Hello community,

here is the log from the commit of package ca-certificates-mozilla for 
openSUSE:Factory checked in at 2013-07-25 13:18:17
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ca-certificates-mozilla (Old)
 and      /work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "ca-certificates-mozilla"

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/ca-certificates-mozilla/ca-certificates-mozilla.changes
  2013-07-03 10:15:10.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.ca-certificates-mozilla.new/ca-certificates-mozilla.changes
     2013-07-25 13:18:19.000000000 +0200
@@ -1,0 +2,15 @@
+Wed Jul 24 15:05:31 UTC 2013 - [email protected]
+
+- remove superfluous double quotes from certificate names
+
+-------------------------------------------------------------------
+Wed Jul 24 14:21:18 UTC 2013 - [email protected]
+
+- add fake basic contraints to Entrust root so p11-kit export the cert
+  (bnc#829471)
+- add nssckbi.h that matches certdata.txt; make sure package has the
+  correct version number which is currently 1.93. No actual content
+  change in certdata.txt compared to 1.85, it's just that the
+  versioning scheme changed.
+
+-------------------------------------------------------------------

New:
----
  Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
  nssckbi.h

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ ca-certificates-mozilla.spec ++++++
--- /var/tmp/diff_new_pack.kNIjM0/_old  2013-07-25 13:18:21.000000000 +0200
+++ /var/tmp/diff_new_pack.kNIjM0/_new  2013-07-25 13:18:21.000000000 +0200
@@ -24,28 +24,35 @@
 BuildRequires:  python
 
 Name:           ca-certificates-mozilla
-Version:        1.85
+# Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
+# 
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+Version:        1.93
 Release:        0
 Summary:        CA certificates for OpenSSL
 License:        MPL-2.0
 Group:          Productivity/Networking/Security
 Url:            http://www.mozilla.org
 # IMPORTANT: procedure to update certificates:
-# - Check the CVS log of the cert file:
-#   
http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD
-#   Alternatively hg:
+# - Check the log of the cert file:
 #   
http://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
 # - download the new certdata.txt
-#   wget -O certdata.txt 
"http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certdata.txt?raw=1";
+#   wget -O certdata.txt 
"https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt";
 # - run compareoldnew to show fingerprints of new and changed certificates
 # - check the bugs referenced in cvs log and compare the checksum
 #   to output of compareoldnew
 # - Watch out that blacklisted or untrusted certificates are not
 #   accidentally included!
-Source:         certdata.txt
-Source1:        certdata2pem.py
-Source2:        %{name}.COPYING
-Source3:        compareoldnew
+Source:         
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
+Source1:        
https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+# from Fedora. Note: currently contains extra fix to remove quotes. Pending 
upstream approval.
+Source10:       certdata2pem.py
+Source11:       %{name}.COPYING
+Source12:       compareoldnew
+# make p11-kit think there are basic constraints in the Entrust
+# cert (https://bugs.freedesktop.org/show_bug.cgi?id=62064)
+# Remove after the updated cert is accepted into NSS
+# https://bugzilla.mozilla.org/show_bug.cgi?id=694536
+Source99:       Entrust_net_Premium_2048_Secure_Server_CA.p11-kit
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 # for update-ca-certificates
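Review bot: The new `Source:` and `Source1:` URLs, and the `wget` line in the update procedure, fetch from `raw-file/default/`, which is a moving branch head, so the spec does not record which upstream changeset the packaged trust anchors came from, and a later re-download can silently yield different content. Pinning both URLs to the same changeset, e.g. `.../raw-file/<changeset>/security/nss/lib/ckfw/builtins/certdata.txt`, and noting that id in the .changes entry would make the root set reproducible and auditable. The unchanged context line `# - check the bugs referenced in cvs log and compare the checksum` still refers to the CVS log whose step this commit removes. The log URL above it is still plain `http://` while the download moved to `https://`; both comments could be brought in line with the hg/https procedure.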
@@ -64,10 +71,15 @@
 %prep
 %setup -qcT
 /bin/cp %{SOURCE0} .
-install -m 644 %{SOURCE2} COPYING
+install -m 644 %{SOURCE11} COPYING
+ver=`sed -ne '/NSS_BUILTINS_LIBRARY_VERSION /s/.*"\(.*\)"/\1/p' < "%{SOURCE1}"`
+if [ "%{version}" != "$ver" ]; then
+       echo "*** Version number mismatch: spec file should be version $ver"
+       false
+fi
 
 %build
-python %{SOURCE1}
+python %{SOURCE10}
 
 %install
 mkdir -p %{buildroot}/%{trustdir_static}/anchors
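Review bot: The added %prep check ties `%{version}` to nssckbi.h only; nothing in it covers certdata.txt, so a header and a certificate list taken from different upstream changesets would still pass, and the version number would then misstate which root set is shipped. A comment saying so, e.g. `# NOTE: only checks nssckbi.h; certdata.txt must be fetched from the same changeset`, would keep the update procedure honest. If the sed expression ever matches nothing, `ver` is empty and the build fails with the misleading text "should be version "; a separate guard such as `[ -n "$ver" ] || { echo "*** cannot parse NSS_BUILTINS_LIBRARY_VERSION from %{SOURCE1}" >&2; exit 1; }` would report the real cause. Using `exit 1` instead of `false` would also stop the build without depending on the scriptlet being run with errexit.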
@@ -92,7 +104,7 @@
                openssl x509 -in "$i" "${args[@]}"
        } > "%{buildroot}/%{trustdir_static}$d/${i%%:*}.pem"
 done
-for i in *.p11-kit; do
+for i in *.p11-kit %{SOURCE99}; do
        install -m 644 "$i" "%{buildroot}/%{trustdir_static}"
 done
 set -x
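Review bot: The loop now installs `%{SOURCE99}` into the static trust directory unconditionally, and nothing at build time checks that the object it patches still exists. The shipped file attaches a critical BasicConstraints extension (`%30%03%01%01%FF`, i.e. cA=TRUE) to whatever object matches its `id:`, presumably the Entrust root as present in this certdata.txt. If upstream replaces or removes that certificate, the override stays in the package with only the spec comment "Remove after the updated cert is accepted into NSS" as a reminder. A short comment at this loop, such as `# SOURCE99 is a temporary trust override (bnc#829471); re-verify its id against certdata.txt on every update`, would put the reminder where the file is installed. The loop itself starts above the hunk.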

++++++ Entrust_net_Premium_2048_Secure_Server_CA.p11-kit ++++++
[p11-kit-object-v1]
label: "Add missing BasicConstraints for Entrust root"
id: "%55%e4%81%d1%11%80%be%d8%89%b9%08%a3%31%f9%a1%24%09%16%b9%70"
class: x-certificate-extension
object-id: 2.5.29.19
x-critical: true
value: "%30%03%01%01%FF"

++++++ certdata2pem.py ++++++
--- /var/tmp/diff_new_pack.kNIjM0/_old  2013-07-25 13:18:21.000000000 +0200
+++ /var/tmp/diff_new_pack.kNIjM0/_new  2013-07-25 13:18:21.000000000 +0200
@@ -170,7 +170,7 @@
 
         f = open(fname, 'w')
         if obj != None:
-            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
+            f.write("# alias=%s\n"%tobj['CKA_LABEL'][1:-1])
             f.write("# trust=" + " ".join(trustbits) + "\n")
             f.write("# distrust=" + " ".join(distrustbits) + "\n")
             if openssl_trustflags:
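Review bot: `tobj['CKA_LABEL'][1:-1]` drops the first and last character without checking that they are double quotes, so a label that arrives unquoted would have its alias truncated, and the alias ends up in the installed PEM header. Stripping only when both quotes are present is safer, e.g. `label = tobj['CKA_LABEL']` followed by `if label[:1] == '"' and label[-1:] == '"': label = label[1:-1]`. A one-line comment such as `# CKA_LABEL is stored with its surrounding quotes by the parser above` would explain why the slice is needed at all. The enclosing loop and the parsing code are outside the hunk, so whether unquoted labels can occur there is not visible here.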

++++++ nssckbi.h ++++++
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef NSSCKBI_H
#define NSSCKBI_H

/*
 * NSS BUILTINS Version numbers.
 *
 * These are the version numbers for the builtins module packaged with
 * this release on NSS. To determine the version numbers of the builtin
 * module you are using, use the appropriate PKCS #11 calls.
 *
 * These version numbers detail changes to the PKCS #11 interface. They map
 * to the PKCS #11 spec versions.
 */
#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20

/* These version numbers detail the changes 
 * to the list of trusted certificates.
 *
 * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
 * for each NSS minor release AND whenever we change the list of
 * trusted certificates.  10 minor versions are allocated for each
 * NSS 3.x branch as follows, allowing us to change the list of
 * trusted certificates up to 9 times on each branch.
 *   - NSS 3.5 branch:  3-9
 *   - NSS 3.6 branch:  10-19
 *   - NSS 3.7 branch:  20-29
 *   - NSS 3.8 branch:  30-39
 *   - NSS 3.9 branch:  40-49
 *   - NSS 3.10 branch: 50-59
 *   - NSS 3.11 branch: 60-69
 *     ...
 *   - NSS 3.12 branch: 70-89
 *   - NSS 3.13 branch: 90-99
 *   - NSS 3.14 branch: 100-109
 *     ...
 *   - NSS 3.29 branch: 250-255
 *
 * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
 * whether we may use its full range (0-255) or only 0-99 because
 * of the comment in the CK_VERSION type definition.
 */
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 93
#define NSS_BUILTINS_LIBRARY_VERSION "1.93"

/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0

/* These version numbers detail the semantic changes to ckbi itself 
 * (new PKCS #11 objects), etc. */
#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0

#endif /* NSSCKBI_H */