"Downgrade" debian/gbp.conf for wheezy.

todo: update adds/removes

debian/NEWS

@@ -1,3 +1,141 @@
+ca-certificates (20130119+deb7u2) wheezy; urgency=medium
+
+  Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+    now untrusted by the major browser vendors.
+  Update Mozilla certificate authority bundle to version 2.14.
+    The following certificate authorities were added (+):
+    + "AC RAIZ FNMT-RCM"
+    + "Amazon Root CA 1"
+    + "Amazon Root CA 2"
+    + "Amazon Root CA 3"
+    + "Amazon Root CA 4"
+    + "Certinomis - Root CA"
+    + "Certplus Root CA G1"
+    + "Certplus Root CA G2"
+    + "Certum Trusted Network CA 2"
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "D-TRUST Root CA 3 2013"
+    + "DigiCert Assured ID Root G2"
+    + "DigiCert Assured ID Root G3"
+    + "DigiCert Global Root G2"
+    + "DigiCert Global Root G3"
+    + "DigiCert Trusted Root G4"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "Hellenic Academic and Research Institutions ECC RootCA 2015"
+    + "Hellenic Academic and Research Institutions RootCA 2015"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "ISRG Root X1"
+    + "LuxTrust Global Root 2"
+    + "OISTE WISeKey Global Root GB CA"
+    + "OpenTrust Root CA G1"
+    + "OpenTrust Root CA G2"
+    + "OpenTrust Root CA G3"
+    + "QuoVadis Root CA 1 G3"
+    + "QuoVadis Root CA 2 G3"
+    + "QuoVadis Root CA 3 G3"
+    + "S-TRUST Universal Root CA"
+    + "SZAFIR ROOT CA2"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "Symantec Class 1 Public Primary Certification Authority - G4"
+    + "Symantec Class 1 Public Primary Certification Authority - G6"
+    + "Symantec Class 2 Public Primary Certification Authority - G4"
+    + "Symantec Class 2 Public Primary Certification Authority - G6"
+    + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "ApplicationCA - Japanese Government"
+    - "Buypass Class 2 CA 1"
+    - "Buypass Class 3 CA 1"
+    - "CA Disig"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "EBG Elektronik Sertifika Hizmet Saglayicisi"
+    - "Entrust.net Secure Server CA"
+    - "Equifax Secure CA"
+    - "Equifax Secure eBusiness CA 1"
+    - "Equifax Secure Global eBusiness CA"
+    - "GTE CyberTrust Global Root"
+    - "IGC/A"
+    - "Juur-SK"
+    - "Microsec e-Szigno Root CA"
+    - "NetLock Business (Class B) Root"
+    - "NetLock Express (Class C) Root"
+    - "NetLock Notary (Class A) Root"
+    - "NetLock Qualified (Class QA) Root"
+    - "Root CA Generalitat Valenciana"
+    - "RSA Root Certificate 1"
+    - "RSA Security 2048 v3"
+    - "S-TRUST Authentication and Encryption Root CA 2005 PN"
+    - "SG TRUST SERVICES RACINE"
+    - "Sonera Class 1 Root CA"
+    - "Staat der Nederlanden Root CA"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "TDC Internet Root CA"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "ValiCert Class 1 VA"
+    - "ValiCert Class 2 VA"
+    - "Verisign Class 1 Public Primary Certification Authority"
+    - "Verisign Class 1 Public Primary Certification Authority - G2"
+    - "Verisign Class 2 Public Primary Certification Authority - G2"
+    - "Verisign Class 3 Public Primary Certification Authority"
+    - "Verisign Class 3 Public Primary Certification Authority - G2"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+    - "WellsSecure Public Root Certificate Authority"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Tue, 18 Jul 2017 21:58:24 -0500
+
+ca-certificates (20130119+deb7u1) stable; urgency=low
+
+  Update mozilla/certdata.txt to version 1.97
+    Certificates added (+), removed (-), and renamed (~):
+    + "ACCVRAIZ1"
+    + "Atos TrustedRoot 2011"
+    + "CA Disig Root R1"
+    + "CA Disig Root R2"
+    + "China Internet Network Information Center EV Certificates Root"
+    + "D-TRUST Root Class 3 CA 2 2009"
+    + "D-TRUST Root Class 3 CA 2 EV 2009"
+    + "E-Tugra Certification Authority"
+    + "PSCProcert"
+    + "SG TRUST SERVICES RACINE"
+    + "StartCom Certification Authority"
+    ~ "StartCom Certification Authority"_2
+      (both StartCom CAs now included with duplicate CKA_LABEL fix)
+    + "Swisscom Root CA 2"
+    + "Swisscom Root EV CA 2"
+    + "T-TeleSec GlobalRoot Class 2"
+    + "TURKTRUST Certificate Services Provider Root 2007"
+    + "TWCA Global Root CA"
+    + "TeliaSonera Root CA v1"
+    + "Verisign Class 3 Public Primary Certification Authority"
+    ~ "Verisign Class 3 Public Primary Certification Authority"_2
+      (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
+    - "Equifax Secure eBusiness CA 2"
+    - "Firmaprofesional Root CA"
+    - "TC TrustCenter Universal CA III"
+    - "TDC OCES Root CA"
+    - "Wells Fargo Root CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 30 Mar 2014 17:49:01 -0500
+
 ca-certificates (20130119) unstable; urgency=low
 
