Accepting request 36567 from Base:System

Copy from Base:System/ca-certificates-mozilla based on submit request 36567 from user lnussel OBS-URL: https://build.opensuse.org/request/show/36567 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ca-certificates-mozilla?expand=0&rev=1
2010-04-01 16:22:04 +00:00 · 2010-04-01 16:22:04 +00:00 · f92238c166
commit f92238c166
8 changed files with 21487 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/ca-certificates-mozilla.COPYING
+++ b/ca-certificates-mozilla.COPYING
@ -0,0 +1,36 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@ -0,0 +1,53 @@
+-------------------------------------------------------------------
+Thu Apr  1 12:14:11 UTC 2010 - lnussel@suse.de
+
+- don't output trusted certs by default as it's not supported by
+  gnutls yet and pidgin scans /etc/ssl/certs
+
+-------------------------------------------------------------------
+Thu Apr  1 11:39:01 UTC 2010 - lnussel@suse.de
+
+- update certificates to revision 1.62
+
+-------------------------------------------------------------------
+Fri Mar 26 15:27:34 UTC 2010 - lnussel@suse.de
+
+- extract trustbits as comment as Fedora does
+- convert to trusted certificates in spec file instead
+
+-------------------------------------------------------------------
+Thu Mar 25 08:16:56 UTC 2010 - lnussel@suse.de
+
+- rename to ca-certificates-mozilla
+- output trusted certificates
+- use utf8 in file names
+
+-------------------------------------------------------------------
+Tue Feb  2 16:27:35 UTC 2010 - lnussel@suse.de
+
+- update certificates to revision 1.57
+- add script to compare with previous certificates
+
+-------------------------------------------------------------------
+Wed Sep 30 13:17:45 UTC 2009 - lnussel@suse.de
+
+- update certifiates to cvs revision 1.56
+- exclude certficates that are not trusted for identifying web sites
+
+-------------------------------------------------------------------
+Tue Dec  2 11:29:03 CET 2008 - cfarrell@suse.de
+
+- Add openssl-certs.COPYING to fix bnc#441356
+ 
+
+-------------------------------------------------------------------
+Thu Oct  9 17:49:57 CEST 2008 - lnussel@suse.de
+
+- use certificates from MozillaFirefox
+
+-------------------------------------------------------------------
+Wed Jul  9 15:15:38 CEST 2008 - mkoenig@suse.de
+
+- split out the CA root certificates from the openssl certs 
+  subpackage into a package of its own. 
+
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@ -0,0 +1,109 @@
+#
+# spec file for package ca-certificates-mozilla (Version 1.62)
+#
+# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+%bcond_with trustedcerts
+
+BuildRequires:  openssl
+
+Name:           ca-certificates-mozilla
+%define sslusrdir %{_datadir}/ca-certificates
+License:        BSD3c(or similar) ; MPL 1.1/GPL 2.0/LGPL 2.1
+Group:          Productivity/Networking/Security
+AutoReqProv:    on
+Version:        1.62
+Release:        1
+Summary:        CA certificates for OpenSSL
+Url:            http://www.mozilla.org
+# IMPORTANT: procedure to update certificates:
+# - Check the CVS log of the cert file:
+#   http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD
+# - download the new certdata.txt
+#   wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certdata.txt?raw=1"
+# - run compareoldnew to show fingerprints of new and changed certificates
+# - check the bugs referenced in cvs log and compare the checksum
+#   to output of compareoldnew
+# - Watch out that blacklisted or untrusted certificates are not
+#   accidentally included!
