.ca-certificates.metadata

@@ -1 +0,0 @@
-adc83b19e793491b1c6ea0fd8b46cd9f32e592fc SOURCES/trust-fixes

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,9 @@
-SOURCES/trust-fixes
+*.rpm
+noarch
+clog
+/.*build.log
+/ca-certificates
+certdata.txt.orig
+codesign-release.txt
+microsoft_sign_obj_ca.pem
+

README.etcssl

@@ -0,0 +1,20 @@
+This directory (/etc/ssl) is provided as a courtesy attempt to provide
+compatibility with software which assumes its existence. It is not a
+supported or canonical location. Software which assumes and relies on
+the existence and layout of this directory is making a wrong assumption
+(this directory is not any kind of 'standard', it is a configuration
+detail of Debian and its derivatives) and should be improved. No
+software packaged in this distribution should use this directory.
+
+An attempt is made to make the layout of /etc/ssl/certs match that
+provided by Debian: it is an OpenSSL 'CApath'-style hashed directory
+of individual certificate files, and also contains a certificate bundle
+file named ca-certificates.crt, as Debian does. It also contains a
+bundle named ca-bundle.crt, as this distribution has long provided
+such a file, and it is possible some software has come to expect its
+existence.
+
+/etc/ssl/certs itself and the bundle files are in fact symlinks to
+some of the output of the 'update-ca-trust' script which forms a part
+of a system of consolidated CA certificates. Please refer to the
+update-ca-trust(8) manual page for additional information.

SOURCES/update-ca-trust

@@ -1,22 +0,0 @@
-#!/bin/sh
-
-#set -vx
-
-# At this time, while this script is trivial, we ignore any parameters given.
-# However, for backwards compatibility reasons, future versions of this script must 
-# support the syntax "update-ca-trust extract" trigger the generation of output 
-# files in $DEST.
-
-DEST=/etc/pki/ca-trust/extracted
-
-# Prevent p11-kit from reading user configuration files.
-export P11_KIT_NO_USER_CONFIG=1
-
-# OpenSSL PEM bundle that includes trust flags
-# (BEGIN TRUSTED CERTIFICATE)
-/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
-/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
-/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
-/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin

ca-certificates.spec

@@ -1,7 +1,6 @@
 %define pkidir %{_sysconfdir}/pki
 %define catrustdir %{_sysconfdir}/pki/ca-trust
 %define classic_tls_bundle ca-bundle.crt
-%define openssl_format_trust_bundle ca-bundle.trust.crt
 %define p11_format_bundle ca-bundle.trust.p11-kit
 %define legacy_default_bundle ca-bundle.legacy.default.crt
 %define legacy_disable_bundle ca-bundle.legacy.disable.crt
@@ -36,13 +35,11 @@ Name: ca-certificates
 # because all future versions will start with 2013 or larger.)
 
 Version: 2024.2.69_v8.0.303
-# On RHEL 8.x, please keep the release version >= 80
-# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
-# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
-Release: 80.0%{?dist}
-License: Public Domain
+# for Rawhide, please always use release >= 2
+# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
+Release: 102.3%{?dist}
+License: MIT AND GPL-2.0-or-later
 
-Group: System Environment/Base
 URL: https://fedoraproject.org/wiki/CA-Certificates
 
 #Please always update both certdata.txt and nssckbi.h
@@ -63,26 +60,26 @@ Source15: README.openssl
 Source16: README.pem
 Source17: README.edk2
 Source18: README.src
+Source19: README.etcssl
 
 BuildArch: noarch
 
 Requires(post): bash
+Requires(post): findutils
 Requires(post): grep
 Requires(post): sed
 Requires(post): coreutils
 Requires: bash
 Requires: grep
 Requires: sed
-Requires(post): p11-kit >= 0.23.12
-Requires(post): p11-kit-trust >= 0.23.12
-Requires: p11-kit >= 0.23.12
-Requires: p11-kit-trust >= 0.23.12
+Requires(post): p11-kit-trust >= 0.24
+Requires: p11-kit-trust >= 0.24
 
 BuildRequires: perl-interpreter
-BuildRequires: python3-devel
+BuildRequires: python3
 BuildRequires: openssl
 BuildRequires: asciidoc
-BuildRequires: libxslt
+BuildRequires: xmlto
 
 %description
 This package contains the set of CA certificates chosen by the
@@ -100,7 +97,7 @@ mkdir %{name}/java
 pushd %{name}/certs
  pwd
  cp %{SOURCE0} .
- %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
+ python3 %{SOURCE4} >c2p.log 2>c2p.err
 popd
 pushd %{name}
  (
@@ -171,12 +168,12 @@ popd
 
 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
-xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
+asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
+xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
 
 cp %{SOURCE9} %{name}/ca-legacy.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
-xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
+asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
+xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
 
 
 %install
@@ -186,15 +183,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
+mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
+mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@@ -209,6 +207,7 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/REA
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
+install -p -m 644 %{SOURCE19} $RPM_BUILD_ROOT%{_sysconfdir}/ssl/README
 
 install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
 
@@ -236,29 +235,84 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/email-ca-bundle.pem
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
-chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 
-# /etc/ssl/certs symlink for 3rd-party tools
-ln -s ../pki/tls/certs \
+# Populate %%{catrustdir}/extracted/pem/directory-hash.
+#
+# First direct p11-kit-trust.so to the generated bundle (not the one
+# already present on the build system) with an overriding module
+# config. Note that we have to use a different config path based on
+# the current user: if root, ~/.config/pkcs11/modules/* are not read,
+# while if a regular user, she can't write to /etc.
+if test "$(id -u)" -eq 0; then
+   trust_module_dir=/etc/pkcs11/modules
+else
+   trust_module_dir=$HOME/.config/pkcs11/modules
+fi
+
+mkdir -p "$trust_module_dir"
+
+# It is unlikely that the directory would contain any files on a build system,
+# but let's make sure just in case.
+if [ -n "$(ls -A "$trust_module_dir")" ]; then
+        echo "Directory $trust_module_dir is not empty. Aborting build!"
+        exit 1
+fi
+
+trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
+cat >"$trust_module_config" <<EOF
+module: p11-kit-trust.so
+trust-policy: yes
+x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
+EOF
+
+# Extract the trust anchors to the directory-hash format.
+trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
+              --purpose server-auth \
+              $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+
+# Clean up the temporary module config.
+rm -f "$trust_module_config"
+
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type l \
+     -regextype posix-extended -regex '.*/[0-9a-f]{8}\.[0-9]+' \
+     -exec cp -P {} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ \;
+# Create a temporary file with the list of (%ghost )files in the directory-hash and their copies
+find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
+find $RPM_BUILD_ROOT%{pkidir}/tls/certs -type l -regextype posix-extended \
+     -regex '.*/[0-9a-f]{8}\.[0-9]+' >> .files.txt
+
+sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
+
+# /etc/ssl is provided in a Debian compatible form for (bad) code that
+# expects it: https://bugzilla.redhat.com/show_bug.cgi?id=1053882
+ln -s %{pkidir}/tls/certs \
     $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
+ln -s /etc/pki/tls/openssl.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
+ln -s /etc/pki/tls/ct_log_list.cnf \
+    $RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
 # legacy filenames
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
-ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
-    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
     $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
+ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
+    $RPM_BUILD_ROOT%{pkidir}/tls/certs/%{classic_tls_bundle}
 
+%clean
+/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
+rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 -gt 1 ] ; then
+  # Remove the old symlinks
+  rm -f %{pkidir}/tls/cert.pem
+  rm -f %{pkidir}/tls/certs/ca-bundle.trust.crt
+
   # Upgrade or Downgrade.
   # If the classic filename is a regular file, then we are upgrading
   # from an old package and we will move it to an .rpmsave backup file.
@@ -290,19 +344,9 @@ if [ $1 -gt 1 ] ; then
       fi
     fi
   fi
-
-  if ! test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave; then
-    # no backup yet
-    if test -e %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-      # a file exists
-      if ! test -L %{pkidir}/tls/certs/%{openssl_format_trust_bundle}; then
-        # it's an old regular file, not a link
-        mv -f %{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}.rpmsave
-      fi
-    fi
-  fi
 fi
 
