Compare commits

..

No commits in common. 'i8' and 'c9' have entirely different histories.
i8 ... c9

@ -58327,469 +58327,3 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Root CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_VALUE MULTILINE_OCTAL
\060\202\005\302\060\202\003\252\240\003\002\001\002\002\002\020
\000\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\061\062\061\060\064
\061\065\132\027\015\063\062\060\062\062\067\062\061\060\064\061
\065\132\060\160\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\040\060\036\006\003\125\004\003\014\027\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\122\157\157
\164\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206
\367\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012
\002\202\002\001\000\307\305\071\237\051\120\002\367\372\275\247
\252\241\064\146\236\166\261\351\127\260\241\205\142\201\264\030
\316\133\303\075\133\110\133\102\267\340\031\100\310\144\131\010
\136\043\172\150\144\004\350\140\233\272\366\221\313\051\056\220
\134\030\260\004\055\134\277\066\046\121\202\214\141\220\273\214
\116\130\204\105\066\155\042\364\231\176\315\150\314\114\016\141
\366\374\334\056\071\124\143\360\342\046\125\256\154\324\136\024
\316\176\012\277\163\305\224\060\143\215\050\327\051\126\075\222
\150\324\006\305\320\254\201\336\152\251\224\042\303\310\224\325
\224\236\051\227\113\102\064\151\261\061\252\106\335\255\166\327
\143\000\216\136\023\216\332\220\324\307\167\044\230\231\102\061
\101\232\161\104\347\312\134\220\133\145\154\044\214\210\030\017
\025\323\034\335\151\345\027\203\105\131\351\231\215\122\276\130
\005\352\377\020\003\213\075\277\015\142\233\000\204\227\266\231
\170\314\007\362\175\034\333\050\024\300\105\047\111\113\071\077
\376\165\013\343\155\324\131\240\344\374\172\242\151\132\165\103
\123\344\013\376\241\031\237\076\173\067\317\016\130\315\353\151
\262\144\104\327\124\375\236\361\345\041\110\063\321\153\252\323
\174\305\354\054\210\025\201\043\102\272\134\133\216\004\344\303
\341\135\074\243\204\363\047\317\202\162\256\127\224\045\026\330
\276\074\245\223\102\142\340\103\174\030\173\027\031\001\356\240
\340\030\070\232\176\321\044\145\227\300\245\030\066\023\343\075
\033\314\044\064\244\317\054\067\070\300\175\005\015\070\243\206
\014\121\335\216\017\211\055\107\057\146\141\303\266\303\334\046
\354\226\141\006\201\371\347\146\210\315\220\233\134\055\340\107
\004\266\271\333\367\122\300\325\070\131\142\356\155\246\022\210
\011\200\364\205\014\137\137\321\245\372\161\073\027\170\142\111
\241\317\336\350\025\265\032\014\221\142\244\210\040\307\233\027
\170\360\045\221\067\126\236\377\221\130\034\145\047\003\020\333
\232\004\036\144\140\270\326\037\341\232\377\107\032\375\161\057
\167\143\351\235\134\206\132\004\101\064\051\055\242\055\032\232
\072\045\201\222\057\110\061\005\070\246\032\217\070\020\032\033
\260\076\170\377\017\002\003\001\000\001\243\146\060\144\060\035
\006\003\125\035\016\004\026\004\024\341\321\201\345\316\132\137
\004\252\322\351\266\235\146\261\305\372\254\054\207\060\037\006
\003\125\035\043\004\030\060\026\200\024\341\321\201\345\316\132
\137\004\252\322\351\266\235\146\261\305\372\254\054\207\060\022
\006\003\125\035\023\001\001\377\004\010\060\006\001\001\377\002
\001\004\060\016\006\003\125\035\017\001\001\377\004\004\003\002
\001\206\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\000\262\030\327\011\042\226\337\356\255
\361\025\063\233\312\316\276\256\264\347\203\130\045\034\316\145
\227\375\025\370\226\072\121\166\001\176\345\360\010\113\213\307
\266\145\344\252\224\202\071\127\226\122\262\125\365\013\331\237
\242\366\333\266\160\270\115\171\161\150\274\014\040\332\227\165
\036\367\105\240\000\222\131\061\364\354\204\336\016\043\307\052
\133\321\070\020\157\160\202\126\304\264\311\316\154\171\146\263
\301\167\010\171\253\303\171\072\052\145\044\130\152\032\373\361
\015\231\305\145\353\313\277\160\304\145\324\226\326\331\263\076
\377\160\076\110\010\066\163\250\217\016\127\241\163\062\261\332
\206\275\345\005\264\112\103\317\130\153\215\003\360\204\360\052
\162\000\322\041\273\325\305\256\075\321\103\161\052\171\027\022
\001\004\050\167\124\115\270\172\137\021\062\324\374\015\240\062
\153\347\377\017\354\307\264\301\335\156\101\076\316\253\246\263
\200\337\273\156\264\372\275\273\241\123\144\347\006\324\352\243
\013\360\173\311\072\240\043\272\333\312\372\061\354\061\027\241
\176\353\042\041\052\310\323\124\202\344\344\376\355\322\147\205
\127\023\151\046\305\331\222\207\164\320\277\046\337\156\165\325
\340\226\302\145\126\252\211\232\332\251\316\350\144\311\321\241
