20151214 (patches unapplied)

Imported using git-ubuntu import.

Makefile

@@ -3,7 +3,7 @@
 #
 
 CERTSDIR = /usr/share/ca-certificates
-SUBDIRS = mozilla spi-inc.org
+SUBDIRS = mozilla
 
 all:
 	for dir in $(SUBDIRS); do \

debian/NEWS

@@ -1,3 +1,30 @@
+ca-certificates (20151214) unstable; urgency=medium
+
+  Removed SPI CA.  Closes: #796208
+  Updated Mozilla certificate authority bundle to version 2.6.
+    The following certificate authorities were added (+):
+    + "CA WoSign ECC Root"
+    + "Certification Authority of WoSign G2"
+    + "Certinomis - Root CA"
+    + "OISTE WISeKey Global Root GB CA"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "Buypass Class 3 CA 1"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "SG TRUST SERVICES RACINE"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 14 Dec 2015 18:51:50 -0600
+
 ca-certificates (20150426) unstable; urgency=medium
 
   Update Mozilla certificate authority bundle to version 2.4.

debian/README.Debian

@@ -51,9 +51,6 @@ building a local CA certificate package.
 How certificates will be accepted into the ca-certificates package
 ------------------------------------------------------------------
 
- - Get it included into Mozilla's trust store.
- - File a bug against ca-certificates stating this fact.
+ - Get it included in the Mozilla CA Certificate Store.
+   https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
 
-With the exception of SPI (http://www.spi-inc.org/), only those CAs
-included in the Mozilla trust store will be included in the ca-certificates
-package in Debian.

debian/changelog

@@ -1,3 +1,42 @@
+ca-certificates (20151214) unstable; urgency=medium
+
+  * Removed SPI CA.  Closes: #796208
+  * debian/{compat,control}:
+    Updated d/compat to version 9 and updated Build-Depends.
+  * debian/postinst:
+    Handle /usr/local/share/ca-certificates permissions and ownership on
+    upgrade.  Closes: #611501
+  * mozilla/certdata2pem.py:
+    Add Python 3 support to ca-certificates.
+    Thanks to Andrew Wilcox and Richard Ipsum for the patch!  Closes: #789753
+  * sbin/update-ca-certificates:
+    Update local certificates directory when calling --fresh.
+    Thanks for the patch, Daniel Lutz!  Closes: #783615
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.6.
+    The following certificate authorities were added (+):
+    + "CA WoSign ECC Root"
+    + "Certification Authority of WoSign G2"
+    + "Certinomis - Root CA"
+    + "OISTE WISeKey Global Root GB CA"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "Buypass Class 3 CA 1"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "SG TRUST SERVICES RACINE"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Mon, 14 Dec 2015 18:51:50 -0600
+
 ca-certificates (20150426) unstable; urgency=medium
 
   * debian/postinst:

debian/compat

@@ -1 +1 @@
-8
+9

debian/control

@@ -5,7 +5,7 @@ Maintainer: Michael Shuler <michael@pbandjelly.org>
 Uploaders: Raphael Geissert <geissert@debian.org>,
            Thijs Kinkhorst <thijs@debian.org>,
            Christian Perrier <bubulle@debian.org>
-Build-Depends: debhelper (>= 8), po-debconf
+Build-Depends: debhelper (>= 9), po-debconf
 Build-Depends-Indep: python
 Standards-Version: 3.9.6
 Vcs-Git: git://anonscm.debian.org/collab-maint/ca-certificates.git

debian/copyright

@@ -6,7 +6,6 @@ Files: debian/*
        Makefile
        mozilla/*
        sbin/*
-       spi-inc.org/Makefile
 Copyright: 2003 Fumitoshi UKAI <ukai@debian.or.jp>
            2009 Philipp Kern <pkern@debian.org>
            2011 Michael Shuler <michael@pbandjelly.org>

debian/postinst

@@ -44,6 +44,11 @@ case "$1" in
             if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
                 chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates
             fi
+        # Handle upgrades and allow local admin to override:
+        # e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates
+        elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then
+            chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates
+            chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates
         fi
 
         . /usr/share/debconf/confmodule

debian/source/lintian-overrides

@@ -1,3 +0,0 @@
-# Ignore file-without-copyright-information on SPI certificate file.
-# There is no upstream copyright or license.
-ca-certificates source: file-without-copyright-information spi-inc.org/spi-cacert-2008.crt

mozilla/certdata2pem.py

@@ -25,13 +25,19 @@ import os.path
 import re
 import sys
 import textwrap
+import io
 
 objects = []
 
 # Dirty file parser.
 in_data, in_multiline, in_obj = False, False, False
 field, type, value, obj = None, None, None, dict()
-for line in open('certdata.txt', 'r'):
+
+# Python 3 will not let us decode non-ascii characters if we
+# have not specified an encoding, but Python 2's open does not
+# have an option to set the encoding. Python 3's open is io.open
+# and io.open has been backported to Python 2.6 and 2.7, so use io.open.
+for line in io.open('certdata.txt', 'rt', encoding='utf8'):
     # Ignore the file header.
     if not in_data:
         if line.startswith('BEGINDATA'):
@@ -53,7 +59,7 @@ for line in open('certdata.txt', 'r'):
             if type == 'MULTILINE_OCTAL':
                 line = line.strip()
                 for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
-                    value += chr(int(i.group(1), 8))
+                    value.append(int(i.group(1), 8))
             else:
                 value += line
             continue
@@ -70,13 +76,13 @@ for line in open('certdata.txt', 'r'):
         field, type = line_parts
         value = None
     else:
-        raise NotImplementedError, 'line_parts < 2 not supported.'
+        raise NotImplementedError('line_parts < 2 not supported.')
     if type == 'MULTILINE_OCTAL':
         in_multiline = True
-        value = ""
+        value = bytearray()
         continue
     obj[field] = value
-if len(obj.items()) > 0:
+if len(obj) > 0:
     objects.append(obj)
 
 # Read blacklist.
@@ -95,7 +101,7 @@ for obj in objects:
     if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
         continue
     if obj['CKA_LABEL'] in blacklist:
-        print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
+        print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
                                           'CKT_NSS_TRUSTED_DELEGATOR'):
         trust[obj['CKA_LABEL']] = True
@@ -104,13 +110,13 @@ for obj in objects:
         trust[obj['CKA_LABEL']] = True
     elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
                                           'CKT_NSS_NOT_TRUSTED'):
-        print '!'*74
-        print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
-        print '!'*74
+        print('!'*74)
+        print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
+        print('!'*74)
     else:
-        print "Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
+        print("Ignoring certificate %s.  SAUTH=%s, EPROT=%s" % \
               (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
-               obj['CKA_TRUST_EMAIL_PROTECTION'])
+               obj['CKA_TRUST_EMAIL_PROTECTION']))
 
 for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
@@ -121,13 +127,32 @@ for obj in objects:
                                       .replace('(', '=')\
                                       .replace(')', '=')\
                                       .replace(',', '_')
-        bname = bname.decode('string_escape')
-        fname = bname + '.crt'
+
+        # this is the only way to decode the way NSS stores multi-byte UTF-8
+        # and we need an escaped string for checking existence of things
+        # otherwise we're dependant on the user's current locale.
+        if bytes != str:
+            # We're in python 3, convert the utf-8 string to a
+            # sequence of bytes that represents this utf-8 string
+            # then encode the byte-sequence as an escaped string that
+            # can be passed to open() and os.path.exists()
+            bname = bname.encode('utf-8').decode('unicode_escape').encode('latin-1')
+        else:
+            # Python 2
+            # Convert the unicode string back to its original byte form
+            # (contents of files returned by io.open are returned as
+            #  unicode strings)
+            # then to an escaped string that can be passed to open()
+            # and os.path.exists()
+            bname = bname.encode('utf-8').decode('string_escape')
+
+        fname = bname + b'.crt'
         if os.path.exists(fname):
-            print "Found duplicate certificate name %s, renaming." % bname
-            fname = bname + '_2.crt'
+            print("Found duplicate certificate name %s, renaming." % bname)
+            fname = bname + b'_2.crt'
         f = open(fname, 'w')
         f.write("-----BEGIN CERTIFICATE-----\n")
-        f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+        encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
+        f.write("\n".join(textwrap.wrap(encoded, 64)))
         f.write("\n-----END CERTIFICATE-----\n")
 

