
            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
--- a/nssckbi.h
+++ b/nssckbi.h
@ -46,8 +46,8 @@
 * It's recommend to switch back to 0 after having reached version 98/99.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 40
-#define NSS_BUILTINS_LIBRARY_VERSION "2.40"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 42
+#define NSS_BUILTINS_LIBRARY_VERSION "2.42"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1