author | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2015-11-12 10:10:11 +0000 |
---|---|---|
committer | Richard Ipsum <richard.ipsum@codethink.co.uk> | 2015-11-12 10:10:11 +0000 |
commit | c9124556cfc5d29d4fd0d7b688bf4873a6098bf3 (patch) | |
tree | d1112d58b688a6cb026e7f37bf63b92feb18dc4e | |
parent | e9b06b26d9e57444e74a5cb6beca3f12726fc3c6 (diff) | |
parent | 193eb2042c6be1775f4c41f6297fe5c1521828e0 (diff) | |
download | ca-certificates-baserock/debian/20140325.tar.gz |
Merge branch 'baserock/richardipsum/debian/20140325' into baserock/debian/20140325baserock/debian/20140325
Reviewed by:
Javier Jardón <jjardon@gnome.org>
Tristan Van Berkom <tristan.vanberkom@codethink.co.uk>
Richard Maw (on IRC)
-rw-r--r-- | debian/changelog | 109 | ||||
-rw-r--r-- | mozilla/certdata2pem.py | 57 |
2 files changed, 150 insertions, 16 deletions
diff --git a/debian/changelog b/debian/changelog
index b367c7f..9a3e0b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,112 @@ +ca-certificates (20151022) UNRELEASED; urgency=medium + + * debian/postinst: + Handle /usr/local/share/ca-certificates permissions and ownership on + upgrade. Closes: #611501 + * mozilla/{certdata.txt,nssckbi.h}: + Update Mozilla certificate authority bundle to version 2.5. + * mozilla/certdata2pem.py: + Add Python 3 support to ca-certificates. + Thanks to Andrew Wilcox for the patch! Closes: #789753 +TODO: verify adds/removes + The following certificate authorities were added (+): + + "Certinomis - Root CA" + + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" + + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" + The following certificate authorities were removed (-): + - "Buypass Class 3 CA 1" + - "SG TRUST SERVICES RACINE" + - "TC TrustCenter Class 2 CA II" + - "TC TrustCenter Universal CA I" + - "TURKTRUST Certificate Services Provider Root 1" + + -- Michael Shuler <michael@pbandjelly.org> Thu, 22 Oct 2015 15:32:23 -0500 + +ca-certificates (20150426) unstable; urgency=medium + + * debian/postinst: + Set mode and group of /usr/local/share/ca-certificates based on current + /usr/local permissions and ownership. Closes: #611501 + * sbin/update-ca-certificates: + Allow customisation of the paths used by update-ca-certificates. + Add an option to set the certs in a directory to the defaults. + Thanks for the patches, Paul Wise. Closes: #774059, #774201 + Fix shellcheck warnings and a little indentation. + * sbin/update-ca-certificates.8: + Correct concatenated file name in man page from certificates.crt to + ca-certificates.crt. Closes: #782230 + * mozilla/{certdata.txt,nssckbi.h}: + Update Mozilla certificate authority bundle to version 2.4. 
+ The following certificate authorities were added (+): + + "CFCA EV ROOT" + + "COMODO RSA Certification Authority" + + "Entrust Root Certification Authority - EC1" + + "Entrust Root Certification Authority - G2" + + "GlobalSign ECC Root CA - R4" + + "GlobalSign ECC Root CA - R5" + + "IdenTrust Commercial Root CA 1" + + "IdenTrust Public Sector Root CA 1" + + "S-TRUST Universal Root CA" + + "Staat der Nederlanden EV Root CA" + + "Staat der Nederlanden Root CA - G3" + + "USERTrust ECC Certification Authority" + + "USERTrust RSA Certification Authority" Closes: #762709 + The following certificate authorities were removed (-): + - "America Online Root Certification Authority 1" + - "America Online Root Certification Authority 2" + - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" + - "GTE CyberTrust Global Root" + - "Thawte Premium Server CA" + - "Thawte Server CA" + + -- Michael Shuler <michael@pbandjelly.org> Sun, 26 Apr 2015 10:37:48 -0500 + +ca-certificates (20141019) unstable; urgency=medium + + * debian/copyright: + Add coverage for all files reported by lintian + file-without-copyright-information warning. + * debian/source/lintian-overrides: + Add file-without-copyright-information override for SPI certificate file. + * sbin/update-ca-certificates: + Restore SELinux label after generating ca-certificates.crt file. + Thanks to Laurent Bigonville for the patch. Closes: #742957 + Tidy indentation whitespace. + Thanks to Antonio Terceiro for the patch. Closes: #742663 + * debian/control: + Update to Standards-Version: 3.9.6 (no other changes needed). + Update Vcs-Browser link to cgit URL. + + -- Michael Shuler <michael@pbandjelly.org> Sun, 19 Oct 2014 10:36:49 -0500 + +ca-certificates (20140927) unstable; urgency=medium + + * Update Mozilla certificate authority bundle to version 2.1. 
+ The following certificate authorities were added (+): + + "DigiCert Assured ID Root G2" + + "DigiCert Assured ID Root G3" + + "DigiCert Global Root G2" + + "DigiCert Global Root G3" + + "DigiCert Trusted Root G4" + + "QuoVadis Root CA 1 G3" + + "QuoVadis Root CA 2 G3" + + "QuoVadis Root CA 3 G3" + + "WoSign" + + "WoSign China" + The following certificate authorities were removed (-): + - "Entrust.net Secure Server CA" + - "RSA Root Certificate 1" + - "TDC Internet Root CA" + - "ValiCert Class 1 VA" + - "ValiCert Class 2 VA" + * Include clear list of CAs added/removed, as above, and include better note + in README.Debian for trust reconfiguration. Closes: #743365 + * Remove debian/config in debian/rules clean target. + * Include d/{changelog,NEWS} entries in 20140223 for duplicate CKA_LABEL + rename of "StartCom Certification Authority"_2. + + -- Michael Shuler <michael@pbandjelly.org> Sat, 27 Sep 2014 15:14:00 -0500 + ca-certificates (20140325) unstable; urgency=medium * Update mozilla/certdata.txt to version 1.97+revert_of_936304 diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py index 0482894..7bd4d2d 100644 --- a/mozilla/certdata2pem.py +++ b/mozilla/certdata2pem.py @@ -25,13 +25,19 @@ import os.path import re import sys import textwrap +import io objects = [] # Dirty file parser. in_data, in_multiline, in_obj = False, False, False field, type, value, obj = None, None, None, dict() -for line in open('certdata.txt', 'r'): + +# Python 3 will not let us decode non-ascii characters if we +# have not specified an encoding, but Python 2's open does not +# have an option to set the encoding. Python 3's open is io.open +# and io.open has been backported to Python 2.6 and 2.7, so use io.open. +for line in io.open('certdata.txt', 'rt', encoding='utf8'): # Ignore the file header. if not in_data: if line.startswith('BEGINDATA'): 
@@ -53,7 +59,7 @@ for line in open('certdata.txt', 'r'): if type == 'MULTILINE_OCTAL': line = line.strip() for i in re.finditer(r'\\([0-3][0-7][0-7])', line): - value += chr(int(i.group(1), 8)) + value.append(int(i.group(1), 8)) else: value += line continue @@ -70,13 +76,13 @@ for line in open('certdata.txt', 'r'): field, type = line_parts value = None else: - raise NotImplementedError, 'line_parts < 2 not supported.' + raise NotImplementedError('line_parts < 2 not supported.') if type == 'MULTILINE_OCTAL': in_multiline = True - value = "" + value = bytearray() continue obj[field] = value -if len(obj.items()) > 0: +if len(obj) > 0: objects.append(obj) # Read blacklist. @@ -95,7 +101,7 @@ for obj in objects: if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'): continue if obj['CKA_LABEL'] in blacklist: - print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'] + print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']) elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR', 'CKT_NSS_TRUSTED_DELEGATOR'): trust[obj['CKA_LABEL']] = True @@ -104,13 +110,13 @@ for obj in objects: trust[obj['CKA_LABEL']] = True elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED', 'CKT_NSS_NOT_TRUSTED'): - print '!'*74 - print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'] - print '!'*74 + print('!'*74) + print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']) + print('!'*74) else: - print "Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \ + print("Ignoring certificate %s. SAUTH=%s, EPROT=%s" % \ (obj['CKA_LABEL'], obj['CKA_TRUST_SERVER_AUTH'], - obj['CKA_TRUST_EMAIL_PROTECTION']) + obj['CKA_TRUST_EMAIL_PROTECTION'])) for obj in objects: if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': 
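Review bot: The untouched `else: value += line` branch right after the new `value.append(...)` no longer matches the accumulator's type. The only visible place that sets `in_multiline` (the hunk at -70,13) also initialises `value` as `bytearray()`, and lines read through `io.open(..., encoding='utf8')` are text, so reaching that branch would raise TypeError rather than concatenate. From the visible lines the branch looks unreachable, so I would make that explicit with `raise NotImplementedError('multiline type %s not supported.' % type)`, which keeps a parser that feeds a trust store failing deliberately on an unexpected type. The enclosing loop starts outside this hunk.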
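Review bot: The "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND" banner in the hunk at -104,13 is still written to stdout, interleaved with the routine "Ignoring certificate" lines, so the one message that needs a maintainer's attention is easy to lose in a build log. `sys` is already imported, and `sys.stderr.write("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s\n" % obj['CKA_LABEL'])` behaves the same on Python 2 and 3, whereas `print(..., file=...)` would not without a `__future__` import. Whether the build should stop at that point is a policy decision this page does not settle. The backslash after `%` in the last `print(` is also redundant now that the expression is inside parentheses.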
@@ -121,13 +127,32 @@ for obj in objects: .replace('(', '=')\ .replace(')', '=')\ .replace(',', '_') - bname = bname.decode('string_escape') - fname = bname + '.crt' + + # this is the only way to decode the way NSS stores multi-byte UTF-8 + # and we need an escaped string for checking existence of things + # otherwise we're dependant on the user's current locale. + if bytes != str: + # We're in python 3, convert the utf-8 string to a + # sequence of bytes that represents this utf-8 string + # then encode the byte-sequence as an escaped string that + # can be passed to open() and os.path.exists() + bname = bname.encode('utf-8').decode('unicode_escape').encode('latin-1') + else: + # Python 2 + # Convert the unicode string back to its original byte form + # (contents of files returned by io.open are returned as + # unicode strings) + # then to an escaped string that can be passed to open() + # and os.path.exists() + bname = bname.encode('utf-8').decode('string_escape') + + fname = bname + b'.crt' if os.path.exists(fname): - print "Found duplicate certificate name %s, renaming." % bname - fname = bname + '_2.crt' + print("Found duplicate certificate name %s, renaming." % bname) + fname = bname + b'_2.crt' f = open(fname, 'w') f.write("-----BEGIN CERTIFICATE-----\n") - f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64))) + encoded = base64.b64encode(obj['CKA_VALUE']).decode('utf-8') + f.write("\n".join(textwrap.wrap(encoded, 64))) f.write("\n-----END CERTIFICATE-----\n") |
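Review bot: The escape decoding of `bname` on both the Python 3 and Python 2 branches runs after the `.replace(...)` chain, so any character that chain is meant to neutralise can be reintroduced by an escape sequence in CKA_LABEL and reach `os.path.exists()` and `open()`. The start of the chain is outside this hunk, so whether it also strips path separators is an assumption to confirm; if it does, the sanitising belongs after the decode, e.g. `bname = bname.replace(b'/', b'_')` placed after the `if`/`else` (a NUL byte deserves the same treatment). On the Python 3 branch `.encode('latin-1')` will also raise if an escape decodes to a code point above 255, which is acceptable only if that is the intended failure mode. Separately, the `_2.crt` fallback covers a single collision, so a third certificate with the same label would silently overwrite the second.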