+Source:         certdata.txt
+Source1:        extractcerts.pl
+Source2:        %{name}.COPYING
+Source3:        compareoldnew
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+BuildArch:      noarch
+# for update-ca-certificates
+PreReq:         ca-certificates
+#
+Provides:       openssl-certs = 0.9.9
+Obsoletes:      openssl-certs < 0.9.9
+
+%description
+This package contains some CA root certificates for OpenSSL extracted
+from MozillaFirefox
+
+
+
+%prep
+%setup -qcT
+install -m 644 %{S:1} COPYING
+
+%build
+perl %{SOURCE1} --trustbits < %{SOURCE0}
+
+%install
+mkdir -p %{buildroot}/%{sslusrdir}/mozilla
+set +x
+for i in *.pem; do
+	args=()
+	trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"`
+	alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"`
+%if %{with trustedcerts}
+	args+=('-trustout')
+	for t in $trust; do
+		args+=("-addtrust" "$t")
+	done
+	[ -z "$alias" ] || args+=('-setalias' "$alias")
+%else
+	case "$trust" in
+		*serverAuth*) ;;
+		*) echo "skipping $i, not trusted for serverAuth"; continue ;;
+	esac
+%endif
+	echo "$i"
+	{
+		grep '^#' "$i"
+		openssl x509 -in "$i" "${args[@]}"
+	} > "%{buildroot}/%{sslusrdir}/mozilla/$i"
+done
+set -x
+
+%clean
+rm -rf %{buildroot}
+
+%post
+update-ca-certificates || true
+
+%postun
+update-ca-certificates || true
+
+%files
+%defattr(-, root, root)
+%doc COPYING
+%{sslusrdir}/mozilla
+
+%changelog
--- a/certdata.txt
+++ b/certdata.txt
--- a/40
+++ b/40
@ -0,0 +1,40 @@
+#!/bin/bash
+# print fingerprints of new or changed certificates
+set -e
+cleanup()
+{
+	rm -rf new{,.files} old{,.files}
+}
+showcert()
+{
+	openssl x509 -in "$1" -noout -subject -fingerprint -nameopt multiline,utf8,-esc_msb \
+	| sed -ne 's/ *commonName *= /   CN: /p; s/.*Fingerprint=/ sha1: /p'
+}
+cleanup
+trap cleanup EXIT
+mkdir old new
+cd old
+echo old...
+VERBOSE=1 ../extractcerts.pl < ../.osc/certdata.txt | sort > ../old.files
+cd ..
+cd new
+echo new...
+VERBOSE=1 ../extractcerts.pl < ../certdata.txt | sort > ../new.files
+cd ..
+echo '----------------------------'
+while read line; do
+	IFS='#' eval set -- \$line
+	old="$1"
+	new="$2"
+	common="$3"
+	if [ -n "$old" ]; then
+		echo "$old has been deleted"
+	elif [ -n "$new" ]; then
+		echo "new:   $new"
+		showcert new/$new
+	elif ! cmp "old/$common" "new/$common"; then
+		echo "*** $common differs!"
+		showcert old/$common
+		showcert old/$common
+	fi
+done < <(comm --output-delimiter='#' old.files new.files)
--- a/extractcerts.pl
+++ b/extractcerts.pl
@ -0,0 +1,202 @@
+#!/usr/bin/perl -w
+# 
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is the Netscape security libraries.
+#
+# The Initial Developer of the Original Code is
+# Netscape Communications Corporation.
+# Portions created by the Initial Developer are Copyright (C) 1994-2000
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+use strict;
+use Encode;
+
+my $count = 0;
+my @certificates = ();
+my %trusts = ();
+my $object = undef;
+my $output_trustbits;
+
+my %trust_types = (
+  "CKA_TRUST_DIGITAL_SIGNATURE" => "digital-signature",
+  "CKA_TRUST_NON_REPUDIATION" => "non-repudiation",
+  "CKA_TRUST_KEY_ENCIPHERMENT" => "key-encipherment",
+  "CKA_TRUST_DATA_ENCIPHERMENT" => "data-encipherment",
+  "CKA_TRUST_KEY_AGREEMENT" => "key-agreement",
+  "CKA_TRUST_KEY_CERT_SIGN" => "cert-sign",
+  "CKA_TRUST_CRL_SIGN" => "crl-sign",
+  "CKA_TRUST_SERVER_AUTH" => "server-auth",
+  "CKA_TRUST_CLIENT_AUTH" => "client-auth",
+  "CKA_TRUST_CODE_SIGNING" => "code-signing",
+  "CKA_TRUST_EMAIL_PROTECTION" => "email-protection",
+  "CKA_TRUST_IPSEC_END_SYSTEM" => "ipsec-end-system",
+  "CKA_TRUST_IPSEC_TUNNEL" => "ipsec-tunnel",
+  "CKA_TRUST_IPSEC_USER" => "ipsec-user",
+  "CKA_TRUST_TIME_STAMPING" => "time-stamping",
+  "CKA_TRUST_STEP_UP_APPROVED" => "step-up-approved",
+);
+
+my %openssl_trust = (
+  CKA_TRUST_SERVER_AUTH => 'serverAuth',
+  CKA_TRUST_CLIENT_AUTH => 'clientAuth',
+  CKA_TRUST_EMAIL_PROTECTION => 'emailProtection',
+  CKA_TRUST_CODE_SIGNING => 'codeSigning',
+);
+
+if (@ARGV && $ARGV[0] eq '--trustbits') {
+	shift @ARGV;
+	$output_trustbits = 1;
+}
+
+sub handle_object($)
+{
+  my $object = shift;
+  return unless $object;
+  if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && $object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') {
+    push @certificates, $object;
+  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_TRUST') {
+    my $label = $object->{'CKA_LABEL'};
+    die "$label exists" if exists($trusts{$label});
+    $trusts{$label} = $object;
+  } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_BUILTIN_ROOT_LIST') {
+    # ignore
+  } else {
+    print STDERR "class ", $object->{'CKA_CLASS'} ," not handled\n";
+  }
+}
+
+while(<>) {
+  my @fields = ();
+
+  s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/;
+  next if (/^\s*$/);
+
+  if( /(^CVS_ID\s+)(.*)/ ) {
+    next;
+  }
+
+  # This was taken from the perl faq #4.
