Add d/{changelog,NEWS} entries for 20090814+squeeze1 release

include updates to properly parse newer CKT_NSS trust bits

debian/NEWS

@@ -1,3 +1,130 @@
+ca-certificates (20090814+squeeze1) oldstable; urgency=low
+
+  Update mozilla/certdata.txt to version 1.97.
+    Certificates added (+), removed (-):
+    + "ACCVRAIZ1"
+    + "ACEDICOM Root"
+    + "AC Raíz Certicámara S.A."
+    + "Actalis Authentication Root CA"
+    + "AffirmTrust Commercial"
+    + "AffirmTrust Networking"
+    + "AffirmTrust Premium"
+    + "AffirmTrust Premium ECC"
+    + "ApplicationCA - Japanese Government"
+    + "Atos TrustedRoot 2011"
+    + "A-Trust-nQual-03"
+    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+    + "Buypass Class 2 CA 1"
+    + "Buypass Class 2 Root CA"
+    + "Buypass Class 3 CA 1"
+    + "Buypass Class 3 Root CA"
+    + "CA Disig"
+    + "CA Disig Root R1"
+    + "CA Disig Root R2"
+    + "Certigna"
+    + "Certinomis - Autorité Racine"
+    + "certSIGN ROOT CA"
+    + "Certum Trusted Network CA"
+    + "Chambers of Commerce Root - 2008"
+    + "China Internet Network Information Center EV Certificates Root"
+    + "CNNIC ROOT"
+    + "ComSign CA"
+    + "ComSign Secured CA"
+    + "Cybertrust Global Root"
+    + "Deutsche Telekom Root CA 2"
+    + "D-TRUST Root Class 3 CA 2 2009"
+    + "D-TRUST Root Class 3 CA 2 EV 2009"
+    + "EBG Elektronik Sertifika Hizmet Sağlayıcısı"
+    + "EC-ACC"
+    + "EE Certification Centre Root CA"
+    + "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    + "ePKI Root Certification Authority"
+    + "E-Tugra Certification Authority"
+    + "GeoTrust Primary Certification Authority - G2"
+    + "GeoTrust Primary Certification Authority - G3"
+    + "Global Chambersign Root - 2008"
+    + "GlobalSign Root CA - R3"
+    + "Go Daddy Root Certificate Authority - G2"
+    + "Hellenic Academic and Research Institutions RootCA 2011"
+    + "Hongkong Post Root CA 1"
+    + "IGC/A"
+    + "Izenpe.com"
+    + "Juur-SK"
+    + "Microsec e-Szigno Root CA"
+    + "Microsec e-Szigno Root CA 2009"
+    + "NetLock Arany (Class Gold) Főtanúsítvány"
+    + "OISTE WISeKey Global Root GA CA"
+    + "PSCProcert"
+    + "Root CA Generalitat Valenciana"
+    + "SecureSign RootCA11"
+    + "Security Communication EV RootCA1"
+    + "Security Communication RootCA2"
+    + "SG TRUST SERVICES RACINE"
+    + "Staat der Nederlanden Root CA - G2"
+    + "Starfield Root Certificate Authority - G2"
+    + "Starfield Services Root Certificate Authority - G2"
+    + "StartCom Certification Authority"_2
+    + "StartCom Certification Authority G2"
+    + "S-TRUST Authentication and Encryption Root CA 2005 PN"
+    + "Swisscom Root CA 2"
+    + "Swisscom Root EV CA 2"
+    + "TC TrustCenter Class 2 CA II"
+    + "TC TrustCenter Class 3 CA II"
+    + "TC TrustCenter Universal CA I"
+    + "TeliaSonera Root CA v1"
+    + "thawte Primary Root CA - G2"
+    + "thawte Primary Root CA - G3"
+    + "Trustis FPS Root CA"
+    + "T-TeleSec GlobalRoot Class 2"
+    + "T-TeleSec GlobalRoot Class 3"
+    + "TURKTRUST Certificate Services Provider Root 2007"
+    + "TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3"
+    + "TWCA Global Root CA"
+    + "TWCA Root Certification Authority"
+    + "VeriSign Class 3 Public Primary Certification Authority"_2
+    + "VeriSign Class 3 Public Primary Certification Authority - G4"
+    + "VeriSign Universal Root Certification Authority"
+    - "ABAecom (sub., Am. Bankers Assn.) Root CA"
+    - "AOL Time Warner Root Certification Authority 1"
+    - "AOL Time Warner Root Certification Authority 2"
+    - "beTRUSTed Root CA"
+    - "beTRUSTed Root CA-Baltimore Implementation"
+    - "beTRUSTed Root CA - Entrust Implementation"
+    - "beTRUSTed Root CA - RSA Implementation"
+    - "Digital Signature Trust Co. Global CA 2"
+    - "Digital Signature Trust Co. Global CA 4"
+    - "Entrust.net Global Secure Personal CA"
+    - "Entrust.net Global Secure Server CA"
+    - "Entrust.net Secure Personal CA"
+    - "Equifax Secure eBusiness CA 2"
+    - "Firmaprofesional Root CA"
+    - "GTE CyberTrust Root CA"
+    - "IPS Chained CAs root"
+    - "IPS CLASE1 root"
+    - "IPS CLASE3 root"
+    - "IPS CLASEA1 root"
+    - "IPS CLASEA3 root"
+    - "IPS Servidores root"
+    - "IPS Timestamping root"
+    - "RSA Security 1024 v3"
+    - "StartCom Ltd."
+    - "TC TrustCenter, Germany, Class 2 CA"
+    - "TC TrustCenter, Germany, Class 3 CA"
+    - "TDC OCES Root CA"
+    - "Thawte Personal Basic CA"
+    - "Thawte Personal Freemail CA"
+    - "Thawte Personal Premium CA"
+    - "Thawte Time Stamping CA"
+    - "UTN-USER First-Network Applications"
+    - "Verisign Class 2 Public Primary Certification Authority"
+    - "Verisign Class 4 Public Primary Certification Authority - G2"
+    - "Verisign/RSA Secure Server CA"
+    - "Verisign Time Stamping Authority CA"
+    - "Visa International Global Root 2"
+    - "Wells Fargo Root CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 30 Mar 2014 22:06:04 -0500
+
 ca-certificates (20090708) unstable; urgency=low
 