+
 %post
 #if [ $1 -gt 1 ] ; then
 #  # when upgrading or downgrading
@@ -328,9 +372,8 @@ fi
 %{_bindir}/ca-legacy install
 %{_bindir}/update-ca-trust
 
-%files
-%defattr(-,root,root,-)
-
+# The file .files.txt contains the list of (%ghost )files in the directory-hash
+%files -f .files.txt
 %dir %{_sysconfdir}/ssl
 %dir %{pkidir}/tls
 %dir %{pkidir}/tls/certs
@@ -338,7 +381,7 @@ fi
 %dir %{catrustdir}
 %dir %{catrustdir}/source
 %dir %{catrustdir}/source/anchors
-%dir %{catrustdir}/source/blacklist
+%dir %{catrustdir}/source/blocklist
 %dir %{catrustdir}/extracted
 %dir %{catrustdir}/extracted/pem
 %dir %{catrustdir}/extracted/openssl
@@ -346,8 +389,9 @@ fi
 %dir %{_datadir}/pki
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
-%dir %{_datadir}/pki/ca-trust-source/blacklist
+%dir %{_datadir}/pki/ca-trust-source/blocklist
 %dir %{_datadir}/pki/ca-trust-legacy
+%dir %{catrustdir}/extracted/pem/directory-hash
 
 %config(noreplace) %{catrustdir}/ca-legacy.conf
 
@@ -363,14 +407,17 @@ fi
 %{catrustdir}/source/README
 
 # symlinks for old locations
-%{pkidir}/tls/cert.pem
 %{pkidir}/tls/certs/%{classic_tls_bundle}
-%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 %{pkidir}/%{java_bundle}
-# symlink directory
+# Hybrid hash directory with bundle file for Debian compatibility
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1053882
 %{_sysconfdir}/ssl/certs
+%{_sysconfdir}/ssl/README
+%{_sysconfdir}/ssl/cert.pem
+%{_sysconfdir}/ssl/openssl.cnf
+%{_sysconfdir}/ssl/ct_log_list.cnf
 
-# master bundle file with trust
+# primary bundle file with trust
 %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
 
 %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@@ -383,41 +430,53 @@ fi
 %ghost %{catrustdir}/extracted/pem/tls-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/email-ca-bundle.pem
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
-%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
 %ghost %{catrustdir}/extracted/edk2/cacerts.bin
 
-
 %changelog
-*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2024.2.69_v8.0.303-102.3
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+*Fri Sep 27 2024 Michel Lind <salimma@centosproject.org> - 2024.2.69_v8.0.303-101.3
+- Add missing Requires(post) on findutils for update-ca-trust
+- Resolves: RHEL-60723
+
+*Wed Aug 28 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.2
+- update-ca-trust: copy directory-hash symlinks to /etc/pki/tls/certs
+- Remove /etc/pki/tls/cert.pem symlink so that it isn't loaded by default
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- update-ca-trust: return warnings on a unsupported argument instead of error
+
+*Tue Aug 27 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- Temporarily generate the directory-hash files in %%install ...(next item)
+- Add list of ghost files from directory-hash to %%files
+
+*Mon Aug 19 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- remove base-ci.* tests from gating.yaml
+
+*Thu Jul 18 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101.1
+- Remove blacklist use blocklist-only.
+- add gating.yaml
+
+*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-101
 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
+-    GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
+
+Wed Jul 03 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-101
+- Update to CKBI 2.68_v8.0.302 from NSS 3.101
 -    Removing:
 -     # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
 -     # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "Security Communication Root CA"
--     # Certificate "Camerfirma Chambers of Commerce Root"
--     # Certificate "Hongkong Post Root CA 1"
 -     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
 -     # Certificate "Symantec Class 1 Public Primary Certification Authority - G6"
 -     # Certificate "Symantec Class 2 Public Primary Certification Authority - G6"
 -     # Certificate "TrustCor RootCert CA-1"
 -     # Certificate "TrustCor RootCert CA-2"
 -     # Certificate "TrustCor ECA-1"
--     # Certificate "FNMT-RCM"
 -    Adding:
--     # Certificate "LAWtrust Root CA2 (4096)"
--     # Certificate "Sectigo Public Email Protection Root E46"
--     # Certificate "Sectigo Public Email Protection Root R46"
--     # Certificate "Sectigo Public Server Authentication Root E46"
--     # Certificate "Sectigo Public Server Authentication Root R46"
--     # Certificate "SSL.com TLS RSA Root CA 2022"
--     # Certificate "SSL.com TLS ECC Root CA 2022"
--     # Certificate "SSL.com Client ECC Root CA 2022"
--     # Certificate "SSL.com Client RSA Root CA 2022"
--     # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
--     # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
--     # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
--     # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
 -     # Certificate "TrustAsia Global Root CA G3"
 -     # Certificate "TrustAsia Global Root CA G4"
 -     # Certificate "CommScope Public Trust ECC Root-01"
@@ -432,16 +491,56 @@ fi
 -     # Certificate "Telekom Security TLS RSA Root 2023"
 -     # Certificate "FIRMAPROFESIONAL CA ROOT-A WEB"
 -     # Certificate "SECOM Trust.net"
--     # Certificate "Chambers of Commerce Root"
 -     # Certificate "VeriSign Class 2 Public Primary Certification Authority - G3"
 -     # Certificate "SSL.com Code Signing RSA Root CA 2022"
 -     # Certificate "SSL.com Code Signing ECC Root CA 2022"
 
-*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2023.2.62_v7.0.401-7
+- Bump release for June 2024 mass rebuild
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2023.2.62_v7.0.401-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-4
+- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
+
+* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2023.2.62_v7.0.401-3
+- Skip %post if getopt is missing (recent change made update-ca-trust use it)
+
+*Wed Oct 04 2023 Robert Relyea <rrelyea@redhat.com> 2023.2.62_v7.0.401-2
+ - Update to CKBI 2.62_v7.0.401 from NSS 3.93
+   Removing: 
+    # Certificate "Camerfirma Chambers of Commerce Root"
+    # Certificate "Hongkong Post Root CA 1"
+    # Certificate "FNMT-RCM"
+   Adding: 
+    # Certificate "LAWtrust Root CA2 (4096)"
+    # Certificate "Sectigo Public Email Protection Root E46"
+    # Certificate "Sectigo Public Email Protection Root R46"
+    # Certificate "Sectigo Public Server Authentication Root E46"
+    # Certificate "Sectigo Public Server Authentication Root R46"
+    # Certificate "SSL.com TLS RSA Root CA 2022"
+    # Certificate "SSL.com TLS ECC Root CA 2022"
+    # Certificate "SSL.com Client ECC Root CA 2022"
+    # Certificate "SSL.com Client RSA Root CA 2022"
+    # Certificate "Atos TrustedRoot Root CA ECC G2 2020"
+    # Certificate "Atos TrustedRoot Root CA RSA G2 2020"
+    # Certificate "Atos TrustedRoot Root CA ECC TLS 2021"
+    # Certificate "Atos TrustedRoot Root CA RSA TLS 2021"
+    # Certificate "Chambers of Commerce Root"
+
+* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2023.2.60_v7.0.306-4
+- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
+
+*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-3
+- update License: field to SPDX
+
+*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-2
 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
 -    Removing:
--     # Certificate "Camerfirma Global Chambersign Root"
--     # Certificate "Staat der Nederlanden EV Root CA"
 -     # Certificate "OpenTrust Root CA G1"
 -     # Certificate "Swedish Government Root Authority v1"
 -     # Certificate "DigiNotar Root CA G2"
@@ -476,16 +575,6 @@ fi
 -     # Certificate "Entrust.net Secure Server Certification Authority"
 -     # Certificate "ePKI EV SSL Certification Authority - G1"
 -    Adding:
--     # Certificate "DigiCert TLS ECC P384 Root G5"
--     # Certificate "DigiCert TLS RSA4096 Root G5"
--     # Certificate "DigiCert SMIME ECC P384 Root G5"
--     # Certificate "DigiCert SMIME RSA4096 Root G5"
--     # Certificate "Certainly Root R1"
--     # Certificate "Certainly Root E1"
--     # Certificate "E-Tugra Global Root CA RSA v3"
--     # Certificate "E-Tugra Global Root CA ECC v3"
--     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
--     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
 -     # Certificate "BJCA Global Root CA1"
 -     # Certificate "BJCA Global Root CA2"
 -     # Certificate "Symantec Enterprise Mobile Root for Microsoft"
@@ -502,7 +591,6 @@ fi
 -     # Certificate "ComSign CA"
 -     # Certificate "ComSign Secured CA"
 -     # Certificate "ComSign Advanced Security CA"
--     # Certificate "Global Chambersign Root"
 -     # Certificate "Sonera Class2 CA"
 -     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
 -     # Certificate "VeriSign, Inc."
@@ -517,7 +605,31 @@ fi
 -     # Certificate "GlobalSign Code Signing Root R45"
 -     # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
 
