Update to CKBI 2.6 from NSS 3.21 with legacy modifications

2015-11-23 17:51:07 +01:00 · 2015-11-23 17:51:07 +01:00 · da979a1a44
commit da979a1a44
parent 87f92384d1
4 changed files with 532 additions and 1387 deletions
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@ -36,7 +36,7 @@ Name: ca-certificates
 # to have increasing version numbers. However, the new scheme will work, 
 # because all future versions will start with 2013 or larger.)

-Version: 2015.2.5
+Version: 2015.2.6
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
 Release: 2%{?dist}
@ -376,6 +376,9 @@ fi


 %changelog
+* Mon Nov 23 2015 Kai Engert <kaie@redhat.com> - 2015.2.6-2
+- Update to CKBI 2.6 from NSS 3.21 with legacy modifications
+
 * Thu Aug 13 2015 Kai Engert <kaie@redhat.com> - 2015.2.5-2
 - Update to CKBI 2.5 from NSS 3.19.3 with legacy modifications

--- a/certdata.txt
+++ b/certdata.txt
--- a/diff-from-upstream-2.6.patch
+++ b/diff-from-upstream-2.6.patch
@ -1,5 +1,5 @@
--- certdata-2.5.txt	2015-08-04 20:56:09.774180992 +0200
-+++ certdata.txt	2015-08-13 22:34:08.128515054 +0200
+--- certdata-2.6.txt	2015-10-29 18:42:57.474411069 +0100
+++ certdata.txt	2015-11-23 17:00:44.364039599 +0100
@@ -23,100 +23,515 @@
 #  CKA_SUBJECT              DER+base64              (varies)
 #  CKA_ID                   byte array              (varies)
@ -516,7 +516,111 @@
 \164\151\146\151\143\141\164\145\040\101\165\164\150\157\162\151
 \164\171\060\201\237\060\015\006\011\052\206\110\206\367\015\001
 \001\001\005\000\003\201\215\000\060\201\211\002\201\201\000\301
-@@ -530,100 +945,103 @@
+@@ -140,100 +555,103 @@
+ \070\062\062\061\066\064\061\065\061\132\060\013\006\003\125\035
+ \017\004\004\003\002\001\006\060\037\006\003\125\035\043\004\030
+ \060\026\200\024\110\346\150\371\053\322\262\225\327\107\330\043
+ \040\020\117\063\230\220\237\324\060\035\006\003\125\035\016\004
+ \026\004\024\110\346\150\371\053\322\262\225\327\107\330\043\040
+ \020\117\063\230\220\237\324\060\014\006\003\125\035\023\004\005
+ \060\003\001\001\377\060\032\006\011\052\206\110\206\366\175\007
+ \101\000\004\015\060\013\033\005\126\063\056\060\143\003\002\006
+ \300\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000
+ \003\201\201\000\130\316\051\352\374\367\336\265\316\002\271\027
+ \265\205\321\271\343\340\225\314\045\061\015\000\246\222\156\177
+ \266\222\143\236\120\225\321\232\157\344\021\336\143\205\156\230
+ \356\250\377\132\310\323\125\262\146\161\127\336\300\041\353\075
+ \052\247\043\111\001\004\206\102\173\374\356\177\242\026\122\265
+ \147\147\323\100\333\073\046\130\262\050\167\075\256\024\167\141
+ \326\372\052\146\047\240\015\372\247\163\134\352\160\361\224\041
+ \145\104\137\372\374\357\051\150\251\242\207\171\357\171\357\117
+ \254\007\167\070
+ END
+ 
+ # Trust for Certificate "Equifax Secure CA"
+ # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+ # Serial Number: 903804111 (0x35def4cf)
+ # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+ # Not Valid Before: Sat Aug 22 16:41:51 1998
+ # Not Valid After : Wed Aug 22 16:41:51 2018
+ # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
+ # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+ CKA_MODIFIABLE CK_BBOOL CK_FALSE
+ CKA_LABEL UTF8 "Equifax Secure CA"
+ CKA_CERT_SHA1_HASH MULTILINE_OCTAL
+ \322\062\011\255\043\323\024\043\041\164\344\015\177\235\142\023
+ \227\206\143\072
+ END
+ CKA_CERT_MD5_HASH MULTILINE_OCTAL
+ \147\313\235\300\023\044\212\202\233\262\027\036\321\033\354\324
+ END
+ CKA_ISSUER MULTILINE_OCTAL
+ \060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+ \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+ \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+ \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+ \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\004\065\336\364\317
+ END
+LEGACY_CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+LEGACY_CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
+ # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+ # Serial Number: 1407252 (0x157914)
+ # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+ # Not Valid Before: Mon Feb 01 14:54:04 2010
+ # Not Valid After : Tue Sep 30 00:00:00 2014
+ # Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
+ # Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
+ CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+ CKA_MODIFIABLE CK_BBOOL CK_FALSE
+ CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements."
+ CKA_ISSUER MULTILINE_OCTAL
+ \060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
+ \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
+ \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
+ \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
+ \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
+ END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\003\025\171\024
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+ # Certificate "Verisign Class 3 Public Primary Certification Authority"
+ #
+ # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+ # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
+ # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
+ # Not Valid Before: Mon Jan 29 00:00:00 1996
+ # Not Valid After : Tue Aug 01 23:59:59 2028
+ # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
+ # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
+ CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
+ CKA_TOKEN CK_BBOOL CK_TRUE
+ CKA_PRIVATE CK_BBOOL CK_FALSE
+ CKA_MODIFIABLE CK_BBOOL CK_FALSE
+ CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
+ CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
+ CKA_SUBJECT MULTILINE_OCTAL
+@@ -284,100 +702,103 @@
 \005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326
 \254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071
 \357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254
@ -620,7 +724,7 @@
 \141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
 \156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
 \162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-@@ -824,100 +1242,103 @@
+@@ -578,100 +999,103 @@
 \005\005\000\003\201\201\000\162\056\371\177\321\361\161\373\304
 \236\366\305\136\121\212\100\230\270\150\370\233\034\203\330\342
 \235\275\377\355\241\346\146\352\057\011\364\312\327\352\245\053
@ -724,7 +828,7 @@
 \141\165\164\150\157\162\151\172\145\144\040\165\163\145\040\157
 \156\154\171\061\037\060\035\006\003\125\004\013\023\026\126\145
 \162\151\123\151\147\156\040\124\162\165\163\164\040\116\145\164
-@@ -971,100 +1392,103 @@
+@@ -725,100 +1149,103 @@
 \005\000\003\201\201\000\121\115\315\276\134\313\230\031\234\025
 \262\001\071\170\056\115\017\147\160\160\231\306\020\132\224\244
 \123\115\124\155\053\257\015\135\100\213\144\323\327\356\336\126
@ -828,7 +932,7 @@
 \055\163\141\061\020\060\016\006\003\125\004\013\023\007\122\157
 \157\164\040\103\101\061\033\060\031\006\003\125\004\003\023\022
 \107\154\157\142\141\154\123\151\147\156\040\122\157\157\164\040
-@@ -1240,100 +1664,520 @@
+@@ -994,100 +1421,520 @@
 \333\335\161\064\032\301\124\332\106\077\340\323\052\253\155\124
 \042\365\072\142\315\040\157\272\051\211\327\335\221\356\323\134
 \242\076\241\133\101\365\337\345\144\103\055\351\325\071\253\322
@ -1349,32 +1453,32 @@
 \002\021\000\213\133\165\126\204\124\205\013\000\317\257\070\110
 \316\261\244
 END
-@@ -2008,100 +2852,274 @@
- \154\273\322\036\000\260\041\355\370\101\142\202\271\330\262\304
- \273\106\120\363\061\305\217\001\250\164\353\365\170\047\332\347
- \367\146\103\363\236\203\076\040\252\303\065\140\221\316
+@@ -1598,100 +2445,274 @@
+ \040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
+ \165\164\150\157\162\151\164\171\040\055\040\107\063
 END
+ CKA_SERIAL_NUMBER MULTILINE_OCTAL
+ \002\020\076\014\236\207\151\252\225\134\352\043\330\105\236\324
+ \133\121
+ END
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
- # Trust for Certificate "Verisign Class 4 Public Primary Certification Authority - G3"
- # Issuer: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Serial Number:00:ec:a0:a7:8b:6e:75:6a:01:cf:c4:7c:cc:2f:94:5e:d7
- # Subject: CN=VeriSign Class 4 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
- # Not Valid Before: Fri Oct 01 00:00:00 1999
- # Not Valid After : Wed Jul 16 23:59:59 2036
- # Fingerprint (MD5): DB:C8:F2:27:2E:B1:EA:6A:29:23:5D:FE:56:3E:33:DF
- # Fingerprint (SHA1): C8:EC:8C:87:92:69:CB:4B:AB:39:E9:8D:7E:57:67:F3:14:95:73:9D
+ # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
+ # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+ # Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
+ # Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
+ # Not Valid Before: Sun May 18 00:00:00 2008
+ # Not Valid After : Thu May 17 23:59:59 2018
+ # Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
+ # Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
- CKA_LABEL UTF8 "Verisign Class 4 Public Primary Certification Authority - G3"
- CKA_CERT_SHA1_HASH MULTILINE_OCTAL
- \310\354\214\207\222\151\313\113\253\071\351\215\176\127\147\363
- \024\225\163\235
- END
- CKA_CERT_MD5_HASH MULTILINE_OCTAL
- \333\310\362\047\056\261\352\152\051\043\135\376\126\076\063\337
- END
+ CKA_LABEL UTF8 "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
 CKA_ISSUER MULTILINE_OCTAL
 \060\201\312\061\013\060\011\006\003\125\004\006\023\002\125\123
 \061\027\060\025\006\003\125\004\012\023\016\126\145\162\151\123
@ -1386,17 +1490,17 @@
 \157\162\040\141\165\164\150\157\162\151\172\145\144\040\165\163
 \145\040\157\156\154\171\061\105\060\103\006\003\125\004\003\023
 \074\126\145\162\151\123\151\147\156\040\103\154\141\163\163\040
- \064\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
+ \063\040\120\165\142\154\151\143\040\120\162\151\155\141\162\171
 \040\103\145\162\164\151\146\151\143\141\164\151\157\156\040\101
 \165\164\150\157\162\151\164\171\040\055\040\107\063
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
- \002\021\000\354\240\247\213\156\165\152\001\317\304\174\314\057
- \224\136\327
+ \002\020\022\275\046\242\256\063\300\177\044\173\152\130\151\362
+ \012\166
 END
- CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
@ -1624,7 +1728,7 @@
 CKA_VALUE MULTILINE_OCTAL
 \060\202\004\052\060\202\003\022\240\003\002\001\002\002\004\070
 \143\336\370\060\015\006\011\052\206\110\206\367\015\001\001\005
-@@ -2410,100 +3428,103 @@
+@@ -2000,100 +3021,103 @@
 \305\310\303\141\002\003\001\000\001\243\146\060\144\060\021\006
 \011\140\206\110\001\206\370\102\001\001\004\004\003\002\000\007
 \060\017\006\003\125\035\023\001\001\377\004\005\060\003\001\001
@ -1728,7 +1832,7 @@
 \006\003\125\004\003\023\035\105\161\165\151\146\141\170\040\123
 \145\143\165\162\145\040\145\102\165\163\151\156\145\163\163\040
 \103\101\055\061\060\036\027\015\071\071\060\066\062\061\060\064
-@@ -2526,100 +3547,103 @@
+@@ -2116,100 +3140,103 @@
 \022\173\376\217\246\003\002\003\001\000\001\243\146\060\144\060
 \021\006\011\140\206\110\001\206\370\102\001\001\004\004\003\002
 \000\007\060\017\006\003\125\035\023\001\001\377\004\005\060\003
@ -1832,7 +1936,7 @@
 \060\022\006\003\125\004\012\023\013\101\144\144\124\162\165\163
 \164\040\101\102\061\035\060\033\006\003\125\004\013\023\024\101
 \144\144\124\162\165\163\164\040\124\124\120\040\116\145\164\167
-@@ -7415,100 +8439,103 @@
+@@ -6682,100 +7709,103 @@
 \164\164\160\163\072\057\057\167\167\167\056\156\145\164\154\157
 \143\153\056\156\145\164\057\144\157\143\163\040\157\162\040\142
 \171\040\145\055\155\141\151\154\040\141\164\040\143\160\163\100
@ -1936,7 +2040,7 @@
 \002\001\150
 END
 CKA_VALUE MULTILINE_OCTAL
-@@ -7588,100 +8615,103 @@
+@@ -6855,100 +7885,103 @@
 \145\164\154\157\143\153\056\156\145\164\057\144\157\143\163\040
 \157\162\040\142\171\040\145\055\155\141\151\154\040\141\164\040
 \143\160\163\100\156\145\164\154\157\143\153\056\156\145\164\056
@ -2040,7 +2144,7 @@
 END
 CKA_VALUE MULTILINE_OCTAL
 \060\202\004\060\060\202\003\030\240\003\002\001\002\002\020\120
-@@ -16556,100 +17586,103 @@
+@@ -15659,100 +16692,103 @@
 \005\252\354\003\037\170\177\236\223\271\232\000\252\043\175\326
 \254\205\242\143\105\307\162\047\314\364\114\306\165\161\322\071
 \357\117\102\360\165\337\012\220\306\216\040\157\230\017\370\254
--- a/nssckbi.h
+++ b/nssckbi.h
@ -45,8 +45,8 @@
 * of the comment in the CK_VERSION type definition.
 */
 #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 5
-#define NSS_BUILTINS_LIBRARY_VERSION "2.5"
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 6
+#define NSS_BUILTINS_LIBRARY_VERSION "2.6"

 /* These version numbers detail the semantic changes to the ckfw engine. */
 #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1