   * Removed CA files:

debian/changelog

@@ -1,3 +1,151 @@
+ca-certificates (20090814+squeeze1) oldstable; urgency=low
+
+  * Oldstable update including current mozilla/certdata.txt and backported
+    fixes to parse the file.  Closes: #501123
+  * Update Maintainer and Uploaders in d/control.
+  * Fix certdata2pem.py for multiple CAs using the same CKA_LABEL.  Thanks
+    to Marc Deslauriers for the patch.  Closes: #683403, LP: #1031333
+  * Fix certdata2pem.py to parse newer NSS trust bits in certdata.txt.
+  * Update mozilla/certdata.txt to version 1.97 (version now in nssckbi.h).
+    Certificates added (+), removed (-):
+    + "ACCVRAIZ1"
+    + "ACEDICOM Root"
+    + "AC Raíz Certicámara S.A."
+    + "Actalis Authentication Root CA"
+    + "AffirmTrust Commercial"
+    + "AffirmTrust Networking"
+    + "AffirmTrust Premium"
+    + "AffirmTrust Premium ECC"
+    + "ApplicationCA - Japanese Government"
+    + "Atos TrustedRoot 2011"
+    + "A-Trust-nQual-03"
+    + "Autoridad de Certificacion Firmaprofesional CIF A62634068"
+    + "Buypass Class 2 CA 1"
+    + "Buypass Class 2 Root CA"
+    + "Buypass Class 3 CA 1"
+    + "Buypass Class 3 Root CA"
+    + "CA Disig"
+    + "CA Disig Root R1"
+    + "CA Disig Root R2"
+    + "Certigna"
+    + "Certinomis - Autorité Racine"
+    + "certSIGN ROOT CA"
+    + "Certum Trusted Network CA"
+    + "Chambers of Commerce Root - 2008"
+    + "China Internet Network Information Center EV Certificates Root"
+    + "CNNIC ROOT"
+    + "ComSign CA"
+    + "ComSign Secured CA"
+    + "Cybertrust Global Root"
+    + "Deutsche Telekom Root CA 2"
+    + "D-TRUST Root Class 3 CA 2 2009"
+    + "D-TRUST Root Class 3 CA 2 EV 2009"
+    + "EBG Elektronik Sertifika Hizmet Sağlayıcısı"
+    + "EC-ACC"
+    + "EE Certification Centre Root CA"
+    + "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    + "ePKI Root Certification Authority"
+    + "E-Tugra Certification Authority"
+    + "GeoTrust Primary Certification Authority - G2"
+    + "GeoTrust Primary Certification Authority - G3"
+    + "Global Chambersign Root - 2008"
+    + "GlobalSign Root CA - R3"
+    + "Go Daddy Root Certificate Authority - G2"
+    + "Hellenic Academic and Research Institutions RootCA 2011"
+    + "Hongkong Post Root CA 1"
+    + "IGC/A"
+    + "Izenpe.com"
+    + "Juur-SK"
+    + "Microsec e-Szigno Root CA"
+    + "Microsec e-Szigno Root CA 2009"
+    + "NetLock Arany (Class Gold) Főtanúsítvány"
+    + "OISTE WISeKey Global Root GA CA"
+    + "PSCProcert"
+    + "Root CA Generalitat Valenciana"
+    + "SecureSign RootCA11"
+    + "Security Communication EV RootCA1"
+    + "Security Communication RootCA2"
+    + "SG TRUST SERVICES RACINE"
+    + "Staat der Nederlanden Root CA - G2"
+    + "Starfield Root Certificate Authority - G2"
+    + "Starfield Services Root Certificate Authority - G2"
+    + "StartCom Certification Authority"_2
+    + "StartCom Certification Authority G2"