-*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
+*Tue Jul 25 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60-3
+- Fedora mass rebuild
+
+*Fri Jan 20 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 2023.2.60-2
+- Update to CKBI 2.60 from NSS 3.86
+-    Removing:
+-     # Certificate "Camerfirma Global Chambersign Root"
+-     # Certificate "Staat der Nederlanden EV Root CA"
+-    Adding:
+-     # Certificate "DigiCert TLS ECC P384 Root G5"
+-     # Certificate "DigiCert TLS RSA4096 Root G5"
+-     # Certificate "DigiCert SMIME ECC P384 Root G5"
+-     # Certificate "DigiCert SMIME RSA4096 Root G5"
+-     # Certificate "Certainly Root R1"
+-     # Certificate "Certainly Root E1"
+-     # Certificate "E-Tugra Global Root CA RSA v3"
+-     # Certificate "E-Tugra Global Root CA ECC v3"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT RSA CA"
+-     # Certificate "DIGITALSIGN GLOBAL ROOT ECDSA CA"
+-     # Certificate "Global Chambersign Root"
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-5
 - Update to CKBI 2.54 from NSS 3.79
 -    Removing:
 -     # Certificate "TrustCor ECA-1"
@@ -538,12 +650,27 @@ fi
 -     # Certificate "Government Root Certification Authority"
 -     # Certificate "AC Raíz Certicámara S.A."
 
-*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
+*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-4
 - Update to CKBI 2.54 from NSS 3.79
 
-*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2022.2.54-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-2
 - Update to CKBI 2.54 from NSS 3.79
+-    Removing:
+-     # Certificate "GlobalSign Root CA - R2"
+-     # Certificate "DST Root CA X3"
+-     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
 -    Adding:
+-     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+-     # Certificate "vTrus ECC Root CA"
+-     # Certificate "vTrus Root CA"
+-     # Certificate "ISRG Root X2"
+-     # Certificate "HiPKI Root CA - G1"
+-     # Certificate "Telia Root CA v2"
+-     # Certificate "D-TRUST BR Root CA 1 2020"
+-     # Certificate "D-TRUST EV Root CA 1 2020"
 -     # Certificate "CAEDICOM Root"
 -     # Certificate "I.CA Root CA/RSA"
 -     # Certificate "MULTICERT Root Certification Authority 01"
@@ -685,7 +812,6 @@ fi
 -     # Certificate "Certipost E-Trust TOP Root CA"
 -     # Certificate "Certipost E-Trust Primary Qualified CA"
 -     # Certificate "Certipost E-Trust Primary Normalised CA"
--     # Certificate "Cybertrust Global Root"
 -     # Certificate "GlobalSign"
 -     # Certificate "IGC/A"
 -     # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@@ -759,60 +885,72 @@ fi
 -     # Certificate "HARICA Code Signing ECC Root CA 2021"
 -     # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
 
-*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
-- Update to CKBI 2.54 from NSS 3.79
--    Removing:
--     # Certificate "GlobalSign Root CA - R2"
--     # Certificate "DST Root CA X3"
--     # Certificate "Cybertrust Global Root"
--     # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.52-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+*Mon Dec 13 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.52-2
+- Update to CKBI 2.52 from NSS 3.72
 -    Adding:
 -     # Certificate "TunTrust Root CA"
 -     # Certificate "HARICA TLS RSA Root CA 2021"
 -     # Certificate "HARICA TLS ECC Root CA 2021"
 -     # Certificate "HARICA Client RSA Root CA 2021"
 -     # Certificate "HARICA Client ECC Root CA 2021"
--     # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
--     # Certificate "vTrus ECC Root CA"
--     # Certificate "vTrus Root CA"
--     # Certificate "ISRG Root X2"
--     # Certificate "HiPKI Root CA - G1"
--     # Certificate "Telia Root CA v2"
--     # Certificate "D-TRUST BR Root CA 1 2020"
--     # Certificate "D-TRUST EV Root CA 1 2020"
 
-*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
+*Mon Dec 6 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-5
+- integrate Adam William's /etc/ssl/certs with Debian-compatibility
+- back out blocklist change since p11-kit .24 is not yet available on rawhide
+
+*Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-4
+- remove blacklist directory now that pk11-kit is using blocklist
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2021.2.50-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-2
 - Update to CKBI 2.50 from NSS 3.67
-   - version number update only
-
-*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
-- Update to CKBI 2.48 from NSS 3.66
 -    Removing:
--     # Certificate "QuoVadis Root CA"
--     # Certificate "Sonera Class 2 Root CA"
 -     # Certificate "Trustis FPS Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
+-     # Certificate "VeriSign Universal Root Certification Authority"
+-     # Certificate "GeoTrust Global CA"
+-     # Certificate "GeoTrust Primary Certification Authority"
+-     # Certificate "thawte Primary Root CA"
+-     # Certificate "thawte Primary Root CA - G2"
+-     # Certificate "thawte Primary Root CA - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G3"
+-     # Certificate "GeoTrust Primary Certification Authority - G2"
+-     # Certificate "GeoTrust Universal CA"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"
 -    Adding:
 -     # Certificate "GLOBALTRUST 2020"
 -     # Certificate "ANF Secure Server Root CA"
--     # Certificate "Certum EC-384 CA"
--     # Certificate "Certum Trusted Root CA"
 
-*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
+*Tue May 25 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-2
 - Update to CKBI 2.48 from NSS 3.64
 -    Removing:
 -     # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
--     # Certificate "GeoTrust Global CA"
--     # Certificate "GeoTrust Universal CA"
 -     # Certificate "GeoTrust Universal CA 2"
+-     # Certificate "QuoVadis Root CA"
+-     # Certificate "Sonera Class 2 Root CA"
 -     # Certificate "Taiwan GRCA"
--     # Certificate "GeoTrust Primary Certification Authority"
--     # Certificate "thawte Primary Root CA"
--     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
--     # Certificate "GeoTrust Primary Certification Authority - G3"
--     # Certificate "thawte Primary Root CA - G2"
--     # Certificate "thawte Primary Root CA - G3"
--     # Certificate "GeoTrust Primary Certification Authority - G2"
--     # Certificate "VeriSign Universal Root Certification Authority"
 -     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
 -     # Certificate "EE Certification Centre Root CA"
 -     # Certificate "LuxTrust Global Root 2"
@@ -832,56 +970,108 @@ fi
 -     # Certificate "GlobalSign Secure Mail Root E45"
 -     # Certificate "GlobalSign Root R46"
 -     # Certificate "GlobalSign Root E46"
+-     # Certificate "Certum EC-384 CA"
+-     # Certificate "Certum Trusted Root CA"
+-     # Certificate "GlobalSign Code Signing Root R45"
+-     # Certificate "GlobalSign Code Signing Root E45"
+-     # Certificate "Halcom Root Certificate Authority"
+-     # Certificate "Symantec Class 3 Public Primary Certification Authority - G6"
+-     # Certificate "GLOBALTRUST"
+-     # Certificate "MULTICERT Root Certification Authority 01"
+-     # Certificate "Verizon Global Root CA"
+-     # Certificate "Tunisian Root Certificate Authority - TunRootCA2"
+-     # Certificate "CAEDICOM Root"
+-     # Certificate "COMODO Certification Authority"
+-     # Certificate "Security Communication ECC RootCA1"
+-     # Certificate "Security Communication RootCA3"
+-     # Certificate "AC RAIZ DNIE"
+-     # Certificate "VeriSign Class 3 Public Primary Certification Authority - G3"
+-     # Certificate "NetLock Platina (Class Platinum) Főtanúsítvány"
+-     # Certificate "GLOBALTRUST 2015"
+-     # Certificate "emSign Root CA - G2"
+-     # Certificate "emSign Root CA - C2"
 
