public-mirrors/ca-certificates
1
0
Fork 0
mirror of https://git.launchpad.net/ubuntu/+source/ca-certificates synced 2025-08-05 16:59:04 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

20180409 (patches unapplied)

Browse source 
Imported using git-ubuntu import.
This commit is contained in:
Michael Shuler 2018-04-09 18:43:49 -05:00 committed by git-ubuntu importer
parent 47e49e1e0a
commit 7b954313d4
Notes: git-ubuntu importer 2020-07-14 23:32:26 +00:00 
  [ Michael Shuler ]
  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.22.
    The following certificate authorities were added (+):
    + "GDCA TrustAUTH R5 ROOT"
    + "SSL.com EV Root Certification Authority ECC"
    + "SSL.com EV Root Certification Authority RSA R2"
    + "SSL.com Root Certification Authority ECC"
    + "SSL.com Root Certification Authority RSA"
    + "TrustCor ECA-1"
    + "TrustCor RootCert CA-1"
    + "TrustCor RootCert CA-2"
    The following certificate authorities were removed (-):
    - "ACEDICOM Root"
    - "AddTrust Low-Value Services Root"
    - "AddTrust Public Services Root"
    - "AddTrust Qualified Certificates Root"
    - "CA Disig Root R1"
    - "CNNIC ROOT"
    - "Camerfirma Chambers of Commerce Root"
    - "Camerfirma Global Chambersign Root"
    - "Certinomis - Autorité Racine"
    - "Certum Root CA"
    - "China Internet Network Information Center EV Certificates Root"
    - "Comodo Secure Services root"
    - "Comodo Trusted Services root"
    - "DST ACES CA X6"
    - "GeoTrust Global CA 2"
    - "PSCProcert"
    - "Security Communication EV RootCA1"
    - "Swisscom Root CA 1"
    - "Swisscom Root CA 2"
    - "Swisscom Root EV CA 2"
    - "TURKTRUST Certificate Services Provider Root 2007"
    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
    - "UTN USERFirst Hardware Root CA"
  * mozilla/blacklist.txt
    Update blacklist to remove certificates no longer in certdata.txt and
    explicitly ignore distrusted certificates.
  * debian/copyright:
    Fix lintian insecure-copyright-format-uri with https URL.
  * debian/changelog:
    Fix lintian file-contains-trailing-whitespace.
  * debian/{compat,control}:
    Set to debhelper compat 11.
  * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
    usage of `c_rehash` script. Closes: #895075
  [ Thijs Kinkhorst ]
  * Remove Christian Perrier from uploaders at his request (closes: #894070).
  * Checked for policy 4.1.4, no changes.
10 changed files with 1466 additions and 7636 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