+    + "S-TRUST Authentication and Encryption Root CA 2005 PN"
+    + "Swisscom Root CA 2"
+    + "Swisscom Root EV CA 2"
+    + "TC TrustCenter Class 2 CA II"
+    + "TC TrustCenter Class 3 CA II"
+    + "TC TrustCenter Universal CA I"
+    + "TeliaSonera Root CA v1"
+    + "thawte Primary Root CA - G2"
+    + "thawte Primary Root CA - G3"
+    + "Trustis FPS Root CA"
+    + "T-TeleSec GlobalRoot Class 2"
+    + "T-TeleSec GlobalRoot Class 3"
+    + "TURKTRUST Certificate Services Provider Root 2007"
+    + "TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3"
+    + "TWCA Global Root CA"
+    + "TWCA Root Certification Authority"
+    + "VeriSign Class 3 Public Primary Certification Authority"_2
+    + "VeriSign Class 3 Public Primary Certification Authority - G4"
+    + "VeriSign Universal Root Certification Authority"
+    - "ABAecom (sub., Am. Bankers Assn.) Root CA"
+    - "AOL Time Warner Root Certification Authority 1"
+    - "AOL Time Warner Root Certification Authority 2"
+    - "beTRUSTed Root CA"
+    - "beTRUSTed Root CA-Baltimore Implementation"
+    - "beTRUSTed Root CA - Entrust Implementation"
+    - "beTRUSTed Root CA - RSA Implementation"
+    - "Digital Signature Trust Co. Global CA 2"
+    - "Digital Signature Trust Co. Global CA 4"
+    - "Entrust.net Global Secure Personal CA"
+    - "Entrust.net Global Secure Server CA"
+    - "Entrust.net Secure Personal CA"
+    - "Equifax Secure eBusiness CA 2"
+    - "Firmaprofesional Root CA"
+    - "GTE CyberTrust Root CA"
+    - "IPS Chained CAs root"
+    - "IPS CLASE1 root"
+    - "IPS CLASE3 root"
+    - "IPS CLASEA1 root"
+    - "IPS CLASEA3 root"
+    - "IPS Servidores root"
+    - "IPS Timestamping root"
+    - "RSA Security 1024 v3"
+    - "StartCom Ltd."
+    - "TC TrustCenter, Germany, Class 2 CA"
+    - "TC TrustCenter, Germany, Class 3 CA"
+    - "TDC OCES Root CA"
+    - "Thawte Personal Basic CA"
+    - "Thawte Personal Freemail CA"
+    - "Thawte Personal Premium CA"
+    - "Thawte Time Stamping CA"
+    - "UTN-USER First-Network Applications"
+    - "Verisign Class 2 Public Primary Certification Authority"
+    - "Verisign Class 4 Public Primary Certification Authority - G2"
+    - "Verisign/RSA Secure Server CA"
+    - "Verisign Time Stamping Authority CA"
+    - "Visa International Global Root 2"
+    - "Wells Fargo Root CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 30 Mar 2014 22:06:04 -0500
+
+ca-certificates (20090814+nmu3squeeze1) stable; urgency=low
+
+  * Non-maintainer upload.
+  * No-change upload with incremented version number to avoid a
+    version number conflict with '20090814+nmu3'.
+
+ -- Thijs Kinkhorst <thijs@debian.org>  Tue, 13 Sep 2011 11:29:21 +0200
+
+ca-certificates (20090814+nmu3) squeeze-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Blacklist "DigiNotar Root CA" (Closes: #639744)
+
+ -- Raphael Geissert <geissert@debian.org>  Tue, 30 Aug 2011 21:37:34 -0500
+
 ca-certificates (20090814+nmu2) unstable; urgency=low
 
