
No commits in common. 'c9' and 'i8' have entirely different histories.
c9 ... i8

@ -58327,3 +58327,469 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Root CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\302\060\202\003\252\240\003\002\001\002\002\002\020
\000\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\061\062\061\060\064
\061\065\132\027\015\063\062\060\062\062\067\062\061\060\064\061
\065\132\060\160\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\040\060\036\006\003\125\004\003\014\027\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\122\157\157
\164\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
\002\202\002\001\000\307\305\071\237\051\120\002\367\372\275\247
\252\241\064\146\236\166\261\351\127\260\241\205\142\201\264\030
\316\133\303\075\133\110\133\102\267\340\031\100\310\144\131\010
\136\043\172\150\144\004\350\140\233\272\366\221\313\051\056\220
\134\030\260\004\055\134\277\066\046\121\202\214\141\220\273\214
\116\130\204\105\066\155\042\364\231\176\315\150\314\114\016\141
\366\374\334\056\071\124\143\360\342\046\125\256\154\324\136\024
\316\176\012\277\163\305\224\060\143\215\050\327\051\126\075\222
\150\324\006\305\320\254\201\336\152\251\224\042\303\310\224\325
\224\236\051\227\113\102\064\151\261\061\252\106\335\255\166\327
\143\000\216\136\023\216\332\220\324\307\167\044\230\231\102\061
\101\232\161\104\347\312\134\220\133\145\154\044\214\210\030\017
\025\323\034\335\151\345\027\203\105\131\351\231\215\122\276\130
\005\352\377\020\003\213\075\277\015\142\233\000\204\227\266\231
\170\314\007\362\175\034\333\050\024\300\105\047\111\113\071\077
\376\165\013\343\155\324\131\240\344\374\172\242\151\132\165\103
\123\344\013\376\241\031\237\076\173\067\317\016\130\315\353\151
\262\144\104\327\124\375\236\361\345\041\110\063\321\153\252\323
\174\305\354\054\210\025\201\043\102\272\134\133\216\004\344\303
\341\135\074\243\204\363\047\317\202\162\256\127\224\045\026\330
\276\074\245\223\102\142\340\103\174\030\173\027\031\001\356\240
\340\030\070\232\176\321\044\145\227\300\245\030\066\023\343\075
\033\314\044\064\244\317\054\067\070\300\175\005\015\070\243\206
\014\121\335\216\017\211\055\107\057\146\141\303\266\303\334\046
\354\226\141\006\201\371\347\146\210\315\220\233\134\055\340\107
\004\266\271\333\367\122\300\325\070\131\142\356\155\246\022\210
\011\200\364\205\014\137\137\321\245\372\161\073\027\170\142\111
\241\317\336\350\025\265\032\014\221\142\244\210\040\307\233\027
\170\360\045\221\067\126\236\377\221\130\034\145\047\003\020\333
\232\004\036\144\140\270\326\037\341\232\377\107\032\375\161\057
\167\143\351\235\134\206\132\004\101\064\051\055\242\055\032\232
\072\045\201\222\057\110\061\005\070\246\032\217\070\020\032\033
\260\076\170\377\017\002\003\001\000\001\243\146\060\144\060\035
\006\003\125\035\016\004\026\004\024\341\321\201\345\316\132\137
\004\252\322\351\266\235\146\261\305\372\254\054\207\060\037\006
\003\125\035\043\004\030\060\026\200\024\341\321\201\345\316\132
\137\004\252\322\351\266\235\146\261\305\372\254\054\207\060\022
\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
\001\004\060\016\006\003\125\035\017\001\001\377\004\004\003\002
\001\206\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\000\262\030\327\011\042\226\337\356\255
\361\025\063\233\312\316\276\256\264\347\203\130\045\034\316\145
\227\375\025\370\226\072\121\166\001\176\345\360\010\113\213\307
\266\145\344\252\224\202\071\127\226\122\262\125\365\013\331\237
\242\366\333\266\160\270\115\171\161\150\274\014\040\332\227\165
\036\367\105\240\000\222\131\061\364\354\204\336\016\043\307\052
\133\321\070\020\157\160\202\126\304\264\311\316\154\171\146\263
\301\167\010\171\253\303\171\072\052\145\044\130\152\032\373\361
\015\231\305\145\353\313\277\160\304\145\324\226\326\331\263\076
\377\160\076\110\010\066\163\250\217\016\127\241\163\062\261\332
\206\275\345\005\264\112\103\317\130\153\215\003\360\204\360\052
\162\000\322\041\273\325\305\256\075\321\103\161\052\171\027\022
\001\004\050\167\124\115\270\172\137\021\062\324\374\015\240\062
\153\347\377\017\354\307\264\301\335\156\101\076\316\253\246\263
\200\337\273\156\264\372\275\273\241\123\144\347\006\324\352\243
\013\360\173\311\072\240\043\272\333\312\372\061\354\061\027\241
\176\353\042\041\052\310\323\124\202\344\344\376\355\322\147\205
\127\023\151\046\305\331\222\207\164\320\277\046\337\156\165\325
\340\226\302\145\126\252\211\232\332\251\316\350\144\311\321\241
\152\327\104\155\363\265\271\333\172\317\375\252\024\106\043\263
\352\136\247\212\044\034\355\305\024\304\126\077\016\066\315\135
\130\336\154\315\074\032\074\213\341\222\023\267\010\356\104\255
\115\253\125\325\053\363\334\012\244\325\333\004\340\305\051\033
\140\305\104\373\321\212\146\047\216\225\125\252\235\002\023\231
\017\321\024\122\176\030\151\342\332\113\300\043\110\137\341\355
\111\043\072\046\315\163\212\225\016\043\317\372\271\036\204\125
\214\353\243\325\234\375\114\262\037\167\265\317\255\150\207\302
\021\205\114\306\070\174\314\326\305\272\207\073\177\073\357\254
\122\013\055\356\342\176\361\010\122\244\225\040\057\300\316\231
\114\374\234\160\355\273\227\025\341\217\326\245\102\004\101\352
\337\335\135\377\324\100\175\246\165\333\071\060\026\311\176\040
\254\004\374\346\161\133\300\007\153\330\265\247\201\216\321\204
\215\271\314\363\022\156
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Root CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\217\371\025\314\253\173\301\157\214\134\200\231\325\076\016\021
\133\072\354\057
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\177\273\037\273\321\051\107\347\050\334\277\244\126\214\144\315
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Sub CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\037\060\035\006\003\125\004\003\014\026\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\123\165\142\040\103
\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\007\102\060\202\005\052\240\003\002\001\002\002\002\020
\002\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\062\061\061\062\065
\061\071\132\027\015\062\067\060\063\060\066\061\061\062\065\061
\071\132\060\157\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\037\060\035\006\003\125\004\003\014\026\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\123\165\142
\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002
\202\002\001\000\365\203\352\004\243\244\327\323\105\312\152\304
\301\350\163\256\020\104\201\075\232\264\267\263\245\333\201\333
\211\220\354\050\216\153\361\325\244\120\203\105\234\335\306\251
\141\361\332\344\273\215\074\376\324\346\133\071\115\037\366\353
\036\344\041\147\371\242\130\243\237\337\231\151\053\070\362\005
\336\223\074\315\267\270\007\311\274\103\220\333\367\147\050\141
\211\156\305\050\327\373\235\051\053\361\103\005\107\245\133\367
\113\315\016\226\133\212\176\025\217\014\105\320\246\014\205\250
\214\317\243\022\020\114\266\164\165\350\253\147\003\025\035\252
\331\346\357\007\250\167\255\106\340\055\230\355\231\014\144\047
\275\123\211\140\010\345\263\341\342\271\352\273\056\076\316\161
\356\302\102\304\360\125\227\217\371\164\061\333\303\300\150\106
\167\313\253\020\022\336\253\057\116\235\166\224\235\241\063\051
\006\160\252\115\274\126\371\345\214\312\071\010\237\253\175\030
\033\124\127\216\162\007\121\044\034\331\343\330\114\170\033\000
\242\067\324\374\341\004\043\051\052\376\361\375\051\260\152\331
\274\366\302\155\000\060\064\122\143\212\302\342\306\170\345\030
\362\312\153\233\316\230\334\010\207\362\300\311\105\271\016\072
\144\013\035\064\340\263\303\272\243\351\026\302\227\064\252\132
\057\140\346\352\347\064\307\202\150\346\157\240\121\065\116\104
\036\241\071\054\326\235\140\343\330\145\237\242\142\363\317\050
\306\363\120\321\030\120\151\162\217\316\367\174\336\162\302\015
\335\042\366\142\310\351\253\134\335\241\055\065\010\306\061\211
\357\377\367\065\257\143\014\310\333\237\316\146\050\055\236\220
\210\255\307\166\217\126\072\164\305\005\100\014\300\264\161\076
\252\305\337\225\042\374\034\204\276\040\221\005\041\012\033\056
\126\041\036\112\004\335\253\340\067\036\143\226\357\216\055\207
\264\164\135\030\223\035\117\030\330\333\302\253\323\137\176\321
\012\175\366\064\310\345\242\325\266\101\301\204\146\020\312\217
\355\356\255\230\263\247\234\135\114\366\142\264\017\232\022\066
\114\374\330\273\325\123\235\210\343\364\212\006\360\351\253\031
\331\374\135\243\066\165\116\164\222\140\326\057\064\004\360\266
\023\146\147\053\002\003\001\000\001\243\202\001\345\060\202\001
\341\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024
\321\341\161\015\013\055\201\116\156\212\112\217\114\043\263\114
\136\253\151\013\060\037\006\003\125\035\043\004\030\060\026\200
\024\341\321\201\345\316\132\137\004\252\322\351\266\235\146\261
\305\372\254\054\207\060\201\307\006\010\053\006\001\005\005\007
\001\001\004\201\272\060\201\267\060\073\006\010\053\006\001\005
\005\007\060\002\206\057\150\164\164\160\072\057\057\162\157\163
\164\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162
\157\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062
\062\056\143\162\164\060\073\006\010\053\006\001\005\005\007\060
\002\206\057\150\164\164\160\072\057\057\143\157\155\160\141\156
\171\056\162\164\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\164\060\073\006\010\053\006\001\005\005\007\060\002\206\057
\150\164\164\160\072\057\057\162\145\145\163\164\162\055\160\153
\151\056\162\165\057\143\144\160\057\162\157\157\164\143\141\137
\163\163\154\137\162\163\141\062\060\062\062\056\143\162\164\060
\201\260\006\003\125\035\037\004\201\250\060\201\245\060\065\240
\063\240\061\206\057\150\164\164\160\072\057\057\162\157\163\164
\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162\157
\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062\062
\056\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160
\072\057\057\143\157\155\160\141\156\171\056\162\164\056\162\165
\057\143\144\160\057\162\157\157\164\143\141\137\163\163\154\137
\162\163\141\062\060\062\062\056\143\162\154\060\065\240\063\240
\061\206\057\150\164\164\160\072\057\057\162\145\145\163\164\162
\055\160\153\151\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\104\025\163\146\133\073\364\007\142\110
\052\132\257\136\135\003\221\353\376\272\323\341\146\353\071\374
\345\244\217\261\254\267\221\076\265\006\351\345\026\041\156\057
\112\350\265\313\035\342\250\142\302\214\367\012\157\341\316\117
\012\021\061\262\072\312\323\377\235\332\167\116\126\056\153\146
\235\275\200\104\205\053\343\263\356\057\015\223\160\136\277\303
\152\166\360\041\147\156\255\231\225\211\004\101\014\127\233\246
\113\347\042\372\356\375\032\126\271\337\371\257\255\270\132\237
\057\241\223\021\266\077\334\233\246\210\364\273\157\005\364\375
\161\374\341\071\247\261\043\377\175\163\136\035\312\053\244\327
\356\220\205\334\012\150\044\123\163\131\235\174\324\046\235\365
\215\105\267\326\205\140\145\053\170\170\030\141\075\044\255\367
\032\117\031\113\300\314\256\107\100\207\114\133\313\214\100\103
\371\222\130\007\326\254\031\237\316\123\252\033\052\001\325\116
\073\131\063\236\250\326\326\222\112\000\077\154\254\367\217\254
\046\016\015\116\110\203\126\325\321\027\251\353\351\366\042\321
\264\216\274\341\140\320\204\053\061\163\266\143\310\062\203\320
\021\164\362\160\052\333\326\137\305\117\000\060\230\062\045\207
\207\211\374\155\232\044\042\262\046\124\242\303\100\241\330\342
\060\254\064\075\207\035\322\137\236\267\113\331\202\160\326\241
\154\220\323\270\161\043\146\147\047\160\321\151\040\216\377\144
\027\342\261\252\260\312\224\037\014\146\355\207\162\132\141\352
\377\302\147\107\320\365\213\204\363\371\154\035\235\020\163\141
\362\211\043\047\276\070\012\345\360\334\335\060\370\175\257\005
\023\310\014\066\352\314\372\105\174\075\077\013\064\203\076\341
\233\076\054\241\025\362\172\221\130\026\261\220\205\111\031\351
\044\124\243\274\304\060\116\033\366\215\353\140\031\050\163\236
\031\314\210\166\356\362\064\303\021\212\021\225\144\046\053\362
\266\042\046\202\242\073\060\352\072\103\344\054\343\335\206\325
\145\202\170\150\303\061\303\304\301\315\017\361\066\130\016\151
\144\173\215\063\371\264\115\173\166\301\064\317\057\262\107\331
\200\264\200\374\377\006\373\322\316\071\054\203\065\071\254\266
\321\311\102\220\222\005
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Sub CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\063\135\103\365\064\121\267\201\123\137\363\210\055\367\023\323
\301\117\212\001
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\304\023\047\226\170\334\005\047\062\041\103\376\100\312\364\332
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TCI ECDSA ROOT A1"
#
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\124\060\201\373\240\003\002\001\002\002\014\001\336
\255\300\336\000\214\031\170\074\172\326\060\012\006\010\052\206
\110\316\075\004\003\002\060\034\061\032\060\030\006\003\125\004
\003\014\021\124\103\111\040\105\103\104\123\101\040\122\117\117
\124\040\101\061\060\036\027\015\062\062\060\063\063\060\060\071
\063\063\061\070\132\027\015\063\062\060\063\063\060\060\071\063
\063\061\070\132\060\034\061\032\060\030\006\003\125\004\003\014
\021\124\103\111\040\105\103\104\123\101\040\122\117\117\124\040
\101\061\060\131\060\023\006\007\052\206\110\316\075\002\001\006
\010\052\206\110\316\075\003\001\007\003\102\000\004\231\342\354
\262\123\340\150\374\352\221\264\263\334\016\171\365\240\252\012
\177\020\147\370\145\304\261\066\000\011\176\027\045\351\146\015
\241\146\231\175\371\144\213\204\135\321\134\300\046\006\332\115
\045\266\353\073\257\332\141\214\353\133\161\017\336\243\043\060
\041\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
\206\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
\001\377\060\012\006\010\052\206\110\316\075\004\003\002\003\110
\000\060\105\002\040\062\243\050\372\032\146\272\255\226\071\256
\313\255\006\324\366\010\066\364\167\003\127\213\073\064\370\105
\370\106\005\072\301\002\041\000\204\222\373\041\342\303\156\215
\236\144\002\051\343\070\250\150\212\150\326\025\162\136\100\001
\065\271\351\071\064\075\050\373
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "TCI ECDSA ROOT A1"
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\116\207\172\300\047\246\075\205\024\300\264\313\372\017\157\130
\366\301\166\226
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\316\230\227\216\027\213\116\066\202\313\342\233\264\216\053\140
END
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
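Review bot: All three added certificate objects set `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE`, which labels them as roots accepted under the Mozilla CA policy. Nothing in this hunk supports that, and the entries look like local additions, so `CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_FALSE` (or omitting the attribute) would stop consumers that key policy decisions on it from treating them as program roots. Each trust object also grants `CKT_NSS_TRUSTED_DELEGATOR` for server auth, e-mail protection and code signing together; any purpose that is not actually needed would be safer as `CKT_NSS_MUST_VERIFY_TRUST`, as on the context entry at the top of the hunk. "Russian Trusted Sub CA" is issued by the root added directly above it, so anchoring it separately means it would typically stay trusted even if the root's trust is later removed or its issuer revokes it. A comment above each block recording who approved the addition and for which purpose would help later audits.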

@ -177,11 +177,6 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
}
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -374,16 +369,6 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBVDCB+6ADAgECAgwB3q3A3gCMGXg8etYwCgYIKoZIzj0EAw
IwHDEaMBgGA1UEAwwRVENJIEVDRFNBIFJPT1QgQTEwHhcNMjIw
MzMwMDkzMzE4WhcNMzIwMzMwMDkzMzE4WjAcMRowGAYDVQQDDB
FUQ0kgRUNEU0EgUk9PVCBBMTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABJni7LJT4Gj86pG0s9wOefWgqgp/EGf4ZcSxNgAJfh
cl6WYNoWaZfflki4Rd0VzAJgbaTSW26zuv2mGM61txD96jIzAh
MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCC
qGSM49BAMCA0gAMEUCIDKjKPoaZrqtljmuy60G1PYINvR3A1eL
OzT4RfhGBTrBAiEAhJL7IeLDbo2eZAIp4zioaIpo1hVyXkABNb
npOTQ9KPs=
-----END CERTIFICATE-----

@ -0,0 +1,12 @@
-----BEGIN CERTIFICATE-----
MIIBXTCCAQigAwIBAgIMAt6twN4AjBl4PHrWMAwGCCqFAwcBAQ
MCBQAwGzEZMBcGA1UEAwwQVENJIEdPU1QgUk9PVCBBMTAeFw0y
MjAzMzAwOTMzMThaFw0zMjAzMzAwOTMzMThaMBsxGTAXBgNVBA
MMEFRDSSBHT1NUIFJPT1QgQTEwZjAfBggqhQMHAQEBATATBgcq
hQMCAiMBBggqhQMHAQECAgNDAARASiE+O1G5yX8JjIS0RmQ2Im
2FKd0RhbOtdjaoAivB3ywbHLGb6deQBRd/MwLP2IrfIZcVb4QP
5PSYolD/Iu+ExaMjMCEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEw
EB/wQFMAMBAf8wDAYIKoUDBwEBAwIFAANBAOi6Dn7pxa/SSbV6
PsfROEKzsBnX6GGggo9wOELuZKfDYdy88/92yr2Aali+fEje63
XqhHoZExE0CNLoncM3ARc=
-----END CERTIFICATE-----

@ -0,0 +1,33 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ -0,0 +1 @@
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

@ -1,9 +1,9 @@
#!/bin/sh
#set -vx
set -eu
# For backwards compatibility reasons, future versions of this script must
# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.
@ -12,126 +12,11 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1
usage() {
fold -s -w 76 >&2 <<-EOF
Usage: $0 [extract] [-o DIR|--output=DIR]
Update the system trust store in $DEST.
COMMANDS
(absent/empty command): Same as the extract command without arguments.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
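Review bot: The new side ignores every argument (the header comment says so), so `update-ca-trust --help` or a mistyped command silently rewrites the trust store. It would be safer to reject anything other than an empty argument list or `extract` with a non-zero exit. The six `/usr/bin/p11-kit extract` lines also pass `$DEST/...` unquoted; that is harmless while `DEST` is the fixed path shown in the hunk header, but quoting it, e.g. `"$DEST/pem/tls-ca-bundle.pem"`, keeps the lines safe if the variable ever becomes configurable. The section also no longer generates `$DEST/pem/directory-hash`; if an earlier run left that directory behind, clients using it as a CApath would presumably keep reading anchors that no longer match the bundles, so it should be removed or the omission documented.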

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS
--------
*update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
*update-ca-trust* ['COMMAND']
DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes.
In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/
you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes.
@ -214,23 +214,15 @@ server authentication.
COMMANDS
--------
(absent/empty command)
~~~~~~~~~~~~~~~~~~~~~~
Same as the *extract* command described below. (However, the command may print
fewer warnings, as this command is being run during rpm package installation,
where non-fatal status output is undesired.)
extract
~~~~~~~
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
(absent/empty command)::
Same as the *extract* command described below. (However, the command may
print fewer warnings, as this command is being run during rpm package
installation, where non-fatal status output is undesired.)
*extract*::
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce
updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
FILES
-----

@ -36,11 +36,13 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303
# for y-stream, please always use 91 <= release < 100 (91,92,93)
# for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
Release: 91.4%{?dist}
License: MIT AND GPL-2.0-or-later
# On RHEL 8.x, please keep the release version >= 80
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ...
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, ..
Release: 80.0%{?dist}.inferit.1
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h
@ -62,6 +64,14 @@ Source16: README.pem
Source17: README.edk2
Source18: README.src
# Russian Ministry of Digital Development and Communications
Source90: rootca_ssl_rsa2022.cer
Source91: rootca_ssl_rsa2022.cer.detached.sig
# TCI ECSDA ROOT A1
Source92: ecdsa-a1.crt
# TCI GOST ROOT A1
Source93: gost-a1.crt
BuildArch: noarch
Requires(post): bash
@ -71,14 +81,16 @@ Requires(post): coreutils
Requires: bash
Requires: grep
Requires: sed
Requires(post): p11-kit-trust >= 0.24
Requires: p11-kit-trust >= 0.24
Requires(post): p11-kit >= 0.23.12
Requires(post): p11-kit-trust >= 0.23.12
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter
BuildRequires: python3
BuildRequires: python3-devel
BuildRequires: openssl
BuildRequires: asciidoc
BuildRequires: xmlto
BuildRequires: libxslt
%description
This package contains the set of CA certificates chosen by the
@ -96,7 +108,7 @@ mkdir %{name}/java
pushd %{name}/certs
pwd
cp %{SOURCE0} .
python3 %{SOURCE4} >c2p.log 2>c2p.err
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err
popd
pushd %{name}
(
@ -167,12 +179,12 @@ popd
#manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
%install
@ -182,16 +194,15 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -240,15 +251,9 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
ln -s /etc/pki/tls/certs \
# /etc/ssl/certs symlink for 3rd-party tools
ln -s ../pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -259,49 +264,12 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Populate %%{catrustdir}/extracted/pem/directory-hash.
#
# First direct p11-kit-trust.so to the generated bundle (not the one
# already present on the build system) with an overriding module
# config. Note that we have to use a different config path based on
# the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
# Russian Ministry of Digital Development and Communications
install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
# TCI ECDSA and GOST root certificates
install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/
%pre
if [ $1 -gt 1 ] ; then
@ -349,7 +317,6 @@ if [ $1 -gt 1 ] ; then
fi
fi
%post
#if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading
@ -375,8 +342,9 @@ fi
%{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust
# The file .files.txt contains the list of (%ghost )files in the directory-hash
%files -f .files.txt
%files
%defattr(-,root,root,-)
%dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls
%dir %{pkidir}/tls/certs
@ -384,7 +352,7 @@ fi
%dir %{catrustdir}
%dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blocklist
%dir %{catrustdir}/source/blacklist
%dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl
@ -392,9 +360,13 @@ fi
%dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blocklist
%dir %{_datadir}/pki/ca-trust-source/blacklist
%dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
%{catrustdir}/source/anchors/ecdsa-a1.crt
%{catrustdir}/source/anchors/gost-a1.crt
%config(noreplace) %{catrustdir}/ca-legacy.conf
@ -414,13 +386,10 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle}
# symlinks to cross-distro compatibility files and directory
# symlink directory
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# primary bundle file with trust
# master bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -436,33 +405,18 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog
*Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- update-ca-trust: return warnings on a unsupported argument instead of error
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
%changelog
* Wed Sep 11 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit.1
- Remove TCI GOST certificate from certdata.txt
- Bump version
*Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
* Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit
- Update to 2024.2.69_v8.0.303-80.0
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -509,22 +463,27 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
- update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
* Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.2
- Fixed addition TCI GOST certificate
- Bump version
* Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.1
- Added TCI ECDSA and GOST root certificates
* Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- update-ca-trust: Support --output and non-root operation (rhbz#2241240)
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit
- Update to version 2023.2.60_v7.0.306-80.0
- Rebuilt for MSVSphere 8.9
*Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- update License: field to SPDX
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2022.2.54-80.2.inferit.1
- place MDDC certificates to /etc/pki/ca-trust/source/anchors (Arkady L. Shane <tigro@msvsphere-os.ru>)
*Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Bump release number to make CI happy
* Wed Aug 30 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-80.2.inferit
- Added:
- # Certificate "Russian Trusted Root CA"
- # Certificate "Russian Trusted Sub CA"
- Rebuilt for MSVSphere 8.8
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing:
- # Certificate "Camerfirma Global Chambersign Root"
@ -604,7 +563,10 @@ fi
- # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
* Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-80.2
- Rebuilt for MSVSphere 8.8
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "TrustCor ECA-1"
@ -625,29 +587,12 @@ fi
- # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1
- Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01"
@ -789,6 +734,7 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign"
- # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -862,19 +808,34 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
* Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
- remove blacklist directory and references now that p11-kit has been updated.
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81
- Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Cybertrust Global Root"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
* Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67
- version number update only
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82
- Update to CKBI 2.48 from NSS 3.66
- Removing:
- # Certificate "QuoVadis Root CA"
- # Certificate "Sonera Class 2 Root CA"
@ -885,90 +846,91 @@ fi
- # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- remove unnecessarily divisive terms, take 1.
- in ca-certificates there are 3 cases:
- 1) master refering to the fedora master branch in the fetch.sh script.
- This can only be changed once fedora changes the master branch name.
- 2) a reference to the 'master bundle' in this file: this has been changed
- to 'primary bundle'.
- 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
- needs to be updated before the old blacklist directories can be removed
- and the man pages corrected.
* Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- Fix up broken %post and %postinstall scriptlet changes from -2
* Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81
- Update to CKBI 2.48 from NSS 3.64
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3"
- # Certificate "GeoTrust Global CA"
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2"
- # Certificate "Taiwan GRCA"
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5"
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2"
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0
- Removing:
- # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA"
- Adding:
- # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
- Update to CKBI 2.32 from NSS 3.44
Removing:
# Certificate "Visa eCommerce Root"
# Certificate "AC Raiz Certicamara S.A."
# Certificate "Certplus Root CA G1"
# Certificate "Certplus Root CA G2"
# Certificate "OpenTrust Root CA G1"
# Certificate "OpenTrust Root CA G2"
# Certificate "OpenTrust Root CA G3"
Adding:
# Certificate "GTS Root R1"
# Certificate "GTS Root R2"
# Certificate "GTS Root R3"
# Certificate "GTS Root R4"
# Certificate "UCA Global G2 Root"
# Certificate "UCA Extended Validation Root"
# Certificate "Certigna Root CA"
# Certificate "emSign Root CA - G1"
# Certificate "emSign ECC Root CA - G3"
# Certificate "emSign Root CA - C1"
# Certificate "emSign ECC Root CA - C3"
# Certificate "Hongkong Post Root CA 3"
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
- Update to CKBI 2.32 from NSS 3.44
- Removing:
- # Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A."
- # Certificate "ComSign CA"
- # Certificate "Certplus Root CA G1"
- # Certificate "Certplus Root CA G2"
- # Certificate "OpenTrust Root CA G1"
- # Certificate "OpenTrust Root CA G2"
- # Certificate "OpenTrust Root CA G3"
- Adding:
- # Certificate "GlobalSign Root CA - R6"
- # Certificate "OISTE WISeKey Global Root GC CA"
- # Certificate "GTS Root R1"
- # Certificate "GTS Root R2"
- # Certificate "GTS Root R3"
- # Certificate "GTS Root R4"
- # Certificate "UCA Global G2 Root"
- # Certificate "UCA Extended Validation Root"
- # Certificate "Certigna Root CA"
- # Certificate "emSign Root CA - G1"
- # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign Root CA - C1"
- # Certificate "emSign ECC Root CA - C3"
- # Certificate "Hongkong Post Root CA 3"
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
- Test gating
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
- Use __python3 macro when invoking Python
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3