   Update mozilla/certdata.txt to version 1.87

debian/changelog

@@ -1,3 +1,182 @@
+ca-certificates (20130119+deb7u3) wheezy-security; urgency=high
+
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.22.
+    The following certificate authorities were added (+):
+    + "GDCA TrustAUTH R5 ROOT"
+    + "SSL.com EV Root Certification Authority ECC"
+    + "SSL.com EV Root Certification Authority RSA R2"
+    + "SSL.com Root Certification Authority ECC"
+    + "SSL.com Root Certification Authority RSA"
+    + "TrustCor ECA-1"
+    + "TrustCor RootCert CA-1"
+    + "TrustCor RootCert CA-2"
+    The following certificate authorities were removed (-):
+    - "ACEDICOM Root"
+    - "AddTrust Public Services Root"
+    - "AddTrust Qualified Certificates Root"
+    - "CA Disig Root R1"
+    - "CNNIC ROOT"
+    - "Certinomis - Autorité Racine"
+    - "China Internet Network Information Center EV Certificates Root"
+    - "Comodo Secure Services root"
+    - "Comodo Trusted Services root"
+    - "DST ACES CA X6"
+    - "GeoTrust Global CA 2"
+    - "PSCProcert"
+    - "Security Communication EV RootCA1"
+    - "Swisscom Root CA 1"
+    - "Swisscom Root EV CA 2"
+    - "TUBITAK UEKAE Kok Sertifika Hizmet Saglayicisi - Surum 3"
+    - "TURKTRUST Certificate Services Provider Root 2007"
+    - "UTN USERFirst Hardware Root CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Thu, 05 Jul 2018 17:10:00 -0500
+
+ca-certificates (20130119+deb7u2) wheezy-security; urgency=medium
+
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+    now untrusted by the major browser vendors. Closes: #858539
+  * mozilla/{certdata.txt,nssckbi.h}:
+    Update Mozilla certificate authority bundle to version 2.14.
+    Closes: #858064
+    The following certificate authorities were added (+):
+    + "AC RAIZ FNMT-RCM"
+    + "Amazon Root CA 1"
+    + "Amazon Root CA 2"
+    + "Amazon Root CA 3"
+    + "Amazon Root CA 4"
+    + "Certinomis - Root CA"
+    + "Certplus Root CA G1"
+    + "Certplus Root CA G2"
+    + "Certum Trusted Network CA 2"
+    + "CFCA EV ROOT"
+    + "COMODO RSA Certification Authority"
+    + "D-TRUST Root CA 3 2013"
+    + "DigiCert Assured ID Root G2"
+    + "DigiCert Assured ID Root G3"
+    + "DigiCert Global Root G2"
+    + "DigiCert Global Root G3"
+    + "DigiCert Trusted Root G4"
+    + "Entrust Root Certification Authority - EC1"
+    + "Entrust Root Certification Authority - G2"
+    + "GlobalSign ECC Root CA - R4"
+    + "GlobalSign ECC Root CA - R5"
+    + "Hellenic Academic and Research Institutions ECC RootCA 2015"
+    + "Hellenic Academic and Research Institutions RootCA 2015"
+    + "IdenTrust Commercial Root CA 1"
+    + "IdenTrust Public Sector Root CA 1"
+    + "ISRG Root X1"
+    + "LuxTrust Global Root 2"
+    + "OISTE WISeKey Global Root GB CA"
+    + "OpenTrust Root CA G1"
+    + "OpenTrust Root CA G2"
+    + "OpenTrust Root CA G3"
+    + "QuoVadis Root CA 1 G3"
+    + "QuoVadis Root CA 2 G3"
+    + "QuoVadis Root CA 3 G3"
+    + "S-TRUST Universal Root CA"
+    + "SZAFIR ROOT CA2"
+    + "Staat der Nederlanden EV Root CA"
+    + "Staat der Nederlanden Root CA - G3"
+    + "Symantec Class 1 Public Primary Certification Authority - G4"
+    + "Symantec Class 1 Public Primary Certification Authority - G6"
+    + "Symantec Class 2 Public Primary Certification Authority - G4"
+    + "Symantec Class 2 Public Primary Certification Authority - G6"
+    + "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1"
+    + "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
+    + "USERTrust ECC Certification Authority"
+    + "USERTrust RSA Certification Authority"
+    The following certificate authorities were removed (-):
+    - "A-Trust-nQual-03"
+    - "America Online Root Certification Authority 1"
