Resolves: rhbz#1722213

- Update to CKBI 2.32 from NSS 3.44 Removing: # Certificate "Visa eCommerce Root" # Certificate "AC Raiz Certicamara S.A." # Certificate "Certplus Root CA G1" # Certificate "Certplus Root CA G2" # Certificate "OpenTrust Root CA G1" # Certificate "OpenTrust Root CA G2" # Certificate "OpenTrust Root CA G3" Adding: # Certificate "GTS Root R1" # Certificate "GTS Root R2" # Certificate "GTS Root R3" # Certificate "GTS Root R4" # Certificate "UCA Global G2 Root" # Certificate "UCA Extended Validation Root" # Certificate "Certigna Root CA" # Certificate "emSign Root CA - G1" # Certificate "emSign ECC Root CA - G3" # Certificate "emSign Root CA - C1" # Certificate "emSign ECC Root CA - C3" # Certificate "Hongkong Post Root CA 3"
2019-06-19 10:17:16 -07:00 · 2019-06-19 10:17:16 -07:00 · 605570b71e
commit 605570b71e
parent 4f5bce3dc2
4 changed files with 2013 additions and 1033 deletions
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -35,10 +35,10 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)

-Version: 2018.2.26
+Version: 2019.2.32
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 2%{?dist}
 License: Public Domain

 URL: https://fedoraproject.org/wiki/CA-Certificates
@ -369,6 +369,30 @@ fi


 %changelog
+*Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
+ - Update to CKBI 2.32 from NSS 3.44
+   Removing: 
+    # Certificate "Visa eCommerce Root"
+    # Certificate "AC Raiz Certicamara S.A."
+    # Certificate "Certplus Root CA G1"
+    # Certificate "Certplus Root CA G2"
+    # Certificate "OpenTrust Root CA G1"
+    # Certificate "OpenTrust Root CA G2"
+    # Certificate "OpenTrust Root CA G3"
+   Adding: 
+    # Certificate "GTS Root R1"
+    # Certificate "GTS Root R2"
+    # Certificate "GTS Root R3"
+    # Certificate "GTS Root R4"
+    # Certificate "UCA Global G2 Root"
+    # Certificate "UCA Extended Validation Root"
+    # Certificate "Certigna Root CA"
+    # Certificate "emSign Root CA - G1"
+    # Certificate "emSign ECC Root CA - G3"
+    # Certificate "emSign Root CA - C1"
+    # Certificate "emSign ECC Root CA - C3"
+    # Certificate "Hongkong Post Root CA 3"
+
 * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

