From b2e71a9f9a025394206bccc167bf321b48dabf29 Mon Sep 17 00:00:00 2001
From: Kai Engert
Date: Mon, 22 Apr 2013 14:58:59 +0200
Subject: [PATCH] * Mon Apr 22 2013 Kai Engert - 2012.87-12
- Use both label and serial to identify cert during conversion, rhbz#927601
- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
 (thanks to Michael Shuler for suggesting to do so)
- Update source URLs and comments, add source file for version information.
---
 ca-certificates.spec | 35 ++++++++++++++++----------
 certdata2pem.py | 23 ++++++++++-------
 nssckbi.h | 60 ++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 96 insertions(+), 22 deletions(-)
 create mode 100644 nssckbi.h
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 0f2283d..cab7ff6 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -12,13 +12,13 @@ Name: ca-certificates
 # For the package version number, we use: year.{upstream version}
 #
 # The {upstream version} can be found as symbol NSS_BUILTINS_LIBRARY_VERSION at
-# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/nssckbi.h
+# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
 # which corresponds to
-# http://hg.mozilla.org/projects/nss/file/default/lib/ckfw/builtins/certdata.txt
+# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
 # (these revisions are the tip of development and might be unreleased).
 # For the latest release used in RTM versions of Mozilla Firefox, check:
-# https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-# https://hg.mozilla.org/releases/mozilla-release/file/default/security/nss/lib/ckfw/builtins/certdata.txt
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 #
 # (until 2012.87 the version was based on the cvs revision ID of certdata.txt,
 # but in 2013 the NSS projected was migrated to HG. Old version 2012.87 is
@@ -27,16 +27,18 @@ Name: ca-certificates
 # because all future versions will start with 2013 or larger.)
 Version: 2012.87
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Public Domain
 Group: System Environment/Base
 URL: http://www.mozilla.org/
+#Please always update both certdata.txt and nssckbi.h
 Source0: certdata.txt
-Source1: update-ca-trust
-Source2: trust-fixes
-Source3: certdata2pem.py
+Source1: nssckbi.h
+Source2: update-ca-trust
+Source3: trust-fixes
+Source4: certdata2pem.py
 Source11: README.usr
 Source12: README.etc
 Source13: README.extr
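Review bot: The new `#Please always update both certdata.txt and nssckbi.h` comment in the -27 hunk is the only thing tying Source0 and Source1 together; the bundle's version stamp now comes from nssckbi.h while its certificates come from certdata.txt, and nothing in the spec checks that the two snapshots belong to the same NSS changeset, so a stale Source1 would label the bundle with a version it does not actually contain. At minimum make the expectation explicit in the comment, e.g. `# Source0 and Source1 must be fetched from the same NSS changeset (see the URLs above); the bundle header records the version found in Source1`. Recording the hg changeset id of that fetch in the comment when the sources are refreshed would let a reviewer verify the pairing without re-downloading.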
@@ -68,7 +70,7 @@ mkdir %{name}/java
 pushd %{name}/certs
 pwd
 cp %{SOURCE0} .
- python %{SOURCE3} >c2p.log 2>c2p.err
+ python %{SOURCE4} >c2p.log 2>c2p.err
 popd
 pushd %{name}
 (
@@ -78,11 +80,12 @@ pushd %{name}
 # These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
 # format and have trust bits set accordingly.
 #
-# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+# Source: nss/lib/ckfw/builtins/certdata.txt
+# Source: nss/lib/ckfw/builtins/nssckbi.h
 #
 # Generated from:
 EOF
- ident -q %{SOURCE0} | sed '1d;s/^/#/';
+ cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
 echo '#';
 ) > %{trusted_all_bundle}
 for f in certs/*.crt; do
@@ -112,7 +115,7 @@ EOF
 cat "$p" >> %{bundle_supplement}
 done
 # Append our trust fixes
- cat %{SOURCE2} >> %{bundle_supplement}
+ cat %{SOURCE3} >> %{bundle_supplement}
 popd
@@ -150,7 +153,7 @@ touch -r %{SOURCE0} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{bundle_supp
 # TODO: consider to dynamically create the update-ca-trust script from within
 # this .spec file, in order to have the output file+directory names at once place only.
-install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
+install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_bindir}/update-ca-trust
 # touch ghosted files that will be extracted dynamically
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/tls-ca-bundle.pem
@@ -271,6 +274,12 @@ fi
 %changelog
+* Mon Apr 22 2013 Kai Engert - 2012.87-12
+- Use both label and serial to identify cert during conversion, rhbz#927601
+- Add myself as contributor to certdata2.pem.py and remove use of rcs/ident.
+ (thanks to Michael Shuler for suggesting to do so)
+- Update source URLs and comments, add source file for version information.
+
 * Tue Mar 19 2013 Kai Engert - 2012.87-11
 - adjust to changed and new functionality provided by p11-kit 0.17.3
 - updated READMEs to describe the new directory-specific treatment of files
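Review bot: In the -78 hunk the provenance line is produced by `cat %{SOURCE1} |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';` inside the `( ... ) > %{trusted_all_bundle}` group, so if the grep matches nothing (a future nssckbi.h that renames or reformats the macro) the pipeline's status is awk's, the bundle is written with no version line at all, and the build still succeeds. Capture the match and fail when it is empty, e.g. `ver=$(grep -w NSS_BUILTINS_LIBRARY_VERSION %{SOURCE1}) || exit 1` followed by `echo "$ver" | awk '{print "# " $2 " " $3}';`, which also drops the redundant cat. A bundle that is shipped without its version stamp is hard to audit later, so this is worth being strict about at build time. The ( ... ) group that this pipeline runs in is opened in the preceding -68 hunk.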
diff --git a/certdata2pem.py b/certdata2pem.py
index b52e031..230298f 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -4,6 +4,7 @@
 # certdata2pem.py - splits certdata.txt into multiple files
 #
 # Copyright (C) 2009 Philipp Kern
+# Copyright (C) 2013 Kai Engert
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -29,6 +30,9 @@ import urllib
 objects = []
+def printable_serial(obj):
+ return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+
 # Dirty file parser.
 in_data, in_multiline, in_obj = False, False, False
 field, type, value, obj = None, None, None, dict()
@@ -85,18 +89,18 @@ trustmap = dict()
 for obj in objects:
 if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
 continue
- label = obj['CKA_LABEL']
- trustmap[label] = obj
- print " added trust", label
+ key = obj['CKA_LABEL'] + printable_serial(obj)
+ trustmap[key] = obj
+ print " added trust", key
 # Build up cert database.
 certmap = dict()
 for obj in objects:
 if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
 continue
- label = obj['CKA_LABEL']
- certmap[label] = obj
- print " added cert", label
+ key = obj['CKA_LABEL'] + printable_serial(obj)
+ certmap[key] = obj
+ print " added cert", key
 def obj_to_filename(obj):
 label = obj['CKA_LABEL'][1:-1]
@@ -106,7 +110,7 @@ def obj_to_filename(obj):
 .replace(')', '=')\
 .replace(',', '_')
 label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
- serial = ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+ serial = printable_serial(obj)
 return label + ":" + serial
 trust_types = {
@@ -137,7 +141,8 @@ openssl_trust = {
 for tobj in objects:
 if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
- print "producing trust for " + tobj['CKA_LABEL']
+ key = tobj['CKA_LABEL'] + printable_serial(tobj)
+ print "producing trust for " + key
 trustbits = []
 distrustbits = []
 openssl_trustflags = []
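Review bot: printable_serial in the -29 hunk has no docstring, and a reader has to work out from the ord() call that it renders each character of obj['CKA_SERIAL_NUMBER'] as its decimal code point, dot-joined, to serve as a stable disambiguator for certs sharing a label. Suggest `"""Return obj['CKA_SERIAL_NUMBER'] as a dot-separated string of per-byte decimal values; used to tell apart objects that share a CKA_LABEL."""` as the docstring. The body reads more naturally as a generator expression, `return ".".join(str(ord(x)) for x in obj['CKA_SERIAL_NUMBER'])`, than as map over a lambda, and it should be separated from `objects = []` by the usual two blank lines (whitespace is not visible in this rendering, so this may already be the case).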
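Review bot: The dictionary key is assembled inline as `obj['CKA_LABEL'] + printable_serial(obj)` for trustmap in the -85 hunk, again for certmap a few lines below, and a third time as `tobj['CKA_LABEL'] + printable_serial(tobj)` in the -137 hunk; if any one of the three drifts the certmap lookup misses and the trust object is silently paired with obj = None (the -154 hunk). Factor the key into a single helper beside printable_serial, e.g. `def obj_key(obj): return obj['CKA_LABEL'] + ":" + printable_serial(obj)`, and use `key = obj_key(obj)` at all three sites; the label appears to keep its surrounding quotes (obj_to_filename strips them with [1:-1]), so the concatenation is unambiguous today, but an explicit separator also makes the "added trust"/"added cert" log lines readable. Keying on label plus serial does close the duplicate-label collision from rhbz#927601; note that a certificate's identity per X.509 is issuer plus serial, so if the parser retains CKA_ISSUER that pair would be the more principled key, though label plus serial is adequate unless two roots share both.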
@@ -154,7 +159,7 @@ for tobj in objects:
 fname = obj_to_filename(tobj)
 try:
- obj = certmap[tobj['CKA_LABEL']]
+ obj = certmap[key]
 except:
 obj = None
diff --git a/nssckbi.h b/nssckbi.h
new file mode 100644
index 0000000..d3f10ef
--- /dev/null
+++ b/nssckbi.h
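Review bot: The new `obj = certmap[key]` lookup sits under a pre-existing bare `except:` that maps every failure, not just a missing entry, to obj = None; in particular a NameError on key (it is assigned in the CKO_NSS_TRUST branch of the -137 hunk, and this lookup appears to be in the same branch, though indentation is not visible here) would be hidden exactly like a genuine miss. Narrow it to `except KeyError:` so only an absent certificate yields None, and make the miss visible in c2p.log rather than silent, e.g. `print "no certificate found for trust", key` in the handler, since a trust entry that cannot be matched to its certificate is precisely the condition rhbz#927601 was about. The enclosing for loop begins outside the hunk.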
@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+ * NSS BUILTINS Version numbers.
+ *
+ * These are the version numbers for the builtins module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+ * for each NSS minor release AND whenever we change the list of
+ * trusted certificates. 10 minor versions are allocated for each
+ * NSS 3.x branch as follows, allowing us to change the list of
+ * trusted certificates up to 9 times on each branch.
+ * - NSS 3.5 branch: 3-9
+ * - NSS 3.6 branch: 10-19
+ * - NSS 3.7 branch: 20-29
+ * - NSS 3.8 branch: 30-39
+ * - NSS 3.9 branch: 40-49
+ * - NSS 3.10 branch: 50-59
+ * - NSS 3.11 branch: 60-69
+ * ...
+ * - NSS 3.12 branch: 70-89
+ * - NSS 3.13 branch: 90-99
+ * - NSS 3.14 branch: 100-109
+ * ...
+ * - NSS 3.29 branch: 250-255
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE. It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 94
+#define NSS_BUILTINS_LIBRARY_VERSION "1.94"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself
+ * (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */