Hello community, here is the log from the commit of package openssl-certs for openSUSE:Factory checked in at Sat Oct 3 00:00:12 CEST 2009.
--------
--- openssl-certs/openssl-certs.changes 2008-12-02 11:29:17.000000000 +0100
+++ openssl-certs/openssl-certs.changes 2009-09-30 15:33:48.000000000 +0200
@@ -1,0 +2,6 @@
+Wed Sep 30 13:17:45 UTC 2009 - lnussel@suse.de
+
+- update certifiates to cvs revision 1.56
+- exclude certficates that are not trusted for identifying web sites
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openssl-certs.spec ++++++
--- /var/tmp/diff_new_pack.E2zuOF/_old 2009-10-02 23:59:33.000000000 +0200
+++ /var/tmp/diff_new_pack.E2zuOF/_new 2009-10-02 23:59:33.000000000 +0200
@@ -21,11 +21,11 @@
 Name: openssl-certs
 %define ssletcdir %{_sysconfdir}/ssl
-License: BSD 3-Clause; MPL 1.1/GPL 2.0/LGPL 2.1
+License: BSD 3-clause (or similar) ; MPL 1.1/GPL 2.0/LGPL 2.1
 Group: Productivity/Networking/Security
 AutoReqProv: on
 Version: 0.9.8h
-Release: 26
+Release: 27
 Summary: CA certificates for OpenSSL
 Url: http://www.mozilla.org
 # wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certda..."
++++++ certdata.txt ++++++
++++ 2898 lines (skipped)
++++ between openssl-certs/certdata.txt
++++ and openssl-certs/certdata.txt
++++++ extractcerts.pl ++++++
--- /var/tmp/diff_new_pack.E2zuOF/_old 2009-10-02 23:59:33.000000000 +0200
+++ /var/tmp/diff_new_pack.E2zuOF/_new 2009-10-02 23:59:33.000000000 +0200
@@ -39,9 +39,25 @@
 use bytes;
 my $count = 0;
-my @objects = ();
+my @certificates = ();
+my %trusts = ();
 my $object = undef;
+sub handle_object($)
+{
+ my $object = shift;
+ return unless $object;
+ if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && $object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') {
+ push @certificates, $object;
+ } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_TRUST') {
+ my $label = $object->{'CKA_LABEL'};
+ die "$label exists" if exists($trusts{$label});
+ $trusts{$label} = $object;
+ } else {
+ print STDERR "class ", $object->{'CKA_CLASS'} ," not handled\n";
+ }
+}
+
 while(<>) { my @fields = ();
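Review bot: Keying `%trusts` on `CKA_LABEL` in `handle_object` binds each trust record to its certificate by display name only, and the `die "$label exists"` guard covers duplicate trust objects but not duplicate certificate labels. Two certificate objects that share a label would both be accepted or rejected on the strength of the single trust record stored under that label; whether certdata.txt can contain such a pair is not visible here, so treat this as a robustness gap rather than a demonstrated fault. NSS trust objects also carry `CKA_ISSUER` and `CKA_SERIAL_NUMBER`, which identify the certificate itself, so, assuming the parser outside this hunk stores those fields, `my $key = $object->{'CKA_ISSUER'} . $object->{'CKA_SERIAL_NUMBER'};` would be a safer hash key, with the same key rebuilt at lookup time. A one-line comment above the sub saying that trust objects are collected so the output loop can filter on them would also help the next reader. The parsing loop that feeds this sub starts and ends outside the hunk.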
@@ -76,30 +92,40 @@
 if( $fields[0] =~ /CKA_CLASS/ ) {
 $count++;
- push @objects, $object if $object;
+ handle_object($object);
 $object = {};
 }
 $object->{$fields[0]} = $fields[2];
 }
+handle_object($object);
 use MIME::Base64;
-for $object (@objects) {
- if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && $object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') {
- my $file = $object->{'CKA_LABEL'};
- $file =~ s/[^[:alnum:]]/_/g;
- $file .= '.pem';
- open (O, '>', $file);
- print "$file\n";
- my $value = $object->{'CKA_VALUE'};
- my $enc = '';
- $enc .= pack("C", oct($+)) while $value =~ /\G\\([0-3][0-7][0-7])/g;
- print O "-----BEGIN CERTIFICATE-----\n";
- print O encode_base64($enc);
- print O "-----END CERTIFICATE-----\n";
- close O;
- } else {
- # TODO: should we somehow evaluate the trust value?
-# print "skipping ", $object->{'CKA_LABEL'}, "\n";
- }
+for my $cert (@certificates) {
+ my $file = $cert->{'CKA_LABEL'};
+ if(!exists($trusts{$file})) {
+ print STDERR "NO TRUST: $file\n";
+ next;
+ }
+ # check trust. We only include certificates that are trusted for identifying
+ # web sites
+ my $trust = $trusts{$file};
+ if($trust->{'CKA_TRUST_SERVER_AUTH'} ne 'CKT_NETSCAPE_TRUSTED_DELEGATOR') {
+ my $t = $trust->{'CKA_TRUST_SERVER_AUTH'};
+ $t =~ s/CKT_NETSCAPE_//;
+ print STDERR "$t: $file\n";
+ next;
+ }
+
+ $file =~ s/[^[:alnum:]]/_/g;
+ $file .= '.pem';
+ open (O, '>', $file);
+ print "$file\n";
+ my $value = $cert->{'CKA_VALUE'};
+ my $enc = '';
+ $enc .= pack("C", oct($+)) while $value =~ /\G\\([0-3][0-7][0-7])/g;
+ print O "-----BEGIN CERTIFICATE-----\n";
+ print O encode_base64($enc);
+ print O "-----END CERTIFICATE-----\n";
+ close O;
 }
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org
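Review bot: `open (O, '>', $file);` and `close O;` in the new `for my $cert` loop are unchecked, so a failed open or a short write still prints the file name to stdout and the resulting CA directory is missing a certificate, or holds a truncated one, without any error. Check both calls: `open(O, '>', $file) or die "open $file: $!";` and `close O or die "close $file: $!";`. Separately, `s/[^[:alnum:]]/_/g` can map two different labels to the same file name, in which case the later certificate silently overwrites the earlier one; a `my %seen;` before the loop and `die "duplicate file name $file" if $seen{$file}++;` before the open would surface that. A trust object without `CKA_TRUST_SERVER_AUTH` is skipped by the `ne` test, which is the safe direction, but it deserves a short comment saying the omission is intentional. The `while` loop closed at the top of this hunk begins outside it.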