-*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
-- fix post issues
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
-*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
+* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
+- remove unnecessarily divisive terms, take 1.
+-   in ca-certificates there are 3 cases:
+-   1) master refering to the fedora master branch in the fetch.sh script.
+-      This can only be changed once fedora changes the master branch name.
+-   2) a reference to the 'master bundle' in this file: this has been changed
+-      to 'primary bundle'.
+-   3) a couple of blacklist directories owned by this package, but used to
+-      p11-kit. New 'blocklist' directories have been created, but p11-kit
+-      needs to be updated before the old blacklist directories can be removed
+-      and the man pages corrected.
+
+* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
+- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
+- Fix up broken %post and %postinstall scriptlet changes from -2
+
+* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
 - Update to CKBI 2.41 from NSS 3.53.0
 -    Removing:
 -     # Certificate "AddTrust Low-Value Services Root"
 -     # Certificate "AddTrust External Root"
+-     # Certificate "Staat der Nederlanden Root CA - G2"
+
+* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
+- Update versioned dependency on p11-kit
+
+* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
+- Update to CKBI 2.40 from NSS 3.48
+-    Removing:
 -     # Certificate "UTN USERFirst Email Root CA"
 -     # Certificate "Certplus Class 2 Primary CA"
 -     # Certificate "Deutsche Telekom Root CA 2"
--     # Certificate "Staat der Nederlanden Root CA - G2"
 -     # Certificate "Swisscom Root CA 2"
 -     # Certificate "Certinomis - Root CA"
 -    Adding:
 -     # Certificate "Entrust Root Certification Authority - G4"
+- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
 
-*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
-- Update to CKBI 2.32 from NSS 3.44
--  Removing:
--   # Certificate "Visa eCommerce Root"
--   # Certificate "AC Raiz Certicamara S.A."
--   # Certificate "ComSign CA"
--   # Certificate "Certplus Root CA G1"
--   # Certificate "Certplus Root CA G2"
--   # Certificate "OpenTrust Root CA G1"
--   # Certificate "OpenTrust Root CA G2"
--   # Certificate "OpenTrust Root CA G3"
--  Adding:
--   # Certificate "GlobalSign Root CA - R6"
--   # Certificate "OISTE WISeKey Global Root GC CA"
--   # Certificate "GTS Root R1"
--   # Certificate "GTS Root R2"
--   # Certificate "GTS Root R3"
--   # Certificate "GTS Root R4"
--   # Certificate "UCA Global G2 Root"
--   # Certificate "UCA Extended Validation Root"
--   # Certificate "Certigna Root CA"
--   # Certificate "emSign Root CA - G1"
--   # Certificate "emSign ECC Root CA - G3"
--   # Certificate "emSign Root CA - C1"
--   # Certificate "emSign ECC Root CA - C3"
--   # Certificate "Hongkong Post Root CA 3"
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 
-* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
-- Test gating
+* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
+ - Update to CKBI 2.32 from NSS 3.44
+   Removing: 
+    # Certificate "Visa eCommerce Root"
+    # Certificate "AC Raiz Certicamara S.A."
+    # Certificate "Certplus Root CA G1"
+    # Certificate "Certplus Root CA G2"
+    # Certificate "OpenTrust Root CA G1"
+    # Certificate "OpenTrust Root CA G2"
+    # Certificate "OpenTrust Root CA G3"
+   Adding: 
+    # Certificate "GTS Root R1"
+    # Certificate "GTS Root R2"
+    # Certificate "GTS Root R3"
+    # Certificate "GTS Root R4"
+    # Certificate "UCA Global G2 Root"
+    # Certificate "UCA Extended Validation Root"
+    # Certificate "Certigna Root CA"
+    # Certificate "emSign Root CA - G1"
+    # Certificate "emSign ECC Root CA - G3"
+    # Certificate "emSign Root CA - C1"
+    # Certificate "emSign ECC Root CA - C3"
+    # Certificate "Hongkong Post Root CA 3"
 
-* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
-- Use __python3 macro when invoking Python
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
+- Update to CKBI 2.26 from NSS 3.39
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 
 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
 - Ported scripts to python3

certdata2pem.py

@@ -177,6 +177,11 @@ openssl_trust = {
   "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }
 
+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
     if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
         key = tobj['CKA_LABEL'] + printable_serial(tobj)
@@ -369,6 +374,16 @@ for tobj in objects:
             f.write("nss-mozilla-ca-policy: true\n")
             f.write("modifiable: false\n");
 
+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
             f.write("-----BEGIN CERTIFICATE-----\n")
             temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
             temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

check_certs.sh

@@ -0,0 +1,118 @@
+#!/bin/perl
+
+sub adjust {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my @pos = @{$_[2]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   if (! $found ) {
+ 	push(@pos, $newLine);
+   }
+   @neg=@newneg;
+}
+
+sub removeLine {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+   my $found = 0;
+   my @newneg = ();
+
+   foreach my $cline (@neg) {
+        if ($found) {
+            push(@newneg ,$cline );
+	} elsif ($cline eq $newLine) {
+	   $found = 1;
+	} else {
+            push(@newneg ,$cline );
+	}
+   }
+   return @newneg;
+}
+
+sub filter {
+   my @list = @{$_[0]};
+   my $string = $_[1];
+   my @filteredList = ();
+   foreach my $cline (@list) {
+	if ($cline =~ m/$string/) {
+            push(@filteredList ,$cline );
+	}
+   }
+   return @filteredList;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub lineExists {
+   my $newLine = $_[0];
+   my @neg = @{$_[1]};
+
+   foreach my $cline (@neg) {
+	if ($cline eq $newLine) {
+           return 1;
+	}
+   }
+   return 0;
+}
+
+sub printeach {
+   my @args = @{$_[0]};
+   foreach my $arg (@args) {
+	chomp $arg;
+	print "    $arg\n";
+    }
+}
+
+open my $handle, "git diff certdata.txt|";
+my @diff_lines = <$handle>;
+close $handle;
+my @adds = ();
+my @subs = ();
+foreach my $line (@diff_lines) {
+    $type = substr $line,0,1;
+    $lline = substr $line,1;
+    if ($type eq "+") {
+          if (lineExists($lline, \@subs)) {
+               @subs = removeLine($lline,\@subs);
+          } else {
+               push(@adds, $lline);
+          }
+    };
+    if ($type eq "-") {
+          if (lineExists($lline, \@adds)) {
+                @adds = removeLine($lline,\@adds);
+          } else {
+                push(@subs, $lline);
+          }
+    };
+}
+
+my @tmp = filter(\@subs, "# Certificate");
+if (@tmp) {
+    print "   Removing: \n";
+    printeach(\@tmp);
+}
+my @tmp = filter(\@adds, "# Certificate");
+if (@tmp) {
+    print "   Adding: \n";
+    printeach(\@tmp);
+}