+  my $text = $_;
+  push(@fields, $+) while $text =~ m{
+      "([^\"\\]*(?:\\.[^\"\\]*)*)"\s?  # groups the phrase inside the quotes
+    | ([^\s]+)\s?
+    | \s
+  }gx;
+  push(@fields, undef) if substr($text,-1,1) eq '\s';
+
+  if( $fields[0] =~ /BEGINDATA/ ) {
+    next;
+  }
+
+  if( $fields[1] =~ /MULTILINE/ ) {
+    $fields[2] = "";
+    while(<>) {
+      last if /END/;
+      chomp;
+      $fields[2] .= $_;
+    }
+  }
+
+  if( $fields[0] =~ /CKA_CLASS/ ) {
+    $count++;
+    handle_object($object);
+    $object = {};
+  }
+
+  $object->{$fields[0]} = $fields[2];
+}
+handle_object($object);
+
+use MIME::Base64;
+for my $cert (@certificates) {
+  my $alias = $cert->{'CKA_LABEL'};
+  if(!exists($trusts{$alias})) {
+    print STDERR "NO TRUST: $alias\n";
+    next;
+  }
+  # check trust. We only include certificates that are trusted for identifying
+  # web sites
+  my $trust = $trusts{$alias};
+  my @addtrust;
+  my @addtrust_openssl;
+  my $trusted;
+  if ($output_trustbits) {
+	  for my $type (keys %trust_types) {
+		  if (exists $trust->{$type}
+		  && $trust->{$type} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
+			  push @addtrust, $trust_types{$type};
+			  if (exists $openssl_trust{$type}) {
+				  push @addtrust_openssl, $openssl_trust{$type};
+			  }
+			  $trusted = 1;
+		  }
+	  }
+  } else {
+	  if($trust->{'CKA_TRUST_SERVER_AUTH'} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
+		  $trusted = 1;
+	  }
+  }
+
+  if (!$trusted) {
+	  my $t = $trust->{'CKA_TRUST_SERVER_AUTH'};
+	  $t =~ s/CKT_NETSCAPE_//;
+	  print STDERR "$t: $alias\n";
+	  next;
+  }
+
+  if ($alias =~ /\\x[0-9a-fA-F]{2}/) {
+	  $alias =~ s/\\x([0-9a-fA-F]{2})/chr(hex($1))/ge; # thanks mls!
+	  $alias = Encode::decode("UTF-8", $alias);
+  }
+  my $file = $alias;
+  $alias =~ s/'/-/g;
+  $file =~ s/[^[:alnum:]\\]+/_/g;
+  $file .= '.pem';
+  $file = Encode::encode("UTF-8", $file);
+  if (!open(O, '>', $file)) {
+	  print STDERR "$file: $!\n";
+	  next;
+  }
+  print "$file\n" if $ENV{'VERBOSE'};
+  my $value = $cert->{'CKA_VALUE'};
+  my $enc = '';
+  $enc .= pack("C", oct($+)) while $value =~ /\G\\([0-3][0-7][0-7])/g;
+  if ($output_trustbits) {
+	  print O "# alias=",Encode::encode("UTF-8", $alias),"\n";
+	  print O "# trust=",join(" ", @addtrust),"\n";
+	  if (@addtrust_openssl) {
+		  print O "# openssl-trust=",join(" ", @addtrust_openssl),"\n";
+	  }
+  }
+  print O "-----BEGIN CERTIFICATE-----\n";
+  print O encode_base64($enc);
+  print O "-----END CERTIFICATE-----\n";
+  close O;
+}