\152\327\104\155\363\265\271\333\172\317\375\252\024\106\043\263
\352\136\247\212\044\034\355\305\024\304\126\077\016\066\315\135
\130\336\154\315\074\032\074\213\341\222\023\267\010\356\104\255
\115\253\125\325\053\363\334\012\244\325\333\004\340\305\051\033
\140\305\104\373\321\212\146\047\216\225\125\252\235\002\023\231
\017\321\024\122\176\030\151\342\332\113\300\043\110\137\341\355
\111\043\072\046\315\163\212\225\016\043\317\372\271\036\204\125
\214\353\243\325\234\375\114\262\037\167\265\317\255\150\207\302
\021\205\114\306\070\174\314\326\305\272\207\073\177\073\357\254
\122\013\055\356\342\176\361\010\122\244\225\040\057\300\316\231
\114\374\234\160\355\273\227\025\341\217\326\245\102\004\101\352
\337\335\135\377\324\100\175\246\165\333\071\060\026\311\176\040
\254\004\374\346\161\133\300\007\153\330\265\247\201\216\321\204
\215\271\314\363\022\156
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Root CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4096 (0x1000)
# Subject: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Tue Mar 01 21:04:15 2022
# Not Valid After : Fri Feb 27 21:04:15 2032
# Fingerprint (SHA-256): D2:6D:2D:02:31:B7:C3:9F:92:CC:73:85:12:BA:54:10:35:19:E4:40:5D:68:B5:BD:70:3E:97:88:CA:8E:CF:31
# Fingerprint (SHA1): 8F:F9:15:CC:AB:7B:C1:6F:8C:5C:80:99:D5:3E:0E:11:5B:3A:EC:2F
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Root CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\217\371\025\314\253\173\301\157\214\134\200\231\325\076\016\021
\133\072\354\057
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\177\273\037\273\321\051\107\347\050\334\277\244\126\214\144\315
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Russian Trusted Sub CA"
#
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\157\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\037\060\035\006\003\125\004\003\014\026\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\123\165\142\040\103
\101
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_VALUE MULTILINE_OCTAL
\060\202\007\102\060\202\005\052\240\003\002\001\002\002\002\020
\002\060\015\006\011\052\206\110\206\367\015\001\001\013\005\000
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101\060\036\027\015\062\062\060\063\060\062\061\061\062\065
\061\071\132\027\015\062\067\060\063\060\066\061\061\062\065\061
\071\132\060\157\061\013\060\011\006\003\125\004\006\023\002\122
\125\061\077\060\075\006\003\125\004\012\014\066\124\150\145\040
\115\151\156\151\163\164\162\171\040\157\146\040\104\151\147\151
\164\141\154\040\104\145\166\145\154\157\160\155\145\156\164\040
\141\156\144\040\103\157\155\155\165\156\151\143\141\164\151\157
\156\163\061\037\060\035\006\003\125\004\003\014\026\122\165\163
\163\151\141\156\040\124\162\165\163\164\145\144\040\123\165\142
\040\103\101\060\202\002\042\060\015\006\011\052\206\110\206\367
\015\001\001\001\005\000\003\202\002\017\000\060\202\002\012\002
\202\002\001\000\365\203\352\004\243\244\327\323\105\312\152\304
\301\350\163\256\020\104\201\075\232\264\267\263\245\333\201\333
\211\220\354\050\216\153\361\325\244\120\203\105\234\335\306\251
\141\361\332\344\273\215\074\376\324\346\133\071\115\037\366\353
\036\344\041\147\371\242\130\243\237\337\231\151\053\070\362\005
\336\223\074\315\267\270\007\311\274\103\220\333\367\147\050\141
\211\156\305\050\327\373\235\051\053\361\103\005\107\245\133\367
\113\315\016\226\133\212\176\025\217\014\105\320\246\014\205\250
\214\317\243\022\020\114\266\164\165\350\253\147\003\025\035\252
\331\346\357\007\250\167\255\106\340\055\230\355\231\014\144\047
\275\123\211\140\010\345\263\341\342\271\352\273\056\076\316\161
\356\302\102\304\360\125\227\217\371\164\061\333\303\300\150\106
\167\313\253\020\022\336\253\057\116\235\166\224\235\241\063\051
\006\160\252\115\274\126\371\345\214\312\071\010\237\253\175\030
\033\124\127\216\162\007\121\044\034\331\343\330\114\170\033\000
\242\067\324\374\341\004\043\051\052\376\361\375\051\260\152\331
\274\366\302\155\000\060\064\122\143\212\302\342\306\170\345\030
\362\312\153\233\316\230\334\010\207\362\300\311\105\271\016\072
\144\013\035\064\340\263\303\272\243\351\026\302\227\064\252\132
\057\140\346\352\347\064\307\202\150\346\157\240\121\065\116\104
\036\241\071\054\326\235\140\343\330\145\237\242\142\363\317\050
\306\363\120\321\030\120\151\162\217\316\367\174\336\162\302\015
\335\042\366\142\310\351\253\134\335\241\055\065\010\306\061\211
\357\377\367\065\257\143\014\310\333\237\316\146\050\055\236\220
\210\255\307\166\217\126\072\164\305\005\100\014\300\264\161\076
\252\305\337\225\042\374\034\204\276\040\221\005\041\012\033\056