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

fetch.sh

@@ -0,0 +1,185 @@
+#!/bin/sh
+#
+# This script fetches the latest released certdata.txt and updates the 
+# ca-certificates.spec file
+#
+baseurl="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib"
+force=0
+skip_signed_obj=0
+release_type="RTM"
+release="3_65"
+while [ -n "$1" ]; do
+   case $1 in
+   "-d")
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/default/lib"
+	;;
+   -t*)
+	release_type=`echo $1 | sed -e 's;-t;;'`
+	if [ "${release_type}" = "" ]; then
+	   shift
+	   release_type=$1
+	fi
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   -n*)
+	release=`echo $1 | sed -e 's;-n;;'`
+	if [ "${release}" = "" ]; then
+	   shift
+	   release=$1
+	fi
+	release=`echo ${release} | sed -e 's;\\.;_;g'`
+	baseurl="https://hg.mozilla.org/projects/nss/raw-file/NSS_${release}_${release_type}/lib"
+	;;
+   "-f")
+	force=1
+	;;
+   "-s")
+        skip_signed_obj=1
+        ;;
+    *)
+	echo "usage: $0 [-r] [-n release] [-f]"
+	echo "-d           use the development tip rather than the latest release"
+	echo "-n release   fetch a specific nss release"
+	echo "-f           skip the verify check"
+	echo "-s           skip fetching signed objects"
+	exit 1
+	;;
+    esac
+    shift
+done
+
+# get the current certdata version number
+# nss version number
+# user making the change
+# email of user
+# 
+# versions from the latest nss code in mozilla
+echo "Getting CKBI version number"
+ckbi_version=`wget ${baseurl}/ckfw/builtins/nssckbi.h -O - | grep "NSS_BUILTINS_LIBRARY_VERSION " | awk '{print $NF}' | sed -e "s;\";;g" `
+if [ "${ckbi_version}" = "" ]; then
+    echo "Didn't find ckbi version from ${baseurl}"
+    exit 1;
+fi
+echo "Getting NSS version number"
+nss_version=`wget ${baseurl}/nss/nss.h -O - | grep "NSS_VERSION" | awk '{print $3}' | sed -e "s;\";;g" `
+if [ "${nss_version}" = "" ]; then
+    echo "Didn't find nss version from ${baseurl}"
+    exit 1;
+fi
+# date from the current system date on this machine
+echo "Creating change log"
+export LANG=C
+year=`date +%Y`
+log_date=`date +"%a %b %d %Y"`
+# user name from the environment, fallback to git, fallback to the current user
+username=`whoami`
+name=${NAME}
+if [ "${name}" = "" ]; then
+   name=`git config user.name`
+fi
+if [ "${name}" = "" ]; then
+   name=`getent passwd $username`
+fi
+email=${EMAIL}
+if [ "${email}" = "" ]; then
+   email=`git config user.email`
+fi
+if [ "${email}" = "" ]; then
+   email=$username@`hostname`
+fi
+# rawhide >=2, branches 1.x
+cwd=$(pwd)
+if [ `basename ${cwd}` = rawhide ]; then
+    release="2"
+else
+    release="1.0"
+fi
+
+
+# fetch the codesigning certs now so we can get
+# the code signing version number
+if [ ${skip_signed_obj} -eq 0 ]; then
+   ./fetch_objsign.sh
+   if [ -f codesign-release.txt ]; then
+      mcs_version=$(cat codesign-release.txt)
+      if [[ $ms_version != "unknown" ]]; then
+          ckbi_version="${ckbi_version}_${mcs_version}"
+      fi
+      signobjects="and Microsoft Signed Objects version $ms_version"
+   fi
+fi
+
+version=${year}.${ckbi_version}
+
+#make sure the the current version is newer than what is already there
+current_version=`grep ^Version: ca-certificates.spec | awk '{ print $NF }'`
+if [ ${current_version} \> ${version} -o ${current_version} = ${version} ]; then
+   echo "Can't downgrade current version: ${current_version} new version: ${version}"
+   exit 1;
+fi
+
+# now get our new certdata.txt
+echo "Fetching new certdata.txt"
+wget ${baseurl}/ckfw/builtins/certdata.txt -O certdata.txt
+if [ $? -ne 0 ]; then
+   echo fetching certdata.text from ${baseurl} failed!
+   echo " To restore the old certdata.txt use:"
+   echo "    git checkout -- certdata.txt"
+   exit 1;
+fi
+
+# merge the signing certs into the normal certdata.txt file.
+if [ ${skip_signed_obj} -eq 0 ]; then
+   cp certdata.txt certdata.txt.orig
+   python3 ./mergepem2certdata.py -c "certdata.txt.orig" -p "microsoft_sign_obj_ca.pem" -o "certdata.txt" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate" -x "NEVER"
+fi
+
+# Verify everything is good with the user
+echo -e "Upgrading ${current_version} -> ${version}:"
+echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}${sign_objects}"
+./check_certs.sh
+echo ""
+
+yn=""
+if [ ! ${force} ]; then
+	echo -n "Do you want to continue (Y/N default Y)? "
+	read yn
+	echo ""
+fi
+if [ "${yn}" != "" -a "${yn}" != "y" -a "${yn}" != "Y" -a "${yn}" != "yes" -a "${yn}" != "YES" ]; then
+    echo "Skipping ca-certificate.spec upgrade."
+    echo " NOTE: certdata.txt has been upgraded."
+    echo " To restore the old certdata.txt use:"
+    echo "    git checkout -- certdata.txt"
+    exit 1;
+fi
+
+echo "Updating .spec file"
+cat ca-certificates.spec | while IFS= read -r line
+do
+    echo $line | grep "^Version: " 1>&2
+    if [ $? -eq 0 ]; then
+	echo "Version: ${version}"
+	echo "New Version: ${version}" 1>&2
+	continue
+    fi
+    echo $line | grep "^Release: " 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "Release: ${release}%{?dist}"
+	echo "New Release: ${release}%{?dist}" 1>&2
+	continue
+    fi
+    echo $line | grep "^%changelog" 1>&2
+    if [ $?  -eq 0 ]; then
+	echo "$line"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"
+	echo -e "*${log_date} ${name} <$email> ${version}-${release}\n - Update to CKBI ${ckbi_version} from NSS ${nss_version}"  1>&2
+	./check_certs.sh
+       echo ""
+	continue
+    fi
+    echo "$line"
+done > /tmp/ca-certificates.spec.$$
+mv /tmp/ca-certificates.spec.$$ ca-certificates.spec
+git status
+exit 0

fetch_objsign.sh

@@ -0,0 +1,123 @@
+#!/bin/sh
+#
+# This script fetches the object signing list from the Microsoft list. It then
+# mergest that list into the fetched certdata.txt.
+#
+giturl="https://github.com/dotnet/sdk"
+gitrawurl="https://raw.githubusercontent.com/dotnet/sdk"
+release="latest"
+treedir="src/Layout/redist/trustedroots/codesignctl.pem"
+target="microsoft_sign_obj_ca.pem"
+certdata="./certdata.txt"
+baseurl=""
+merge=1
+diff=0
+
+function getlatest
+{
+    local url=$1
+    local latest="0"
+    local tags=($(git ls-remote --tags ${url}))
+    for tag in "${tags[@]}"
+    do
+        if [[ ! ${tag} =~ refs/.* ]];  then
+            continue # skip hashes
+        fi
+        if [[ ${tag} =~ .*preview.* ]];  then
+            continue # skip preview tags, we only want release tags
+        fi
+        if [[ ${tag} =~ .*rc.* ]];  then
+            continue # skip release candidate tags, we only want release tags
+        fi
+        if [[ ${latest} < ${tag} ]]; then
+            latest=$tag
+        fi
+    done
+    latest=${latest##refs/tags/}
+    echo $latest
+}
+
+while [ -n "$1" ]; do
+   case $1 in
+   "-g")
+        shift
+	giturl=$1
+	;;
+   "-r")
+        shift
+	gitrawurl=$1
+	;;
+   "-t")
+        shift
+	treedir=$1
+	;;
+   "-r")
+        shift
+	release=$1
+	;;
+   "-u")
+        shift
+	baseurl=$1
+        release="unknown"
+	;;
+   "-o")
+        shift
+	target=$1
+	;;
+   "-c")
+        shift
+	certdata=$1
+	;;
+   "-n")
+        merge=0
+        ;;
+   "-d")
+        shift
+        diff=1
+        difffile=$1
+        ;;
+    *)
+	echo "usage: $0 [-u URL] [-o target] [-c certdata] [-n]"
+	echo "-g URL      git URL to fetch code signing list"
+	echo "-r URL      raw git URL to fetch code signing list"
+	echo "-t URL      git tree directory to fetch code signing list"
+	echo "-r release  code signing list release version"
+	echo "-u URL      base URL to fetch code signing list"
+	echo "-o target   name of the codesigning target"
+	echo "-c certdata patch to certdata.txt to merge with"
+	echo "-d diff     optional diff file"
+        echo "-n          don't merge"
+	exit 1
+	;;
+    esac
+    shift
+done
+
+if [ "${release}" = "latest" ]; then
+     release=$(getlatest ${giturl} )
+fi
+
+if [ "${baseurl}" = "" ]; then
+     baseurl="${gitrawurl}/${release}/${treedir}"
+fi
+
+echo $release > "./codesign-release.txt"
+
+echo "Fetching release=${release}, ${target} from ${baseurl}"
+
+wget ${baseurl} -O ${target}
+
+if [ ${merge} -eq 0 ]; then
+    exit 0;
+fi
+
+out=${certdata}
+if [ ${diff} -eq 1 ]; then
+   out=${certdata}.out
+fi
+python3 ./mergepem2certdata.py -c "${certdata}" -p "${target}" -o "${out}" -t "CKA_TRUST_CODE_SIGNING" -l "Microsoft Code Signing Only Certificate"
+
+if [ ${diff} -eq 1 ]; then
+    diff -u ${certdata} ${out} > ${difffile}
+    mv ${out} ${certdata}
+fi