mozilla/nssckbi.h

@@ -45,8 +45,8 @@
  * of the comment in the CK_VERSION type definition.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
-#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 6
+#define NSS_BUILTINS_LIBRARY_VERSION "2.6"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -117,7 +117,7 @@ if [ "$fresh" = 1 ]; then
   find . -type l -print | while read symlink
   do
     case $(readlink "$symlink") in
-      $CERTSDIR*) rm -f "$symlink";;
+      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
     esac
   done
   find . -type l -print | while read symlink

spi-inc.org/Makefile

@@ -1,13 +0,0 @@
-#
-# Makefile
-#
-
-all:
-
-clean:
-
-install:
-	for p in *.crt; do \
-	 install -m 644 $$p $(CERTSDIR)/$$p ; \
-	done
-

spi-inc.org/spi-cacert-2008.crt

@@ -1,46 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIIDjCCBfagAwIBAgIJAOiOtsn4KhQoMA0GCSqGSIb3DQEBBQUAMIG8MQswCQYD
-VQQGEwJVUzEQMA4GA1UECBMHSW5kaWFuYTEVMBMGA1UEBxMMSW5kaWFuYXBvbGlz
-MSgwJgYDVQQKEx9Tb2Z0d2FyZSBpbiB0aGUgUHVibGljIEludGVyZXN0MRMwEQYD
-VQQLEwpob3N0bWFzdGVyMR4wHAYDVQQDExVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkx
-JTAjBgkqhkiG9w0BCQEWFmhvc3RtYXN0ZXJAc3BpLWluYy5vcmcwHhcNMDgwNTEz
-MDgwNzU2WhcNMTgwNTExMDgwNzU2WjCBvDELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
-B0luZGlhbmExFTATBgNVBAcTDEluZGlhbmFwb2xpczEoMCYGA1UEChMfU29mdHdh
-cmUgaW4gdGhlIFB1YmxpYyBJbnRlcmVzdDETMBEGA1UECxMKaG9zdG1hc3RlcjEe
-MBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSUwIwYJKoZIhvcNAQkBFhZo
-b3N0bWFzdGVyQHNwaS1pbmMub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
-CgKCAgEA3DbmR0LCxFF1KYdAw9iOIQbSGE7r7yC9kDyFEBOMKVuUY/b0LfEGQpG5
-GcRCaQi/izZF6igFM0lIoCdDkzWKQdh4s/Dvs24t3dHLfer0dSbTPpA67tfnLAS1
-fOH1fMVO73e9XKKTM5LOfYFIz2u1IiwIg/3T1c87Lf21SZBb9q1NE8re06adU1Fx
-Y0b4ShZcmO4tbZoWoXaQ4mBDmdaJ1mwuepiyCwMs43pPx93jzONKao15Uvr0wa8u
-jyoIyxspgpJyQ7zOiKmqp4pRQ1WFmjcDeJPI8L20QcgHQprLNZd6ioFl3h1UCAHx
