summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRichard Ipsum <richard.ipsum@codethink.co.uk>2015-11-12 10:10:11 (GMT)
committerRichard Ipsum <richard.ipsum@codethink.co.uk>2015-11-12 10:10:11 (GMT)
commitc9124556cfc5d29d4fd0d7b688bf4873a6098bf3 (patch)
treed1112d58b688a6cb026e7f37bf63b92feb18dc4e
parente9b06b26d9e57444e74a5cb6beca3f12726fc3c6 (diff)
parent193eb2042c6be1775f4c41f6297fe5c1521828e0 (diff)
downloadca-certificates-baserock/debian/20140325.tar.gz
Merge branch 'baserock/richardipsum/debian/20140325' into baserock/debian/20140325baserock/debian/20140325
Reviewed by: Javier Jardón <jjardon@gnome.org> Tristan Van Berkom <tristan.vanberkom@codethink.co.uk> Richard Maw (on IRC)
-rw-r--r--debian/changelog109
-rw-r--r--mozilla/certdata2pem.py57
2 files changed, 150 insertions, 16 deletions
diff --git a/debian/changelog b/debian/changelog
index b367c7f..9a3e0b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,112 @@
+ca-certificates (20151022) UNRELEASED; urgency=medium
+
+ * debian/postinst:
+ Handle /usr/local/share/ca-certificates permissions and ownership on
+ upgrade. Closes: #611501
+ * mozilla/{certdata.txt,nssckbi.h}:
+ Update Mozilla certificate authority bundle to version 2.5.
+ * mozilla/certdata2pem.py:
+ Add Python 3 support to ca-certificates.
+ Thanks to Andrew Wilcox for the patch! Closes: #789753
+TODO: verify adds/removes
+ The following certificate authorities were added (+):
+ + "Certinomis - Root CA"
+ + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+ + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6"
+ The following certificate authorities were removed (-):
+ - "Buypass Class 3 CA 1"
+ - "SG TRUST SERVICES RACINE"
+ - "TC TrustCenter Class 2 CA II"
+ - "TC TrustCenter Universal CA I"
+ - "TURKTRUST Certificate Services Provider Root 1"
+
+ -- Michael Shuler <michael@pbandjelly.org> Thu, 22 Oct 2015 15:32:23 -0500
+
+ca-certificates (20150426) unstable; urgency=medium
+
+ * debian/postinst:
+ Set mode and group of /usr/local/share/ca-certificates based on current
+ /usr/local permissions and ownership. Closes: #611501
+ * sbin/update-ca-certificates:
+ Allow customisation of the paths used by update-ca-certificates.
+ Add an option to set the certs in a directory to the defaults.
+ Thanks for the patches, Paul Wise. Closes: #774059, #774201
+ Fix shellcheck warnings and a little indentation.
+ * sbin/update-ca-certificates.8:
+ Correct concatenated file name in man page from certificates.crt to
+ ca-certificates.crt. Closes: #782230
+ * mozilla/{certdata.txt,nssckbi.h}:
+ Update Mozilla certificate authority bundle to version 2.4.
+ The following certificate authorities were added (+):
+ + "CFCA EV ROOT"
+ + "COMODO RSA Certification Authority"
+ + "Entrust Root Certification Authority - EC1"
+ + "Entrust Root Certification Authority - G2"
+ + "GlobalSign ECC Root CA - R4"
+ + "GlobalSign ECC Root CA - R5"
+ + "IdenTrust Commercial Root CA 1"
+ + "IdenTrust Public Sector Root CA 1"
+ + "S-TRUST Universal Root CA"
+ + "Staat der Nederlanden EV Root CA"
+ + "Staat der Nederlanden Root CA - G3"
+ + "USERTrust ECC Certification Authority"
+ + "USERTrust RSA Certification Authority" Closes: #762709
+ The following certificate authorities were removed (-):
+ - "America Online Root Certification Authority 1"
+ - "America Online Root Certification Authority 2"
+ - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+ - "GTE CyberTrust Global Root"
+ - "Thawte Premium Server CA"
+ - "Thawte Server CA"
+
+ -- Michael Shuler <michael@pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500
+
+ca-certificates (20141019) unstable; urgency=medium
+
+ * debian/copyright:
+ Add coverage for all files reported by lintian
+ file-without-copyright-information warning.
+ * debian/source/lintian-overrides:
+ Add file-without-copyright-information override for SPI certificate file.
+ * sbin/update-ca-certificates:
+ Restore SELinux label after generating ca-certificates.crt file.
+ Thanks to Laurent Bigonville for the patch. Closes: #742957
+ Tidy indentation whitespace.
+ Thanks to Antonio Terceiro for the patch. Closes: #742663
+ * debian/control:
+ Update to Standards-Version: 3.9.6 (no other changes needed).
+ Update Vcs-Browser link to cgit URL.
+
+ -- Michael Shuler <michael@pbandjelly.org> Sun, 19 Oct 2014 10:36:49 -0500
+
+ca-certificates (20140927) unstable; urgency=medium
+
+ * Update Mozilla certificate authority bundle to version 2.1.