   * Non-maintainer upload.

debian/control

@@ -1,7 +1,10 @@
 Source: ca-certificates
 Section: misc
 Priority: optional
-Maintainer: Philipp Kern <pkern@debian.org>
+Maintainer: Michael Shuler <michael@pbandjelly.org>
+Uploaders: Raphael Geissert <geissert@debian.org>,
+           Thijs Kinkhorst <thijs@debian.org>,
+           Christian Perrier <bubulle@debian.org>
 Build-Depends: debhelper (>> 4.1.16), po-debconf
 Build-Depends-Indep: python
 Standards-Version: 3.8.2

mozilla/blacklist.txt

@@ -3,3 +3,5 @@
 # MD5 Collision Proof of Concept CA
 "MD5 Collisions Forged Rogue CA 25c3"
 
+# DigiNotar Root CA (see debbug#639744)
+"DigiNotar Root CA"

mozilla/certdata2pem.py

@@ -92,15 +92,18 @@ if os.path.exists('blacklist.txt'):
 # Build up trust database.
 trust = dict()
 for obj in objects:
-    if obj['CKA_CLASS'] != 'CKO_NETSCAPE_TRUST':
+    if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
         continue
     if obj['CKA_LABEL'] in blacklist:
         print "Certificate %s blacklisted, ignoring." % obj['CKA_LABEL']
-    elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+    elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+                                          'CKT_NSS_TRUSTED_DELEGATOR'):
         trust[obj['CKA_LABEL']] = True
-    elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NETSCAPE_TRUSTED_DELEGATOR':
+    elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
+                                               'CKT_NSS_TRUSTED_DELEGATOR'):
         trust[obj['CKA_LABEL']] = True
-    elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NETSCAPE_UNTRUSTED':
+    elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
+                                          'CKT_NSS_NOT_TRUSTED'):
         print '!'*74
         print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
         print '!'*74
@@ -113,11 +116,16 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
-        fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+        bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\
                                       .replace(')', '=')\
-                                      .replace(',', '_') + '.crt'
+                                      .replace(',', '_')
+        bname = bname.decode('string_escape')
+        fname = bname + '.crt'
+        if os.path.exists(fname):
+            print "Found duplicate certificate name %s, renaming." % bname
+            fname = bname + '_2.crt'
         f = open(fname, 'w')
         f.write("-----BEGIN CERTIFICATE-----\n")
         f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))

mozilla/nssckbi.h

@@ -0,0 +1,60 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+ * NSS BUILTINS Version numbers.
+ *
+ * These are the version numbers for the builtins module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes 
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+ * for each NSS minor release AND whenever we change the list of
+ * trusted certificates.  10 minor versions are allocated for each
+ * NSS 3.x branch as follows, allowing us to change the list of
+ * trusted certificates up to 9 times on each branch.
+ *   - NSS 3.5 branch:  3-9
+ *   - NSS 3.6 branch:  10-19
+ *   - NSS 3.7 branch:  20-29
+ *   - NSS 3.8 branch:  30-39
+ *   - NSS 3.9 branch:  40-49
+ *   - NSS 3.10 branch: 50-59
+ *   - NSS 3.11 branch: 60-69
+ *     ...
+ *   - NSS 3.12 branch: 70-89
+ *   - NSS 3.13 branch: 90-99
+ *   - NSS 3.14 branch: 100-109
+ *     ...
+ *   - NSS 3.29 branch: 250-255
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ */
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 1
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 97
+#define NSS_BUILTINS_LIBRARY_VERSION "1.97"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself 
+ * (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */