Hello community, here is the log from the commit of package ca-certificates-mozilla for openSUSE:Factory checked in at Thu Apr 1 18:21:59 CEST 2010. -------- New Changes file:
--- /dev/null 2009-09-30 08:50:26.000000000 +0200
+++ /mounts/work_src_done/STABLE/ca-certificates-mozilla/ca-certificates-mozilla.changes 2010-04-01 14:57:10.000000000 +0200
@@ -0,0 +1,53 @@
+-------------------------------------------------------------------
+Thu Apr 1 12:14:11 UTC 2010 - lnussel@suse.de
+
+- don't output trusted certs by default as it's not supported by
+ gnutls yet and pidgin scans /etc/ssl/certs
+
+-------------------------------------------------------------------
+Thu Apr 1 11:39:01 UTC 2010 - lnussel@suse.de
+
+- update certificates to revision 1.62
+
+-------------------------------------------------------------------
+Fri Mar 26 15:27:34 UTC 2010 - lnussel@suse.de
+
+- extract trustbits as comment as Fedora does
+- convert to trusted certificates in spec file instead
+
+-------------------------------------------------------------------
+Thu Mar 25 08:16:56 UTC 2010 - lnussel@suse.de
+
+- rename to ca-certificates-mozilla
+- output trusted certificates
+- use utf8 in file names
+
+-------------------------------------------------------------------
+Tue Feb 2 16:27:35 UTC 2010 - lnussel@suse.de
+
+- update certificates to revision 1.57
+- add script to compare with previous certificates
+
+-------------------------------------------------------------------
+Wed Sep 30 13:17:45 UTC 2009 - lnussel@suse.de
+
+- update certifiates to cvs revision 1.56
+- exclude certficates that are not trusted for identifying web sites
+
+-------------------------------------------------------------------
+Tue Dec 2 11:29:03 CET 2008 - cfarrell@suse.de
+
+- Add openssl-certs.COPYING to fix bnc#441356
+
+
+-------------------------------------------------------------------
+Thu Oct 9 17:49:57 CEST 2008 - lnussel@suse.de
+
+- use certificates from MozillaFirefox
+
+-------------------------------------------------------------------
+Wed Jul 9 15:15:38 CEST 2008 - mkoenig@suse.de
+
+- split out the CA root certificates from the openssl certs
+ subpackage into a package of its own.
+ calling whatdependson for head-i586 New: ---- ca-certificates-mozilla.COPYING ca-certificates-mozilla.changes ca-certificates-mozilla.spec certdata.txt compareoldnew extractcerts.pl ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ca-certificates-mozilla.spec ++++++ # # spec file for package ca-certificates-mozilla (Version 1.62) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # # norootforbuild %bcond_with trustedcerts BuildRequires: openssl Name: ca-certificates-mozilla %define sslusrdir %{_datadir}/ca-certificates License: BSD3c(or similar) ; MPL 1.1/GPL 2.0/LGPL 2.1 Group: Productivity/Networking/Security AutoReqProv: on Version: 1.62 Release: 1 Summary: CA certificates for OpenSSL Url: http://www.mozilla.org # IMPORTANT: procedure to update certificates: # - Check the CVS log of the cert file: # http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD # - download the new certdata.txt # wget -O certdata.txt "http://mxr.mozilla.org/mozilla/source//security/nss/lib/ckfw/builtins/certda..." 
# - run compareoldnew to show fingerprints of new and changed certificates # - check the bugs referenced in cvs log and compare the checksum # to output of compareoldnew # - Watch out that blacklisted or untrusted certificates are not # accidentally included! Source: certdata.txt Source1: extractcerts.pl Source2: %{name}.COPYING Source3: compareoldnew BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch # for update-ca-certificates PreReq: ca-certificates # Provides: openssl-certs = 0.9.9 Obsoletes: openssl-certs < 0.9.9 %description This package contains some CA root certificates for OpenSSL extracted from MozillaFirefox %prep %setup -qcT install -m 644 %{S:1} COPYING %build perl %{SOURCE1} --trustbits < %{SOURCE0} %install mkdir -p %{buildroot}/%{sslusrdir}/mozilla set +x for i in *.pem; do args=() trust=`sed -n '/^# openssl-trust=/{s/^.*=//;p;q;}' "$i"` alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' "$i"` %if %{with trustedcerts} args+=('-trustout') for t in $trust; do args+=("-addtrust" "$t") done [ -z "$alias" ] || args+=('-setalias' "$alias") %else case "$trust" in *serverAuth*) ;; *) echo "skipping $i, not trusted for serverAuth"; continue ;; esac %endif echo "$i" { grep '^#' "$i" openssl x509 -in "$i" "${args[@]}" } > "%{buildroot}/%{sslusrdir}/mozilla/$i" done set -x %clean rm -rf %{buildroot} %post update-ca-certificates || true %postun update-ca-certificates || true %files %defattr(-, root, root) %doc COPYING %{sslusrdir}/mozilla %changelog ++++++ ca-certificates-mozilla.COPYING ++++++ # ***** BEGIN LICENSE BLOCK ***** # Version: MPL 1.1/GPL 2.0/LGPL 2.1 # # The contents of this file are subject to the Mozilla Public License Version # 1.1 (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # http://www.mozilla.org/MPL/ # # Software distributed under the License is distributed on an "AS IS" basis, # WITHOUT WARRANTY OF ANY KIND, either express or implied. 
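Review bot: In ca-certificates-mozilla.spec the update procedure fetches the trust-anchor input with `wget -O certdata.txt "http://…"`, so the file that decides which roots the distribution trusts arrives over an unauthenticated channel, and the only integrity control is the manual fingerprint comparison in the steps that follow. The procedure should say where the file's integrity comes from, for example by adding `# - fetch certdata.txt over an authenticated channel and note its checksum in the .changes entry` ahead of the compareoldnew step. Separately, `%post` and `%postun` run `update-ca-certificates || true`, which hides a failed trust-store rebuild from the package transaction; a one-line comment stating that this is deliberate would help the next maintainer.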
See the License # for the specific language governing rights and limitations under the # License. # # The Original Code is the Netscape security libraries. # # The Initial Developer of the Original Code is # Netscape Communications Corporation. # Portions created by the Initial Developer are Copyright (C) 1994-2000 # the Initial Developer. All Rights Reserved. # # Contributor(s): # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), # in which case the provisions of the GPL or the LGPL are applicable instead # of those above. If you wish to allow use of your version of this file only # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** ++++++ certdata.txt ++++++ ++++ 21023 lines (skipped) ++++++ compareoldnew ++++++ #!/bin/bash # print fingerprints of new or changed certificates set -e cleanup() { rm -rf new{,.files} old{,.files} } showcert() { openssl x509 -in "$1" -noout -subject -fingerprint -nameopt multiline,utf8,-esc_msb \ | sed -ne 's/ *commonName *= / CN: /p; s/.*Fingerprint=/ sha1: /p' } cleanup trap cleanup EXIT mkdir old new cd old echo old... VERBOSE=1 ../extractcerts.pl < ../.osc/certdata.txt | sort > ../old.files cd .. cd new echo new... VERBOSE=1 ../extractcerts.pl < ../certdata.txt | sort > ../new.files cd .. 
echo '----------------------------' while read line; do IFS='#' eval set -- \$line old="$1" new="$2" common="$3" if [ -n "$old" ]; then echo "$old has been deleted" elif [ -n "$new" ]; then echo "new: $new" showcert new/$new elif ! cmp "old/$common" "new/$common"; then echo "*** $common differs!" showcert old/$common showcert old/$common fi done < <(comm --output-delimiter='#' old.files new.files) ++++++ extractcerts.pl ++++++ #!/usr/bin/perl -w # # ***** BEGIN LICENSE BLOCK ***** # Version: MPL 1.1/GPL 2.0/LGPL 2.1 # # The contents of this file are subject to the Mozilla Public License Version # 1.1 (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # http://www.mozilla.org/MPL/ # # Software distributed under the License is distributed on an "AS IS" basis, # WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License # for the specific language governing rights and limitations under the # License. # # The Original Code is the Netscape security libraries. # # The Initial Developer of the Original Code is # Netscape Communications Corporation. # Portions created by the Initial Developer are Copyright (C) 1994-2000 # the Initial Developer. All Rights Reserved. # # Contributor(s): # # Alternatively, the contents of this file may be used under the terms of # either the GNU General Public License Version 2 or later (the "GPL"), or # the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), # in which case the provisions of the GPL or the LGPL are applicable instead # of those above. If you wish to allow use of your version of this file only # under the terms of either the GPL or the LGPL, and not to allow others to # use your version of this file under the terms of the MPL, indicate your # decision by deleting the provisions above and replace them with the notice # and other provisions required by the GPL or the LGPL. 
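Review bot: In compareoldnew the "differs" branch calls `showcert old/$common` twice, so for a changed certificate the reviewer sees the old fingerprint two times and never the new one, which is the value the spec's update procedure asks to compare against the referenced bugs. The second call should be `showcert "new/$common"`. The loop also reads with plain `read line` and passes `new/$new` and `old/$common` unquoted; since extractcerts.pl keeps backslashes in the file names it generates, `read -r line` and quoted arguments are the safer form.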
If you do not delete # the provisions above, a recipient may use your version of this file under # the terms of any one of the MPL, the GPL or the LGPL. # # ***** END LICENSE BLOCK ***** use strict; use Encode; my $count = 0; my @certificates = (); my %trusts = (); my $object = undef; my $output_trustbits; my %trust_types = ( "CKA_TRUST_DIGITAL_SIGNATURE" => "digital-signature", "CKA_TRUST_NON_REPUDIATION" => "non-repudiation", "CKA_TRUST_KEY_ENCIPHERMENT" => "key-encipherment", "CKA_TRUST_DATA_ENCIPHERMENT" => "data-encipherment", "CKA_TRUST_KEY_AGREEMENT" => "key-agreement", "CKA_TRUST_KEY_CERT_SIGN" => "cert-sign", "CKA_TRUST_CRL_SIGN" => "crl-sign", "CKA_TRUST_SERVER_AUTH" => "server-auth", "CKA_TRUST_CLIENT_AUTH" => "client-auth", "CKA_TRUST_CODE_SIGNING" => "code-signing", "CKA_TRUST_EMAIL_PROTECTION" => "email-protection", "CKA_TRUST_IPSEC_END_SYSTEM" => "ipsec-end-system", "CKA_TRUST_IPSEC_TUNNEL" => "ipsec-tunnel", "CKA_TRUST_IPSEC_USER" => "ipsec-user", "CKA_TRUST_TIME_STAMPING" => "time-stamping", "CKA_TRUST_STEP_UP_APPROVED" => "step-up-approved", ); my %openssl_trust = ( CKA_TRUST_SERVER_AUTH => 'serverAuth', CKA_TRUST_CLIENT_AUTH => 'clientAuth', CKA_TRUST_EMAIL_PROTECTION => 'emailProtection', CKA_TRUST_CODE_SIGNING => 'codeSigning', ); if (@ARGV && $ARGV[0] eq '--trustbits') { shift @ARGV; $output_trustbits = 1; } sub handle_object($) { my $object = shift; return unless $object; if($object->{'CKA_CLASS'} eq 'CKO_CERTIFICATE' && $object->{'CKA_CERTIFICATE_TYPE'} eq 'CKC_X_509') { push @certificates, $object; } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_TRUST') { my $label = $object->{'CKA_LABEL'}; die "$label exists" if exists($trusts{$label}); $trusts{$label} = $object; } elsif ($object->{'CKA_CLASS'} eq 'CKO_NETSCAPE_BUILTIN_ROOT_LIST') { # ignore } else { print STDERR "class ", $object->{'CKA_CLASS'} ," not handled\n"; } } while(<>) { my @fields = (); s/^((?:[^"#]+|"[^"]*")*)(\s*#.*$)/$1/; next if (/^\s*$/); if( /(^CVS_ID\s+)(.*)/ ) { next; } 
# This was taken from the perl faq #4. my $text = $_; push(@fields, $+) while $text =~ m{ "([^\"\\]*(?:\\.[^\"\\]*)*)"\s? # groups the phrase inside the quotes | ([^\s]+)\s? | \s }gx; push(@fields, undef) if substr($text,-1,1) eq '\s'; if( $fields[0] =~ /BEGINDATA/ ) { next; } if( $fields[1] =~ /MULTILINE/ ) { $fields[2] = ""; while(<>) { last if /END/; chomp; $fields[2] .= $_; } } if( $fields[0] =~ /CKA_CLASS/ ) { $count++; handle_object($object); $object = {}; } $object->{$fields[0]} = $fields[2]; } handle_object($object); use MIME::Base64; for my $cert (@certificates) { my $alias = $cert->{'CKA_LABEL'}; if(!exists($trusts{$alias})) { print STDERR "NO TRUST: $alias\n"; next; } # check trust. We only include certificates that are trusted for identifying # web sites my $trust = $trusts{$alias}; my @addtrust; my @addtrust_openssl; my $trusted; if ($output_trustbits) { for my $type (keys %trust_types) { if (exists $trust->{$type} && $trust->{$type} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') { push @addtrust, $trust_types{$type}; if (exists $openssl_trust{$type}) { push @addtrust_openssl, $openssl_trust{$type}; } $trusted = 1; } } } else { if($trust->{'CKA_TRUST_SERVER_AUTH'} eq 'CKT_NETSCAPE_TRUSTED_DELEGATOR') { $trusted = 1; } } if (!$trusted) { my $t = $trust->{'CKA_TRUST_SERVER_AUTH'}; $t =~ s/CKT_NETSCAPE_//; print STDERR "$t: $alias\n"; next; } if ($alias =~ /\\x[0-9a-fA-F]{2}/) { $alias =~ s/\\x([0-9a-fA-F]{2})/chr(hex($1))/ge; # thanks mls! 
$alias = Encode::decode("UTF-8", $alias); } my $file = $alias; $alias =~ s/'/-/g; $file =~ s/[^[:alnum:]\\]+/_/g; $file .= '.pem'; $file = Encode::encode("UTF-8", $file); if (!open(O, '>', $file)) { print STDERR "$file: $!\n"; next; } print "$file\n" if $ENV{'VERBOSE'}; my $value = $cert->{'CKA_VALUE'}; my $enc = ''; $enc .= pack("C", oct($+)) while $value =~ /\G\\([0-3][0-7][0-7])/g; if ($output_trustbits) { print O "# alias=",Encode::encode("UTF-8", $alias),"\n"; print O "# trust=",join(" ", @addtrust),"\n"; if (@addtrust_openssl) { print O "# openssl-trust=",join(" ", @addtrust_openssl),"\n"; } } print O "-----BEGIN CERTIFICATE-----\n"; print O encode_base64($enc); print O "-----END CERTIFICATE-----\n"; close O; } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
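Review bot: In extractcerts.pl a certificate is tied to its trust object, and to its output file, only through `CKA_LABEL`: handle_object dies on a duplicate trust label but pushes certificates without any duplicate check, and the main loop opens `$file` with `'>'`, so two certificates whose labels are equal or sanitise to the same name would share one trust record and the later one would silently replace the earlier PEM. A cheap guard is `die "$file: already written\n" if -e $file;` ahead of the `open`, which is safe because both the spec's %build and compareoldnew run the script in a freshly created directory. Matching trust to certificate on an attribute that identifies the certificate itself rather than its display name would be the sturdier fix (the trust objects in certdata.txt presumably carry issuer and serial fields; confirm against the skipped file). Also, `print O` and `close O` are unchecked, so a short write leaves a truncated certificate on disk without any error.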