No commits in common. 'c9' and 'i8' have entirely different histories.
c9 ... i8

@ -58327,3 +58327,469 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Root CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\302\060\202\003\252\240\003\002\001\002\002\002\020
\000\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\061\062\061\060\064
\061\065\132\027\015\063\062\060\062\062\067\062\061\060\064\061
\065\132\060\160\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\040\060\036\006\003\125\004\003\014\027\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\122\157\157
\164\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
\002\202\002\001\000\307\305\071\237\051\120\002\367\372\275\247
\252\241\064\146\236\166\261\351\127\260\241\205\142\201\264\030
\316\133\303\075\133\110\133\102\267\340\031\100\310\144\131\010
\136\043\172\150\144\004\350\140\233\272\366\221\313\051\056\220
\134\030\260\004\055\134\277\066\046\121\202\214\141\220\273\214
\116\130\204\105\066\155\042\364\231\176\315\150\314\114\016\141
\366\374\334\056\071\124\143\360\342\046\125\256\154\324\136\024
\316\176\012\277\163\305\224\060\143\215\050\327\051\126\075\222
\150\324\006\305\320\254\201\336\152\251\224\042\303\310\224\325
\224\236\051\227\113\102\064\151\261\061\252\106\335\255\166\327
\143\000\216\136\023\216\332\220\324\307\167\044\230\231\102\061
\101\232\161\104\347\312\134\220\133\145\154\044\214\210\030\017
\025\323\034\335\151\345\027\203\105\131\351\231\215\122\276\130
\005\352\377\020\003\213\075\277\015\142\233\000\204\227\266\231
\170\314\007\362\175\034\333\050\024\300\105\047\111\113\071\077
\376\165\013\343\155\324\131\240\344\374\172\242\151\132\165\103
\123\344\013\376\241\031\237\076\173\067\317\016\130\315\353\151
\262\144\104\327\124\375\236\361\345\041\110\063\321\153\252\323
\174\305\354\054\210\025\201\043\102\272\134\133\216\004\344\303
\341\135\074\243\204\363\047\317\202\162\256\127\224\045\026\330
\276\074\245\223\102\142\340\103\174\030\173\027\031\001\356\240
\340\030\070\232\176\321\044\145\227\300\245\030\066\023\343\075
\033\314\044\064\244\317\054\067\070\300\175\005\015\070\243\206
\014\121\335\216\017\211\055\107\057\146\141\303\266\303\334\046
\354\226\141\006\201\371\347\146\210\315\220\233\134\055\340\107
\004\266\271\333\367\122\300\325\070\131\142\356\155\246\022\210
\011\200\364\205\014\137\137\321\245\372\161\073\027\170\142\111
\241\317\336\350\025\265\032\014\221\142\244\210\040\307\233\027
\170\360\045\221\067\126\236\377\221\130\034\145\047\003\020\333
\232\004\036\144\140\270\326\037\341\232\377\107\032\375\161\057
\167\143\351\235\134\206\132\004\101\064\051\055\242\055\032\232
\072\045\201\222\057\110\061\005\070\246\032\217\070\020\032\033
\260\076\170\377\017\002\003\001\000\001\243\146\060\144\060\035
\006\003\125\035\016\004\026\004\024\341\321\201\345\316\132\137
\004\252\322\351\266\235\146\261\305\372\254\054\207\060\037\006
\003\125\035\043\004\030\060\026\200\024\341\321\201\345\316\132
\137\004\252\322\351\266\235\146\261\305\372\254\054\207\060\022
\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
\001\004\060\016\006\003\125\035\017\001\001\377\004\004\003\002
\001\206\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\000\262\030\327\011\042\226\337\356\255
\361\025\063\233\312\316\276\256\264\347\203\130\045\034\316\145
\227\375\025\370\226\072\121\166\001\176\345\360\010\113\213\307
\266\145\344\252\224\202\071\127\226\122\262\125\365\013\331\237
\242\366\333\266\160\270\115\171\161\150\274\014\040\332\227\165
\036\367\105\240\000\222\131\061\364\354\204\336\016\043\307\052
\133\321\070\020\157\160\202\126\304\264\311\316\154\171\146\263
\301\167\010\171\253\303\171\072\052\145\044\130\152\032\373\361
\015\231\305\145\353\313\277\160\304\145\324\226\326\331\263\076
\377\160\076\110\010\066\163\250\217\016\127\241\163\062\261\332
\206\275\345\005\264\112\103\317\130\153\215\003\360\204\360\052
\162\000\322\041\273\325\305\256\075\321\103\161\052\171\027\022
\001\004\050\167\124\115\270\172\137\021\062\324\374\015\240\062
\153\347\377\017\354\307\264\301\335\156\101\076\316\253\246\263
\200\337\273\156\264\372\275\273\241\123\144\347\006\324\352\243
\013\360\173\311\072\240\043\272\333\312\372\061\354\061\027\241
\176\353\042\041\052\310\323\124\202\344\344\376\355\322\147\205
\127\023\151\046\305\331\222\207\164\320\277\046\337\156\165\325
\340\226\302\145\126\252\211\232\332\251\316\350\144\311\321\241
\152\327\104\155\363\265\271\333\172\317\375\252\024\106\043\263
\352\136\247\212\044\034\355\305\024\304\126\077\016\066\315\135
\130\336\154\315\074\032\074\213\341\222\023\267\010\356\104\255
\115\253\125\325\053\363\334\012\244\325\333\004\340\305\051\033
\140\305\104\373\321\212\146\047\216\225\125\252\235\002\023\231
\017\321\024\122\176\030\151\342\332\113\300\043\110\137\341\355
\111\043\072\046\315\163\212\225\016\043\317\372\271\036\204\125
\214\353\243\325\234\375\114\262\037\167\265\317\255\150\207\302
\021\205\114\306\070\174\314\326\305\272\207\073\177\073\357\254
\122\013\055\356\342\176\361\010\122\244\225\040\057\300\316\231
\114\374\234\160\355\273\227\025\341\217\326\245\102\004\101\352
\337\335\135\377\324\100\175\246\165\333\071\060\026\311\176\040
\254\004\374\346\161\133\300\007\153\330\265\247\201\216\321\204
\215\271\314\363\022\156
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Root CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\217\371\025\314\253\173\301\157\214\134\200\231\325\076\016\021
\133\072\354\057
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\177\273\037\273\321\051\107\347\050\334\277\244\126\214\144\315
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Sub CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\037\060\035\006\003\125\004\003\014\026\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\123\165\142\040\103
\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\007\102\060\202\005\052\240\003\002\001\002\002\002\020
\002\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\062\061\061\062\065
\061\071\132\027\015\062\067\060\063\060\066\061\061\062\065\061
\071\132\060\157\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\037\060\035\006\003\125\004\003\014\026\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\123\165\142
\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002
\202\002\001\000\365\203\352\004\243\244\327\323\105\312\152\304
\301\350\163\256\020\104\201\075\232\264\267\263\245\333\201\333
\211\220\354\050\216\153\361\325\244\120\203\105\234\335\306\251
\141\361\332\344\273\215\074\376\324\346\133\071\115\037\366\353
\036\344\041\147\371\242\130\243\237\337\231\151\053\070\362\005
\336\223\074\315\267\270\007\311\274\103\220\333\367\147\050\141
\211\156\305\050\327\373\235\051\053\361\103\005\107\245\133\367
\113\315\016\226\133\212\176\025\217\014\105\320\246\014\205\250
\214\317\243\022\020\114\266\164\165\350\253\147\003\025\035\252
\331\346\357\007\250\167\255\106\340\055\230\355\231\014\144\047
\275\123\211\140\010\345\263\341\342\271\352\273\056\076\316\161
\356\302\102\304\360\125\227\217\371\164\061\333\303\300\150\106
\167\313\253\020\022\336\253\057\116\235\166\224\235\241\063\051
\006\160\252\115\274\126\371\345\214\312\071\010\237\253\175\030
\033\124\127\216\162\007\121\044\034\331\343\330\114\170\033\000
\242\067\324\374\341\004\043\051\052\376\361\375\051\260\152\331
\274\366\302\155\000\060\064\122\143\212\302\342\306\170\345\030
\362\312\153\233\316\230\334\010\207\362\300\311\105\271\016\072
\144\013\035\064\340\263\303\272\243\351\026\302\227\064\252\132
\057\140\346\352\347\064\307\202\150\346\157\240\121\065\116\104
\036\241\071\054\326\235\140\343\330\145\237\242\142\363\317\050
\306\363\120\321\030\120\151\162\217\316\367\174\336\162\302\015
\335\042\366\142\310\351\253\134\335\241\055\065\010\306\061\211
\357\377\367\065\257\143\014\310\333\237\316\146\050\055\236\220
\210\255\307\166\217\126\072\164\305\005\100\014\300\264\161\076
\252\305\337\225\042\374\034\204\276\040\221\005\041\012\033\056
\126\041\036\112\004\335\253\340\067\036\143\226\357\216\055\207
\264\164\135\030\223\035\117\030\330\333\302\253\323\137\176\321
\012\175\366\064\310\345\242\325\266\101\301\204\146\020\312\217
\355\356\255\230\263\247\234\135\114\366\142\264\017\232\022\066
\114\374\330\273\325\123\235\210\343\364\212\006\360\351\253\031
\331\374\135\243\066\165\116\164\222\140\326\057\064\004\360\266
\023\146\147\053\002\003\001\000\001\243\202\001\345\060\202\001
\341\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024
\321\341\161\015\013\055\201\116\156\212\112\217\114\043\263\114
\136\253\151\013\060\037\006\003\125\035\043\004\030\060\026\200
\024\341\321\201\345\316\132\137\004\252\322\351\266\235\146\261
\305\372\254\054\207\060\201\307\006\010\053\006\001\005\005\007
\001\001\004\201\272\060\201\267\060\073\006\010\053\006\001\005
\005\007\060\002\206\057\150\164\164\160\072\057\057\162\157\163
\164\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162
\157\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062
\062\056\143\162\164\060\073\006\010\053\006\001\005\005\007\060
\002\206\057\150\164\164\160\072\057\057\143\157\155\160\141\156
\171\056\162\164\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\164\060\073\006\010\053\006\001\005\005\007\060\002\206\057
\150\164\164\160\072\057\057\162\145\145\163\164\162\055\160\153
\151\056\162\165\057\143\144\160\057\162\157\157\164\143\141\137
\163\163\154\137\162\163\141\062\060\062\062\056\143\162\164\060
\201\260\006\003\125\035\037\004\201\250\060\201\245\060\065\240
\063\240\061\206\057\150\164\164\160\072\057\057\162\157\163\164
\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162\157
\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062\062
\056\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160
\072\057\057\143\157\155\160\141\156\171\056\162\164\056\162\165
\057\143\144\160\057\162\157\157\164\143\141\137\163\163\154\137
\162\163\141\062\060\062\062\056\143\162\154\060\065\240\063\240
\061\206\057\150\164\164\160\072\057\057\162\145\145\163\164\162
\055\160\153\151\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\104\025\163\146\133\073\364\007\142\110
\052\132\257\136\135\003\221\353\376\272\323\341\146\353\071\374
\345\244\217\261\254\267\221\076\265\006\351\345\026\041\156\057
\112\350\265\313\035\342\250\142\302\214\367\012\157\341\316\117
\012\021\061\262\072\312\323\377\235\332\167\116\126\056\153\146
\235\275\200\104\205\053\343\263\356\057\015\223\160\136\277\303
\152\166\360\041\147\156\255\231\225\211\004\101\014\127\233\246
\113\347\042\372\356\375\032\126\271\337\371\257\255\270\132\237
\057\241\223\021\266\077\334\233\246\210\364\273\157\005\364\375
\161\374\341\071\247\261\043\377\175\163\136\035\312\053\244\327
\356\220\205\334\012\150\044\123\163\131\235\174\324\046\235\365
\215\105\267\326\205\140\145\053\170\170\030\141\075\044\255\367
\032\117\031\113\300\314\256\107\100\207\114\133\313\214\100\103
\371\222\130\007\326\254\031\237\316\123\252\033\052\001\325\116
\073\131\063\236\250\326\326\222\112\000\077\154\254\367\217\254
\046\016\015\116\110\203\126\325\321\027\251\353\351\366\042\321
\264\216\274\341\140\320\204\053\061\163\266\143\310\062\203\320
\021\164\362\160\052\333\326\137\305\117\000\060\230\062\045\207
\207\211\374\155\232\044\042\262\046\124\242\303\100\241\330\342
\060\254\064\075\207\035\322\137\236\267\113\331\202\160\326\241
\154\220\323\270\161\043\146\147\047\160\321\151\040\216\377\144
\027\342\261\252\260\312\224\037\014\146\355\207\162\132\141\352
\377\302\147\107\320\365\213\204\363\371\154\035\235\020\163\141
\362\211\043\047\276\070\012\345\360\334\335\060\370\175\257\005
\023\310\014\066\352\314\372\105\174\075\077\013\064\203\076\341
\233\076\054\241\025\362\172\221\130\026\261\220\205\111\031\351
\044\124\243\274\304\060\116\033\366\215\353\140\031\050\163\236
\031\314\210\166\356\362\064\303\021\212\021\225\144\046\053\362
\266\042\046\202\242\073\060\352\072\103\344\054\343\335\206\325
\145\202\170\150\303\061\303\304\301\315\017\361\066\130\016\151
\144\173\215\063\371\264\115\173\166\301\064\317\057\262\107\331
\200\264\200\374\377\006\373\322\316\071\054\203\065\071\254\266
\321\311\102\220\222\005
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Sub CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\063\135\103\365\064\121\267\201\123\137\363\210\055\367\023\323
\301\117\212\001
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\304\023\047\226\170\334\005\047\062\041\103\376\100\312\364\332
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TCI ECDSA ROOT A1"
#
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\124\060\201\373\240\003\002\001\002\002\014\001\336
\255\300\336\000\214\031\170\074\172\326\060\012\006\010\052\206
\110\316\075\004\003\002\060\034\061\032\060\030\006\003\125\004
\003\014\021\124\103\111\040\105\103\104\123\101\040\122\117\117
\124\040\101\061\060\036\027\015\062\062\060\063\063\060\060\071
\063\063\061\070\132\027\015\063\062\060\063\063\060\060\071\063
\063\061\070\132\060\034\061\032\060\030\006\003\125\004\003\014
\021\124\103\111\040\105\103\104\123\101\040\122\117\117\124\040
\101\061\060\131\060\023\006\007\052\206\110\316\075\002\001\006
\010\052\206\110\316\075\003\001\007\003\102\000\004\231\342\354
\262\123\340\150\374\352\221\264\263\334\016\171\365\240\252\012
\177\020\147\370\145\304\261\066\000\011\176\027\045\351\146\015
\241\146\231\175\371\144\213\204\135\321\134\300\046\006\332\115
\045\266\353\073\257\332\141\214\353\133\161\017\336\243\043\060
\041\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
\206\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
\001\377\060\012\006\010\052\206\110\316\075\004\003\002\003\110
\000\060\105\002\040\062\243\050\372\032\146\272\255\226\071\256
\313\255\006\324\366\010\066\364\167\003\127\213\073\064\370\105
\370\106\005\072\301\002\041\000\204\222\373\041\342\303\156\215
\236\144\002\051\343\070\250\150\212\150\326\025\162\136\100\001
\065\271\351\071\064\075\050\373
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "TCI ECDSA ROOT A1"
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\116\207\172\300\047\246\075\205\024\300\264\313\372\017\157\130
\366\301\166\226
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\316\230\227\216\027\213\116\066\202\313\342\233\264\216\053\140
END
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
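Review bot: All three added objects carry `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE` and `CKT_NSS_TRUSTED_DELEGATOR` for server auth, e-mail protection and code signing, so consumers of the extracted bundles will treat them as Mozilla-program roots for every purpose. If these anchors are a local addition rather than part of the upstream NSS list (nothing on the page shows an upstream origin), the policy flag should be `CK_FALSE` and trust limited to the purpose actually required, e.g. `CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST` and `CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST`. "Russian Trusted Sub CA" is issued by the root added just above it yet gets its own trust object, which makes the intermediate an independent anchor that stays trusted even if the root entry is later removed or distrusted; setting its trust values to `CKT_NSS_MUST_VERIFY_TRUST` would let it chain to the root instead. A comment above each block recording who approved the addition and where the SHA-256 fingerprint was verified would help later audits of this trust store.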

@ -177,11 +177,6 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -374,16 +369,6 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBVDCB+6ADAgECAgwB3q3A3gCMGXg8etYwCgYIKoZIzj0EAw
IwHDEaMBgGA1UEAwwRVENJIEVDRFNBIFJPT1QgQTEwHhcNMjIw
MzMwMDkzMzE4WhcNMzIwMzMwMDkzMzE4WjAcMRowGAYDVQQDDB
FUQ0kgRUNEU0EgUk9PVCBBMTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABJni7LJT4Gj86pG0s9wOefWgqgp/EGf4ZcSxNgAJfh
cl6WYNoWaZfflki4Rd0VzAJgbaTSW26zuv2mGM61txD96jIzAh
MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCC
qGSM49BAMCA0gAMEUCIDKjKPoaZrqtljmuy60G1PYINvR3A1eL
OzT4RfhGBTrBAiEAhJL7IeLDbo2eZAIp4zioaIpo1hVyXkABNb
npOTQ9KPs=
-----END CERTIFICATE-----

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBXTCCAQigAwIBAgIMAt6twN4AjBl4PHrWMAwGCCqFAwcBAQ
MCBQAwGzEZMBcGA1UEAwwQVENJIEdPU1QgUk9PVCBBMTAeFw0y
MjAzMzAwOTMzMThaFw0zMjAzMzAwOTMzMThaMBsxGTAXBgNVBA
MMEFRDSSBHT1NUIFJPT1QgQTEwZjAfBggqhQMHAQEBATATBgcq
hQMCAiMBBggqhQMHAQECAgNDAARASiE+O1G5yX8JjIS0RmQ2Im
2FKd0RhbOtdjaoAivB3ywbHLGb6deQBRd/MwLP2IrfIZcVb4QP
5PSYolD/Iu+ExaMjMCEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEw
EB/wQFMAMBAf8wDAYIKoUDBwEBAwIFAANBAOi6Dn7pxa/SSbV6
PsfROEKzsBnX6GGggo9wOELuZKfDYdy88/92yr2Aali+fEje63
XqhHoZExE0CNLoncM3ARc=
-----END CERTIFICATE-----

@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----
MIIFwjCCA6qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCUlUx
PzA9BgNVBAoMNlRoZSBNaW5pc3RyeSBvZiBEaWdpdGFsIERldmVsb3BtZW50IGFu
ZCBDb21tdW5pY2F0aW9uczEgMB4GA1UEAwwXUnVzc2lhbiBUcnVzdGVkIFJvb3Qg
Q0EwHhcNMjIwMzAxMjEwNDE1WhcNMzIwMjI3MjEwNDE1WjBwMQswCQYDVQQGEwJS
VTE/MD0GA1UECgw2VGhlIE1pbmlzdHJ5IG9mIERpZ2l0YWwgRGV2ZWxvcG1lbnQg
YW5kIENvbW11bmljYXRpb25zMSAwHgYDVQQDDBdSdXNzaWFuIFRydXN0ZWQgUm9v
dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMfFOZ8pUAL3+r2n
qqE0Zp52selXsKGFYoG0GM5bwz1bSFtCt+AZQMhkWQheI3poZAToYJu69pHLKS6Q
XBiwBC1cvzYmUYKMYZC7jE5YhEU2bSL0mX7NaMxMDmH2/NwuOVRj8OImVa5s1F4U
zn4Kv3PFlDBjjSjXKVY9kmjUBsXQrIHeaqmUIsPIlNWUnimXS0I0abExqkbdrXbX
YwCOXhOO2pDUx3ckmJlCMUGacUTnylyQW2VsJIyIGA8V0xzdaeUXg0VZ6ZmNUr5Y
Ber/EAOLPb8NYpsAhJe2mXjMB/J9HNsoFMBFJ0lLOT/+dQvjbdRZoOT8eqJpWnVD
U+QL/qEZnz57N88OWM3rabJkRNdU/Z7x5SFIM9FrqtN8xewsiBWBI0K6XFuOBOTD
4V08o4TzJ8+Ccq5XlCUW2L48pZNCYuBDfBh7FxkB7qDgGDiaftEkZZfApRg2E+M9
G8wkNKTPLDc4wH0FDTijhgxR3Y4PiS1HL2Zhw7bD3CbslmEGgfnnZojNkJtcLeBH
BLa52/dSwNU4WWLubaYSiAmA9IUMX1/RpfpxOxd4Ykmhz97oFbUaDJFipIggx5sX
ePAlkTdWnv+RWBxlJwMQ25oEHmRguNYf4Zr/Rxr9cS93Y+mdXIZaBEE0KS2iLRqa
OiWBki9IMQU4phqPOBAaG7A+eP8PAgMBAAGjZjBkMB0GA1UdDgQWBBTh0YHlzlpf
BKrS6badZrHF+qwshzAfBgNVHSMEGDAWgBTh0YHlzlpfBKrS6badZrHF+qwshzAS
BgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
AAOCAgEAALIY1wkilt/urfEVM5vKzr6utOeDWCUczmWX/RX4ljpRdgF+5fAIS4vH
tmXkqpSCOVeWUrJV9QvZn6L227ZwuE15cWi8DCDal3Ue90WgAJJZMfTshN4OI8cq
W9E4EG9wglbEtMnObHlms8F3CHmrw3k6KmUkWGoa+/ENmcVl68u/cMRl1JbW2bM+
/3A+SAg2c6iPDlehczKx2oa95QW0SkPPWGuNA/CE8CpyANIhu9XFrj3RQ3EqeRcS
AQQod1RNuHpfETLU/A2gMmvn/w/sx7TB3W5BPs6rprOA37tutPq9u6FTZOcG1Oqj
C/B7yTqgI7rbyvox7DEXoX7rIiEqyNNUguTk/u3SZ4VXE2kmxdmSh3TQvybfbnXV
4JbCZVaqiZraqc7oZMnRoWrXRG3ztbnbes/9qhRGI7PqXqeKJBztxRTEVj8ONs1d
WN5szTwaPIvhkhO3CO5ErU2rVdUr89wKpNXbBODFKRtgxUT70YpmJ46VVaqdAhOZ
D9EUUn4YaeLaS8AjSF/h7UkjOibNc4qVDiPP+rkehFWM66PVnP1Msh93tc+taIfC
EYVMxjh8zNbFuoc7fzvvrFILLe7ifvEIUqSVIC/AzplM/Jxw7buXFeGP1qVCBEHq
391d/9RAfaZ12zkwFsl+IKwE/OZxW8AHa9i1p4GO0YSNuczzEm4=
-----END CERTIFICATE-----

@ -0,0 +1 @@
MIAGCSqGSIb3DQEHAqCAMIACAQExDDAKBggqhQMHAQECAjCABgkqhkiG9w0BBwEAAKCCB7gwgge0MIIHYaADAgECAgsAybP3lAAAAAAFhjAKBggqhQMHAQEDAjCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4MB4XDTIxMDUxOTA4MDc1OFoXDTIyMDgxNzA4MDc1OFowggF4MRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMUIwQAYJKoZIhvcNAQkCDDPQn9C+0LTRgdC40YHRgtC10LzQsCDCq9Cg0LXQtdGB0YLRgNGLwrsg0JjQoSDQk9Cj0KYxLjAsBgkqhkiG9w0BCQEWH2Eua29yemhlbmV2c2theWFAZGlnaXRhbC5nb3YucnUxOjA4BgNVBAkMMdCf0YDQtdGB0L3QtdC90YHQutCw0Y8g0L3QsNCxLiwg0LQuIDEwLCDRgdGC0YAuIDIxGTAXBgNVBAcMENCzLiDQnNC+0YHQutCy0LAxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEmMCQGA1UECgwd0JzQuNC90YbQuNGE0YDRiyDQoNC+0YHRgdC40LgxCzAJBgNVBAYTAlJVMSYwJAYDVQQDDB3QnNC40L3RhtC40YTRgNGLINCg0L7RgdGB0LjQuDBmMB8GCCqFAwcBAQEBMBMGByqFAwICJAAGCCqFAwcBAQICA0MABECPKzaqApZOrOkwaZWzx4xo/CsPpTbMMlJuUm2wIrJxpyZPGAdGO7krlWVfWnxPIl+POqsLM1Fq57nK30CAhUdzo4IEEzCCBA8wFQYDVR0lBA4wDAYKKwYBBAGCNwoDDDAOBgNVHQ8BAf8EBAMCBPAwXQYFKoUDZG8EVAxS0KHQmtCX0JggwqvQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQwrsg0LLQtdGA0YHQuNGPIDQuMCAo0LjRgdC/0L7Qu9C90LXQvdC40LUgMy1CYXNlKTAnBgNVHSAEIDAeMAgGBiqFA2RxATAIBgYqhQNkcQIwCAYGKoUDZHEDMB0GA1UdDgQWBBTvvmSAWPkPuWdrcO5mYdM5ixAd/DCCAWUGA1UdIwSCAVwwggFYgBTCVPG0a9RMt+BtNrQjkPH+wzybBqGCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LiCEE5tR4sm8n1lf3aOAlzj05MwgZgGA1UdHwSBkDCBjTAtoCugKYYn
aHR0cDovL3JlZXN0ci1wa2kucnUvY2RwL2d1Y19nb3N0MTIuY3JsMC2gK6AphidodHRwOi8vY29tcGFueS5ydC5ydS9jZHAvZ3VjX2dvc3QxMi5jcmwwLaAroCmGJ2h0dHA6Ly9yb3N0ZWxlY29tLnJ1L2NkcC9ndWNfZ29zdDEyLmNybDBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9yZWVzdHItcGtpLnJ1L2NkcC9ndWNfZ29zdDEyLmNydDCB9QYFKoUDZHAEgeswgegMNNCf0JDQmtCcIMKr0JrRgNC40L/RgtC+0J/RgNC+IEhTTcK7INCy0LXRgNGB0LjQuCAyLjAMQ9Cf0JDQmiDCq9CT0L7Qu9C+0LLQvdC+0Lkg0YPQtNC+0YHRgtC+0LLQtdGA0Y/RjtGJ0LjQuSDRhtC10L3RgtGAwrsMNdCX0LDQutC70Y7Rh9C10L3QuNC1IOKEliAxNDkvMy8yLzIvMjMg0L7RgiAwMi4wMy4yMDE4DDTQl9Cw0LrQu9GO0YfQtdC90LjQtSDihJYgMTQ5LzcvNi8xMDUg0L7RgiAyNy4wNi4yMDE4MAoGCCqFAwcBAQMCA0EAiq8EGuoH/RZ2NPQoW+ZP6tuflm4TMrsyT5QMYjVmOJdAXU7HiEqPSLSwH4eEYL6qkdHF8kmQYp2Kwesl86DcWjGCA5cwggOTAgEBMIIBNTCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4AgsAybP3lAAAAAAFhjAKBggqhQMHAQECAqCCAfkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjIwMzAyMDgxNDE0WjAvBgkqhkiG9w0BCQQxIgQgzb9RJkaBTAfbMRIMlNXto6nKufJY5FtfqzLnfcuZ+hMwggGMBgsqhkiG9w0BCRACLzGCAXswggF3MIIBczCCAW8wCgYIKoUDBwEBAgIEIIF2ijeXhxSihco1wb5EBZoP1DAnHrpQuB9P656woqXfMIIBPTCCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgCCwDJs/eUAAAAAAWGMAoGCCqFAwcBAQEBBEA0eWBz4JnqO6umBiTQK/tkJgTeV0nKAp2SQlJVOlSPwBDx1H5fUZOTQDP0/4OtMakDCKhUHd5KS9DNhZErA0UmAAAAAAAA

@ -1,10 +1,10 @@
#!/bin/sh #!/bin/sh
#set -vx #set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must # At this time, while this script is trivial, we ignore any parameters given.
# support the syntax "update-ca-trust extract" trigger the generation of output # However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST. # files in $DEST.
DEST=/etc/pki/ca-trust/extracted DEST=/etc/pki/ca-trust/extracted
@ -12,126 +12,11 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files. # Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1 export P11_KIT_NO_USER_CONFIG=1
usage() { # OpenSSL PEM bundle that includes trust flags
fold -s -w 76 >&2 <<-EOF # (BEGIN TRUSTED CERTIFICATE)
Usage: $0 [extract] [-o DIR|--output=DIR] /usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
Update the system trust store in $DEST. /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
COMMANDS /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
(absent/empty command): Same as the extract command without arguments. /usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac
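Review bot: The new side of this script (the right-hand column, 11 lines per the `+12,11` header) no longer has `set -eu`, so a failure in any of the first five `/usr/bin/p11-kit extract` calls is not propagated. The script's exit status is that of the last command, the `edk2-cacerts` extraction, so a caller can see success while `tls-ca-bundle.pem` or another consumer bundle is stale or incomplete. The spec's scriptlet that runs `%{_bindir}/update-ca-trust` appears to be one such caller. Keeping `set -eu` directly under the shebang would make a failed extraction fail the script. Separately, the `$DEST/...` arguments are unquoted on the new side; this is harmless while `DEST` is the fixed path, but `"$DEST/pem/tls-ca-bundle.pem"` and its siblings would match the quoting of the version being replaced.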

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS SYNOPSIS
-------- --------
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR'] *update-ca-trust* ['COMMAND']
DESCRIPTION DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then: .*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/ * add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ * simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes. Each certificate will be treated as *trusted* for all purposes.
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/ In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes. Each certificate will be treated as *distrusted* for all purposes.
@ -214,23 +214,15 @@ server authentication.
COMMANDS COMMANDS
-------- --------
(absent/empty command) (absent/empty command)::
~~~~~~~~~~~~~~~~~~~~~~ Same as the *extract* command described below. (However, the command may
Same as the *extract* command described below. (However, the command may print print fewer warnings, as this command is being run during rpm package
fewer warnings, as this command is being run during rpm package installation, installation, where non-fatal status output is undesired.)
where non-fatal status output is undesired.)
*extract*::
extract Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
~~~~~~~ updated versions of the consolidated configuration files stored below
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and the /etc/pki/ca-trust/extracted directory hierarchy.
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
FILES FILES
----- -----

@ -36,11 +36,13 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93) # On RHEL 8.x, please keep the release version >= 80
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...) # When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
Release: 91.4%{?dist} # When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
License: MIT AND GPL-2.0-or-later Release: 80.0%{?dist}.inferit.1
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h #Please always update both certdata.txt and nssckbi.h
@ -62,6 +64,14 @@ Source16: README.pem
Source17: README.edk2 Source17: README.edk2
Source18: README.src Source18: README.src
# Russian Ministry of Digital Development and Communications
Source90: rootca_ssl_rsa2022.cer
Source91: rootca_ssl_rsa2022.cer.detached.sig
# TCI ECSDA ROOT A1
Source92: ecdsa-a1.crt
# TCI GOST ROOT A1
Source93: gost-a1.crt
BuildArch: noarch BuildArch: noarch
Requires(post): bash Requires(post): bash
@ -71,14 +81,16 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit-trust >= 0.24 Requires(post): p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.24 Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python3 BuildRequires: python3-devel
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: xmlto BuildRequires: libxslt
%description %description
This package contains the set of CA certificates chosen by the This package contains the set of CA certificates chosen by the
@ -96,7 +108,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
python3 %{SOURCE4} >c2p.log 2>c2p.err %{__python3} %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -167,12 +179,12 @@ popd
#manpage #manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install %install
@ -182,16 +194,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -240,15 +251,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility # /etc/ssl/certs symlink for 3rd-party tools
ln -s /etc/pki/tls/certs \ ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames # legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -259,49 +264,12 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \ ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle} $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash. # Russian Ministry of Digital Development and Communications
# install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# First direct p11-kit-trust.so to the generated bundle (not the one install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# already present on the build system) with an overriding module # TCI ECDSA and GOST root certificates
# config. Note that we have to use a different config path based on install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# the current user: if root, ~/.config/pkcs11/modules/* are not read, install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then
@ -349,7 +317,6 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%post %post
#if [ $1 -gt 1 ] ; then #if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading # # when upgrading or downgrading
@ -375,8 +342,9 @@ fi
%{_bindir}/ca-legacy install %{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
# The file .files.txt contains the list of (%ghost )files in the directory-hash %files
%files -f .files.txt %defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl %dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls %dir %{pkidir}/tls
%dir %{pkidir}/tls/certs %dir %{pkidir}/tls/certs
@ -384,7 +352,7 @@ fi
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors %dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blocklist %dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
@ -392,9 +360,13 @@ fi
%dir %{_datadir}/pki %dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist %dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
%{catrustdir}/source/anchors/ecdsa-a1.crt
%{catrustdir}/source/anchors/gost-a1.crt
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -414,13 +386,10 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlinks to cross-distro compatibility files and directory # symlink directory
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# primary bundle file with trust # master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -436,33 +405,18 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin %ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1 %changelog
- Reduce dependency on p11-kit to only the trust subpackage * Wed Sep 11 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit.1
- Own the Directory-hash directory - Remove TCI GOST certificate from certdata.txt
- Bump version
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0 * Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit
- Fix release number - Update to 2024.2.69_v8.0.303-80.0
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91 *Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing: - Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -509,22 +463,27 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0 * Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.2
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix - Fixed addition TCI GOST certificate
- Bump version
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0 * Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.1
- Skip %post if getopt is missing (recent change made update-ca-trust use it) - Added TCI ECDSA and GOST root certificates
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0 * Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit
- update-ca-trust: Support --output and non-root operation (rhbz#2241240) - Update to version 2023.2.60_v7.0.306-80.0
- Rebuilt for MSVSphere 8.9
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0 * Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2022.2.54-80.2.inferit.1
- update License: field to SPDX - place MDDC certificates to /etc/pki/ca-trust/source/anchors (Arkady L. Shane <tigro@msvsphere-os.ru>)
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1 * Wed Aug 30 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-80.2.inferit
- Bump release number to make CI happy - Added:
- # Certificate "Russian Trusted Root CA"
- # Certificate "Russian Trusted Sub CA"
- Rebuilt for MSVSphere 8.8
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing: - Removing:
- # Certificate "Camerfirma Global Chambersign Root" - # Certificate "Camerfirma Global Chambersign Root"
@ -604,7 +563,10 @@ fi
- # Certificate "GlobalSign Code Signing Root R45" - # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2 * Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-80.2
- Rebuilt for MSVSphere 8.8
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -625,29 +587,12 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0 *Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root" - # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA" - # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01" - # Certificate "MULTICERT Root Certification Authority 01"
@ -789,6 +734,7 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA" - # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign" - # Certificate "GlobalSign"
- # Certificate "IGC/A" - # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -862,113 +808,129 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94 *Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- remove blacklist directory and references now that p11-kit has been updated. - Update to CKBI 2.54 from NSS 3.79
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- Update to CKBI 2.50 from NSS 3.67
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- remove unnecessarily divisive terms, take 1.
- in ca-certificates there are 3 cases:
- 1) master refering to the fedora master branch in the fetch.sh script.
- This can only be changed once fedora changes the master branch name.
- 2) a reference to the 'master bundle' in this file: this has been changed
- to 'primary bundle'.
- 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- needs to be updated before the old blacklist directories can be removed
- and the man pages corrected.
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- Fix up broken %post and %postinstall scriptlet changes from -2
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
- Update to CKBI 2.41 from NSS 3.53.0
- Removing: - Removing:
- # Certificate "AddTrust Low-Value Services Root" - # Certificate "GlobalSign Root CA - R2"
- # Certificate "AddTrust External Root" - # Certificate "DST Root CA X3"
- # Certificate "Staat der Nederlanden Root CA - G2" - # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67
- version number update only
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3 *Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update versioned dependency on p11-kit - Update to CKBI 2.48 from NSS 3.66
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
- # Certificate "Trustis FPS Root CA"
- Adding:
- # Certificate "GLOBALTRUST 2020"
- # Certificate "ANF Secure Server Root CA"
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2 *Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Update to CKBI 2.40 from NSS 3.48 - Update to CKBI 2.48 from NSS 3.64
- Removing: - Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "Taiwan GRCA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "UTN USERFirst Email Root CA" - # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA" - # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2" - # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2" - # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA" - # Certificate "Certinomis - Root CA"
- Adding: - Adding:
- # Certificate "Entrust Root Certification Authority - G4" - # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3 - Update to CKBI 2.32 from NSS 3.44
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - Removing:
- # Certificate "Visa eCommerce Root"
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2 - # Certificate "AC Raiz Certicamara S.A."
- Update to CKBI 2.32 from NSS 3.44 - # Certificate "ComSign CA"
Removing: - # Certificate "Certplus Root CA G1"
# Certificate "Visa eCommerce Root" - # Certificate "Certplus Root CA G2"
# Certificate "AC Raiz Certicamara S.A." - # Certificate "OpenTrust Root CA G1"
# Certificate "Certplus Root CA G1" - # Certificate "OpenTrust Root CA G2"
# Certificate "Certplus Root CA G2" - # Certificate "OpenTrust Root CA G3"
# Certificate "OpenTrust Root CA G1" - Adding:
# Certificate "OpenTrust Root CA G2" - # Certificate "GlobalSign Root CA - R6"
# Certificate "OpenTrust Root CA G3" - # Certificate "OISTE WISeKey Global Root GC CA"
Adding: - # Certificate "GTS Root R1"
# Certificate "GTS Root R1" - # Certificate "GTS Root R2"
# Certificate "GTS Root R2" - # Certificate "GTS Root R3"
# Certificate "GTS Root R3" - # Certificate "GTS Root R4"
# Certificate "GTS Root R4" - # Certificate "UCA Global G2 Root"
# Certificate "UCA Global G2 Root" - # Certificate "UCA Extended Validation Root"
# Certificate "UCA Extended Validation Root" - # Certificate "Certigna Root CA"
# Certificate "Certigna Root CA" - # Certificate "emSign Root CA - G1"
# Certificate "emSign Root CA - G1" - # Certificate "emSign ECC Root CA - G3"
# Certificate "emSign ECC Root CA - G3" - # Certificate "emSign Root CA - C1"
# Certificate "emSign Root CA - C1" - # Certificate "emSign ECC Root CA - C3"
# Certificate "emSign ECC Root CA - C3" - # Certificate "Hongkong Post Root CA 3"
# Certificate "Hongkong Post Root CA 3"
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3 - Test gating
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2 - Use __python3 macro when invoking Python
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3 - Ported scripts to python3
