rpms/ca-certificates
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Merge branch 'f18'

Browse Source 
Conflicts:
	ca-certificates.spec
This commit is contained in:
Paul Wouters 2012-10-24 14:19:30 -04:00
commit 3f84976ebe
3 changed files with 31 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
blacklist.txt
View File

@ -3,3 +3,24 @@
# MD5 Collision Proof of Concept CA # MD5 Collision Proof of Concept CA
"MD5 Collisions Forged Rogue CA 25c3" "MD5 Collisions Forged Rogue CA 25c3"
# Obtained from certdata.txt version 1.86 on Wed Oct 24 13:49:41 EDT 2012 by Paul Wouters <pwouters@redhat.com>
"Bogus Mozilla Addons"
"Bogus Global Trustee"
"Bogus GMail"
"Bogus Google"
"Bogus Skype"
"Bogus Yahoo 1"
"Bogus Yahoo 2"
"Bogus Yahoo 3"
"Bogus live.com"
"Bogus kuix.de"
"Explicitly Distrust DigiNotar Root CA"
"Explicitly Distrust DigiNotar Services 1024 CA"
"Explicitly Distrust DigiNotar Cyber CA"
"Explicitly Distrust DigiNotar Cyber CA 2nd"
"Explicitly Distrusted DigiNotar PKIoverheid"
"Explicitly Distrusted DigiNotar PKIoverheid G2"
"Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
"Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
"MITM subCA 1 issued by Trustwave"
"MITM subCA 2 issued by Trustwave"

12
ca-certificates.spec
View File

@ -7,16 +7,16 @@
# #
# Keep the RCS version in sync with the spec Version. # Keep the RCS version in sync with the spec Version.
# #
# The real url is: # Note: This will give us the experimental version, not one that
# https://hg.mozilla.org/mozilla-central/raw-file/d3de9d8e2b5b/security/nss/lib/ckfw/builtins/certdata.txt # Firefox deems "stable". For that, we should check a firefox
# release branch for the certdata.txt version.
%define pkidir %{_sysconfdir}/pki %define pkidir %{_sysconfdir}/pki
Summary: The Mozilla CA root certificate bundle Summary: The Mozilla CA root certificate bundle
Name: ca-certificates Name: ca-certificates
Version: 2012.86 Version: 2012.86
Release: 1%{?dist} Release: 2%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
URL: http://www.mozilla.org/ URL: http://www.mozilla.org/
@ -122,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%changelog %changelog
* Wed Oct 24 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-2
- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
* Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1 * Tue Oct 23 2012 Paul Wouters <pwouters@redhat.com> - 2012.86-1
- update to r1.86 - update to r1.86

3
certdata2pem.py
View File

@ -104,7 +104,8 @@ for obj in objects:
trust[obj['CKA_LABEL']] = True trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR': elif obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
trust[obj['CKA_LABEL']] = True trust[obj['CKA_LABEL']] = True
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_UNTRUSTED': # NSS recently changed CKT_NSS_UNTRUSTED to CKT_NSS_NOT_TRUSTED
elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_UNTRUSTED' or obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
print '!'*74 print '!'*74
print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'] print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
print '!'*74 print '!'*74