From ba1b821fcda7f9c5cf0494e1d81058ded917da9b0e293bd481de266892264fd5 Mon Sep 17 00:00:00 2001
From: Ludwig Nussel
Date: Mon, 9 Dec 2013 10:01:15 +0000
Subject: [PATCH 1/2] - fix handling of certificates with same name (bnc#854163)
OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=50
---
 ca-certificates-mozilla.changes | 5 +++++
 ca-certificates-mozilla.spec | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index 4800e8a..df9ca5c 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Dec 9 09:56:32 UTC 2013 - lnussel@suse.de
+
+- fix handling of certificates with same name (bnc#854163)
+
 -------------------------------------------------------------------
 Tue Oct 29 13:52:16 UTC 2013 - meissner@suse.com
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index 2248366..85caa3b 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@@ -94,10 +94,19 @@ for i in *.crt; do
 [ -z "$alias" ] || args+=('-setalias' "$alias")
 echo "$i ${args[*]}"
+ fname="%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
+ if [ -e "$fname" ]; then
+ fname="${fname%.pem}"
+ j=1
+ while [ -e "$fname.$j.pem" ]; do
+ j=$((j+1))
+ done
+ fname="$fname.$j.pem"
+ fi
 {
 grep '^#' "$i"
 openssl x509 -in "$i" "${args[@]}"
- } > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
+ } > "$fname"
 done
 for i in *.p11-kit ; do
 install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
From 993d8b9f9409b61bff1026d983b6e46615dbc33165bc988cfd3b1fa9a2c12568 Mon Sep 17 00:00:00 2001
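Review bot: Which certificate is written as `NAME.pem` and which as `NAME.1.pem` in the added `fname` block depends on the order in which `*.crt` expands, and that order follows the collation locale unless the build pins it, so the file-to-certificate mapping may differ between build environments. The existing `echo "$i ${args[*]}"` runs before `fname` is computed, so the build log never shows the name a colliding certificate was stored under; I would add `echo "$i -> $fname"` after the `fi`. A comment above the block, for example `# two certificates may share a label; keep both instead of overwriting the earlier one`, would record why the suffix loop exists. The loop body starts before the hunk, so where `$d` and `$alias` are set is not visible here.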
From: Marcus Meissner
Date: Mon, 9 Dec 2013 16:03:09 +0000
Subject: [PATCH 2/2] - Updated to 1.95 Distrust a sub-ca that issued google.com certificates. "Distrusted AC DG Tresor SSL" (bnc#854367)
OBS-URL: https://build.opensuse.org/package/show/Base:System/ca-certificates-mozilla?expand=0&rev=51
---
 ca-certificates-mozilla.changes | 7 +++++++
 ca-certificates-mozilla.spec | 2 +-
 certdata.txt | 28 ++++++++++++++++++++++++++++
 nssckbi.h | 4 ++--
 4 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index df9ca5c..47c42f1 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Dec 9 16:01:29 UTC 2013 - meissner@suse.com
+
+- Updated to 1.95
+ Distrust a sub-ca that issued google.com certificates.
+ "Distrusted AC DG Tresor SSL" (bnc#854367)
+
 -------------------------------------------------------------------
 Mon Dec 9 09:56:32 UTC 2013 - lnussel@suse.de
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index 85caa3b..f16bcf1 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@@ -26,7 +26,7 @@ BuildRequires: python
 Name: ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
 # https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-Version: 1.94
+Version: 1.95
 Release: 0
 Summary: CA certificates for OpenSSL
 License: MPL-2.0
diff --git a/certdata.txt b/certdata.txt
index 3a774de..d5a3630 100644
--- a/certdata.txt
+++ b/certdata.txt
@@ -12376,6 +12376,34 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+# Distrust "Distrusted AC DG Tresor SSL"
+# Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR
+# Serial Number: 204199 (0x31da7)
+# Subject: CN=AC DG Tr..sor SSL,O=DG Tr..sor,C=FR
+# Not Valid Before: Thu Jul 18 10:05:28 2013
+# Not Valid After : Fri Jul 18 10:05:28 2014
+# Fingerprint (MD5): 3A:EA:9E:FC:00:0C:E2:06:6C:E0:AC:39:C1:31:DE:C8
+# Fingerprint (SHA1): 5C:E3:39:46:5F:41:A1:E4:23:14:9F:65:54:40:95:40:4D:E6:EB:E2
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+CKA_TOKEN CK_BBOOL CK_TRUE
+CKA_PRIVATE CK_BBOOL CK_FALSE
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
+CKA_LABEL UTF8 "Distrusted AC DG Tresor SSL"
+CKA_ISSUER MULTILINE_OCTAL
+\060\113\061\013\060\011\006\003\125\004\006\023\002\106\122\061
+\016\060\014\006\003\125\004\012\023\005\104\107\124\120\105\061
+\054\060\052\006\003\125\004\003\023\043\101\103\040\104\107\124
+\120\105\040\123\151\147\156\141\164\165\162\145\040\101\165\164
+\150\145\156\164\151\146\151\143\141\164\151\157\156
+END
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
+\002\003\003\035\247
+END
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
 #
 # Certificate "Security Communication EV RootCA1"
 #
diff --git a/nssckbi.h b/nssckbi.h
index b19e783..8e171b6 100644
--- a/nssckbi.h
+++ b/nssckbi.h
@@ -45,8 +45,8 @@
 * of the comment in the CK_VERSION type definition.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94
-#define NSS_BUILTINS_LIBRARY_VERSION "1.94"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 95
+#define NSS_BUILTINS_LIBRARY_VERSION "1.95"
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1