20211004 (patches unapplied)

Imported using git-ubuntu import.

debian/changelog

@@ -1,3 +1,39 @@
+ca-certificates (20211004) unstable; urgency=low
+
+  [ Debian Janitor ]
+  * Fix day-of-week for changelog entry 20090624.
+
+  [ Julien Cristau ]
+  * Create temporary ca-certificates.crt on the same file system.
+    Closes: #923784
+  * Don't remove ca-certificates.crt before updating it, so it doesn't
+    go missing for a short while (closes: #920348).  Thanks, Dimitris
+    Aragiorgis!
+  * Bump package priority from optional to standard.
+  * mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
+    bundle to version 2.50
+    The following certificate authorities were added (+):
+    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
+    + "GlobalSign Root R46"
+    + "GlobalSign Root E46"
+    + "GLOBALTRUST 2020"
+    + "ANF Secure Server Root CA"
+    + "Certum EC-384 CA"
+    + "Certum Trusted Root CA"
+    The following certificate authorities were removed (-):
+    - "QuoVadis Root CA"
+    - "Sonera Class 2 Root CA"
+    - "GeoTrust Primary Certification Authority - G2"
+    - "VeriSign Universal Root Certification Authority"
+    - "Chambers of Commerce Root - 2008"
+    - "Global Chambersign Root - 2008"
+    - "Trustis FPS Root CA"
+    - "Staat der Nederlanden Root CA - G3"
+  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
+  * mozilla/certdata2pem.py: print a warning for expired certificates.
+
+ -- Julien Cristau <jcristau@debian.org>  Thu, 07 Oct 2021 17:12:47 +0200
+
 ca-certificates (20210119) unstable; urgency=medium
 
   [ Julien Cristau ]
@@ -903,7 +939,7 @@ ca-certificates (20090624) unstable; urgency=low
     hooks will be empty, though.  Failure exit codes of hooks will not
     tear down the upgrade process anymore.  They are printed but ignored.
 
- -- Philipp Kern <pkern@debian.org>  Tue, 24 Jun 2009 21:04:08 +0200
+ -- Philipp Kern <pkern@debian.org>  Wed, 24 Jun 2009 21:04:08 +0200
 
 ca-certificates (20081127) unstable; urgency=low
 

debian/control

@@ -3,12 +3,13 @@ Section: misc
 Priority: optional
 Maintainer: Julien Cristau <jcristau@debian.org>
 Build-Depends: debhelper-compat (= 13), po-debconf
-Build-Depends-Indep: python3, openssl
+Build-Depends-Indep: python3, openssl, python3-cryptography
 Standards-Version: 4.5.0.2
 Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
 Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 
 Package: ca-certificates
+Priority: standard
 Architecture: all
 Depends: openssl (>= 1.1.1), ${misc:Depends}
 Enhances: openssl

mozilla/blacklist.txt

@@ -7,3 +7,6 @@
 "MITM subCA 2 issued by Trustwave"
 "TURKTRUST Mis-issued Intermediate CA 1"
 "TURKTRUST Mis-issued Intermediate CA 2"
+
+# Expired CA (#995432)
+"DST Root CA X3"

mozilla/certdata2pem.py

@@ -21,12 +21,16 @@
 # USA.
 
 import base64
+import datetime
 import os.path
 import re
 import sys
 import textwrap
 import io
 
+from cryptography import x509
+
+
 objects = []
 
 # Dirty file parser.
@@ -117,6 +121,13 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
+
+        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
+        if cert.not_valid_after < datetime.datetime.now():
+            print('!'*74)
+            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
+            print('!'*74)
+
         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\

mozilla/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 46
-#define NSS_BUILTINS_LIBRARY_VERSION "2.46"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 50
+#define NSS_BUILTINS_LIBRARY_VERSION "2.50"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/Makefile

@@ -3,9 +3,12 @@
 #
 #
 
+SBINDIR = /usr/sbin
+
 all:
 
 clean:
 
 install:
-	install -m755 update-ca-certificates $(DESTDIR)/usr/sbin/
+	install -d $(DESTDIR)$(SBINDIR)
+	install -m755 update-ca-certificates $(DESTDIR)$(SBINDIR)/

sbin/update-ca-certificates

@@ -80,9 +80,9 @@ trap cleanup 0
 
 # Helper files.  (Some of them are not simple arrays because we spawn
 # subshells later on.)
-TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
-ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
-REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
+ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
 
 # Adds a certificate to the list of trusted ones.  This includes a symlink
 # in /etc/ssl/certs to the certificate file and its inclusion into the
@@ -164,8 +164,6 @@ then
   done
 fi
 
-rm -f "$CERTBUNDLE"
-
 ADDED_CNT=$(wc -l < "$ADDED")
 REMOVED_CNT=$(wc -l < "$REMOVED")