certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER

This allows to follow upcoming changes in certdata.txt: https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2019-12-04 10:53:31 +01:00 · 2019-12-04 10:53:31 +01:00 · 6aec97d9bd
commit 6aec97d9bd
parent 8702798203
1 changed files with 15 additions and 0 deletions
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -177,6 +177,11 @@ openssl_trust = {
  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }

+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
            f.write("nss-mozilla-ca-policy: true\n")
            f.write("modifiable: false\n");

+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
            f.write("-----BEGIN CERTIFICATE-----\n")
            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)