For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true

Set attribute modifiable: false Require p11-kit 0.23.4
2017-02-23 19:39:46 +01:00 · 2017-02-23 19:39:46 +01:00 · c1c275770a
commit c1c275770a
parent f0b0be2c1f
2 changed files with 13 additions and 5 deletions
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -38,7 +38,7 @@ Name: ca-certificates
 Version: 2017.2.11
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: Public Domain

 Group: System Environment/Base
@ -64,8 +64,8 @@ Source17: README.src

 BuildArch: noarch

-Requires: p11-kit >= 0.19.2
-Requires: p11-kit-trust >= 0.19.2
+Requires: p11-kit >= 0.23.4
+Requires: p11-kit-trust >= 0.23.4
 BuildRequires: perl
 BuildRequires: python
 BuildRequires: openssl
@ -352,6 +352,11 @@ fi


 %changelog
+* Thu Feb 23 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-5
+- For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
+- Set attribute modifiable: false
+- Require p11-kit 0.23.4
+
 * Mon Feb 13 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-4
 - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
  as a preparation to fix bugs in the interaction between p11-kit-trust and
--- a/certdata2pem.py
+++ b/certdata2pem.py
@ -122,6 +122,7 @@ def write_cert_ext_to_file(f, oid, value, public_key):
    f.write("class: x-certificate-extension\n");
    f.write("object-id: " + oid + "\n")
    f.write("value: \"" + value + "\"\n")
+    f.write("modifiable: false\n");
    f.write(public_key)

 trust_types = {
@ -346,8 +347,9 @@ for tobj in objects:
            else:
                f.write("trusted: false\n")

-            # enable the following line, after we have upgraded p11-kit-trust
-            # f.write("nss-mozilla-ca-policy: true\n")
+            # requires p11-kit >= 0.23.4
+            f.write("nss-mozilla-ca-policy: true\n")
+            f.write("modifiable: false\n");

            f.write("-----BEGIN CERTIFICATE-----\n")
            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
@ -362,6 +364,7 @@ for tobj in objects:
            f.write("\n")
            f.write("class: certificate\n")
            f.write("certificate-type: x-509\n")
+            f.write("modifiable: false\n");
            f.write("issuer: \"");
            f.write(urllib.quote(tobj['CKA_ISSUER']));
            f.write("\"\n")