From 6aec97d9bdcbb92ef912a60b86060f4bc6481b1a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Wed, 4 Dec 2019 10:53:31 +0100 Subject: [PATCH] certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER This allows to follow upcoming changes in certdata.txt: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 Signed-off-by: Daiki Ueno --- certdata2pem.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/certdata2pem.py b/certdata2pem.py index a4f38c2..a52ce9c 100644 --- a/certdata2pem.py +++ b/certdata2pem.py @@ -177,6 +177,11 @@ openssl_trust = { "CKA_TRUST_EMAIL_PROTECTION": "emailProtection", } +cert_distrust_types = { + "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after", + "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after", +} + for tobj in objects: if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': key = tobj['CKA_LABEL'] + printable_serial(tobj) @@ -369,6 +374,16 @@ for tobj in objects: f.write("nss-mozilla-ca-policy: true\n") f.write("modifiable: false\n"); + # requires p11-kit >= 0.23.19 + for t in list(cert_distrust_types.keys()): + if t in obj: + value = obj[t] + if value == 'CK_FALSE': + value = bytearray(1) + f.write(cert_distrust_types[t] + ": \"") + f.write(urllib.parse.quote(value)); + f.write("\"\n") + f.write("-----BEGIN CERTIFICATE-----\n") temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)