100
debian/changelog vendored
View file

@ -1,3 +1,59 @@
ca-certificates (20180409) unstable; urgency=medium
[ Michael Shuler ]
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.22.
The following certificate authorities were added (+):
+ "GDCA TrustAUTH R5 ROOT"
+ "SSL.com EV Root Certification Authority ECC"
+ "SSL.com EV Root Certification Authority RSA R2"
+ "SSL.com Root Certification Authority ECC"
+ "SSL.com Root Certification Authority RSA"
+ "TrustCor ECA-1"
+ "TrustCor RootCert CA-1"
+ "TrustCor RootCert CA-2"
The following certificate authorities were removed (-):
- "ACEDICOM Root"
- "AddTrust Low-Value Services Root"
- "AddTrust Public Services Root"
- "AddTrust Qualified Certificates Root"
- "CA Disig Root R1"
- "CNNIC ROOT"
- "Camerfirma Chambers of Commerce Root"
- "Camerfirma Global Chambersign Root"
- "Certinomis - Autorité Racine"
- "Certum Root CA"
- "China Internet Network Information Center EV Certificates Root"
- "Comodo Secure Services root"
- "Comodo Trusted Services root"
- "DST ACES CA X6"
- "GeoTrust Global CA 2"
- "PSCProcert"
- "Security Communication EV RootCA1"
- "Swisscom Root CA 1"
- "Swisscom Root CA 2"
- "Swisscom Root EV CA 2"
- "TURKTRUST Certificate Services Provider Root 2007"
- "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
- "UTN USERFirst Hardware Root CA"
* mozilla/blacklist.txt
Update blacklist to remove certificates no longer in certdata.txt and
explicitly ignore distrusted certificates.
* debian/copyright:
Fix lintian insecure-copyright-format-uri with https URL.
* debian/changelog:
Fix lintian file-contains-trailing-whitespace.
* debian/{compat,control}:
Set to debhelper compat 11.
* Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
usage of `c_rehash` script. Closes: #895075
[ Thijs Kinkhorst ]
* Remove Christian Perrier from uploaders at his request (closes: #894070).
* Checked for policy 4.1.4, no changes.
-- Michael Shuler <michael@pbandjelly.org> Mon, 09 Apr 2018 18:43:49 -0500
ca-certificates (20170717) unstable; urgency=medium
* Update to Standards-Version: 4.0.1
@ -338,7 +394,7 @@ ca-certificates (20130610) unstable; urgency=low
* Update to machine-readable debian/copyright file v1.0
[ Thijs Kinkhorst ]
* Drop upgrading code for upgrades from Debian Etch and earlier.
* Drop upgrading code for upgrades from Debian Etch and earlier.
* Remove obsolete debconf.org CA certificate. DebConf now uses an
intermediate certificate signed by SPI. (Closes: #693405)
* Remove obsolete SPI CA certiticate.
@ -915,7 +971,7 @@ ca-certificates (20061027) unstable; urgency=low
closes: Bug#386806
* debian/po/da.po: updated
closes: Bug#388018
-- Fumitoshi UKAI <ukai@debian.or.jp> Sat, 28 Oct 2006 02:28:50 +0900
ca-certificates (20060816) unstable; urgency=low
@ -962,18 +1018,18 @@ ca-certificates (20050518) unstable; urgency=high
closes: Bug#296212
* update mozilla/certdata.txt
add: "Certum Root CA", "Comodo AAA Services root"
"Comodo Secure Services root",
"Comodo Trusted Services root",
"IPS Chained CAs root", "IPS CLASE1 root", "IPS CLASE3 root",
"IPS CLASEA1 root", "IPS CLASEA3 root", "IPS Servidores root"
"IPS Timestamping root",
"QuoVadis Root CA",
"Security Communication Root CA",
"Sonera Class 1 Root CA", "Sonera Class 2 Root CA",
"Staat der Nederlanden Root CA",
"TDC Internet Root CA", "TDC OCES Root CA",
"UTN DATACorp SGC Root CA", "UTN USERFirst Email Root CA",
"UTN USERFirst Hardware Root CA", "UTN USERFirst Object Root CA"
"Comodo Secure Services root",
"Comodo Trusted Services root",
"IPS Chained CAs root", "IPS CLASE1 root", "IPS CLASE3 root",
"IPS CLASEA1 root", "IPS CLASEA3 root", "IPS Servidores root"
"IPS Timestamping root",
"QuoVadis Root CA",
"Security Communication Root CA",
"Sonera Class 1 Root CA", "Sonera Class 2 Root CA",
"Staat der Nederlanden Root CA",
"TDC Internet Root CA", "TDC OCES Root CA",
"UTN DATACorp SGC Root CA", "UTN USERFirst Email Root CA",
"UTN USERFirst Hardware Root CA", "UTN USERFirst Object Root CA"
* add CACert.org's Root CA
closes: Bug#213086, Bug#288293
* add debian/po/vi.po
@ -982,13 +1038,13 @@ ca-certificates (20050518) unstable; urgency=high
closes: Bug#309019
* write "How certificate will be accepted in ca-certificates package"
in README.Debain
-- Fumitoshi UKAI <ukai@debian.or.jp> Wed, 18 May 2005 00:40:54 +0900
ca-certificates (20040809) unstable; urgency=low
* previous version was not fixed Bug#255933 correctly.
update-ca-certificates now remove symlinks of deselected entries
update-ca-certificates now remove symlinks of deselected entries
in ca-certificates.conf
closes: Bug#255933
@ -998,7 +1054,7 @@ ca-certificates (20040808) unstable; urgency=low
* run update-ca-certificates by /bin/sh -e
closes: Bug#247581
* update-ca-certificates remove symlinks of deselected entries
* update-ca-certificates remove symlinks of deselected entries
in ca-certificates.conf
closes: Bug#255933
* change default of trust_new_crts from 'ask' to 'yes'
@ -1086,17 +1142,17 @@ ca-certificates (20030415) unstable; urgency=medium
-- Fumitoshi UKAI <ukai@debian.or.jp> Mon, 14 Apr 2003 23:00:58 +0900
ca-certificates (20030414) unstable; urgency=medium
* certificates are installed in /usr/share/ca-certificates
you can find md5sum of certs files. closes: Bug#170777
* debconf to generate /etc/ca-certificates.conf
* update-ca-certificates update /etc/ssl/certs according
* update-ca-certificates update /etc/ssl/certs according
/etc/ca-certificates.conf
It also generate /etc/ssl/certs/ca-certificates.crt
which is single-file version of certs.
closes: Bug#158904
* change extension from .pem to .crt in /usr/share/ca-certificates
- /etc/mime.types:
application/x-x509-ca-cert crt
@ -1105,7 +1161,7 @@ ca-certificates (20030414) unstable; urgency=medium
c_rehash requires .pem extension
* Update certificate from mozilla 2:1.3-4
mozilla/security/nss/lib/ckfw/builtins/certdata.txt
mozilla/security/nss/lib/ckfw/builtins/certdata.txt
cefd05b299ea683fc6b1ce9ff1e23a3f mozilla/certdata.txt
* Add spi-inc.org/spi-ca.crt from http://www.spi-inc.org/secretary/