\126\041\036\112\004\335\253\340\067\036\143\226\357\216\055\207
\264\164\135\030\223\035\117\030\330\333\302\253\323\137\176\321
\012\175\366\064\310\345\242\325\266\101\301\204\146\020\312\217
\355\356\255\230\263\247\234\135\114\366\142\264\017\232\022\066
\114\374\330\273\325\123\235\210\343\364\212\006\360\351\253\031
\331\374\135\243\066\165\116\164\222\140\326\057\064\004\360\266
\023\146\147\053\002\003\001\000\001\243\202\001\345\060\202\001
\341\060\022\006\003\125\035\023\001\001\377\004\010\060\006\001
\001\377\002\001\000\060\016\006\003\125\035\017\001\001\377\004
\004\003\002\001\206\060\035\006\003\125\035\016\004\026\004\024
\321\341\161\015\013\055\201\116\156\212\112\217\114\043\263\114
\136\253\151\013\060\037\006\003\125\035\043\004\030\060\026\200
\024\341\321\201\345\316\132\137\004\252\322\351\266\235\146\261
\305\372\254\054\207\060\201\307\006\010\053\006\001\005\005\007
\001\001\004\201\272\060\201\267\060\073\006\010\053\006\001\005
\005\007\060\002\206\057\150\164\164\160\072\057\057\162\157\163
\164\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162
\157\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062
\062\056\143\162\164\060\073\006\010\053\006\001\005\005\007\060
\002\206\057\150\164\164\160\072\057\057\143\157\155\160\141\156
\171\056\162\164\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\164\060\073\006\010\053\006\001\005\005\007\060\002\206\057
\150\164\164\160\072\057\057\162\145\145\163\164\162\055\160\153
\151\056\162\165\057\143\144\160\057\162\157\157\164\143\141\137
\163\163\154\137\162\163\141\062\060\062\062\056\143\162\164\060
\201\260\006\003\125\035\037\004\201\250\060\201\245\060\065\240
\063\240\061\206\057\150\164\164\160\072\057\057\162\157\163\164
\145\154\145\143\157\155\056\162\165\057\143\144\160\057\162\157
\157\164\143\141\137\163\163\154\137\162\163\141\062\060\062\062
\056\143\162\154\060\065\240\063\240\061\206\057\150\164\164\160
\072\057\057\143\157\155\160\141\156\171\056\162\164\056\162\165
\057\143\144\160\057\162\157\157\164\143\141\137\163\163\154\137
\162\163\141\062\060\062\062\056\143\162\154\060\065\240\063\240
\061\206\057\150\164\164\160\072\057\057\162\145\145\163\164\162
\055\160\153\151\056\162\165\057\143\144\160\057\162\157\157\164
\143\141\137\163\163\154\137\162\163\141\062\060\062\062\056\143
\162\154\060\015\006\011\052\206\110\206\367\015\001\001\013\005
\000\003\202\002\001\000\104\025\163\146\133\073\364\007\142\110
\052\132\257\136\135\003\221\353\376\272\323\341\146\353\071\374
\345\244\217\261\254\267\221\076\265\006\351\345\026\041\156\057
\112\350\265\313\035\342\250\142\302\214\367\012\157\341\316\117
\012\021\061\262\072\312\323\377\235\332\167\116\126\056\153\146
\235\275\200\104\205\053\343\263\356\057\015\223\160\136\277\303
\152\166\360\041\147\156\255\231\225\211\004\101\014\127\233\246
\113\347\042\372\356\375\032\126\271\337\371\257\255\270\132\237
\057\241\223\021\266\077\334\233\246\210\364\273\157\005\364\375
\161\374\341\071\247\261\043\377\175\163\136\035\312\053\244\327
\356\220\205\334\012\150\044\123\163\131\235\174\324\046\235\365
\215\105\267\326\205\140\145\053\170\170\030\141\075\044\255\367
\032\117\031\113\300\314\256\107\100\207\114\133\313\214\100\103
\371\222\130\007\326\254\031\237\316\123\252\033\052\001\325\116
\073\131\063\236\250\326\326\222\112\000\077\154\254\367\217\254
\046\016\015\116\110\203\126\325\321\027\251\353\351\366\042\321
\264\216\274\341\140\320\204\053\061\163\266\143\310\062\203\320
\021\164\362\160\052\333\326\137\305\117\000\060\230\062\045\207
\207\211\374\155\232\044\042\262\046\124\242\303\100\241\330\342
\060\254\064\075\207\035\322\137\236\267\113\331\202\160\326\241
\154\220\323\270\161\043\146\147\047\160\321\151\040\216\377\144
\027\342\261\252\260\312\224\037\014\146\355\207\162\132\141\352
\377\302\147\107\320\365\213\204\363\371\154\035\235\020\163\141
\362\211\043\047\276\070\012\345\360\334\335\060\370\175\257\005
\023\310\014\066\352\314\372\105\174\075\077\013\064\203\076\341
\233\076\054\241\025\362\172\221\130\026\261\220\205\111\031\351
\044\124\243\274\304\060\116\033\366\215\353\140\031\050\163\236
\031\314\210\166\356\362\064\303\021\212\021\225\144\046\053\362
\266\042\046\202\242\073\060\352\072\103\344\054\343\335\206\325
\145\202\170\150\303\061\303\304\301\315\017\361\066\130\016\151
\144\173\215\063\371\264\115\173\166\301\064\317\057\262\107\331
\200\264\200\374\377\006\373\322\316\071\054\203\065\071\254\266
\321\311\102\220\222\005
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "Russian Trusted Sub CA"