--- a/certdata.txt
+++ b/certdata.txt
--- a/check_certs.sh
+++ b/check_certs.sh
@ -0,0 +1,118 @@
+#!/bin/perl
+
+sub adjust {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my @pos = @{$_[2]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   if (! $found ) {
+ 	push(@pos, $newLine);
+   }
+   @neg=@newneg;
+}
+
+sub removeLine {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+        if ($found) {
+            push(@newneg ,$cline );
+	} elsif ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   return @newneg;
+}
+
+sub filter {
+   my @list = @{$_[0]};
+   my $string = $_[1];
+   my @filteredList = ();
+   foreach my $cline (@list) {
+	if ($cline =~ m/$string/) {
+            push(@filteredList ,$cline );
+	}
+   }
+   return @filteredList;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub printeach {
+   my @args = @{$_[0]};
+   foreach my $arg (@args) {
+	chomp $arg;
+	print "    $arg\n";
+    }
+}
+
+open my $handle, "git diff certdata.txt|";
+my @diff_lines = <$handle>;
+close $handle;
+my @adds = ();
+my @subs = ();
+foreach my $line (@diff_lines) {
+    $type = substr $line,0,1;
+    $lline = substr $line,1;
+    if ($type eq "+") {
+          if (lineExists($lline, \@subs)) {
+               @subs = removeLine($lline,\@subs);
+          } else {
+               push(@adds, $lline);
+          }
+    };
+    if ($type eq "-") {
+          if (lineExists($lline, \@adds)) {
+                @adds = removeLine($lline,\@adds);
+          } else {
+                push(@subs, $lline);
+          }
+    };
+}
+
+my @tmp = filter(\@subs, "# Certificate");
+if (@tmp) {
+    print "   Removing: \n";
+    printeach(\@tmp);
+}
+my @tmp = filter(\@adds, "# Certificate");
+if (@tmp) {
+    print "   Adding: \n";
+    printeach(\@tmp);
+}
--- a/fetch.sh
+++ b/fetch.sh
@ -1,4 +1,159 @@
 #!/bin/sh
-exec cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot   \
-     co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt   \
-     > certdata.txt
+#
+# This script fetches the latest released certdata.txt and updates the 
+# ca-certificates.spec file
+#
+baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
+force=0
+release_type="RTM"
+release="3_43"
+while [ -n "$1" ]; do
+   case $1 in
+   "-d")
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
+	;;
+   -t*)
+	release_type=`echo $1 | sed -e 's;-t;;'`
+	if [ "${release_type}" = "" ]; then
+	   shift
+	   release_type=$1
+	fi
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   -n*)
+	release=`echo $1 | sed -e 's;-n;;'`
+	if [ "${release}" = "" ]; then
+	   shift
+	   release=$1
+	fi
+	release=`echo ${release} | sed -e 's;\\.;_;g'`
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   "-f")
+	force=1
+	;;
+    *)
+	echo "usage: $0 [-r] [-n release] [-f]"
+	echo "-d           use the development tip rather than the latest release"
+	echo "-n release   fetch a specific nss release"
+	echo "-f           skip the verify check"
+	exit 1
+	;;
+    esac
+    shift
+done
+
+# get the current certdata version number
+# nss version number
+# user making the change
+# email of user
+# 
+# versions from the latest nss code in mozilla
+echo "Getting CKBI version number"
+ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
+if [ "${ckbi_version}" = "" ]; then
+    echo "Didn't find ckbi version from ${baseurl}"
+    exit 1;
+fi
+echo "Getting NSS version number"
+nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
+if [ "${nss_version}" = "" ]; then
+    echo "Didn't find nss version from ${baseurl}"
+    exit 1;
+fi
+# date from the current system date on this machine
+echo "Creating change log"
+export LANG=C
+year=`date +%Y`
+log_date=`date +"%a %b %d %Y"`
+# user name from the environment, fallback to git, fallback to the current user
+username=`whoami`
+name=${NAME}
+if [ "${name}" = "" ]; then
+   name=`git config user.name`
+fi
+if [ "${name}" = "" ]; then
+   name=`getent passwd $username`
+fi
+email=${EMAIL}
+if [ "${email}" = "" ]; then
+   email=`git config user.email`
+fi
+if [ "${email}" = "" ]; then
+   email=$username@`hostname`
+fi
+# rawhide >=2, branches 1.x
+cwd=$(pwd)
+if [ `basename ${cwd}` = master ]; then
+    release="2"
+else
+    release="1.0"
+fi
+version=${year}.${ckbi_version}
+
+#make sure the the current version is newer than what is already there
+current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
+if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
+   echo "Can't downgrade current version: ${current_version} new version: ${version}"
+   exit 1;
+fi
+
+# now get our new certdata.txt
+echo "Fetching new certdata.txt"
+wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
+if [ $? -ne 0 ]; then
+   echo fetching certdata.text from ${baseurl} failed!
+   echo " To restore the old certdata.txt use:"
+   echo "    git checkout -- certdata.txt"
+   exit 1;
+fi
+
+# Verify everything is good with the user
+echo -e "Upgrading ${current_version} -> ${version}:"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+./check_certs.sh
+echo ""
+
+yn=""
+if [ ! ${force} ]; then
+	echo -n "Do you want to continue (Y/N default Y)? "
+	read yn
+	echo ""
+fi
+if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
+    echo "Skipping ca-certificate.spec upgrade."
+    echo " NOTE: certdata.txt has been upgraded."
+    echo " To restore the old certdata.txt use:"
+    echo "    git checkout -- certdata.txt"
+    exit 1;
+fi
+
+echo "Updating .spec file"
+cat ca-certificates.spec | while IFS= read -r line
+do
+    echo $line | grep "^Version: " 1>&2
+    if [ $? -eq 0 ]; then
+	echo "Version: ${version}"
+	echo "New Version: ${version}" 1>&2
+	continue
+    fi
+    echo $line | grep "^Release: " 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "Release: ${release}%{?dist}"
+	echo "New Release: ${release}%{?dist}" 1>&2
+	continue
+    fi
+    echo $line | grep "^%changelog" 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "$line"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"  1>&2
+	./check_certs.sh
+       echo ""
+	continue
+    fi
+    echo "$line"
+done > /tmp/ca-certificates.spec.$$
+mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
+git status
+exit 0