gating.yaml

@@ -0,0 +1,8 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.ca-certificates.streamspreadprevent}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/buildroot-disabled.functional}

mergepem2certdata.py

@@ -0,0 +1,442 @@
+#!/usr/bin/python
+# vim:set et sw=4:
+#
+# certdata2pem.py - splits certdata.txt into multiple files
+#
+# Copyright (C) 2009 Philipp Kern <pkern@debian.org>
+# Copyright (C) 2013 Kai Engert <kaie@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301,
+# USA.
+
+import base64
+import os.path
+import re
+import sys
+import textwrap
+import subprocess
+import getopt
+import asn1
+from cryptography import x509
+from cryptography.hazmat.primitives import hashes, serialization
+from datetime import datetime
+from dateutil.parser import parse
+
+objects = []
+
+pemcerts = []
+
+certdata='./certdata.txt'
+pem='./cert.pem'
+output='./certdata_out.txt'
+trust='CKA_TRUST_CODE_SIGNING'
+merge_label="Non-Mozilla Object Signing Only Certificate"
+dateString='thisyear'
+
+trust_types = {
+  "CKA_TRUST_SERVER_AUTH",
+  "CKA_TRUST_EMAIL_PROTECTION",
+  "CKA_TRUST_CODE_SIGNING"
+}
+
+attribute_types = {
+    "CKA_CLASS" : "CK_OBJECT_CLASS",
+    "CKA_TOKEN" : "CK_BBOOL",
+    "CKA_PRIVATE" : "CK_BBOOL",
+    "CKA_MODIFIABLE" : "CK_BBOOL",
+    "CKA_LABEL" : "UTF8",
+    "CKA_CERTIFICATE_TYPE" : "CK_CERTIFICATE_TYPE",
+    "CKA_SUBJECT" : "MULTILINE_OCTAL",
+    "CKA_ID" : "UTF8",
+    "CKA_CERT_SHA1_HASH" : "MULTILINE_OCTAL",
+    "CKA_CERT_MD5_HASH" : "MULTILINE_OCTAL",
+    "CKA_ISSUER" : "MULTILINE_OCTAL",
+    "CKA_SERIAL_NUMBER" : "MULTILINE_OCTAL",
+    "CKA_VALUE" : "MULTILINE_OCTAL",
+    "CKA_NSS_MOZILLA_CA_POLICY" : "CK_BBOOL",
+    "CKA_NSS_SERVER_DISTRUST_AFTER" : "Distrust",
+    "CKA_NSS_EMAIL_DISTRUST_AFTER" : "Distrust",
+    "CKA_TRUST_SERVER_AUTH" : "CK_TRUST",
+    "CKA_TRUST_EMAIL_PROTECTION" : "CK_TRUST",
+    "CKA_TRUST_CODE_SIGNING" : "CK_TRUST",
+    "CKA_TRUST_STEP_UP_APPROVED" : "CK_BBOOL"
+}
+
+def printable_serial(obj):
+  return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
+
+def getSerial(cert):
+    encoder = asn1.Encoder()
+    encoder.start()
+    encoder.write(cert.serial_number)
+    return encoder.output()
+
+def dumpOctal(f,value):
+    for i in range(len(value)) :
+        if  i % 16 == 0 :
+            f.write("\n")
+        f.write("\\%03o"%int.from_bytes(value[i:i+1],sys.byteorder))
+    f.write("\nEND\n")
+
+# in python 3.8 this can be replaced with return byteval.hex(':',1)
+def formatHex(byteval) :
+    string=byteval.hex()
+    string_out=""
+    for i in range(0,len(string)-2,2) :
+         string_out += string[i:i+2] + ':'
+    string_out += string[-2:]
+    return string_out
+
+def getdate(dateString):
+    print("dateString= %s"%dateString)
+    if dateString.upper() == "THISYEAR":
+        return datetime(datetime.today().year,12,31,11,59,59,9999)
+    if dateString.upper() == "TODAY":
+        return datetime.today()
+    return parse(dateString, fuzzy=True);
+
+def getTrust(objlist, serial, issuer) :
+    for obj in objlist:
+        if obj['CKA_CLASS'] == 'CKO_NSS_TRUST' and obj['CKA_SERIAL_NUMBER'] == serial and obj['CKA_ISSUER'] == issuer:
+            return obj
+    return None
+
+def isDistrusted(obj) :
+    if (obj == None):
+        return False
+    return obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED' and obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'
+
+
+def stripQuotes(label) :
+    if label[:1] == "\"" :
+        label=label[1:]
+    if label[-1] == "\"" :
+        label = label[:-1]
+    return label
+
+# another object of the same class has the same label
+def labelExists(objlist, obj) :
+    for iobj in objlist:
+        if obj['CKA_CLASS'] == iobj['CKA_CLASS'] and obj['CKA_LABEL'] == iobj['CKA_LABEL']:
+            return True
+    return False
+
+# add an object, make sure that label is unique
+def addObj(objlist, newObj, specialLabel, drop) :
+    label = stripQuotes(newObj['CKA_LABEL'])
+    count=1
+    if specialLabel != None :
+        count=0
+        label=label+' '+specialLabel
+    # make sure the label is unique
+    while labelExists(objlist, newObj) :
+        if drop :
+            return 'DROPPED'
+        if count != 0 :
+            newObj['CKA_LABEL'] = "\"%s %d\""%(label,count)
+        else :
+            newObj['CKA_LABEL'] = "\"%s\""%label
+        count=count+1
+    objlist.append(obj)
+    return stripQuotes(newObj['CKA_LABEL'])
+
+try:
+    opts, args = getopt.getopt(sys.argv[1:],"c:o:p:t:l:x:",)
+except getopt.GetoptError as err:
+    print(err)
+    print(sys.argv[0] + ' [-c certdata] [-p pem] [-o certdata_target] [-t trustvalue] [-l merge_label]')
+    print('-c certdata         certdata file to merge to (default="'+certdata+'")');
+    print('-p pem              pem file with CAs to merge from (default="'+pem+'")');
+    print('-o certdata_target  resulting output file (default="'+output+'")');
+    print('-t trustvalue       what these CAs are trusted for (default="'+trust+'")');
+    print('-l merge_label      what label CAs that aren\'t in certdata (default="'+merge_label+'")');
+    print('-x date             remove all certs that expire before data (default='+dateString+')');
+    sys.exit(2)
+
+for opt, arg in opts:
+    if opt == '-c' :
+        certdata = arg
+    elif opt == '-p' :
+        pem = arg
+    elif opt == '-o' :
+        output = arg
+    elif opt == '-t' :
+        trust = arg
+    elif opt == '-l' :
+        merge_label = arg
+    elif opt == '-x' :
+        dateString = arg
+
+# parse dateString
+print ("datastring=",dateString)
+verifyDate = True
+if dateString.upper() == "NEVER":
+   verifyDate = False
+else:
+   date = getdate(dateString)
+print ("verifyDate=",verifyDate)
+
+
+# read the pem file
+in_cert, certvalue = False, ""
+for line in open(pem, 'r'):
+    if not in_cert:
+       if line.find("BEGIN CERTIFICATE") != -1:
+            in_cert = True;
+       continue
+    # Ignore comment lines and blank lines.
+    if line.startswith('#'):
+        continue
+    if len(line.strip()) == 0:
+        continue
+    if line.find("END CERTIFICATE") != -1 :
+       pemcerts.append(certvalue);
+       certvalue = "";
+       in_cert = False;
+       continue
+    certvalue += line;
+
+# read the certdata.txt file
+in_data, in_multiline, in_obj = False, False, False
+field, ftype, value, binval, obj = None, None, None, bytearray(), dict()
+header, comment = "", ""
+for line in open(certdata, 'r'):
+    # Ignore the file header.
+    if not in_data:
+        header += line
+        if line.startswith('BEGINDATA'):
+            in_data = True
+        continue
+    # Ignore comment lines. 
+    if line.startswith('#'):
+        comment += line
+        continue
+
+    # Empty lines are significant if we are inside an object.
+    if in_obj and len(line.strip()) == 0:
+        # collect all the inline comments in this object
+        obj['Comment'] += comment
+        comment = ""
+        addObj(objects, obj, None, False)
+        obj = dict()
+        in_obj = False
+        continue
+    if len(line.strip()) == 0:
+        continue
+    if in_multiline:
+        if not line.startswith('END'):
+            if ftype == 'MULTILINE_OCTAL':
+                line = line.strip()
+                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
+                    integ = int(i.group(1), 8)
+                    binval.extend((integ).to_bytes(1, sys.byteorder))
+                obj[field] = binval
+            else:
+                value += line
+                obj[field] = value
+            continue
+        in_multiline = False