-ZFy3FxpRvB7DWYd2GBaY7r/2Z4GLBjXFS21ZGcfSxki+bhQog0oQnBv1b7ypjvVp
-/rLBVcznFMn5WxRTUQfqzj3kTygfPGEJ1zPSbqdu1McTCW9rXRTunYkbpWry9vjQ
-co7qch8vNGopCsUK7BxAhRL3pqXTT63AhYxMfHMgzFMY8bJYTAH1v+pk1Vw5xc5s
-zFNaVrpBDyXfa1C2x4qgvQLCxTtVpbJkIoRRKFauMe5e+wsWTUYFkYBE7axt8Feo
-+uthSKDLG7Mfjs3FIXcDhB78rKNDCGOM7fkn77SwXWfWT+3Qiz5dW8mRvZYChD3F
-TbxCP3T9PF2sXEg2XocxLxhsxGjuoYvJWdAY4wCAs1QnLpnwFVMCAwEAAaOCAg8w
-ggILMB0GA1UdDgQWBBQ0cdE41xU2g0dr1zdkQjuOjVKdqzCB8QYDVR0jBIHpMIHm
-gBQ0cdE41xU2g0dr1zdkQjuOjVKdq6GBwqSBvzCBvDELMAkGA1UEBhMCVVMxEDAO
-BgNVBAgTB0luZGlhbmExFTATBgNVBAcTDEluZGlhbmFwb2xpczEoMCYGA1UEChMf
-U29mdHdhcmUgaW4gdGhlIFB1YmxpYyBJbnRlcmVzdDETMBEGA1UECxMKaG9zdG1h
-c3RlcjEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MSUwIwYJKoZIhvcN
-AQkBFhZob3N0bWFzdGVyQHNwaS1pbmMub3JnggkA6I62yfgqFCgwDwYDVR0TAQH/
-BAUwAwEB/zARBglghkgBhvhCAQEEBAMCAAcwCQYDVR0SBAIwADAuBglghkgBhvhC
-AQ0EIRYfU29mdHdhcmUgaW4gdGhlIFB1YmxpYyBJbnRlcmVzdDAwBglghkgBhvhC
-AQQEIxYhaHR0cHM6Ly9jYS5zcGktaW5jLm9yZy9jYS1jcmwucGVtMDIGCWCGSAGG
-+EIBAwQlFiNodHRwczovL2NhLnNwaS1pbmMub3JnL2NlcnQtY3JsLnBlbTAhBgNV
-HREEGjAYgRZob3N0bWFzdGVyQHNwaS1pbmMub3JnMA4GA1UdDwEB/wQEAwIBBjAN
-BgkqhkiG9w0BAQUFAAOCAgEAtM294LnqsgMrfjLp3nI/yUuCXp3ir1UJogxU6M8Y
-PCggHam7AwIvUjki+RfPrWeQswN/2BXja367m1YBrzXU2rnHZxeb1NUON7MgQS4M
-AcRb+WU+wmHo0vBqlXDDxm/VNaSsWXLhid+hoJ0kvSl56WEq2dMeyUakCHhBknIP
-qxR17QnwovBc78MKYiC3wihmrkwvLo9FYyaW8O4x5otVm6o6+YI5HYg84gd1GuEP
-sTC8cTLSOv76oYnzQyzWcsR5pxVIBcDYLXIC48s9Fmq6ybgREOJJhcyWR2AFJS7v
-dVkz9UcZFu/abF8HyKZQth3LZjQl/GaD68W2MEH4RkRiqMEMVObqTFoo5q7Gt/5/
-O5aoLu7HaD7dAD0prypjq1/uSSotxdz70cbT0ZdWUoa2lOvUYFG3/B6bzAKb1B+P
-+UqPti4oOxfMxaYF49LTtcYDyeFIQpvLP+QX4P4NAZUJurgNceQJcHdC2E3hQqlg
-g9cXiUPS1N2nGLar1CQlh7XU4vwuImm9rWgs/3K1mKoGnOcqarihk3bOsPN/nOHg
-T7jYhkalMwIsJWE3KpLIrIF0aGOHM3a9BX9e1dUCbb2v/ypaqknsmHlHU5H2DjRa
-yaXG67Ljxay2oHA1u8hRadDytaIybrw/oDc5fHE2pgXfDBLkFqfF1stjo5VwP+YE
-o2A=
------END CERTIFICATE-----