20151214 (patches unapplied)

Imported using git-ubuntu import.
Michael Shuler 2015-12-14 18:51:50 -06:00 committed by git-ubuntu importer
parent a953d62bf0
commit da14cb77ba
Notes: git-ubuntu importer 2020-07-14 23:30:42 +00:00
  * Removed SPI CA.  Closes: #796208
  * debian/{compat,control}:
    Updated d/compat to version 9 and updated Build-Depends.
  * debian/postinst:
    Handle /usr/local/share/ca-certificates permissions and ownership on
    upgrade.  Closes: #611501
  * mozilla/certdata2pem.py:
    Add Python 3 support to ca-certificates.
    Thanks to Andrew Wilcox and Richard Ipsum for the patch!  Closes: #789753
  * sbin/update-ca-certificates:
    Update local certificates directory when calling --fresh.
    Thanks for the patch, Daniel Lutz!  Closes: #783615
  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.6.
    The following certificate authorities were added (+):
    + "CA WoSign ECC Root"
    + "Certification Authority of WoSign G2"
    + "Certinomis - Root CA"
    + "OISTE WISeKey Global Root GB CA"
    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
    The following certificate authorities were removed (-):
    - "A-Trust-nQual-03"
    - "Buypass Class 3 CA 1"
    - "ComSign Secured CA"
    - "Digital Signature Trust Co. Global CA 1"
    - "Digital Signature Trust Co. Global CA 3"
    - "SG TRUST SERVICES RACINE"
    - "TC TrustCenter Class 2 CA II"
    - "TC TrustCenter Universal CA I"
    - "TURKTRUST Certificate Services Provider Root 1"
    - "TURKTRUST Certificate Services Provider Root 2"
    - "UTN DATACorp SGC Root CA"
    - "Verisign Class 4 Public Primary Certification Authority - G3"
15 changed files with 988 additions and 2197 deletions


@ -3,7 +3,7 @@
# #
CERTSDIR = /usr/share/ca-certificates CERTSDIR = /usr/share/ca-certificates
SUBDIRS = mozilla spi-inc.org SUBDIRS = mozilla
all: all:
for dir in $(SUBDIRS); do \ for dir in $(SUBDIRS); do \

debian/NEWS

@ -1,3 +1,30 @@
ca-certificates (20151214) unstable; urgency=medium
Removed SPI CA. Closes: #796208
Updated Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael@pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium ca-certificates (20150426) unstable; urgency=medium
Update Mozilla certificate authority bundle to version 2.4. Update Mozilla certificate authority bundle to version 2.4.
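Review bot: the new NEWS entry records "Removed SPI CA" without saying what that means for an administrator: after the upgrade, certificates that chain to the SPI root no longer validate against the system bundle. One sentence to that effect, with a pointer to /usr/local/share/ca-certificates for sites that still need the root, would make the entry actionable.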


@ -51,9 +51,6 @@ building a local CA certificate package.
How certificates will be accepted into the ca-certificates package How certificates will be accepted into the ca-certificates package
------------------------------------------------------------------ ------------------------------------------------------------------
- Get it included into Mozilla's trust store. - Get it included in the Mozilla CA Certificate Store.
- File a bug against ca-certificates stating this fact. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
With the exception of SPI (http://www.spi-inc.org/), only those CAs
included in the Mozilla trust store will be included in the ca-certificates
package in Debian.
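Review bot: the rewritten list drops both the "File a bug against ca-certificates stating this fact." step and the sentence saying that only CAs in the Mozilla trust store are included, so the acceptance policy is now implied by one bullet and a bare URL. Suggest keeping an explicit sentence that inclusion in the Mozilla CA Certificate Store is the sole criterion, and stating whether a bug report is still expected.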

debian/changelog

@ -1,3 +1,42 @@
ca-certificates (20151214) unstable; urgency=medium
* Removed SPI CA. Closes: #796208
* debian/{compat,control}:
Updated d/compat to version 9 and updated Build-Depends.
* debian/postinst:
Handle /usr/local/share/ca-certificates permissions and ownership on
upgrade. Closes: #611501
* mozilla/certdata2pem.py:
Add Python 3 support to ca-certificates.
Thanks to Andrew Wilcox and Richard Ipsum for the patch! Closes: #789753
* sbin/update-ca-certificates:
Update local certificates directory when calling --fresh.
Thanks for the patch, Daniel Lutz! Closes: #783615
* mozilla/{certdata.txt,nssckbi.h}:
Update Mozilla certificate authority bundle to version 2.6.
The following certificate authorities were added (+):
+ "CA WoSign ECC Root"
+ "Certification Authority of WoSign G2"
+ "Certinomis - Root CA"
+ "OISTE WISeKey Global Root GB CA"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
The following certificate authorities were removed (-):
- "A-Trust-nQual-03"
- "Buypass Class 3 CA 1"
- "ComSign Secured CA"
- "Digital Signature Trust Co. Global CA 1"
- "Digital Signature Trust Co. Global CA 3"
- "SG TRUST SERVICES RACINE"
- "TC TrustCenter Class 2 CA II"
- "TC TrustCenter Universal CA I"
- "TURKTRUST Certificate Services Provider Root 1"
- "TURKTRUST Certificate Services Provider Root 2"
- "UTN DATACorp SGC Root CA"
- "Verisign Class 4 Public Primary Certification Authority - G3"
-- Michael Shuler <michael@pbandjelly.org> Mon, 14 Dec 2015 18:51:50 -0600
ca-certificates (20150426) unstable; urgency=medium ca-certificates (20150426) unstable; urgency=medium
* debian/postinst: * debian/postinst:

debian/compat

@ -1 +1 @@
8 9

debian/control

@ -5,7 +5,7 @@ Maintainer: Michael Shuler <michael@pbandjelly.org>
Uploaders: Raphael Geissert <geissert@debian.org>, Uploaders: Raphael Geissert <geissert@debian.org>,
Thijs Kinkhorst <thijs@debian.org>, Thijs Kinkhorst <thijs@debian.org>,
Christian Perrier <bubulle@debian.org> Christian Perrier <bubulle@debian.org>
Build-Depends: debhelper (>= 8), po-debconf Build-Depends: debhelper (>= 9), po-debconf
Build-Depends-Indep: python Build-Depends-Indep: python
Standards-Version: 3.9.6 Standards-Version: 3.9.6
Vcs-Git: git://anonscm.debian.org/collab-maint/ca-certificates.git Vcs-Git: git://anonscm.debian.org/collab-maint/ca-certificates.git

debian/copyright

@ -6,7 +6,6 @@ Files: debian/*
Makefile Makefile
mozilla/* mozilla/*
sbin/* sbin/*
spi-inc.org/Makefile
Copyright: 2003 Fumitoshi UKAI <ukai@debian.or.jp> Copyright: 2003 Fumitoshi UKAI <ukai@debian.or.jp>
2009 Philipp Kern <pkern@debian.org> 2009 Philipp Kern <pkern@debian.org>
2011 Michael Shuler <michael@pbandjelly.org> 2011 Michael Shuler <michael@pbandjelly.org>

debian/postinst

@ -44,6 +44,11 @@ case "$1" in
if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then if mkdir -m $(stat -c %a /usr/local) /usr/local/share/ca-certificates 2>/dev/null; then
chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates chgrp $(stat -c %g /usr/local) /usr/local/share/ca-certificates
fi fi
# Handle upgrades and allow local admin to override:
# e.g. dpkg-statoverride --add root staff 2775 /usr/local/share/ca-certificates
elif ! dpkg-statoverride --list /usr/local/share/ca-certificates >/dev/null; then
chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates
chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) /usr/local/share/ca-certificates
fi fi
. /usr/share/debconf/confmodule . /usr/share/debconf/confmodule
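Review bot: the new elif branch runs chmod and chown on /usr/local/share/ca-certificates without checking what kind of path it is; both commands follow symlinks, so if the path is a symlink the mode and owner of its target are rewritten. Suggest guarding the branch with a test that the path is a directory and not a symlink, and quoting the $(stat ...) substitutions. The comment could also state that a manual chmod or chown is reverted unless a dpkg-statoverride entry exists, since that is what the branch does.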


@ -1,3 +0,0 @@
# Ignore file-without-copyright-information on SPI certificate file.
# There is no upstream copyright or license.
ca-certificates source: file-without-copyright-information spi-inc.org/spi-cacert-2008.crt

File diff suppressed because it is too large


@ -25,13 +25,19 @@ import os.path
import re import re
import sys import sys
import textwrap import textwrap
import io
objects = [] objects = []
# Dirty file parser. # Dirty file parser.
in_data, in_multiline, in_obj = False, False, False in_data, in_multiline, in_obj = False, False, False
field, type, value, obj = None, None, None, dict() field, type, value, obj = None, None, None, dict()
for line in open('certdata.txt', 'r'):
# Python 3 will not let us decode non-ascii characters if we
# have not specified an encoding, but Python 2's open does not
# have an option to set the encoding. Python 3's open is io.open
# and io.open has been backported to Python 2.6 and 2.7, so use io.open.
for line in io.open('certdata.txt', 'rt', encoding='utf8'):
# Ignore the file header. # Ignore the file header.
if not in_data: if not in_data:
if line.startswith('BEGINDATA'): if line.startswith('BEGINDATA'):
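Review bot: the loop iterates directly over io.open('certdata.txt', 'rt', encoding='utf8'), so the handle is never closed explicitly. Suggest opening the file in a with block and iterating inside it; the comment explaining why io.open is used is helpful and should stay.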
@ -53,7 +59,7 @@ for line in open('certdata.txt', 'r'):
if type == 'MULTILINE_OCTAL': if type == 'MULTILINE_OCTAL':
line = line.strip() line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line): for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
value += chr(int(i.group(1), 8)) value.append(int(i.group(1), 8))
else: else:
value += line value += line
continue continue
@ -70,13 +76,13 @@ for line in open('certdata.txt', 'r'):
field, type = line_parts field, type = line_parts
value = None value = None
else: else:
raise NotImplementedError, 'line_parts < 2 not supported.' raise NotImplementedError('line_parts < 2 not supported.')
if type == 'MULTILINE_OCTAL': if type == 'MULTILINE_OCTAL':
in_multiline = True in_multiline = True
value = "" value = bytearray()
continue continue
obj[field] = value obj[field] = value
if len(obj.items()) > 0: if len(obj) > 0:
objects.append(obj) objects.append(obj)
# Read blacklist. # Read blacklist.
@ -95,7 +101,7 @@ for obj in objects:
if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'): if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
continue continue
if obj['CKA_LABEL'] in blacklist: if obj['CKA_LABEL'] in blacklist:
print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'] print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
'CKT_NSS_TRUSTED_DELEGATOR'): 'CKT_NSS_TRUSTED_DELEGATOR'):
trust[obj['CKA_LABEL']] = True trust[obj['CKA_LABEL']] = True
@ -104,13 +110,13 @@ for obj in objects:
trust[obj['CKA_LABEL']] = True trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED', elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
'CKT_NSS_NOT_TRUSTED'): 'CKT_NSS_NOT_TRUSTED'):
print '!'*74 print('!'*74)
print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'] print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
print '!'*74 print('!'*74)
else: else:
print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \ print("Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
(obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
obj['CKA_TRUST_EMAIL_PROTECTION']) obj['CKA_TRUST_EMAIL_PROTECTION']))
for obj in objects: for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
@ -121,13 +127,32 @@ for obj in objects:
.replace('(', '=')\ .replace('(', '=')\
.replace(')', '=')\ .replace(')', '=')\
.replace(',', '_') .replace(',', '_')
bname = bname.decode('string_escape')
fname = bname + '.crt' # this is the only way to decode the way NSS stores multi-byte UTF-8
# and we need an escaped string for checking existence of things
# otherwise we're dependant on the user's current locale.
if bytes != str:
# We're in python 3, convert the utf-8 string to a
# sequence of bytes that represents this utf-8 string
# then encode the byte-sequence as an escaped string that
# can be passed to open() and os.path.exists()
bname = bname.encode('utf-8').decode('unicode_escape').encode('latin-1')
else:
# Python 2
# Convert the unicode string back to its original byte form
# (contents of files returned by io.open are returned as
# unicode strings)
# then to an escaped string that can be passed to open()
# and os.path.exists()
bname = bname.encode('utf-8').decode('string_escape')
fname = bname + b'.crt'
if os.path.exists(fname): if os.path.exists(fname):
print "Found duplicate certificate name %s, renaming." % bname print("Found duplicate certificate name %s, renaming." % bname)
fname = bname + '_2.crt' fname = bname + b'_2.crt'
f = open(fname, 'w') f = open(fname, 'w')
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
f.write("\n".join(textwrap.wrap(encoded, 64)))
f.write("\n-----END CERTIFICATE-----\n") f.write("\n-----END CERTIFICATE-----\n")
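Review bot: on the Python 3 path bname is a bytes object, so the "Found duplicate certificate name %s, renaming." message prints its b'...' repr rather than the name; decode it for display or format the message with the original label. The fallback to bname + b'_2.crt' handles only one collision: a third certificate with the same name silently overwrites the second, which for a trust store means a root can go missing without any error, so suggest looping on a counter until os.path.exists(fname) is false. f is also opened without a with block, and the bytes != str test would read more clearly as a sys.version_info check.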


@ -45,8 +45,8 @@
* of the comment in the CK_VERSION type definition. * of the comment in the CK_VERSION type definition.
*/ */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4 #define NSS_BUILTINS_LIBRARY_VERSION_MINOR 6
#define NSS_BUILTINS_LIBRARY_VERSION "2.4" #define NSS_BUILTINS_LIBRARY_VERSION "2.6"
/* These version numbers detail the semantic changes to the ckfw engine. */ /* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@ -117,7 +117,7 @@ if [ "$fresh" = 1 ]; then
find . -type l -print | while read symlink find . -type l -print | while read symlink
do do
case $(readlink "$symlink") in case $(readlink "$symlink") in
$CERTSDIR*) rm -f "$symlink";; $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
esac esac
done done
find . -type l -print | while read symlink find . -type l -print | while read symlink
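Review bot: on the changed case line, rm -f $symlink has lost the double quotes that the old rm -f "$symlink" had, so a link name containing whitespace or glob characters is word-split and expanded before rm sees it. Restore the quotes; adding $LOCALCERTSDIR* to the pattern is otherwise fine. The surrounding "while read symlink" loops would also be more robust as "while IFS= read -r symlink".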


@ -1,13 +0,0 @@
#
# Makefile
#
all:
clean:
install:
for p in *.crt; do \
install -m 644 $$p $(CERTSDIR)/$$p ; \
done


@ -1,46 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----