+        continue
+    if line.startswith('CKA_CLASS'):
+        in_obj = True
+        obj['Comment'] = comment
+        comment = ""
+    line_parts = line.strip().split(' ', 2)
+    if len(line_parts) > 2:
+        field, ftype = line_parts[0:2]
+        value = ' '.join(line_parts[2:])
+    elif len(line_parts) == 2:
+        field, ftype = line_parts
+        value = None
+    else:
+        raise NotImplementedError('line_parts < 2 not supported.\n' + line)
+    if ftype == 'MULTILINE_OCTAL':
+        in_multiline = True
+        value = ""
+        binval = bytearray()
+        continue
+    obj[field] = value
+
+if len(list(obj.items())) > 0:
+    addObj(objects, obj, None, False)
+
+# strip out expired certificates from certdata.txt
+if verifyDate :
+    for obj in objects:
+        if obj['CKA_CLASS'] == 'CKO_CERTIFICATE' :
+            cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+            if (cert.not_valid_after <= date) :
+                trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
+                # we don't remove distrusted expired certificates
+                if  not isDistrusted(trust_obj) :
+                    print("  Remove cert %s"%obj['CKA_LABEL'])
+                    print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
+                    print("     Prune time %s: "%date.strftime("%m/%d/%Y"))
+                    obj['Comment'] = None;
+                    if (trust_obj != None):
+                        trust_obj['Comment'] = None;
+
+# now merge the results
+for certval in pemcerts:
+    certder = base64.b64decode(certval)
+    cert = x509.load_der_x509_certificate(certder)
+    try:
+        label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value
+    except:
+        try:
+            label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_UNIT_NAME)[0].value
+        except:
+            try:
+                label=cert.subject.get_attributes_for_oid(x509.oid.NameOID.ORGANIZATION_NAME)[0].value
+            except:
+                label="Unknown Certificate"
+    if verifyDate :
+        if cert.not_valid_after <= date:
+            print("  Skipping code signing cert %s"%label)
+            print("     Expires: %s"%cert.not_valid_after.strftime("%m/%d/%Y"))
+            print("     Prune time %s: "%date.strftime("%m/%d/%Y"))
+            continue
+    certhashsha1 = cert.fingerprint(hashes.SHA1())
+    certhashmd5 =  cert.fingerprint(hashes.MD5())
+    
+    
+    found = False
+    # see if it exists in certdata.txt
+    for obj in objects:
+        # we only need to check the trust objects, because
+        # that is the object we would modify if it exists
+        if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
+            continue
+        # explicitly distrusted certs don't have a hash value
+        if not 'CKA_CERT_SHA1_HASH' in obj:
+            continue
+        if obj['CKA_CERT_SHA1_HASH'] != certhashsha1:
+            continue
+        obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
+        found = True
+        print('Updating "'+label+'" with code signing');
+        break
+    if  found :
+        continue
+
+    # check for almost duplicates, certs with the same subject and key, but
+    # different values. If they exist, treat them as the same certificate
+    for obj in objects:
+        if obj['CKA_CLASS'] != 'CKO_CERTIFICATE':
+            continue
+        # do they have the same subject?
+        if obj['CKA_SUBJECT'] != cert.subject.public_bytes():
+            continue
+        # do they have the same public key?
+        cert2 = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
+        if cert2.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) != cert.public_key().public_bytes(serialization.Encoding.DER,serialization.PublicFormat.SubjectPublicKeyInfo) :
+            continue
+        #found now update trust record
+        trust_obj = getTrust(objects,obj['CKA_SERIAL_NUMBER'],obj['CKA_ISSUER'])
+        if trust_obj is None :
+            print('Couldn\'t find trust object for "'+obj['CKA_LABEL']);
+            exit
+        trust_obj[trust] = 'CKT_NSS_TRUSTED_DELEGATOR'
+        found = True
+        print('Updating sister certificate "'+obj['CKA_LABEL']+'" with code signing based on Microsoft "'+label+'"');
+        break
+        if found :
+            break
+    if  found :
+        continue
+    # append this certificate
+    obj=dict()
+    time='%a %b %d %H:%M:%S %Y'
+    comment  = '# ' + merge_label + '\n# %s "'+label+'"\n'
+    comment +=  '# Issuer: ' + cert.issuer.rfc4514_string() + '\n'
+    comment +=  '# Serial Number:'
+    sn=cert.serial_number
+    if sn < 0x100000:
+        comment +=  ' %d (0x%x)\n'%(sn,sn)
+    else:
+        comment +=  formatHex(sn.to_bytes((sn.bit_length()+7)//8,"big")) + '\n'
+    comment +=  '# Subject: ' + cert.subject.rfc4514_string() + '\n'
+    comment +=  '# Not Valid Before: ' + cert.not_valid_before.strftime(time) + '\n'
+    comment +=  '# Not Valid After: ' + cert.not_valid_after.strftime(time) + '\n'
+    comment +=  '# Fingerprint (MD5): ' + formatHex(certhashmd5) + '\n'
+    comment +=  '# Fingerprint (SHA1): ' + formatHex(certhashsha1) + '\n'
+    obj['Comment']= comment%"Certificate"
+    obj['CKA_CLASS'] = 'CKO_CERTIFICATE'
+    obj['CKA_TOKEN'] = 'CK_TRUE'
+    obj['CKA_PRIVATE'] = 'CK_FALSE'
+    obj['CKA_MODIFIABLE'] = 'CK_FALSE'
+    obj['CKA_LABEL'] = '"' + label + '"'
+    obj['CKA_CERTIFICATE_TYPE'] = 'CKC_X_509'
+    obj['CKA_SUBJECT'] = cert.subject.public_bytes()
+    obj['CKA_ID'] = '"0"'
+    obj['CKA_ISSUER'] = cert.issuer.public_bytes()
+    obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
+    obj['CKA_VALUE'] = certder
+    obj['CKA_NSS_MOZILLA_CA_POLICY'] = 'CK_FALSE'
+    obj['CKA_NSS_SERVER_DISTRUST_AFTER'] = 'CK_FALSE'
+    obj['CKA_NSS_EMAIL_DISTRUST_AFTER'] = 'CK_FALSE'
+    label = addObj(objects, obj, 'CodeSigning', True)
+    if label == 'DROPPED' :
+        continue
+
+    # append the trust values
+    obj=dict()
+    obj['Comment']= comment%"Trust for"
+    obj['CKA_CLASS'] = 'CKO_NSS_TRUST'
+    obj['CKA_TOKEN'] = 'CK_TRUE'
+    obj['CKA_PRIVATE'] = 'CK_FALSE'
+    obj['CKA_MODIFIABLE'] = 'CK_FALSE'
+    obj['CKA_LABEL'] = '"' + label + '"'
+    obj['CKA_CERT_SHA1_HASH'] = certhashsha1
+    obj['CKA_CERT_MD5_HASH'] = certhashmd5
+    obj['CKA_ISSUER'] = cert.issuer.public_bytes()
+    obj['CKA_SERIAL_NUMBER'] = getSerial(cert)
+    for t in list(trust_types):
+       if t == trust:
+          obj[t] = 'CKT_NSS_TRUSTED_DELEGATOR'
+       else:
+          obj[t] = 'CKT_NSS_MUST_VERIFY_TRUST'
+    obj['CKA_TRUST_STEP_UP_APPROVED'] = 'CK_FALSE'
+    label = addObj(objects, obj, 'CodeSigning', True)
+    print('Adding code signing cert "'+label+'"');
+
+# now dump the results
+f = open(output, 'w')
+f.write(header)
+for obj in objects:
+    if 'Comment' in obj:
+        # if comment is None, we've deleted the entry above
+        if obj['Comment'] == None:
+            continue
+        f.write(obj['Comment'])
+    else:
+        print("Object with no comment!!")
+        print(obj)
+    for field in list(attribute_types.keys()):
+        if not field in obj:
+            continue
+        ftype = attribute_types[field];
+        if ftype == 'Distrust':
+            if obj[field] == 'CK_FALSE':
+                ftype = 'CK_BBOOL'
+            else:
+                ftype = 'MULTILINE_OCTAL'
+        f.write("%s %s"%(field,ftype));
+        if ftype == 'MULTILINE_OCTAL':
+           dumpOctal(f,obj[field])
+        else:
+           f.write(" %s\n"%obj[field])
+    f.write("\n")
+f.close