# Issuer: CN=Russian Trusted Root CA,O=The Ministry of Digital Development and Communications,C=RU
# Serial Number: 4098 (0x1002)
# Subject: CN=Russian Trusted Sub CA,O=The Ministry of Digital Development and Communications,C=RU
# Not Valid Before: Wed Mar 02 11:25:19 2022
# Not Valid After : Sat Mar 06 11:25:19 2027
# Fingerprint (SHA-256): BB:BD:E2:10:3E:79:0B:99:9E:C6:2B:D0:3C:F6:25:A5:A2:E7:C3:16:E1:0A:FE:6A:49:0E:ED:EA:D8:B3:FD:9B
# Fingerprint (SHA1): 33:5D:43:F5:34:51:B7:81:53:5F:F3:88:2D:F7:13:D3:C1:4F:8A:01
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Russian Trusted Sub CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\063\135\103\365\064\121\267\201\123\137\363\210\055\367\023\323
\301\117\212\001
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\304\023\047\226\170\334\005\047\062\041\103\376\100\312\364\332
END
CKA_ISSUER MULTILINE_OCTAL
\060\160\061\013\060\011\006\003\125\004\006\023\002\122\125\061
\077\060\075\006\003\125\004\012\014\066\124\150\145\040\115\151
\156\151\163\164\162\171\040\157\146\040\104\151\147\151\164\141
\154\040\104\145\166\145\154\157\160\155\145\156\164\040\141\156
\144\040\103\157\155\155\165\156\151\143\141\164\151\157\156\163
\061\040\060\036\006\003\125\004\003\014\027\122\165\163\163\151
\141\156\040\124\162\165\163\164\145\144\040\122\157\157\164\040
\103\101
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\002\020\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "TCI ECDSA ROOT A1"
#
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\124\060\201\373\240\003\002\001\002\002\014\001\336
\255\300\336\000\214\031\170\074\172\326\060\012\006\010\052\206
\110\316\075\004\003\002\060\034\061\032\060\030\006\003\125\004
\003\014\021\124\103\111\040\105\103\104\123\101\040\122\117\117
\124\040\101\061\060\036\027\015\062\062\060\063\063\060\060\071
\063\063\061\070\132\027\015\063\062\060\063\063\060\060\071\063
\063\061\070\132\060\034\061\032\060\030\006\003\125\004\003\014
\021\124\103\111\040\105\103\104\123\101\040\122\117\117\124\040
\101\061\060\131\060\023\006\007\052\206\110\316\075\002\001\006
\010\052\206\110\316\075\003\001\007\003\102\000\004\231\342\354
\262\123\340\150\374\352\221\264\263\334\016\171\365\240\252\012
\177\020\147\370\145\304\261\066\000\011\176\027\045\351\146\015
\241\146\231\175\371\144\213\204\135\321\134\300\046\006\332\115
\045\266\353\073\257\332\141\214\353\133\161\017\336\243\043\060
\041\060\016\006\003\125\035\017\001\001\377\004\004\003\002\001
\206\060\017\006\003\125\035\023\001\001\377\004\005\060\003\001
\001\377\060\012\006\010\052\206\110\316\075\004\003\002\003\110
\000\060\105\002\040\062\243\050\372\032\146\272\255\226\071\256
\313\255\006\324\366\010\066\364\167\003\127\213\073\064\370\105
\370\106\005\072\301\002\041\000\204\222\373\041\342\303\156\215
\236\144\002\051\343\070\250\150\212\150\326\025\162\136\100\001
\065\271\351\071\064\075\050\373
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
# Trust for "TCI ECDSA ROOT A1"
# Issuer: CN=TCI ECDSA ROOT A1
# Serial Number:01:de:ad:c0:de:00:8c:19:78:3c:7a:d6
# Subject: CN=TCI ECDSA ROOT A1
# Not Valid Before: Wed Mar 30 09:33:18 2022
# Not Valid After : Tue Mar 30 09:33:18 2032
# Fingerprint (SHA-256): 0A:3C:80:4A:CF:2E:70:22:3E:22:2D:65:99:EB:78:8D:CC:A3:EE:CC:F7:F2:66:7C:B3:71:C1:78:AD:07:DB:51
# Fingerprint (SHA1): 4E:87:7A:C0:27:A6:3D:85:14:C0:B4:CB:FA:0F:6F:58:F6:C1:76:96
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "TCI ECDSA ROOT A1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\116\207\172\300\047\246\075\205\024\300\264\313\372\017\157\130
\366\301\166\226
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\316\230\227\216\027\213\116\066\202\313\342\233\264\216\053\140
END
CKA_ISSUER MULTILINE_OCTAL
\060\034\061\032\060\030\006\003\125\004\003\014\021\124\103\111
\040\105\103\104\123\101\040\122\117\117\124\040\101\061
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\014\001\336\255\300\336\000\214\031\170\074\172\326
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

@ -177,6 +177,11 @@ openssl_trust = {
"CKA_TRUST_EMAIL_PROTECTION": "emailProtection", "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
} }
cert_distrust_types = {
"CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
"CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
}
for tobj in objects: for tobj in objects:
if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST': if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
key = tobj['CKA_LABEL'] + printable_serial(tobj) key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