+    - "America Online Root Certification Authority 2"
+    - "ApplicationCA - Japanese Government"
+    - "Buypass Class 2 CA 1"
+    - "Buypass Class 3 CA 1"
+    - "CA Disig"
+    - "ComSign Secured CA"
+    - "Digital Signature Trust Co. Global CA 1"
+    - "Digital Signature Trust Co. Global CA 3"
+    - "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi"
+    - "EBG Elektronik Sertifika Hizmet Saglayicisi"
+    - "Entrust.net Secure Server CA"
+    - "Equifax Secure CA"
+    - "Equifax Secure eBusiness CA 1"
+    - "Equifax Secure Global eBusiness CA"
+    - "GTE CyberTrust Global Root"
+    - "IGC/A"
+    - "Juur-SK"
+    - "Microsec e-Szigno Root CA"
+    - "NetLock Business (Class B) Root"
+    - "NetLock Express (Class C) Root"
+    - "NetLock Notary (Class A) Root"
+    - "NetLock Qualified (Class QA) Root"
+    - "Root CA Generalitat Valenciana"
+    - "RSA Root Certificate 1"
+    - "RSA Security 2048 v3"
+    - "S-TRUST Authentication and Encryption Root CA 2005 PN"
+    - "SG TRUST SERVICES RACINE"
+    - "Sonera Class 1 Root CA"
+    - "Staat der Nederlanden Root CA"
+    - "TC TrustCenter Class 2 CA II"
+    - "TC TrustCenter Universal CA I"
+    - "TDC Internet Root CA"
+    - "Thawte Premium Server CA"
+    - "Thawte Server CA"
+    - "TURKTRUST Certificate Services Provider Root 1"
+    - "TURKTRUST Certificate Services Provider Root 2"
+    - "UTN DATACorp SGC Root CA"
+    - "ValiCert Class 1 VA"
+    - "ValiCert Class 2 VA"
+    - "Verisign Class 1 Public Primary Certification Authority"
+    - "Verisign Class 1 Public Primary Certification Authority - G2"
+    - "Verisign Class 2 Public Primary Certification Authority - G2"
+    - "Verisign Class 3 Public Primary Certification Authority"
+    - "Verisign Class 3 Public Primary Certification Authority - G2"
+    - "Verisign Class 4 Public Primary Certification Authority - G3"
+    - "WellsSecure Public Root Certificate Authority"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Tue, 18 Jul 2017 21:58:24 -0500
+
+ca-certificates (20130119+deb7u1) stable; urgency=low
+
+  * Stable update including one patch and current mozilla/certdata.txt.
+    Closes: #501123
+  * Fix certdata2pem.py for multiple CAs using the same CKA_LABEL.  Thanks
+    to Marc Deslauriers for the patch.  Closes: #683403, LP: #1031333
+  * Update mozilla/certdata.txt to version 1.97 (version now in nssckbi.h).
+    Certificates added (+), removed (-), and renamed (~):
+    + "ACCVRAIZ1"                                                         
+    + "Atos TrustedRoot 2011"
+    + "CA Disig Root R1"
+    + "CA Disig Root R2"
+    + "China Internet Network Information Center EV Certificates Root"
+    + "D-TRUST Root Class 3 CA 2 2009"
+    + "D-TRUST Root Class 3 CA 2 EV 2009"
+    + "E-Tugra Certification Authority"
+    + "PSCProcert"
+    + "SG TRUST SERVICES RACINE"
+    + "StartCom Certification Authority"
+    ~ "StartCom Certification Authority"_2
+      (both StartCom CAs now included with duplicate CKA_LABEL fix)
+    + "Swisscom Root CA 2"
+    + "Swisscom Root EV CA 2"
+    + "T-TeleSec GlobalRoot Class 2"
+    + "TURKTRUST Certificate Services Provider Root 2007"
+    + "TWCA Global Root CA"
+    + "TeliaSonera Root CA v1"
+    + "Verisign Class 3 Public Primary Certification Authority"
+    ~ "Verisign Class 3 Public Primary Certification Authority"_2
+      (both Verisign Class 3 CAs now included with duplicate CKA_LABEL fix)
+    - "Equifax Secure eBusiness CA 2"
+    - "Firmaprofesional Root CA"
+    - "TC TrustCenter Universal CA III"
+    - "TDC OCES Root CA"
+    - "Wells Fargo Root CA"
+
+ -- Michael Shuler <michael@pbandjelly.org>  Sun, 30 Mar 2014 17:49:01 -0500
+
 ca-certificates (20130119) unstable; urgency=low
 
