20180409 (patches unapplied)

Imported using git-ubuntu import.

debian/changelog

@@ -1,3 +1,59 @@
+ca-certificates (20180409) unstable; urgency=medium
+
+  [ Michael Shuler ]
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.22.
+    The following certificate authorities were added (+):
+    + "GDCA TrustAUTH R5 ROOT"
+    + "SSL.com EV Root Certification Authority ECC"
+    + "SSL.com EV Root Certification Authority RSA R2"
+    + "SSL.com Root Certification Authority ECC"
+    + "SSL.com Root Certification Authority RSA"
+    + "TrustCor ECA-1"
+    + "TrustCor RootCert CA-1"
+    + "TrustCor RootCert CA-2"
+    The following certificate authorities were removed (-):
+    - "ACEDICOM Root"
+    - "AddTrust Low-Value Services Root"
+    - "AddTrust Public Services Root"
+    - "AddTrust Qualified Certificates Root"
+    - "CA Disig Root R1"
+    - "CNNIC ROOT"
+    - "Camerfirma Chambers of Commerce Root"
+    - "Camerfirma Global Chambersign Root"
+    - "Certinomis - Autorité Racine"
+    - "Certum Root CA"
+    - "China Internet Network Information Center EV Certificates Root"
+    - "Comodo Secure Services root"
+    - "Comodo Trusted Services root"
+    - "DST ACES CA X6"
+    - "GeoTrust Global CA 2"
+    - "PSCProcert"
+    - "Security Communication EV RootCA1"
+    - "Swisscom Root CA 1"
+    - "Swisscom Root CA 2"
+    - "Swisscom Root EV CA 2"
+    - "TURKTRUST Certificate Services Provider Root 2007"
+    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+    - "UTN USERFirst Hardware Root CA"
+  * mozilla/blacklist.txt
+    Update blacklist to remove certificates no longer in certdata.txt and
+    explicitly ignore distrusted certificates.
+  * debian/copyright:
+    Fix lintian insecure-copyright-format-uri with https URL.
+  * debian/changelog:
+    Fix lintian file-contains-trailing-whitespace.
+  * debian/{compat,control}:
+    Set to debhelper compat 11.
+  * Update openssl dependency to >= 1.1.0 to support `openssl rehash` and drop
+    usage of `c_rehash` script. Closes: #895075
+
+  [ Thijs Kinkhorst ]
+  * Remove Christian Perrier from uploaders at his request (closes: #894070).
+  * Checked for policy 4.1.4, no changes.
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 09 Apr 2018 18:43:49 -0500
+
 ca-certificates (20170717) unstable; urgency=medium
 
   * Update to Standards-Version: 4.0.1

debian/compat

@@ -1 +1 @@
-10
+11

debian/control

@@ -4,16 +4,15 @@ Priority: optional
 Maintainer: Michael Shuler <michael@pbandjelly.org>
 Uploaders: Raphael Geissert <geissert@debian.org>,
            Thijs Kinkhorst <thijs@debian.org>,
-           Christian Perrier <bubulle@debian.org>
-Build-Depends: debhelper (>= 10), po-debconf
+Build-Depends: debhelper (>= 11), po-debconf
 Build-Depends-Indep: python, openssl
-Standards-Version: 4.0.1
-Vcs-Git: https://anonscm.debian.org/git/collab-maint/ca-certificates.git
-Vcs-Browser: https://anonscm.debian.org/cgit/collab-maint/ca-certificates.git
+Standards-Version: 4.1.4
+Vcs-Git: https://salsa.debian.org/debian/ca-certificates.git
+Vcs-Browser: https://salsa.debian.org/debian/ca-certificates
 
 Package: ca-certificates
 Architecture: all
-Depends: openssl (>= 1.0.0), ${misc:Depends}
+Depends: openssl (>= 1.1.0), ${misc:Depends}
 Enhances: openssl
 Multi-Arch: foreign
 Breaks: ca-certificates-java (<<20121112+nmu1)

debian/copyright

@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://ftp.debian.org/debian/pool/main/c/ca-certificates/
 
 Files: debian/*

debian/rules

@@ -60,7 +60,7 @@ install: build
 	install -d -m 0755 "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
 	(cd mozilla; \
 	 $(MAKE) install CERTSDIR="$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs")
-	c_rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
+	openssl rehash -v "$(CURDIR)/debian/ca-certificates-udeb/etc/ssl/certs"
 
 # Build architecture-independent files here.
 binary-indep: build install

mozilla/blacklist.txt

@@ -1,23 +1,13 @@
 # One blacklist entry per line, corresponding to the label in certdata.txt.
 
-# MD5 Collision Proof of Concept CA
-"MD5 Collisions Forged Rogue CA 25c3"
+# Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+"Explicitly Distrust DigiNotar Root CA"
+"Explicitly Distrusted DigiNotar PKIoverheid G2"
+"MITM subCA 1 issued by Trustwave"
+"MITM subCA 2 issued by Trustwave"
+"TURKTRUST Mis-issued Intermediate CA 1"
+"TURKTRUST Mis-issued Intermediate CA 2"
 
-# DigiNotar Root CA (see debbug#639744)
-"DigiNotar Root CA"
-
-# StartCom and WoSign certificates are now untrusted by the major browser
-# vendors[0]. See [1] for discussion. The list was generated by:
-#
-#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
-#         | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
-#
-# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
-# [1] https://bugs.debian.org/858539
-#
-"StartCom Certification Authority"
-"StartCom Certification Authority G2"
-"WoSign"
-"WoSign China"
-"Certification Authority of WoSign G2"
-"CA WoSign ECC Root"

mozilla/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 14
-#define NSS_BUILTINS_LIBRARY_VERSION "2.14"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
+#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -174,9 +174,9 @@ then
   # only run if set of files has changed
   if [ "$verbose" = 0 ]
   then
-    c_rehash . > /dev/null
+    openssl rehash . > /dev/null
   else
-    c_rehash .
+    openssl rehash .
   fi
 fi
 

sbin/update-ca-certificates.8

@@ -50,7 +50,7 @@ A summary of options is included below.
 Show summary of options.
 .TP
 .B \-v, \-\-verbose
-Be verbose. Output \fBc_rehash\fP.
+Be verbose. Output \fBopenssl rehash\fP.
 .TP
 .B \-f, \-\-fresh
 Fresh updates.  Remove symlinks in /etc/ssl/certs directory.
@@ -69,7 +69,7 @@ Directory of CA certificates.
 .I /usr/local/share/ca-certificates
 Directory of local CA certificates (with .crt extension).
 .SH SEE ALSO
-.BR c_rehash (1)
+.BR openssl (1)
 .SH AUTHOR
 This manual page was written by Fumitoshi UKAI <ukai@debian.or.jp>,
 for the Debian project (but may be used by others).