f.write("nss-mozilla-ca-policy: true\n") f.write("nss-mozilla-ca-policy: true\n")
f.write("modifiable: false\n"); f.write("modifiable: false\n");
# requires p11-kit >= 0.23.19
for t in list(cert_distrust_types.keys()):
if t in obj:
value = obj[t]
if value == 'CK_FALSE':
value = bytearray(1)
f.write(cert_distrust_types[t] + ": \"")
f.write(urllib.parse.quote(value));
f.write("\"\n")
f.write("-----BEGIN CERTIFICATE-----\n") f.write("-----BEGIN CERTIFICATE-----\n")
temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE']) temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64) temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBVDCB+6ADAgECAgwB3q3A3gCMGXg8etYwCgYIKoZIzj0EAw
IwHDEaMBgGA1UEAwwRVENJIEVDRFNBIFJPT1QgQTEwHhcNMjIw
MzMwMDkzMzE4WhcNMzIwMzMwMDkzMzE4WjAcMRowGAYDVQQDDB
FUQ0kgRUNEU0EgUk9PVCBBMTBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABJni7LJT4Gj86pG0s9wOefWgqgp/EGf4ZcSxNgAJfh
cl6WYNoWaZfflki4Rd0VzAJgbaTSW26zuv2mGM61txD96jIzAh
MA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCC
qGSM49BAMCA0gAMEUCIDKjKPoaZrqtljmuy60G1PYINvR3A1eL
OzT4RfhGBTrBAiEAhJL7IeLDbo2eZAIp4zioaIpo1hVyXkABNb
npOTQ9KPs=
-----END CERTIFICATE-----

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBXTCCAQigAwIBAgIMAt6twN4AjBl4PHrWMAwGCCqFAwcBAQ
MCBQAwGzEZMBcGA1UEAwwQVENJIEdPU1QgUk9PVCBBMTAeFw0y
MjAzMzAwOTMzMThaFw0zMjAzMzAwOTMzMThaMBsxGTAXBgNVBA
MMEFRDSSBHT1NUIFJPT1QgQTEwZjAfBggqhQMHAQEBATATBgcq
hQMCAiMBBggqhQMHAQECAgNDAARASiE+O1G5yX8JjIS0RmQ2Im
2FKd0RhbOtdjaoAivB3ywbHLGb6deQBRd/MwLP2IrfIZcVb4QP
5PSYolD/Iu+ExaMjMCEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEw
EB/wQFMAMBAf8wDAYIKoUDBwEBAwIFAANBAOi6Dn7pxa/SSbV6
PsfROEKzsBnX6GGggo9wOELuZKfDYdy88/92yr2Aali+fEje63
XqhHoZExE0CNLoncM3ARc=
-----END CERTIFICATE-----

@ -1,33 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFwjCCA6qgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCUlUx
PzA9BgNVBAoMNlRoZSBNaW5pc3RyeSBvZiBEaWdpdGFsIERldmVsb3BtZW50IGFu
ZCBDb21tdW5pY2F0aW9uczEgMB4GA1UEAwwXUnVzc2lhbiBUcnVzdGVkIFJvb3Qg
Q0EwHhcNMjIwMzAxMjEwNDE1WhcNMzIwMjI3MjEwNDE1WjBwMQswCQYDVQQGEwJS
VTE/MD0GA1UECgw2VGhlIE1pbmlzdHJ5IG9mIERpZ2l0YWwgRGV2ZWxvcG1lbnQg
YW5kIENvbW11bmljYXRpb25zMSAwHgYDVQQDDBdSdXNzaWFuIFRydXN0ZWQgUm9v
dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMfFOZ8pUAL3+r2n
qqE0Zp52selXsKGFYoG0GM5bwz1bSFtCt+AZQMhkWQheI3poZAToYJu69pHLKS6Q
XBiwBC1cvzYmUYKMYZC7jE5YhEU2bSL0mX7NaMxMDmH2/NwuOVRj8OImVa5s1F4U
zn4Kv3PFlDBjjSjXKVY9kmjUBsXQrIHeaqmUIsPIlNWUnimXS0I0abExqkbdrXbX
YwCOXhOO2pDUx3ckmJlCMUGacUTnylyQW2VsJIyIGA8V0xzdaeUXg0VZ6ZmNUr5Y
Ber/EAOLPb8NYpsAhJe2mXjMB/J9HNsoFMBFJ0lLOT/+dQvjbdRZoOT8eqJpWnVD
U+QL/qEZnz57N88OWM3rabJkRNdU/Z7x5SFIM9FrqtN8xewsiBWBI0K6XFuOBOTD
4V08o4TzJ8+Ccq5XlCUW2L48pZNCYuBDfBh7FxkB7qDgGDiaftEkZZfApRg2E+M9
G8wkNKTPLDc4wH0FDTijhgxR3Y4PiS1HL2Zhw7bD3CbslmEGgfnnZojNkJtcLeBH
BLa52/dSwNU4WWLubaYSiAmA9IUMX1/RpfpxOxd4Ykmhz97oFbUaDJFipIggx5sX
ePAlkTdWnv+RWBxlJwMQ25oEHmRguNYf4Zr/Rxr9cS93Y+mdXIZaBEE0KS2iLRqa
OiWBki9IMQU4phqPOBAaG7A+eP8PAgMBAAGjZjBkMB0GA1UdDgQWBBTh0YHlzlpf
BKrS6badZrHF+qwshzAfBgNVHSMEGDAWgBTh0YHlzlpfBKrS6badZrHF+qwshzAS
BgNVHRMBAf8ECDAGAQH/AgEEMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
AAOCAgEAALIY1wkilt/urfEVM5vKzr6utOeDWCUczmWX/RX4ljpRdgF+5fAIS4vH
tmXkqpSCOVeWUrJV9QvZn6L227ZwuE15cWi8DCDal3Ue90WgAJJZMfTshN4OI8cq
W9E4EG9wglbEtMnObHlms8F3CHmrw3k6KmUkWGoa+/ENmcVl68u/cMRl1JbW2bM+
/3A+SAg2c6iPDlehczKx2oa95QW0SkPPWGuNA/CE8CpyANIhu9XFrj3RQ3EqeRcS
AQQod1RNuHpfETLU/A2gMmvn/w/sx7TB3W5BPs6rprOA37tutPq9u6FTZOcG1Oqj
C/B7yTqgI7rbyvox7DEXoX7rIiEqyNNUguTk/u3SZ4VXE2kmxdmSh3TQvybfbnXV
4JbCZVaqiZraqc7oZMnRoWrXRG3ztbnbes/9qhRGI7PqXqeKJBztxRTEVj8ONs1d
WN5szTwaPIvhkhO3CO5ErU2rVdUr89wKpNXbBODFKRtgxUT70YpmJ46VVaqdAhOZ
D9EUUn4YaeLaS8AjSF/h7UkjOibNc4qVDiPP+rkehFWM66PVnP1Msh93tc+taIfC
EYVMxjh8zNbFuoc7fzvvrFILLe7ifvEIUqSVIC/AzplM/Jxw7buXFeGP1qVCBEHq
391d/9RAfaZ12zkwFsl+IKwE/OZxW8AHa9i1p4GO0YSNuczzEm4=
-----END CERTIFICATE-----

@ -1 +0,0 @@
MIAGCSqGSIb3DQEHAqCAMIACAQExDDAKBggqhQMHAQECAjCABgkqhkiG9w0BBwEAAKCCB7gwgge0MIIHYaADAgECAgsAybP3lAAAAAAFhjAKBggqhQMHAQEDAjCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4MB4XDTIxMDUxOTA4MDc1OFoXDTIyMDgxNzA4MDc1OFowggF4MRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMUIwQAYJKoZIhvcNAQkCDDPQn9C+0LTRgdC40YHRgtC10LzQsCDCq9Cg0LXQtdGB0YLRgNGLwrsg0JjQoSDQk9Cj0KYxLjAsBgkqhkiG9w0BCQEWH2Eua29yemhlbmV2c2theWFAZGlnaXRhbC5nb3YucnUxOjA4BgNVBAkMMdCf0YDQtdGB0L3QtdC90YHQutCw0Y8g0L3QsNCxLiwg0LQuIDEwLCDRgdGC0YAuIDIxGTAXBgNVBAcMENCzLiDQnNC+0YHQutCy0LAxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEmMCQGA1UECgwd0JzQuNC90YbQuNGE0YDRiyDQoNC+0YHRgdC40LgxCzAJBgNVBAYTAlJVMSYwJAYDVQQDDB3QnNC40L3RhtC40YTRgNGLINCg0L7RgdGB0LjQuDBmMB8