Automatic import for version 20110830.00

Rosa 2012-02-01 14:52:42 +04:00
commit f25712e6ba
10 changed files with 23528 additions and 0 deletions

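--- a/.abf.yml
+++ b/.abf.yml
@@ -0,0 +1,2 @@
+sources:
+"rootcerts.tar.bz2": 54c4ec6b7d2c04dee64f80a2e1b4fe545b1b7484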

BIN
cacert.org.der Normal file

Binary file not shown.

22591
certdata.txt Normal file

File diff suppressed because it is too large Load diff


@ -0,0 +1,19 @@
--- generate-cacerts.pl 2008-07-05 09:11:11.000000000 +0300
+++ generate-cacerts.pl.1 2008-07-05 19:59:02.000000000 +0300
@@ -116,7 +116,7 @@
{
$cert_alias = "entrust2048ca";
}
- elsif ($cert =~ /www.entrust.net\/CPS /)
+ elsif ($cert =~ /www.entrust.net\/CPS is incorp\. by/)
{
$cert_alias = "entrustsslca";
}
@@ -285,7 +285,6 @@
/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
{
$write_current_cert = 0;
- $pem_file_count--;
}
elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
{
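Review bot: The new pattern on the `+ elsif` line escapes the dot in `incorp\.` but leaves the dots in `www.entrust.net` as wildcards, so the alias test is looser than it reads; `elsif ($cert =~ /www\.entrust\.net\/CPS is incorp\. by/)` matches the literal host name. The second hunk drops `$pem_file_count--` without saying why. Judging from the script added in this commit, the counter is only incremented when a certificate is actually written, so the decrement would make the later count check fail. A line of text ahead of the `---` header saying so would help the next maintainer. Both hunks sit inside an if/elsif chain that starts and ends outside the hunk.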


@ -0,0 +1,65 @@
--- generate-cacerts.pl 2008-07-05 19:59:02.000000000 +0300
+++ generate-cacerts.pl.2 2008-07-05 20:06:42.000000000 +0300
@@ -76,16 +76,14 @@
{
$cert_alias = "verisignclass2g3ca";
}
- elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
- {
- $cert_alias = "verisignclass3ca";
- }
+ # "Class 3 Public Primary Certification Authority" is duplicated,
+ # so using serial number to match it.
+
# Version 1 of Class 3 Public Primary Certification Authority
# - G2 is added. Version 3 is excluded. See below.
- elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
- {
- $cert_alias = "verisignclass3g2ca";
- }
+
+ # "Class 3 Public Primary Certification Authority - G2" is duplicated,
+ # so using serial number to match it.
elsif ($cert =~
/VeriSign Class 3 Public Primary Certification Authority - G3/)
{
@@ -234,6 +232,14 @@
# trustcenterclass2caii
# trustcenterclass4caii
# trustcenteruniversalcai
+ elsif ($cert_alias eq "VERISIGNCLASS3CA")
+ {
+ $cert_alias = "verisignclass3ca";
+ }
+ elsif ($cert_alias eq "VERISIGNCLASS3G2CA")
+ {
+ $cert_alias = "verisignclass3g2ca";
+ }
else
{
# Generate an alias using the OU and CN attributes of the
@@ -264,6 +270,14 @@
$cert_alias = "extra-$_";
}
}
+ elsif ($cert =~ /70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf/)
+ {
+ $cert_alias = "VERISIGNCLASS3CA";
+ }
+ elsif ($cert =~ /7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6/)
+ {
+ $cert_alias = "VERISIGNCLASS3G2CA";
+ }
# When it attempts to parse:
#
# Class 3 Public Primary Certification Authority - G2, Version 3
@@ -308,7 +322,8 @@
print PEM $cert;
close(PEM);
}
- $write_current_cert = 1
+ $write_current_cert = 1;
+ $cert_alias .= "-alt";
}
else
{
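Review bot: The two added serial-number tests (`/70:ba:e4:1d:.../` and `/7d:d9:fe:07:.../`) are unanchored and run against every line of the text dump, and a serial number is only unique per issuer, so the alias is chosen on weaker evidence than the SHA1 fingerprint match the script already uses for its exclusion. Anchoring the test to a line that holds nothing else, e.g. `elsif ($cert =~ /^\s*70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf\s*$/)`, would narrow it. The scheme also appears to rely on the serial line preceding the `Issuer:` line for the same certificate, since the upper-case value is a sentinel that the later `$cert_alias eq "VERISIGNCLASS3CA"` branch turns into the real alias. A comment such as `# Sentinel set from the serial number; rewritten to the final alias in the Issuer branch.` would record that. The enclosing if/elsif chain starts and ends outside these hunks.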


@ -0,0 +1,10 @@
--- generate-cacerts.pl.2 2009-03-23 18:01:32.000000000 +0100
+++ generate-cacerts.pl 2009-03-23 18:23:14.000000000 +0100
@@ -310,6 +310,7 @@
if ($write_current_cert == 1)
{
$pem_file_count++;
+ $cert_alias .= "-alt" while -e "$cert_alias.pem";
open(PEM, ">$cert_alias.pem");
print PEM $cert;
}
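Review bot: The added `-e` loop also fires on a stale `.pem` left in the working directory by an earlier run, so a leftover file is silently stepped around with an `-alt` name and is still picked up by the later `*.pem` import. The `open` on the following context line is the two-argument form with no result check, so a failed create only shows up later as a count mismatch. I would change it to `open(PEM, '>', "$cert_alias.pem") or die "cannot write $cert_alias.pem: $!";` and add a comment on the new line stating that the output directory is expected to be empty at start. The enclosing `elsif` branch starts and ends outside the hunk.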

348
generate-cacerts.pl Normal file

@ -0,0 +1,348 @@
#!/usr/bin/perl
# Copyright (C) 2007, 2008 Red Hat, Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
# OpenSSL's certificate bundle using OpenJDK's keytool.
# First extract each of OpenSSL's bundled certificates into its own
# aliased filename.
$file = $ARGV[1];
open(CERTS, $file);
@certs = <CERTS>;
close(CERTS);
$pem_file_count = 0;
$in_cert_block = 0;
$write_current_cert = 1;
foreach $cert (@certs)
{
if ($cert =~ /Issuer: /)
{
$_ = $cert;
if ($cert =~ /personal-freemail/)
{
$cert_alias = "thawtepersonalfreemailca";
}
elsif ($cert =~ /personal-basic/)
{
$cert_alias = "thawtepersonalbasicca";
}
elsif ($cert =~ /personal-premium/)
{
$cert_alias = "thawtepersonalpremiumca";
}
elsif ($cert =~ /server-certs/)
{
$cert_alias = "thawteserverca";
}
elsif ($cert =~ /premium-server/)
{
$cert_alias = "thawtepremiumserverca";
}
elsif ($cert =~ /Class 1 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass1ca";
}
elsif ($cert =~ /Class 1 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass1g2ca";
}
elsif ($cert =~
/VeriSign Class 1 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass1g3ca";
}
elsif ($cert =~ /Class 2 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass2ca";
}
elsif ($cert =~ /Class 2 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass2g2ca";
}
elsif ($cert =~
/VeriSign Class 2 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass2g3ca";
}
elsif ($cert =~ /Class 3 Public Primary Certification Authority$/)
{
$cert_alias = "verisignclass3ca";
}
# Version 1 of Class 3 Public Primary Certification Authority
# - G2 is added. Version 3 is excluded. See below.
elsif ($cert =~ /Class 3 Public Primary Certification Authority - G2/)
{
$cert_alias = "verisignclass3g2ca";
}
elsif ($cert =~
/VeriSign Class 3 Public Primary Certification Authority - G3/)
{
$cert_alias = "verisignclass3g3ca";
}
elsif ($cert =~
/RSA Data Security.*Secure Server Certification Authority/)
{
$cert_alias = "verisignserverca";
}
elsif ($cert =~ /GTE CyberTrust Global Root/)
{
$cert_alias = "gtecybertrustglobalca";
}
elsif ($cert =~ /Baltimore CyberTrust Root/)
{
$cert_alias = "baltimorecybertrustca";
}
elsif ($cert =~ /www.entrust.net\/Client_CA_Info\/CPS/)
{
$cert_alias = "entrustclientca";
}
elsif ($cert =~ /www.entrust.net\/GCCA_CPS/)
{
$cert_alias = "entrustglobalclientca";
}
elsif ($cert =~ /www.entrust.net\/CPS_2048/)
{
$cert_alias = "entrust2048ca";
}
elsif ($cert =~ /www.entrust.net\/CPS /)
{
$cert_alias = "entrustsslca";
}
elsif ($cert =~ /www.entrust.net\/SSL_CPS/)
{
$cert_alias = "entrustgsslca";
}
elsif ($cert =~ /The Go Daddy Group/)
{
$cert_alias = "godaddyclass2ca";
}
elsif ($cert =~ /Starfield Class 2 Certification Authority/)
{
$cert_alias = "starfieldclass2ca";
}
elsif ($cert =~ /ValiCert Class 2 Policy Validation Authority/)
{
$cert_alias = "valicertclass2ca";
}
elsif ($cert =~ /GeoTrust Global CA$/)
{
$cert_alias = "geotrustglobalca";
}
elsif ($cert =~ /Equifax Secure Certificate Authority/)
{
$cert_alias = "equifaxsecureca";
}
elsif ($cert =~ /Equifax Secure eBusiness CA-1/)
{
$cert_alias = "equifaxsecureebusinessca1";
}
elsif ($cert =~ /Equifax Secure eBusiness CA-2/)
{
$cert_alias = "equifaxsecureebusinessca2";
}
elsif ($cert =~ /Equifax Secure Global eBusiness CA-1/)
{
$cert_alias = "equifaxsecureglobalebusinessca1";
}
elsif ($cert =~ /Sonera Class1 CA/)
{
$cert_alias = "soneraclass1ca";
}
elsif ($cert =~ /Sonera Class2 CA/)
{
$cert_alias = "soneraclass2ca";
}
elsif ($cert =~ /AAA Certificate Services/)
{
$cert_alias = "comodoaaaca";
}
elsif ($cert =~ /AddTrust Class 1 CA Root/)
{
$cert_alias = "addtrustclass1ca";
}
elsif ($cert =~ /AddTrust External CA Root/)
{
$cert_alias = "addtrustexternalca";
}
elsif ($cert =~ /AddTrust Qualified CA Root/)
{
$cert_alias = "addtrustqualifiedca";
}
elsif ($cert =~ /UTN-USERFirst-Hardware/)
{
$cert_alias = "utnuserfirsthardwareca";
}
elsif ($cert =~ /UTN-USERFirst-Client Authentication and Email/)
{
$cert_alias = "utnuserfirstclientauthemailca";
}
elsif ($cert =~ /UTN - DATACorp SGC/)
{
$cert_alias = "utndatacorpsgcca";
}
elsif ($cert =~ /UTN-USERFirst-Object/)
{
$cert_alias = "utnuserfirstobjectca";
}
elsif ($cert =~ /America Online Root Certification Authority 1/)
{
$cert_alias = "aolrootca1";
}
elsif ($cert =~ /DigiCert Assured ID Root CA/)
{
$cert_alias = "digicertassuredidrootca";
}
elsif ($cert =~ /DigiCert Global Root CA/)
{
$cert_alias = "digicertglobalrootca";
}
elsif ($cert =~ /DigiCert High Assurance EV Root CA/)
{
$cert_alias = "digicerthighassuranceevrootca";
}
elsif ($cert =~ /GlobalSign Root CA$/)
{
$cert_alias = "globalsignca";
}
elsif ($cert =~ /GlobalSign Root CA - R2/)
{
$cert_alias = "globalsignr2ca";
}
elsif ($cert =~ /Elektronik.*Kas.*2005/)
{
$cert_alias = "extra-elektronikkas2005";
}
elsif ($cert =~ /Elektronik/)
{
$cert_alias = "extra-elektronik2005";
}
# Mozilla does not provide these certificates:
# baltimorecodesigningca
# gtecybertrust5ca
# trustcenterclass2caii
# trustcenterclass4caii
# trustcenteruniversalcai
else
{
# Generate an alias using the OU and CN attributes of the
# Issuer field if both are present, otherwise use only the
# CN attribute. The Issuer field must have either the OU
# or the CN attribute.
$_ = $cert;
if ($cert =~ /OU=/)
{
s/Issuer:.*?OU=//;
# Remove other occurrences of OU=.
s/OU=.*CN=//;
# Remove CN= if there were not other occurrences of OU=.
s/CN=//;
s/\/emailAddress.*//;
s/Certificate Authority/ca/g;
s/Certification Authority/ca/g;
}
elsif ($cert =~ /CN=/)
{
s/Issuer:.*CN=//;
s/\/emailAddress.*//;
s/Certificate Authority/ca/g;
s/Certification Authority/ca/g;
}
s/\W//g;
tr/A-Z/a-z/;
$cert_alias = "extra-$_";
}
}
# When it attempts to parse:
#
# Class 3 Public Primary Certification Authority - G2, Version 3
#
# keytool says:
#
# #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
# Unparseable AuthorityInfoAccess extension due to
# java.io.IOException: Invalid encoding of URI
#
# If we do not exclude this file
# openjdk/jdk/test/lib/security/cacerts/VerifyCACerts.java fails
# on this cert, printing:
#
# Couldn't verify: java.security.SignatureException: Signature
# does not match.
#
elsif ($cert =~
/A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36/)
{
$write_current_cert = 0;
$pem_file_count--;
}
elsif ($cert eq "-----BEGIN CERTIFICATE-----\n")
{
if ($in_cert_block != 0)
{
die "$file is malformed.";
}
$in_cert_block = 1;
if ($write_current_cert == 1)
{
$pem_file_count++;
open(PEM, ">$cert_alias.pem");
print PEM $cert;
}
}
elsif ($cert eq "-----END CERTIFICATE-----\n")
{
$in_cert_block = 0;
if ($write_current_cert == 1)
{
print PEM $cert;
close(PEM);
}
$write_current_cert = 1
}
else
{
if ($in_cert_block == 1 && $write_current_cert == 1)
{
print PEM $cert;
}
}
}
# Check that the correct number of .pem files were produced.
@pem_files = <*.pem>;
if (@pem_files != $pem_file_count)
{
print "$pem_file_count";
die "Number of .pem files produced does not match".
" number of certs read from $file.";
}
# Now store each cert in the 'cacerts' file using keytool.
$certs_written_count = 0;
foreach $pem_file (@pem_files)
{
system "/bin/echo yes | $ARGV[0] -import".
" -alias `basename $pem_file .pem`".
" -keystore cacerts -storepass 'changeit' -file $pem_file";
unlink($pem_file);
$certs_written_count++;
}
# Check that the correct number of certs were added to the keystore.
if ($certs_written_count != $pem_file_count)
{
die "Number of certs added to keystore does not match".
" number of certs read from $file.";
}
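Review bot: The import loop at the end never checks the result of `system`, so `$certs_written_count` is incremented even when keytool fails and the final comparison with `$pem_file_count` cannot detect a partially populated trust store. The command is also built as one shell string from `$ARGV[0]` and file names taken from the `<*.pem>` glob, with `/bin/echo yes |` answering the trust prompt. The list form of `system` with keytool's `-noprompt` option avoids the shell and the pipe, and lets the exit status be tested. The glob also takes every `.pem` in the current directory rather than only the files this run wrote, so a stray file with the right count would be imported as a root. Separately, `open(CERTS, $file)` near the top is a two-argument open with no error check; `open(CERTS, '<', $file) or die "cannot read $file: $!";` would fail loudly on a missing bundle.

```perl
foreach $pem_file (@pem_files)
{
    # List form: no shell, so the keytool path and file name are passed as-is.
    ($alias = $pem_file) =~ s/\.pem$//;
    system($ARGV[0], "-import", "-noprompt", "-alias", $alias,
           "-keystore", "cacerts", "-storepass", "changeit",
           "-file", $pem_file) == 0
        or die "keytool failed for $pem_file (exit status $?)";
    # … unchanged: unlink($pem_file) and $certs_written_count++ …
}
```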

153
rootcerts-igp-brasil.txt Normal file

@ -0,0 +1,153 @@
#
# Certificate "ICP-Brasil"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ICP-Brasil"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\004
END
CKA_VALUE MULTILINE_OCTAL
\060\202\004\270\060\202\003\240\240\003\002\001\002\002\001\004
\060\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060
\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122\061
\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102\162
\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064\111
\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156\141
\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141\040
\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055\040
\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102\162
\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010\023
\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101\165
\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146\151
\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141\163
\151\154\145\151\162\141\060\036\027\015\060\061\061\061\063\060
\061\062\065\070\060\060\132\027\015\061\061\061\061\063\060\062
\063\065\071\060\060\132\060\201\264\061\013\060\011\006\003\125
\004\006\023\002\102\122\061\023\060\021\006\003\125\004\012\023
\012\111\103\120\055\102\162\141\163\151\154\061\075\060\073\006
\003\125\004\013\023\064\111\156\163\164\151\164\165\164\157\040
\116\141\143\151\157\156\141\154\040\144\145\040\124\145\143\156
\157\154\157\147\151\141\040\144\141\040\111\156\146\157\162\155
\141\143\141\157\040\055\040\111\124\111\061\021\060\017\006\003
\125\004\007\023\010\102\162\141\163\151\154\151\141\061\013\060
\011\006\003\125\004\010\023\002\104\106\061\061\060\057\006\003
\125\004\003\023\050\101\165\164\157\162\151\144\141\144\145\040
\103\145\162\164\151\146\151\143\141\144\157\162\141\040\122\141
\151\172\040\102\162\141\163\151\154\145\151\162\141\060\202\001
\042\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000
\003\202\001\017\000\060\202\001\012\002\202\001\001\000\300\363
\056\167\005\377\206\371\276\122\035\233\376\124\000\160\165\100
\212\306\246\150\271\026\166\114\017\367\364\277\264\342\210\201
\032\313\350\354\276\144\201\245\071\107\135\352\346\055\223\323
\032\377\172\124\246\007\037\064\010\364\275\211\271\202\314\243
\102\217\136\232\307\076\307\251\270\125\154\044\366\052\214\145
\040\212\344\104\044\002\257\324\267\211\373\052\342\304\327\350
\035\176\334\035\042\014\137\122\303\355\340\054\215\255\216\164
\101\136\173\050\315\224\117\314\171\256\271\263\022\072\373\114
\200\206\245\045\000\227\150\025\251\356\261\152\050\276\156\146
\021\325\012\346\131\240\122\000\156\175\056\271\053\216\266\055
\155\030\105\156\205\003\173\120\312\373\244\374\263\222\372\223
\307\074\242\112\133\036\226\275\275\343\063\264\065\102\366\303
\311\353\103\026\136\036\232\235\122\250\325\107\013\161\265\021
\310\107\215\275\231\336\125\022\200\001\116\250\273\007\143\016
\374\045\261\242\262\164\122\260\171\335\023\241\016\073\156\145
\012\201\311\276\301\135\336\115\031\067\351\103\247\117\002\003
\001\000\001\243\201\322\060\201\317\060\116\006\003\125\035\040
\004\107\060\105\060\103\006\005\140\114\001\001\000\060\072\060
\070\006\010\053\006\001\005\005\007\002\001\026\054\150\164\164
\160\072\057\057\141\143\162\141\151\172\056\151\143\160\142\162
\141\163\151\154\056\147\157\166\056\142\162\057\104\120\103\141
\143\162\141\151\172\056\160\144\146\060\075\006\003\125\035\037
\004\066\060\064\060\062\240\060\240\056\206\054\150\164\164\160
\072\057\057\141\143\162\141\151\172\056\151\143\160\142\162\141
\163\151\154\056\147\157\166\056\142\162\057\114\103\122\141\143
\162\141\151\172\056\143\162\154\060\035\006\003\125\035\016\004
\026\004\024\212\372\361\127\204\021\023\065\220\102\372\127\111
\124\151\015\244\304\360\067\060\017\006\003\125\035\023\001\001
\377\004\005\060\003\001\001\377\060\016\006\003\125\035\017\001
\001\377\004\004\003\002\001\006\060\015\006\011\052\206\110\206
\367\015\001\001\005\005\000\003\202\001\001\000\031\003\227\065
\123\370\140\042\036\216\162\002\300\176\042\140\025\152\157\230
\066\126\252\125\167\323\366\307\026\230\374\210\032\033\045\051
\271\270\072\155\355\070\253\142\035\124\305\355\337\101\241\245
\142\062\136\373\334\335\372\054\317\105\260\152\134\365\120\003
\176\004\135\314\044\342\252\126\271\375\141\036\270\226\175\332
\361\360\007\052\112\252\372\012\344\005\301\052\373\344\132\054
\113\071\160\014\000\332\357\111\223\357\006\143\002\144\041\235
\234\166\304\236\260\175\151\123\365\124\037\113\377\311\141\342
\034\354\133\236\330\223\113\167\115\024\071\043\014\152\042\277
\267\277\136\234\243\107\020\015\237\272\221\367\274\110\240\177
\221\041\341\265\100\067\225\150\206\264\346\350\306\071\337\036
\327\101\226\153\324\301\073\153\236\145\024\111\322\171\075\056
\232\123\200\215\035\246\001\273\322\063\225\371\241\046\115\256
\147\255\167\074\223\217\147\345\010\317\002\013\263\013\151\275
\044\221\331\340\104\211\124\004\141\305\327\364\271\236\143\333
\053\357\100\343\253\035\337\172\052\053\311\374
END
# Trust for Certificate "ICP-Brasil"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "ICP-Brasil"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\216\375\312\274\223\346\036\222\135\115\035\355\030\032\103\040
\244\147\241\071
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\226\211\175\141\321\125\053\047\342\132\071\264\052\154\104\157
END
CKA_ISSUER MULTILINE_OCTAL
\060\201\264\061\013\060\011\006\003\125\004\006\023\002\102\122
\061\023\060\021\006\003\125\004\012\023\012\111\103\120\055\102
\162\141\163\151\154\061\075\060\073\006\003\125\004\013\023\064
\111\156\163\164\151\164\165\164\157\040\116\141\143\151\157\156
\141\154\040\144\145\040\124\145\143\156\157\154\157\147\151\141
\040\144\141\040\111\156\146\157\162\155\141\143\141\157\040\055
\040\111\124\111\061\021\060\017\006\003\125\004\007\023\010\102
\162\141\163\151\154\151\141\061\013\060\011\006\003\125\004\010
\023\002\104\106\061\061\060\057\006\003\125\004\003\023\050\101
\165\164\157\162\151\144\141\144\145\040\103\145\162\164\151\146
\151\143\141\144\157\162\141\040\122\141\151\172\040\102\162\141
\163\151\154\145\151\162\141
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\004
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
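Review bot: This file gives no provenance for a root added on top of Mozilla's list, yet the trust block marks it `CKT_NETSCAPE_TRUSTED_DELEGATOR` for server auth, e-mail protection and code signing alike. A header comment should record where the DER came from and how its fingerprint was checked, for example `# Source: <URL the certificate was fetched from>; SHA-1 fingerprint verified against <out-of-band reference> on <date>` (placeholders to be filled in by the packager). The validity field in `CKA_VALUE` appears to decode to a notAfter of 2011-11-30, about three months after this package version, so it is worth confirming the entry is still wanted. If only TLS server validation is needed, the e-mail and code-signing trust lines could be narrowed.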

313
rootcerts.spec Normal file

@ -0,0 +1,313 @@
# don't make useless debug packages
%define _enable_debug_packages %{nil}
%define debug_package %{nil}
# _without = java enabled, _with = java disabled
%if %mdkversion < 200900
%bcond_with java
%else
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif
%endif
Summary: Bundle of CA Root Certificates
Name: rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch: 1
Version: 20110830.00
Release: %mkrel 1
License: GPL
Group: System/Servers
URL: http://www.mandriva.com
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0: rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
Source1: certdata.txt
Source2: rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3: cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4: verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6: generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0: generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1: generate-cacerts-mandriva.patch
# Just rename identically named certificates that are not handled by mandriva.cpatch
Patch2: generate-cacerts-rename-duplicates.patch
BuildRequires: perl openssl nss automake libtool
%if %with java
BuildRequires: java-rpmbuild
%endif
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.
%if %with java
%package java
Summary: Bundle of CA Root Certificates for Java
Group: Development/Java
%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif
%prep
%setup -q -n rootcerts
#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt
# extract the license
head -36 builtins/certdata.txt > LICENSE
# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt
# CAcert
cp %{SOURCE3} .
cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0
%build
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
# new verisign intermediate certificate
# -t trust trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
addbuiltin -n "VeriSign Class 3 Secure Server CA" \
-t "CT,C,C" >> builtins/certdata.txt
perl mkcerts.pl > certs.sh
%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt
%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif
%install
rm -rf %{buildroot}
%makeinstall_std
install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}
install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif
cat > README << EOF
R O O T C E R T S
-----------------
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.
EOF
# fix #58107
install -d %{buildroot}%{_sysconfdir}/ssl
ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
%changelog
* Wed Aug 31 2011 Oden Eriksson <oeriksson@mandriva.com> 1:20110830.00-1mdv2011.0
+ Revision: 697585
- new certdata.txt file (fixes MFSA 2011-34 Protection against fraudulent DigiNotar certificates)
* Fri Aug 12 2011 Oden Eriksson <oeriksson@mandriva.com> 1:20110801.00-1
+ Revision: 694114
- fix deps (wtf?)
- new certdata.txt file as of august the first 2011
* Mon May 09 2011 Oden Eriksson <oeriksson@mandriva.com> 1:20110413.00-1
+ Revision: 673014
- whoops, forgot to drop the patch
- new certdata.txt from upstream cvs as of 2011/04/13
* Thu May 05 2011 Oden Eriksson <oeriksson@mandriva.com> 1:20110323.00-2
+ Revision: 669429
- mass rebuild
* Fri Mar 25 2011 Oden Eriksson <oeriksson@mandriva.com> 1:20110323.00-1
+ Revision: 648516
- new certdata.txt file from upstream (2011/03/23)
* Sat Dec 25 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20101202.00-1mdv2011.0
+ Revision: 624972
- new certdata.txt file from upstream cvs (20101202)
* Thu Nov 25 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20101119.00-1mdv2011.0
+ Revision: 601001
- new certdata.txt from upstream (2010-11-19)
* Thu Sep 09 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100827.00-1mdv2011.0
+ Revision: 576922
- new certdata.txt file as of 2010/08/27
* Mon May 17 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100408.00-1mdv2010.1
+ Revision: 544960
- drop the RSA Security 1024 V3 Root cert
* Tue Apr 06 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100403.01-1mdv2010.1
+ Revision: 532249
- new certdata.txt from upstream (20100403)
* Fri Mar 12 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20100216.01-1mdv2010.1
+ Revision: 518349
- fix #58107 (provide compatibility symlink for Adobe Flash)
- new certdata.txt (20100216) from upstream
* Wed Feb 03 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.04-1mdv2010.1
+ Revision: 500052
- P3: remove the offending MD5 Collisions Forged Rogue CA 25c3 cert
* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.03-1mdv2010.1
+ Revision: 497698
- avoid making useless (empty) debug packages
* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.02-1mdv2010.1
+ Revision: 497654
- fix the bcond stuff (thanks anssi)
* Thu Jan 28 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.01-1mdv2010.1
+ Revision: 497593
- disable java cert generations on older products
* Sun Jan 24 2010 Oden Eriksson <oeriksson@mandriva.com> 1:20091203.00-1mdv2010.1
+ Revision: 495449
- new certdata.txt file as of 2009/12/03
- the java certs won't build unless using a safe locale
* Mon Oct 19 2009 Anssi Hannula <anssi@mandriva.org> 1:20090831.00-1mdv2010.0
+ Revision: 458242
- add multiple "-alt" suffixes to java certificate shortnames if more
than 2 certificates share the same name
(cacerts-rename-duplicates.patch modified)
+ Oden Eriksson <oeriksson@mandriva.com>
- new certdata.txt from mozilla
* Mon Sep 28 2009 Olivier Blin <blino@mandriva.org> 1:20090814.00-2mdv2010.0
+ Revision: 450336
- disable java on mips & arm, implying it's not noarch anymore
(from Arnaud Patard)
* Sat Aug 22 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20090814.00-1mdv2010.0
+ Revision: 419733
- new snapshot (20090814)
* Sun Aug 02 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20090521.00-1mdv2010.0
+ Revision: 407545
- new cvs snap (20090521)
- the IGC/A cert was added upstream (S5)
* Mon Mar 23 2009 Anssi Hannula <anssi@mandriva.org> 1:20090115.00-1mdv2009.1
+ Revision: 360711
- java: rename identically named certificates that are not handled by
mandriva.patch
+ Oden Eriksson <oeriksson@mandriva.com>
- new certdata.txt file
* Sat Jan 24 2009 Oden Eriksson <oeriksson@mandriva.com> 1:20081017.00-2mdv2009.1
+ Revision: 333321
- roll back the certdata.txt file for now
- new certdata.txt file
* Fri Oct 24 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20081017.00-1mdv2009.1
+ Revision: 296928
- new S1
* Sat Jul 05 2008 Anssi Hannula <anssi@mandriva.org> 1:20080503.00-2mdv2009.0
+ Revision: 232015
- add java subpackage that contains cacerts file for JRE, and a
--with[out] java build option to disable it
* Fri Jul 04 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20080503.00-1mdv2009.0
+ Revision: 231658
- new certdata.txt
* Wed Jun 18 2008 Thierry Vignaud <tv@mandriva.org> 1:20080117.00-2mdv2009.0
+ Revision: 225323
- rebuild
* Thu Feb 14 2008 Oden Eriksson <oeriksson@mandriva.com> 1:20080117.00-1mdv2008.1
+ Revision: 168072
- new certdata.txt (Guenter Knauf)
* Thu Dec 20 2007 Oden Eriksson <oeriksson@mandriva.com> 1:20070713.00-1mdv2008.1
+ Revision: 135400
- new S1 from upstream cvs
* Mon Dec 17 2007 Thierry Vignaud <tv@mandriva.org> 1:20070402.00-1mdv2008.1
+ Revision: 126645
- kill re-definition of %%buildroot on Pixel's request
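Review bot: In `%files`, `ca-bundle.crt`, `certdata.txt` and the Java `cacerts` are all marked `%config(noreplace)`, so on a system where an administrator has edited one of them an upgrade leaves the old trust store in place and installs the new one as `.rpmnew`. For a release whose changelog entry is the removal of the fraudulent DigiNotar certificates, that means the fix may not reach the file applications actually read. I would use plain `%config %{_sysconfdir}/pki/tls/certs/ca-bundle.crt` (and likewise for `cacerts`), or state the caveat in the README. The `%description` and README also say the bundle is extracted from Mozilla's list, while `%prep` and `%build` append Source2, Source3 and Source4 with `-t "CT,C,C"`; the text should name those additions so users know which roots are distribution-specific.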


@ -0,0 +1,27 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----