ca-certificates: bump to 20190825

2019-08-25 01:44:48 +00:00 · 2019-08-25 01:44:48 +00:00 · 6cf5358df9
commit 6cf5358df9
parent 854d399001
6 changed files with 241 additions and 38 deletions
--- a/core/ca-certificates/build
+++ b/core/ca-certificates/build
@ -1,21 +1,30 @@
 #!/bin/sh -e
+#
+# ca-certificates version is based on commit?
+# There's no upstream version at all?!?!?
+# Not sure what to do here.

-gcc certdata2pem.c -o mozilla/certdata2pem
+cat > blacklist.txt <<EOF
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
+"Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+"Explicitly Distrust DigiNotar Root CA"
+"Explicitly Distrusted DigiNotar PKIoverheid G2"
+"MITM subCA 1 issued by Trustwave"
+"MITM subCA 2 issued by Trustwave"
+"TURKTRUST Mis-issued Intermediate CA 1"
+"TURKTRUST Mis-issued Intermediate CA 2"
+EOF

-sed -i'' -e 's,python certdata2pem.py,./certdata2pem,g' mozilla/Makefile
-patch -p1 < update-ca-certificates-destdir.patch
+gcc certdata2pem.c -o certdata2pem
+./certdata2pem certdata.txt

-make
-
-install -m0755 -d "$1/usr/share/ca-certificates"
+install -m0755 -d "$1/usr/share/ca-certificates/mozilla"
 install -m0755 -d "$1/usr/bin"
-install -m0755 -d "$1/usr/sbin"
 install -m0755 -d "$1/etc/ssl/certs"

-make DESTDIR="$1" install
+cp ./*.crt "$1/usr/share/ca-certificates/mozilla"
+cp update-ca-certificates "$1/usr/bin"

-# Fix issues with 'libressl'.
-sed -i'' -e 's/ssl rehash/ssl certhash/' "$1/usr/sbin/update-ca-certificates"
-
-cd "$1/usr/share/ca-certificates" &&
-    find . -name '*.crt' | sort | cut -b3- > "$1/etc/ca-certificates.conf"
+cd "$1/usr/share/ca-certificates"
+find . -name '*.crt' | sort | cut -b3- > "$1/etc/ca-certificates.conf"
--- a/core/ca-certificates/checksums
+++ b/core/ca-certificates/checksums
@ -1,3 +1,3 @@
-ee4bf0f4c6398005f5b5ca4e0b87b82837ac5c3b0280a1cb3a63c47555c3a675  ca-certificates_20190110.tar.xz
+c979c6f35714a0fedb17d9e5ba37adecbbc91a8faf4186b4e23d6f9ca44fd6cb  certdata.txt
 064f7d41106cd9efa08b9e68cf049f44e3be55666bd2ab96d02c508293b8dce7  certdata2pem.c
-9abcbeadae690315b760a4d726d71265b2c479121e2e30e95f9678c4b8d81ef2  update-ca-certificates-destdir.patch
+a4283508b5775a67c7df65b28bbe9100817ffda97db3a789a5414742ac66335c  update-ca-certificates
--- a/core/ca-certificates/files/update-ca-certificates
+++ b/core/ca-certificates/files/update-ca-certificates
@ -0,0 +1,214 @@
+#!/bin/sh -e
+#
+# update-ca-certificates
+#
+# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+verbose=0
+fresh=0
+default=0
+CERTSCONF=$DESTDIR/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=$DESTDIR/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=$DESTDIR/etc/ssl/certs
+HOOKSDIR=$DESTDIR/etc/ca-certificates/update.d
+
+while [ $# -gt 0 ];
+do
+  case $1 in
+    --verbose|-v)
+      verbose=1;;
+    --fresh|-f)
+      fresh=1;;
+    --default|-d)
+      default=1
+      fresh=1;;
+    --certsconf)
+      shift
+      CERTSCONF="$1";;
+    --certsdir)
+      shift
+      CERTSDIR="$1";;
+    --localcertsdir)
+      shift
+      LOCALCERTSDIR="$1";;
+    --certbundle)
+      shift
+      CERTBUNDLE="$1";;
+    --etccertsdir)
+      shift
+      ETCCERTSDIR="$1";;
+    --hooksdir)
+      shift
+      HOOKSDIR="$1";;
+    --help|-h|*)
+      echo "$0: [--verbose] [--fresh]"
+      exit;;
+  esac
+  shift
+done
+
+if [ ! -s "$CERTSCONF" ]
+then
+  fresh=1
+fi
+
+cleanup() {
+  rm -f "$TEMPBUNDLE"
+  rm -f "$ADDED"
+  rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files.  (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones.  This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+                                                  -e 's/[()]/=/g' \
+                                                  -e 's/,/_/g').pem"
+  if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+  then
+    ln -sf "$CERT" "$PEM"
+    echo "+$PEM" >> "$ADDED"
+  fi
+  # Add trailing newline to certificate, if it is missing (#635570)
+  sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+  CERT="$1"
+  PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+  if test -L "$PEM"
+  then
+    rm -f "$PEM"
+    echo "-$PEM" >> "$REMOVED"
+  fi
+}
+
+cd "$ETCCERTSDIR"
+if [ "$fresh" = 1 ]; then
+  echo "Clearing symlinks in $ETCCERTSDIR..."
+  find . -type l -print | while read symlink
+  do
+    case $(readlink "$symlink") in
+      $CERTSDIR*|$LOCALCERTSDIR*) rm -f $symlink;;
+    esac
+  done
+  find . -type l -print | while read symlink
+  do
+    test -f "$symlink" || rm -f "$symlink"
+  done
+  echo "done."
+fi
+
+echo "Updating certificates in $ETCCERTSDIR..."
+
+# Add default certificate authorities if requested
+if [ "$default" = 1 ]; then
+  find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
+  do
+    add "$crt"
+  done
+fi
+
+# Handle certificates that should be removed.  This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' "$CERTSCONF" | while read crt
+do
+  remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' "$CERTSCONF" | while read crt
+do
+  if ! test -f "$CERTSDIR/$crt"
+  then
+    echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+    continue
+  fi
+  add "$CERTSDIR/$crt"
+done
+
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+  find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
+  do
+    add "$crt"
+  done
+fi
+
+rm -f "$CERTBUNDLE"
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+  # only run if set of files has changed
+  # Remove orphan symlinks found in ETCCERTSDIR to prevent `openssl certhash`
+  # from exiting with an error. See #895482, #895473.
+  find $ETCCERTSDIR -type l ! -exec test -e {} \; -print | while read orphan
+  do
+    rm -f "$orphan"
+    if [ "$verbose" = 1 ]; then
+      echo "Removed orphan symlink $orphan"
+    fi
+  done
+  if [ "$verbose" = 0 ]
+  then
+    openssl certhash . > /dev/null
+  else
+    openssl certhash -v .
+  fi
+fi
+
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+# Restore proper SELinux label after moving the file
+[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+if [ -d "$HOOKSDIR" ]
+then
+
+  echo "Running hooks in $HOOKSDIR..."
+  VERBOSE_ARG=
+  [ "$verbose" = 0 ] || VERBOSE_ARG="--verbose"
+  eval run-parts "$VERBOSE_ARG" --test -- "$HOOKSDIR" | while read hook
+  do
+    ( cat "$ADDED"
+      cat "$REMOVED" ) | "$hook" || echo "E: $hook exited with code $?."
+  done
+  echo "done."
+
+fi
+
+# vim:set et sw=2:
--- a/core/ca-certificates/patches/update-ca-certificates-destdir.patch
+++ b/core/ca-certificates/patches/update-ca-certificates-destdir.patch
@ -1,20 +0,0 @@
--- usr/sbin/update-ca-certificates.orig	2015-05-29 11:09:43.922158838 +0200
-+++ usr/sbin/update-ca-certificates	2015-05-29 11:10:06.842632933 +0200
-@@ -24,12 +24,12 @@
- verbose=0
- fresh=0
- default=0
-CERTSCONF=/etc/ca-certificates.conf
-CERTSDIR=/usr/share/ca-certificates
-LOCALCERTSDIR=/usr/local/share/ca-certificates
-+CERTSCONF=$DESTDIR/etc/ca-certificates.conf
-+CERTSDIR=/usr/share/ca-certificates
-+LOCALCERTSDIR=$DESTDIR/usr/local/share/ca-certificates
- CERTBUNDLE=ca-certificates.crt
-ETCCERTSDIR=/etc/ssl/certs
-HOOKSDIR=/etc/ca-certificates/update.d
-+ETCCERTSDIR=$DESTDIR/etc/ssl/certs
-+HOOKSDIR=$DESTDIR/etc/ca-certificates/update.d
-
- while [ $# -gt 0 ];
- do
--- a/core/ca-certificates/sources
+++ b/core/ca-certificates/sources
@ -1,3 +1,3 @@
-http://ftp.no.debian.org/debian/pool/main/c/ca-certificates/ca-certificates_20190110.tar.xz
+https://hg.mozilla.org/mozilla-central/raw-file/1125aad05d5c39c2453c04ca6d037afaef16c296/security/nss/lib/ckfw/builtins/certdata.txt
 files/certdata2pem.c
-patches/update-ca-certificates-destdir.patch
+files/update-ca-certificates
--- a/core/ca-certificates/version
+++ b/core/ca-certificates/version
@ -1 +1 @@
-20190110 2
+20190825 1