GCCqFAwcBAQEBMBMGByqFAwICJAAGCCqFAwcBAQICA0MABECPKzaqApZOrOkwaZWzx4xo/CsPpTbMMlJuUm2wIrJxpyZPGAdGO7krlWVfWnxPIl+POqsLM1Fq57nK30CAhUdzo4IEEzCCBA8wFQYDVR0lBA4wDAYKKwYBBAGCNwoDDDAOBgNVHQ8BAf8EBAMCBPAwXQYFKoUDZG8EVAxS0KHQmtCX0JggwqvQmtGA0LjQv9GC0L7Qn9GA0L4gQ1NQwrsg0LLQtdGA0YHQuNGPIDQuMCAo0LjRgdC/0L7Qu9C90LXQvdC40LUgMy1CYXNlKTAnBgNVHSAEIDAeMAgGBiqFA2RxATAIBgYqhQNkcQIwCAYGKoUDZHEDMB0GA1UdDgQWBBTvvmSAWPkPuWdrcO5mYdM5ixAd/DCCAWUGA1UdIwSCAVwwggFYgBTCVPG0a9RMt+BtNrQjkPH+wzybBqGCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LiCEE5tR4sm8n1lf3aOAlzj05MwgZgGA1UdHwSBkDCBjTAtoCugKYYnaHR0cDovL3JlZXN0ci1wa2kucnUvY2RwL2d1Y19nb3N0MTIuY3JsMC2gK6AphidodHRwOi8vY29tcGFueS5ydC5ydS9jZHAvZ3VjX2dvc3QxMi5jcmwwLaAroCmGJ2h0dHA6Ly9yb3N0ZWxlY29tLnJ1L2NkcC9ndWNfZ29zdDEyLmNybDBDBggrBgEFBQcBAQQ3MDUwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9yZWVzdHItcGtpLnJ1L2NkcC9ndWNfZ29zdDEyLmNydDCB9QYFKoUDZHAEgeswgegMNNCf0JDQmtCcIMKr0JrRgNC40L/RgtC+0J/RgNC+IEhTTcK7INCy0LXRgNGB0LjQuCAyLjAMQ9Cf0JDQmiDCq9CT0L7Qu9C+0LLQvdC+0Lkg0YPQtNC+0YHRgtC+0LLQtdGA0Y/RjtGJ0LjQuSDRhtC10L3RgtGAwrsMNdCX0LDQutC70Y7Rh9C10L3QuNC1IOKEliAxNDkvMy8yLzIvMjMg0L7RgiAwMi4wMy4yMDE4DDTQl9Cw0LrQu9GO0YfQtdC90LjQtSDihJYgMTQ5LzcvNi8xMDUg0L7RgiAyNy4wNi4yMDE4MAoGCCqFAwcBAQMCA0EAiq8EGuoH/RZ2NPQoW+ZP6tuflm4TMrsyT5QMYjVmOJdAXU7HiEqPSLSwH4eEYL6qkdHF8kmQYp2Kwesl86DcWjGCA5cwggOTAgEBMIIBNTCCASQxHjAcBgkqhkiG9w0BCQEWD2RpdEBtaW5zdnlhei5ydTELMAkGA1UEBhMCUlUxGDAWBgNVBAgMDzc3INCc0L7RgdC60LLQsDEZMBcGA1UEBwwQ0LMuINCc0L7RgdC60LLQsDEuMCwGA1UECQwl0YPQu9C40YbQsCDQotCy0LXRgNGB0LrQsNGPLCDQtNC+0LwgNzEsMCoGA1UECgwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgxGDAWBgUqhQNkARINMTA0NzcwMjAyNjcwMTEaMBgGCCqFAwOBAwEBEgwwMDc3MTA0NzQzNzUxLDAqBgNVBAMMI9Cc0LjQvdC60L7QvNGB0LLRj9C30Ywg0KDQvtGB0YHQuNC4AgsAybP3lAAAAAAFhjAKBggqhQMHAQECAqCCAfkwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMjIwMzAyMDgxNDE0WjAvBgkqhkiG9w0BCQQxIgQgzb9RJkaBTAfbMRIMlNXto6nKufJY5FtfqzLnfcuZ+hMwggGMBgsqhkiG9w0BCRACLzGCAXswggF3MIIBczCCAW8wCgYIKoUDBwEBAgIEIIF2ijeXhxSihco1wb5EBZoP1DAnHrpQuB9P656woqXfMIIBPTCCASykggEoMIIBJDEeMBwGCSqGSIb3DQEJARYPZGl0QG1pbnN2eWF6LnJ1MQswCQYDVQQGEwJSVTEYMBYGA1UECAwPNzcg0JzQvtGB0LrQstCwMRkwFwYDVQQHDBDQsy4g0JzQvtGB0LrQstCwMS4wLAYDVQQJDCXRg9C70LjRhtCwINCi0LLQtdGA0YHQutCw0Y8sINC00L7QvCA3MSwwKgYDVQQKDCPQnNC40L3QutC+0LzRgdCy0Y/Qt9GMINCg0L7RgdGB0LjQuDEYMBYGBSqFA2QBEg0xMDQ3NzAyMDI2NzAxMRowGAYIKoUDA4EDAQESDDAwNzcxMDQ3NDM3NTEsMCoGA1UEAwwj0JzQuNC90LrQvtC80YHQstGP0LfRjCDQoNC+0YHRgdC40LgCCwDJs/eUAAAAAAWGMAoGCCqFAwcBAQEBBEA0eWBz4JnqO6umBiTQK/tkJgTeV0nKAp2SQlJVOlSPwBDx1H5fUZOTQDP0/4OtMakDCKhUHd5KS9DNhZErA0UmAAAAAAAA

@ -1,9 +1,9 @@
#!/bin/sh #!/bin/sh
#set -vx #set -vx
set -eu
# At this time, while this script is trivial, we ignore any parameters given. # For backwards compatibility reasons, future versions of this script must
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output # support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST. # files in $DEST.
@ -12,11 +12,126 @@ DEST=/etc/pki/ca-trust/extracted
# Prevent p11-kit from reading user configuration files. # Prevent p11-kit from reading user configuration files.
export P11_KIT_NO_USER_CONFIG=1 export P11_KIT_NO_USER_CONFIG=1
# OpenSSL PEM bundle that includes trust flags usage() {
# (BEGIN TRUSTED CERTIFICATE) fold -s -w 76 >&2 <<-EOF
/usr/bin/p11-kit extract --format=openssl-bundle --filter=certificates --overwrite --comment $DEST/openssl/ca-bundle.trust.crt Usage: $0 [extract] [-o DIR|--output=DIR]
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem Update the system trust store in $DEST.
/usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts COMMANDS
/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin (absent/empty command): Same as the extract command without arguments.
extract: Instruct update-ca-trust to scan the source configuration in
/usr/share/pki/ca-trust-source and /etc/pki/ca-trust/source and produce
updated versions of the consolidated configuration files stored below
the $DEST directory hierarchy.
EXTRACT OPTIONS
-o DIR, --output=DIR: Write the extracted trust store into the given
directory instead of updating $DEST.
EOF
}
extract() {
USER_DEST=
# can't use getopt here. ca-certificates can't depend on a lot
# of other libraries since openssl depends on ca-certificates
# just fail when we hand parse
while [ $# -ne 0 ]; do
case "$1" in
"-o"|"--output")
if [ $# -lt 2 ]; then
echo >&2 "Error: missing argument for '$1' option. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
fi
USER_DEST=$2
shift 2
continue
;;
"--")
shift
break
;;
*)
echo >&2 "Error: unknown extract argument '$1'. See 'update-ca-trust --help' for usage."
