From c1c275770a923610511be57f74b3a4468d0112a9 Mon Sep 17 00:00:00 2001 From: Kai Engert Date: Thu, 23 Feb 2017 19:39:46 +0100 Subject: [PATCH] For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true Set attribute modifiable: false Require p11-kit 0.23.4 --- ca-certificates.spec | 11 ++++++++--- certdata2pem.py | 7 +++++-- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/ca-certificates.spec b/ca-certificates.spec index 693e99a..ce5f043 100644 --- a/ca-certificates.spec +++ b/ca-certificates.spec @@ -38,7 +38,7 @@ Name: ca-certificates Version: 2017.2.11 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 4%{?dist} +Release: 5%{?dist} License: Public Domain Group: System Environment/Base @@ -64,8 +64,8 @@ Source17: README.src BuildArch: noarch -Requires: p11-kit >= 0.19.2 -Requires: p11-kit-trust >= 0.19.2 +Requires: p11-kit >= 0.23.4 +Requires: p11-kit-trust >= 0.23.4 BuildRequires: perl BuildRequires: python BuildRequires: openssl @@ -352,6 +352,11 @@ fi %changelog +* Thu Feb 23 2017 Kai Engert - 2017.2.11-5 +- For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true +- Set attribute modifiable: false +- Require p11-kit 0.23.4 + * Mon Feb 13 2017 Kai Engert - 2017.2.11-4 - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format, as a preparation to fix bugs in the interaction between p11-kit-trust and diff --git a/certdata2pem.py b/certdata2pem.py index db6090d..e63ca0f 100644 --- a/certdata2pem.py +++ b/certdata2pem.py @@ -122,6 +122,7 @@ def write_cert_ext_to_file(f, oid, value, public_key): f.write("class: x-certificate-extension\n"); f.write("object-id: " + oid + "\n") f.write("value: \"" + value + "\"\n") + f.write("modifiable: false\n"); f.write(public_key) trust_types = { @@ -346,8 +347,9 @@ for tobj in objects: else: f.write("trusted: false\n") - # enable the following line, after we have upgraded p11-kit-trust - # f.write("nss-mozilla-ca-policy: true\n") + # requires p11-kit >= 0.23.4 + f.write("nss-mozilla-ca-policy: true\n") + f.write("modifiable: false\n"); f.write("-----BEGIN CERTIFICATE-----\n") f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) @@ -362,6 +364,7 @@ for tobj in objects: f.write("\n") f.write("class: certificate\n") f.write("certificate-type: x-509\n") + f.write("modifiable: false\n"); f.write("issuer: \""); f.write(urllib.quote(tobj['CKA_ISSUER'])); f.write("\"\n")