+ The following certificate authorities were added (+):
+ + "DigiCert Assured ID Root G2"
+ + "DigiCert Assured ID Root G3"
+ + "DigiCert Global Root G2"
+ + "DigiCert Global Root G3"
+ + "DigiCert Trusted Root G4"
+ + "QuoVadis Root CA 1 G3"
+ + "QuoVadis Root CA 2 G3"
+ + "QuoVadis Root CA 3 G3"
+ + "WoSign"
+ + "WoSign China"
+ The following certificate authorities were removed (-):
+ - "Entrust.net Secure Server CA"
+ - "RSA Root Certificate 1"
+ - "TDC Internet Root CA"
+ - "ValiCert Class 1 VA"
+ - "ValiCert Class 2 VA"
+ * Include clear list of CAs added/removed, as above, and include better note
+ in README.Debian for trust reconfiguration. Closes: #743365
+ * Remove debian/config in debian/rules clean target.
+ * Include d/{changelog,NEWS} entries in 20140223 for duplicate CKA_LABEL
+ rename of "StartCom Certification Authority"_2.
+
+ -- Michael Shuler <michael@pbandjelly.org> Sat, 27 Sep 2014 15:14:00 -0500
+
ca-certificates (20140325) unstable; urgency=medium
* Update mozilla/certdata.txt to version 1.97+revert_of_936304
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 0482894..7bd4d2d 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -25,13 +25,19 @@ import os.path
import re
import sys
import textwrap
+import io
objects = []
# Dirty file parser.
in_data, in_multiline, in_obj = False, False, False
field, type, value, obj = None, None, None, dict()
-for line in open('certdata.txt', 'r'):
+
+# Python 3 will not let us decode non-ascii characters if we
+# have not specified an encoding, but Python 2's open does not
+# have an option to set the encoding. Python 3's open is io.open
+# and io.open has been backported to Python 2.6 and 2.7, so use io.open.
+for line in io.open('certdata.txt', 'rt', encoding='utf8'):
# Ignore the file header.
if not in_data:
if line.startswith('BEGINDATA'):
@@ -53,7 +59,7 @@ for line in open('certdata.txt', 'r'):
if type == 'MULTILINE_OCTAL':
line = line.strip()
for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
- value += chr(int(i.group(1), 8))
+ value.append(int(i.group(1), 8))
else:
value += line
continue
@@ -70,13 +76,13 @@ for line in open('certdata.txt', 'r'):
field, type = line_parts
value = None
else:
- raise NotImplementedError, 'line_parts < 2 not supported.'
+ raise NotImplementedError('line_parts < 2 not supported.')
if type == 'MULTILINE_OCTAL':
in_multiline = True
- value = ""
+ value = bytearray()
continue
obj[field] = value
-if len(obj.items()) > 0:
+if len(obj) > 0:
objects.append(obj)
# Read blacklist.
@@ -95,7 +101,7 @@ for obj in objects:
if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
continue
if obj['CKA_LABEL'] in blacklist:
- print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
+ print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
'CKT_NSS_TRUSTED_DELEGATOR'):
trust[obj['CKA_LABEL']] = True
@@ -104,13 +110,13 @@ for obj in objects:
trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
'CKT_NSS_NOT_TRUSTED'):
- print '!'*74
- print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
- print '!'*74
+ print('!'*74)
+ print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
+ print('!'*74)
else:
- print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
+ print("Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \
(obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'],
- obj['CKA_TRUST_EMAIL_PROTECTION'])
+ obj['CKA_TRUST_EMAIL_PROTECTION']))
for obj in objects:
if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
@@ -121,13 +127,32 @@ for obj in objects:
.replace('(', '=')\
.replace(')', '=')\
.replace(',', '_')
- bname = bname.decode('string_escape')
- fname = bname + '.crt'
+
+ # this is the only way to decode the way NSS stores multi-byte UTF-8
+ # and we need an escaped string for checking existence of things
+ # otherwise we're dependant on the user's current locale.
+ if bytes != str:
+ # We're in python 3, convert the utf-8 string to a
+ # sequence of bytes that represents this utf-8 string
+ # then encode the byte-sequence as an escaped string that
+ # can be passed to open() and os.path.exists()
+ bname = bname.encode('utf-8').decode('unicode_escape').encode('latin-1')
+ else:
+ # Python 2
+ # Convert the unicode string back to its original byte form
+ # (contents of files returned by io.open are returned as
+ # unicode strings)
+ # then to an escaped string that can be passed to open()
+ # and os.path.exists()
+ bname = bname.encode('utf-8').decode('string_escape')
+
+ fname = bname + b'.crt'
if os.path.exists(fname):
- print "Found duplicate certificate name %s, renaming." % bname
- fname = bname + '_2.crt'
+ print("Found duplicate certificate name %s, renaming." % bname)
+ fname = bname + b'_2.crt'
f = open(fname, 'w')
f.write("-----BEGIN CERTIFICATE-----\n")
- f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+ encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8')
+ f.write("\n".join(textwrap.wrap(encoded, 64)))
f.write("\n-----END CERTIFICATE-----\n")