2
debian/compat vendored
View file

@ -1 +1 @@
10
11

11
debian/control vendored
View file

@ -4,16 +4,15 @@ Priority: optional
Maintainer: Michael Shuler <michael@pbandjelly.org>
Uploaders: Raphael Geissert <geissert@debian.org>,
Thijs Kinkhorst <thijs@debian.org>,
Christian Perrier <bubulle@debian.org>
Build-Depends: debhelper (>= 10), po-debconf
Build-Depends: debhelper (>= 11), po-debconf
Build-Depends-Indep: python, openssl
Standards-Version: 4.0.1
Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git
Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
Standards-Version: 4.1.4
Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
Package: ca-certificates
Architecture: all
Depends: openssl (>= 1.0.0), ${misc:Depends}
Depends: openssl (>= 1.1.0), ${misc:Depends}
Enhances: openssl
Multi-Arch: foreign
Breaks: ca-certificates-java (<<20121112+nmu1)

2
debian/copyright vendored
View file

@ -1,4 +1,4 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Source: http://ftp.debian.org/debian/pool/main/c/ca-certificates/
Files: debian/*

2
debian/rules vendored
View file

@ -60,7 +60,7 @@ install: build
install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
(cd mozilla; \
$(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs")
c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
openssl rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
# Build architecture-independent files here.
binary-indep: build install

30
mozilla/blacklist.txt
View file

@ -1,23 +1,13 @@
# One blacklist entry per line, corresponding to the label in certdata.txt.
# MD5 Collision Proof of Concept CA
"MD5 Collisions Forged Rogue CA 25c3"
# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
"Explicitly Distrust DigiNotar Root CA"
"Explicitly Distrusted DigiNotar PKIoverheid G2"
"MITM subCA 1 issued by Trustwave"
"MITM subCA 2 issued by Trustwave"
"TURKTRUST Mis-issued Intermediate CA 1"
"TURKTRUST Mis-issued Intermediate CA 2"
# DigiNotar Root CA (see debbug#639744)
"DigiNotar Root CA"
# StartCom and WoSign certificates are now untrusted by the major browser
# vendors[0]. See [1] for discussion. The list was generated by:
#
# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
#
# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
# [1] https://bugs.debian.org/858539
#
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"WoSign"
"WoSign China"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"

8943
mozilla/certdata.txt
View file

File diff suppressed because it is too large Load diff

4
mozilla/nssckbi.h
View file

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

4
sbin/update-ca-certificates
View file

@ -174,9 +174,9 @@ then
# only run if set of files has changed
if [ "$verbose" = 0 ]
then
c_rehash . > /dev/null
openssl rehash . > /dev/null
else
c_rehash .
openssl rehash .
fi
fi

4
sbin/update-ca-certificates.8
View file

@ -50,7 +50,7 @@ A summary of options is included below.
Show summary of options.
.TP
.B \-v, \-\-verbose
Be verbose. Output \fBc_rehash\fP.
Be verbose. Output \fBopenssl rehash\fP.
.TP
.B \-f, \-\-fresh
Fresh updates. Remove symlinks in /etc/ssl/certs directory.
@ -69,7 +69,7 @@ Directory of CA certificates.
.I /usr/local/share/ca-certificates
Directory of local CA certificates (with .crt extension).
.SH SEE ALSO
.BR c_rehash (1)
.BR openssl (1)
.SH AUTHOR
This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
for the Debian project (but may be used by others).