   * Update mozilla/certdata.txt to version 1.87  Closes: #697366

debian/gbp.conf

@@ -0,0 +1,2 @@
+[git-buildpackage]
+debian-branch = debian-wheezy

mozilla/blacklist.txt

@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+#         | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"

mozilla/certdata2pem.py

@@ -116,12 +116,16 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
-        fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
+        bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\
                                       .replace(')', '=')\
-                                      .replace(',', '_') + '.crt'
-        fname = fname.decode('string_escape')
+                                      .replace(',', '_')
+        bname = bname.decode('string_escape')
+        fname = bname + '.crt'
+        if os.path.exists(fname):
+            print "Found duplicate certificate name %s, renaming." % bname
+            fname = bname + '_2.crt'
         f = open(fname, 'w')
         f.write("-----BEGIN CERTIFICATE-----\n")
         f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))

mozilla/nssckbi.h

@@ -0,0 +1,61 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef NSSCKBI_H
+#define NSSCKBI_H
+
+/*
+ * NSS BUILTINS Version numbers.
+ *
+ * These are the version numbers for the builtins module packaged with
+ * this release on NSS. To determine the version numbers of the builtin
+ * module you are using, use the appropriate PKCS #11 calls.
+ *
+ * These version numbers detail changes to the PKCS #11 interface. They map
+ * to the PKCS #11 spec versions.
+ */
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MAJOR 2
+#define NSS_BUILTINS_CRYPTOKI_VERSION_MINOR 20
+
+/* These version numbers detail the changes
+ * to the list of trusted certificates.
+ *
+ * The NSS_BUILTINS_LIBRARY_VERSION_MINOR macro needs to be bumped
+ * whenever we change the list of trusted certificates.
+ *
+ * Please use the following rules when increasing the version number:
+ *
+ * - starting with version 2.14, NSS_BUILTINS_LIBRARY_VERSION_MINOR
+ *   must always be an EVEN number (e.g. 16, 18, 20 etc.)
+ *
+ * - whenever possible, if older branches require a modification to the
+ *   list, these changes should be made on the main line of development (trunk),
+ *   and the older branches should update to the most recent list.
+ * 
+ * - ODD minor version numbers are reserved to indicate a snapshot that has
+ *   deviated from the main line of development, e.g. if it was necessary
+ *   to modify the list on a stable branch.
+ *   Once the version has been changed to an odd number (e.g. 2.13) on a branch,
+ *   it should remain unchanged on that branch, even if further changes are
+ *   made on that branch.
+ *
+ * NSS_BUILTINS_LIBRARY_VERSION_MINOR is a CK_BYTE.  It's not clear
+ * whether we may use its full range (0-255) or only 0-99 because
+ * of the comment in the CK_VERSION type definition.
+ * It's recommend to switch back to 0 after having reached version 98/99.
+ */
+#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 22
+#define NSS_BUILTINS_LIBRARY_VERSION "2.22"
+
+/* These version numbers detail the semantic changes to the ckfw engine. */
+#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_HARDWARE_VERSION_MINOR 0
+
+/* These version numbers detail the semantic changes to ckbi itself
+ * (new PKCS #11 objects), etc. */
+#define NSS_BUILTINS_FIRMWARE_VERSION_MAJOR 1
+#define NSS_BUILTINS_FIRMWARE_VERSION_MINOR 0
+
+#endif /* NSSCKBI_H */