plans/ci.fmf

@@ -0,0 +1,11 @@
+/buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/ca-certificates
+      name: /plans/ci/buildroot-disabled
+
+/buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/ca-certificates
+      name: /plans/ci/buildroot-enabled

sort-blocks.py

@@ -0,0 +1,34 @@
+#!/usr/bin/python3
+
+# Expected input is a file, where blocks of lines are separated by newline.
+# Blocks will be sorted.
+# Intention is to prepare files for comparison, were lines inside each block are
+# in stable order, but the order of blocks is random.
+
+import sys
+import string
+
+if (len(sys.argv) != 2):
+    print("syntax: " + sys.argv[0] + " input-filename")
+    sys.exit(1)
+
+filename = sys.argv[1]
+
+block = []
+block_list = []
+with open(filename, 'r') as f:
+    for line in f:
+        if (len(line) == 1):
+            if len(block) == 0:
+                continue
+            else:
+                combined_string = string.join(block, '')
+                block_list.append(combined_string)
+                block = []
+        else:
+            block.append(line)
+
+block_list.sort()
+
+for block in block_list:
+    print(block)

trust-fixes

@@ -0,0 +1 @@
+

update-ca-trust

@@ -0,0 +1,123 @@
+#!/bin/sh
+
+#set -vx
+set -eu
+
+# For backwards compatibility reasons, future versions of this script must
+# support the syntax "update-ca-trust extract" trigger the generation of output
+# files in $DEST.
+
+DEST=/etc/pki/ca-trust/extracted
+DEST_CERTS=/etc/pki/tls/certs
+
+# Prevent p11-kit from reading user configuration files.
+export P11_KIT_NO_USER_CONFIG=1
+
+usage() {
+	fold -s -w 76 >&2 <<-EOF
+		Usage: $0 [extract] [-o DIR|--output=DIR]
+
+		Update the system trust store in $DEST.
+
+		COMMANDS
+		(absent/empty command): Same as the extract command without arguments.
+
+		extract: Instruct update-ca-trust to scan the source configuration in
+		/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
+		updated versions of the consolidated configuration files stored below
+		the $DEST directory hierarchy.
+
+		EXTRACT OPTIONS
+		-o DIR, --output=DIR: Write the extracted trust store into the given
+		directory instead of updating $DEST. (Note: This option will not
+		populate the ../pki/tls/certs with the directory-hash symbolic links.)
+	EOF
+}
+
+extract() {
+	USER_DEST=
+
+        # can't use getopt here. ca-certificates can't depend on a lot
+        # of other libraries since openssl depends on ca-certificates
+        # just fail when we hand parse
+
+        while [ $# -ne 0 ]; do
+	    case "$1" in
+	      "-o"|"--output")
+		  if [ $# -lt 2 ]; then
+			  echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
+			  echo >&2
+			  exit 1
+		  fi
+	          USER_DEST=$2
+		  shift 2
+		  continue
+		  ;;
+		"--")
+		  shift
+		  break
+		  ;;
+		*)
+		  echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
+		  exit 1
+		  ;;
+	    esac
+	done
+
+	if [ -n "$USER_DEST" ]; then
+		DEST=$USER_DEST
+	        # Attempt to create the directories if they do not exist
+                # yet (rhbz#2241240)
+	        /usr/bin/mkdir -p \
+		    "$DEST"/openssl \
+		    "$DEST"/pem \
+		    "$DEST"/java \
+		    "$DEST"/edk2
+	fi
+
+
+	# Delete all directory hash symlinks from the cert directory
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST_CERTS" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' -exec rm -f {} \;
+	fi
+
+	# OpenSSL PEM bundle that includes trust flags
+	# (BEGIN TRUSTED CERTIFICATE)
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
+	/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
+	/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
+	/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
+	# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
+	# by GnuTLS)
+	/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
+
+
+	if [ -z "$USER_DEST" ]; then
+		find "$DEST/pem/directory-hash" -type l -regextype posix-extended \
+		     -regex '.*/[0-9a-f]{8}\.[0-9]+' | while read link; do
+			target=$(readlink -f "$link")
+			new_link="$DEST_CERTS/$(basename "$link")"
+			ln -s "$target" "$new_link"
+		done
+	fi
+}
+if [ $# -lt 1 ]; then
+    set -- extract
+fi
+
+case "$1" in
+	"extract")
+		shift
+		extract "$@"
+	;;
+	"--help")
+		usage
+		exit 0
+	;;
+	*)
+		echo >&2 "Error: unknown command: '$1', see 'update-ca-trust --help' for usage."
+		exit 1
+	;;
+esac

update-ca-trust.8.txt

@@ -27,7 +27,7 @@ certificates and associated trust
 
 SYNOPSIS
 --------
-*update-ca-trust* ['COMMAND']
+*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
 
 
 DESCRIPTION
@@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
 * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
 * run 'update-ca-trust extract'
 
-.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
+.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
 * add it as a new file to directory /etc/pki/ca-trust/source/
 * run 'update-ca-trust extract'
 
 .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
 * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
-* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
 
 .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *trusted* for all purposes.
 
-In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
+In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
 you may install one or multiple certificates in either the DER file
 format or in the PEM (BEGIN/END CERTIFICATE) file format.
 Each certificate will be treated as *distrusted* for all purposes.
@@ -214,15 +214,24 @@ server authentication.
 
 COMMANDS
 --------
-(absent/empty command)::
-    Same as the *extract* command described below. (However, the command may
-    print fewer warnings, as this command is being run during rpm package 
-    installation, where non-fatal status output is undesired.)
+(absent/empty command)
+~~~~~~~~~~~~~~~~~~~~~~
+Same as the *extract* command described below. (However, the command may print
+fewer warnings, as this command is being run during rpm package installation,
+where non-fatal status output is undesired.)
 
-*extract*::
-    Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce 
-    updated versions of the consolidated configuration files stored below
-    the /etc/pki/ca-trust/extracted directory hierarchy.
+extract
+~~~~~~~
+Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
+produce updated versions of the consolidated configuration files stored below
+the /etc/pki/ca-trust/extracted directory hierarchy.
+
+EXTRACT OPTIONS
+^^^^^^^^^^^^^^^
+*-o DIR*, *--output=DIR*::
+	Write the extracted trust store into the given directory instead of
+	updating /etc/pki/ca-trust/extracted. (Note: This option will not
+	populate the ../pki/tls/certs with the directory-hash symbolic links.)
 
 FILES
 -----
@@ -249,6 +258,9 @@ FILES
 	which are created using the 'update-ca-trust extract' command. Don't edit files in this directory, because they will be overwritten.
 	See section <<extractconf,EXTRACTED CONFIGURATION>> for additional details.
 
+/etc/pki/tls/certs::
+	Contains symbolic links to the directory-hash format certificates generated by update-ca-trust command.
+
 AUTHOR
 ------
 Written by Kai Engert and Stef Walter.