For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true

Set attribute modifiable: false
Require p11-kit 0.23.4
Kai Engert 2017-02-23 19:39:46 +01:00
parent f0b0be2c1f
commit c1c275770a
2 changed files with 13 additions and 5 deletions


@ -38,7 +38,7 @@ Name: ca-certificates
Version: 2017.2.11 Version: 2017.2.11
# for Rawhide, please always use release >= 2 # for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 4%{?dist} Release: 5%{?dist}
License: Public Domain License: Public Domain
Group: System Environment/Base Group: System Environment/Base
@ -64,8 +64,8 @@ Source17: README.src
BuildArch: noarch BuildArch: noarch
Requires: p11-kit >= 0.19.2 Requires: p11-kit >= 0.23.4
Requires: p11-kit-trust >= 0.19.2 Requires: p11-kit-trust >= 0.23.4
BuildRequires: perl BuildRequires: perl
BuildRequires: python BuildRequires: python
BuildRequires: openssl BuildRequires: openssl
@ -352,6 +352,11 @@ fi
%changelog %changelog
* Thu Feb 23 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-5
- For CAs trusted by Mozilla, set attribute nss-mozilla-ca-policy: true
- Set attribute modifiable: false
- Require p11-kit 0.23.4
* Mon Feb 13 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-4 * Mon Feb 13 2017 Kai Engert <kaie@redhat.com> - 2017.2.11-4
- Changed the packaged bundle to use the flexible p11-kit-object-v1 file format, - Changed the packaged bundle to use the flexible p11-kit-object-v1 file format,
as a preparation to fix bugs in the interaction between p11-kit-trust and as a preparation to fix bugs in the interaction between p11-kit-trust and


@ -122,6 +122,7 @@ def write_cert_ext_to_file(f, oid, value, public_key):
f.write("class: x-certificate-extension\n"); f.write("class: x-certificate-extension\n");
f.write("object-id: " + oid + "\n") f.write("object-id: " + oid + "\n")
f.write("value: \"" + value + "\"\n") f.write("value: \"" + value + "\"\n")
f.write("modifiable: false\n");
f.write(public_key) f.write(public_key)
trust_types = { trust_types = {
@ -346,8 +347,9 @@ for tobj in objects:
else: else:
f.write("trusted: false\n") f.write("trusted: false\n")
# enable the following line, after we have upgraded p11-kit-trust # requires p11-kit >= 0.23.4
# f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n");
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
@ -362,6 +364,7 @@ for tobj in objects:
f.write("\n") f.write("\n")
f.write("class: certificate\n") f.write("class: certificate\n")
f.write("certificate-type: x-509\n") f.write("certificate-type: x-509\n")
f.write("modifiable: false\n");
f.write("issuer: \""); f.write("issuer: \"");
f.write(urllib.quote(tobj['CKA_ISSUER'])); f.write(urllib.quote(tobj['CKA_ISSUER']));
f.write("\"\n") f.write("\"\n")
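Review bot: In the `for tobj in objects:` hunk the new `f.write("nss-mozilla-ca-policy: true\n")` appears to sit after the `if`/`else` that emits `trusted: true` or `trusted: false`, so it is also written for objects on the `trusted: false` branch; the loop starts outside the hunk and indentation is lost in this view, so the exact nesting should be confirmed. If the attribute is meant to record provenance (every object taken from certdata, distrusted entries included) rather than trust, the comment should say so, e.g. `# requires p11-kit >= 0.23.4; marks the object as coming from Mozilla's CA list, independent of the trusted: flag above`; if it is meant only for trusted entries, the write belongs inside the `trusted: true` branch. The three added `f.write("modifiable: false\n");` lines carry a trailing semicolon that the neighbouring `f.write("object-id: " + oid + "\n")` and `nss-mozilla-ca-policy` lines do not; dropping it keeps the added lines consistent with each other. Since the same literal is now emitted in three places, a small helper or shared constant would keep the attribute text in one spot.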