From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/2] ca-certificates: Rebase patch for removing TrustCor root CAs
Date: Sun, 05 Mar 2023 20:39:51 +0000
Message-ID: <590c63e4-139f-f598-3dce-58db7492aad5@ipfire.org>
In-Reply-To: <74bcbc48-8208-d7da-89a0-60afcdccf600@ipfire.org>
This is necessary since the certdata2pem.py script does not take
meta information such as "distrust after date" into account, hence
Mozilla's changes to TrustCor's root CAs are not sufficient to have them
removed from or distrusted on IPFire installations.
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
...tes-Remove-TrustCor-Systems-root-CAs.patch | 45 +++++++++++++------
1 file changed, 32 insertions(+), 13 deletions(-)
diff --git a/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch b/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch
index 99498a41a..889d5e63a 100644
--- a/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch
+++ b/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch
@@ -1,9 +1,10 @@
---- certdata.txt 2022-12-01 10:23:58.186454756 +0100
-+++ certdata.txt 2022-12-01 10:25:19.587297113 +0100
-@@ -15292,517 +15292,6 @@
+--- certdata.txt
++++ certdata.txt
+@@ -14609,536 +14609,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
- #
+
+-#
-# Certificate "TrustCor RootCert CA-1"
-#
-# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
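Review bot: The rebased inner hunk header (`@@ -14609,536 +14609,6 @@`) still pins the removal to a fixed offset and line count in certdata.txt, so the patch will need another manual rebase whenever upstream moves or edits these blocks, as happened here. Since the stated reason for carrying it is that certdata2pem.py ignores the distrust-after metadata, consider teaching the script to honour those attributes or to drop roots by label, or at least document the rebase step next to the patch file.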
@@ -120,8 +121,14 @@
-\132\171\054\031
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
--CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
--CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+-# For Server Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
+-# For Email Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
-
-# Trust for "TrustCor RootCert CA-1"
-# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
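Review bot: The commit message should say that deleting the roots is stricter than the upstream state visible in the removed lines of this hunk, where `CKA_NSS_SERVER_DISTRUST_AFTER` and `CKA_NSS_EMAIL_DISTRUST_AFTER` only set a cut-off of Nov 30 2022. With the whole block removed, certificates issued under these roots before that date will stop validating on IPFire as well; a sentence stating that this is intended would help whoever rebases the patch next.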
@@ -313,8 +320,15 @@
-\326\354\011
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
--CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
--CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+-# For Server Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
+-# For Email Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
+-
-
-# Trust for "TrustCor RootCert CA-2"
-# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
@@ -471,8 +485,14 @@
-\264\237\327\346
-END
-CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
--CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
--CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
+-# For Server Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
+-# For Email Distrust After: Wed Nov 30 00:00:00 2022
+-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
+-\062\062\061\061\063\060\060\060\060\060\060\060\132
+-END
-
-# Trust for "TrustCor ECA-1"
-# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
@@ -514,7 +534,6 @@
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
--#
+ #
# Certificate "SSL.com Root Certification Authority RSA"
#
- # Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
--
2.35.3
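
An added example, not part of the original mail and not IPFire's certdata2pem.py: a small Python reader for the distrust-after attributes the commit message says are ignored, showing that the MULTILINE_OCTAL value in the patch decodes to the date given in its comment. The sample input is constructed, and `decode_octal` and `distrust_after` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in certdata.txt syntax; the octal value is the one from the patch.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "TrustCor RootCert CA-1"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Constructed Example Root"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def decode_octal(lines):
    """Turn MULTILINE_OCTAL body lines (backslash + three octal digits) into bytes."""
    return bytes(int(o, 8) for line in lines for o in re.findall(r'\\([0-7]{3})', line))

def distrust_after(text, attr="CKA_NSS_SERVER_DISTRUST_AFTER"):
    """Map certificate label -> distrust-after time (UTC) for roots that set one."""
    result, label, lines = {}, None, iter(text.splitlines())
    for line in lines:
        if line.startswith("CKA_CLASS"):
            label = None                          # a new object begins
        elif line.startswith("CKA_LABEL"):
            label = line.split('"')[1]
        elif line.split() == [attr, "MULTILINE_OCTAL"]:
            body = []
            for octal_line in lines:              # consume the value up to END
                if octal_line.strip() == "END":
                    break
                body.append(octal_line)
            stamp = decode_octal(body).decode("ascii")    # UTCTime: YYMMDDHHMMSSZ
            when = datetime.strptime(stamp, "%y%m%d%H%M%SZ")
            result[label] = when.replace(tzinfo=timezone.utc)
    return result                                 # CK_BBOOL CK_FALSE entries are skipped

if __name__ == "__main__":
    for name, when in distrust_after(SAMPLE).items():
        print(f"{name}: server distrust after {when:%Y-%m-%d %H:%M:%S} UTC")
```
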