20230311 (patches unapplied)

Imported using git-ubuntu import.

.gitignore

@@ -1,13 +0,0 @@
-*.swp
-build-stamp
-configure-stamp
-debian/.debhelper
-debian/ca-certificates
-debian/ca-certificates.debhelper.log
-debian/ca-certificates.substvars
-debian/ca-certificates-udeb
-debian/ca-certificates-udeb.debhelper.log
-debian/ca-certificates-udeb.substvars
-debian/config
-debian/files
-mozilla/*.crt

debian/changelog

@@ -1,3 +1,48 @@
+ca-certificates (20230311) unstable; urgency=medium
+
+  [ Đoàn Trần Công Danh ]
+  * ca-certificates: compat with non-GNU mktemp (closes: #1000847)
+
+  [ Ilya Lipnitskiy ]
+  * certdata2pem.py: use UTC time when checking cert validity
+
+  [ Julien Cristau ]
+  * Update Mozilla certificate authority bundle to version 2.60
+    The following certificate authorities were added (+):
+    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+    + "Certainly Root E1"
+    + "Certainly Root R1"
+    + "D-TRUST BR Root CA 1 2020"
+    + "D-TRUST EV Root CA 1 2020"
+    + "DigiCert TLS ECC P384 Root G5"
+    + "DigiCert TLS RSA4096 Root G5"
+    + "E-Tugra Global Root CA ECC v3"
+    + "E-Tugra Global Root CA RSA v3"
+    + "HARICA TLS ECC Root CA 2021"
+    + "HARICA TLS RSA Root CA 2021"
+    + "HiPKI Root CA - G1"
+    + "ISRG Root X2"
+    + "Security Communication ECC RootCA1"
+    + "Security Communication RootCA3"
+    + "Telia Root CA v2"
+    + "TunTrust Root CA"
+    + "vTrus ECC Root CA"
+    + "vTrus Root CA"
+    The following certificate authorities were removed (-):
+    - "Cybertrust Global Root" (expired)
+    - "EC-ACC"
+    - "GlobalSign Root CA - R2" (expired)
+    - "Hellenic Academic and Research Institutions RootCA 2011"
+    - "Network Solutions Certificate Authority"
+    - "Staat der Nederlanden EV Root CA" (expired)
+  * Drop trailing space from debconf template causing misformatting
+    (closes: #980821)
+
+  [ Wataru Ashihara ]
+  * Make certdata2pem.py compatible with cryptography >= 35 (closes: #1008244)
+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 11 Mar 2023 09:47:05 +0100
+
 ca-certificates (20211016) unstable; urgency=low
 
   [ Michael Shuler ]

debian/templates

@@ -37,7 +37,7 @@ Choices: ${enable_crts}
 _Description: Certificates to activate:
  This package installs common CA (Certificate Authority) certificates in
  /usr/share/ca-certificates.
- . 
+ .
  Please select the certificate authorities you trust so that their
  certificates are installed into /etc/ssl/certs. They will be compiled
  into a single /etc/ssl/certs/ca-certificates.crt file.

mozilla/Makefile

@@ -12,3 +12,8 @@ install:
 	for p in *.crt; do \
 	 install -m 644 $$p $(CERTSDIR)/$$p ; \
 	done
+
+update:
+	wget -Ocertdata.txt https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
+	wget -Onssckbi.h https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+	false

mozilla/blacklist.txt

@@ -2,11 +2,5 @@
 
 # Blacklist explicitly distrusted certificates to explicitly ignore them and prevent build errors
 "Explicitly Distrust DigiNotar Root CA"
-"Explicitly Distrusted DigiNotar PKIoverheid G2"
-"MITM subCA 1 issued by Trustwave"
-"MITM subCA 2 issued by Trustwave"
-"TURKTRUST Mis-issued Intermediate CA 1"
-"TURKTRUST Mis-issued Intermediate CA 2"
 
-# Expired CA (#995432)
-"DST Root CA X3"
+# Expired CAs

mozilla/certdata2pem.py

@@ -122,8 +122,8 @@ for obj in objects:
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
 
-        cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
-        if cert.not_valid_after < datetime.datetime.now():
+        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+        if cert.not_valid_after < datetime.datetime.utcnow():
             print('!'*74)
             print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
             print('!'*74)

mozilla/nssckbi.h

@@ -46,8 +46,8 @@
  * It's recommend to switch back to 0 after having reached version 98/99.
  */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 50
-#define NSS_BUILTINS_LIBRARY_VERSION "2.50"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 60
+#define NSS_BUILTINS_LIBRARY_VERSION "2.60"
 
 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

sbin/update-ca-certificates

@@ -81,8 +81,8 @@ trap cleanup 0
 # Helper files.  (Some of them are not simple arrays because we spawn
 # subshells later on.)
 TEMPBUNDLE="${ETCCERTSDIR}/${CERTBUNDLE}.new"
-ADDED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
-REMOVED="$(mktemp --tmpdir "ca-certificates.tmp.XXXXXX")"
+ADDED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -p "${TMPDIR:-/tmp}" "ca-certificates.tmp.XXXXXX")"
 
 # Adds a certificate to the list of trusted ones.  This includes a symlink
 # in /etc/ssl/certs to the certificate file and its inclusion into the