exit 1
;;
esac
done
if [ -n "$USER_DEST" ]; then
DEST=$USER_DEST
# Attempt to create the directories if they do not exist
# yet (rhbz#2241240)
/usr/bin/mkdir -p \
"$DEST"/openssl \
"$DEST"/pem \
"$DEST"/java \
"$DEST"/edk2
fi
# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/trust extract --format=openssl-bundle --filter=certificates --overwrite --comment "$DEST/openssl/ca-bundle.trust.crt"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose server-auth "$DEST/pem/tls-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email "$DEST/pem/email-ca-bundle.pem"
/usr/bin/trust extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing "$DEST/pem/objsign-ca-bundle.pem"
/usr/bin/trust extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth "$DEST/java/cacerts"
/usr/bin/trust extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth "$DEST/edk2/cacerts.bin"
# Hashed directory of BEGIN TRUSTED-style certs (usable as OpenSSL CApath and
# by GnuTLS)
/usr/bin/trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose server-auth "$DEST/pem/directory-hash"
# p11-kit extract will have made this directory unwritable; when run with
# CAP_DAC_OVERRIDE this does not matter, but in container use cases that may
# not be the case. See rhbz#2241240.
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u+w "$DEST/pem/directory-hash"
fi
# Debian compatibility: their /etc/ssl/certs has this bundle
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-certificates.crt"
# Backwards compatibility: RHEL/Fedora provided a /etc/ssl/certs/ca-bundle.crt
# since https://bugzilla.redhat.com/show_bug.cgi?id=572725
/usr/bin/ln -s ../tls-ca-bundle.pem "$DEST/pem/directory-hash/ca-bundle.crt"
# Remove write permissions again
if [ -n "$USER_DEST" ]; then
/usr/bin/chmod u-w "$DEST/pem/directory-hash"
fi
}
if [ $# -lt 1 ]; then
set -- extract
fi
case "$1" in
"extract")
shift
extract "$@"
;;
"--help")
usage
exit 0
;;
"-o"|"--output")
echo >&2 "Error: the '$1' option must be preceded with the 'extract' command. See 'update-ca-trust --help' for usage."
echo >&2
exit 1
;;
"enable")
echo >&2 "Warning: 'enable' is a deprecated argument. Use 'update-ca-trust extract' in future. See 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
*)
echo >&2 "Warning: unknown command: '$1', see 'update-ca-trust --help' for usage."
echo >&2
echo >&2 "Proceeding with extraction anyway for backwards compatibility."
extract
;;
esac

@ -27,7 +27,7 @@ certificates and associated trust
SYNOPSIS SYNOPSIS
-------- --------
*update-ca-trust* ['COMMAND'] *update-ca-trust* [extract] [-o 'DIR'|--output='DIR']
DESCRIPTION DESCRIPTION
@ -98,13 +98,13 @@ subdirectory in the /etc hierarchy.
* add it as a new file to directory /etc/pki/ca-trust/source/anchors/ * add it as a new file to directory /etc/pki/ca-trust/source/anchors/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blacklist trust flags, or trust flags for usages other than TLS) then: .*QUICK HELP 2*: If your certificate is in the extended BEGIN TRUSTED file format (which may contain distrust/blocklist trust flags, or trust flags for usages other than TLS) then:
* add it as a new file to directory /etc/pki/ca-trust/source/ * add it as a new file to directory /etc/pki/ca-trust/source/
* run 'update-ca-trust extract' * run 'update-ca-trust extract'
.In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to. .In order to offer simplicity and flexibility, the way certificate files are treated depends on the subdirectory they are installed to.
* simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/ * simple trust anchors subdirectory: /usr/share/pki/ca-trust-source/anchors/ or /etc/pki/ca-trust/source/anchors/
* simple blacklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ * simple blocklist (distrust) subdirectory: /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
* extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ * extended format directory: /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/
.In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats: .In the main directories /usr/share/pki/ca-trust-source/ or /etc/pki/ca-trust/source/ you may install one or multiple files in the following file formats:
@ -134,7 +134,7 @@ you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *trusted* for all purposes. Each certificate will be treated as *trusted* for all purposes.
In the blacklist subdirectories /usr/share/pki/ca-trust-source/blacklist/ or /etc/pki/ca-trust/source/blacklist/ In the blocklist subdirectories /usr/share/pki/ca-trust-source/blocklist/ or /etc/pki/ca-trust/source/blocklist/
you may install one or multiple certificates in either the DER file you may install one or multiple certificates in either the DER file
format or in the PEM (BEGIN/END CERTIFICATE) file format. format or in the PEM (BEGIN/END CERTIFICATE) file format.
Each certificate will be treated as *distrusted* for all purposes. Each certificate will be treated as *distrusted* for all purposes.
@ -214,15 +214,23 @@ server authentication.
COMMANDS COMMANDS
-------- --------
(absent/empty command):: (absent/empty command)
Same as the *extract* command described below. (However, the command may ~~~~~~~~~~~~~~~~~~~~~~
print fewer warnings, as this command is being run during rpm package Same as the *extract* command described below. (However, the command may print
installation, where non-fatal status output is undesired.) fewer warnings, as this command is being run during rpm package installation,
where non-fatal status output is undesired.)
*extract*::
Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and produce extract
updated versions of the consolidated configuration files stored below ~~~~~~~
the /etc/pki/ca-trust/extracted directory hierarchy. Instruct update-ca-trust to scan the <<sourceconf,SOURCE CONFIGURATION>> and
produce updated versions of the consolidated configuration files stored below
the /etc/pki/ca-trust/extracted directory hierarchy.
EXTRACT OPTIONS
^^^^^^^^^^^^^^^
*-o DIR*, *--output=DIR*::
Write the extracted trust store into the given directory instead of
updating /etc/pki/ca-trust/extracted.
FILES FILES
----- -----

@ -36,13 +36,11 @@ Name: ca-certificates
# because all future versions will start with 2013 or larger.) # because all future versions will start with 2013 or larger.)
Version: 2024.2.69_v8.0.303 Version: 2024.2.69_v8.0.303
# On RHEL 8.x, please keep the release version >= 80 # for y-stream, please always use 91 <= release < 100 (91,92,93)
# When rebasing on Y-Stream (8.y), use 81, 82, 83, ... # for z-stream release branches, please use 90 <= release < 91 (90.0, 90.1, ...)
# When rebasing on Z-Stream (8.y.z), use 80.0, 80.1, 80.2, .. Release: 91.4%{?dist}
Release: 80.0%{?dist}.inferit.1 License: MIT AND GPL-2.0-or-later
License: Public Domain
Group: System Environment/Base
URL: https://fedoraproject.org/wiki/CA-Certificates URL: https://fedoraproject.org/wiki/CA-Certificates
#Please always update both certdata.txt and nssckbi.h #Please always update both certdata.txt and nssckbi.h
@ -64,14 +62,6 @@ Source16: README.pem
Source17: README.edk2 Source17: README.edk2
Source18: README.src Source18: README.src
# Russian Ministry of Digital Development and Communications
Source90: rootca_ssl_rsa2022.cer
Source91: rootca_ssl_rsa2022.cer.detached.sig
# TCI ECSDA ROOT A1
Source92: ecdsa-a1.crt
# TCI GOST ROOT A1
Source93: gost-a1.crt
BuildArch: noarch BuildArch: noarch
Requires(post): bash Requires(post): bash
@ -81,16 +71,14 @@ Requires(post): coreutils
Requires: bash Requires: bash
Requires: grep Requires: grep
Requires: sed Requires: sed
Requires(post): p11-kit >= 0.23.12 Requires(post): p11-kit-trust >= 0.24
Requires(post): p11-kit-trust >= 0.23.12 Requires: p11-kit-trust >= 0.24
Requires: p11-kit >= 0.23.12
Requires: p11-kit-trust >= 0.23.12
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: python3-devel BuildRequires: python3
BuildRequires: openssl BuildRequires: openssl
BuildRequires: asciidoc BuildRequires: asciidoc
BuildRequires: libxslt BuildRequires: xmlto
%description %description
This package contains the set of CA certificates chosen by the This package contains the set of CA certificates chosen by the
@ -108,7 +96,7 @@ mkdir %{name}/java
pushd %{name}/certs pushd %{name}/certs
pwd pwd
cp %{SOURCE0} . cp %{SOURCE0} .
%{__python3} %{SOURCE4} >c2p.log 2>c2p.err python3 %{SOURCE4} >c2p.log 2>c2p.err
popd popd
pushd %{name} pushd %{name}
( (
@ -179,12 +167,12 @@ popd
#manpage #manpage
cp %{SOURCE10} %{name}/update-ca-trust.8.txt cp %{SOURCE10} %{name}/update-ca-trust.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt asciidoc -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
xsltproc --nonet -o %{name}/update-ca-trust.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml xmlto -v -o %{name} man %{name}/update-ca-trust.8.xml
cp %{SOURCE9} %{name}/ca-legacy.8.txt cp %{SOURCE9} %{name}/ca-legacy.8.txt
asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt asciidoc -v -d manpage -b docbook %{name}/ca-legacy.8.txt
xsltproc --nonet -o %{name}/ca-legacy.8 /usr/share/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml xmlto -v -o %{name} man %{name}/ca-legacy.8.xml
%install %install
@ -194,15 +182,16 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{pkidir}/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl mkdir -p -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/ssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
mkdir -p -m 555 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blocklist
mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-legacy
mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir} mkdir -p -m 755 $RPM_BUILD_ROOT%{_bindir}
mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8 mkdir -p -m 755 $RPM_BUILD_ROOT%{_mandir}/man8
@ -251,9 +240,15 @@ chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
# /etc/ssl/certs symlink for 3rd-party tools # /etc/ssl symlinks for 3rd-party tools and cross-distro compatibility
ln -s ../pki/tls/certs \ ln -s /etc/pki/tls/certs \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs $RPM_BUILD_ROOT%{_sysconfdir}/ssl/certs
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/cert.pem
ln -s /etc/pki/tls/openssl.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/openssl.cnf
ln -s /etc/pki/tls/ct_log_list.cnf \
$RPM_BUILD_ROOT%{_sysconfdir}/ssl/ct_log_list.cnf
# legacy filenames # legacy filenames
ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \ ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
$RPM_BUILD_ROOT%{pkidir}/tls/cert.pem $RPM_BUILD_ROOT%{pkidir}/tls/cert.pem
@ -264,12 +259,49 @@ ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
ln -s %{catrustdir}/extracted/%{java_bundle} \ ln -s %{catrustdir}/extracted/%{java_bundle} \
$RPM_BUILD_ROOT%{pkidir}/%{java_bundle} $RPM_BUILD_ROOT%{pkidir}/%{java_bundle}
# Russian Ministry of Digital Development and Communications # Populate %%{catrustdir}/extracted/pem/directory-hash.
install -m 644 %{SOURCE90} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/ #
install -m 644 %{SOURCE91} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/ # First direct p11-kit-trust.so to the generated bundle (not the one
# TCI ECDSA and GOST root certificates # already present on the build system) with an overriding module
install -m 644 %{SOURCE92} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/ # config. Note that we have to use a different config path based on
install -m 644 %{SOURCE93} $RPM_BUILD_ROOT%{catrustdir}/source/anchors/ # the current user: if root, ~/.config/pkcs11/modules/* are not read,
# while if a regular user, she can't write to /etc.
if test "$(id -u)" -eq 0; then
trust_module_dir=/etc/pkcs11/modules
else
trust_module_dir=$HOME/.config/pkcs11/modules
fi
mkdir -p "$trust_module_dir"
# It is unlikely that the directory would contain any files on a build system,
# but let's make sure just in case.
if [ -n "$(ls -A "$trust_module_dir")" ]; then
echo "Directory $trust_module_dir is not empty. Aborting build!"
exit 1
fi
trust_module_config=$trust_module_dir/%{name}-p11-kit-trust.module
cat >"$trust_module_config" <<EOF
module: p11-kit-trust.so
trust-policy: yes
x-init-reserved: paths='$RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source'
EOF
trust extract --format=pem-directory-hash --filter=ca-anchors --overwrite \
--purpose server-auth \
$RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
# Create a temporary file with the list of (%ghost )files in the directory-hash.
find $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash -type f,l > .files.txt
sed -i "s|^$RPM_BUILD_ROOT|%ghost /|" .files.txt
# Clean up the temporary module config.
rm -f "$trust_module_config"
%clean
/usr/bin/chmod u+w $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/directory-hash
rm -rf $RPM_BUILD_ROOT
%pre %pre
if [ $1 -gt 1 ] ; then if [ $1 -gt 1 ] ; then
@ -317,6 +349,7 @@ if [ $1 -gt 1 ] ; then
fi fi
fi fi
%post %post
#if [ $1 -gt 1 ] ; then #if [ $1 -gt 1 ] ; then
# # when upgrading or downgrading # # when upgrading or downgrading
@ -342,9 +375,8 @@ fi
%{_bindir}/ca-legacy install %{_bindir}/ca-legacy install
%{_bindir}/update-ca-trust %{_bindir}/update-ca-trust
%files # The file .files.txt contains the list of (%ghost )files in the directory-hash
%defattr(-,root,root,-) %files -f .files.txt
%dir %{_sysconfdir}/ssl %dir %{_sysconfdir}/ssl
%dir %{pkidir}/tls %dir %{pkidir}/tls
%dir %{pkidir}/tls/certs %dir %{pkidir}/tls/certs
@ -352,7 +384,7 @@ fi
%dir %{catrustdir} %dir %{catrustdir}
%dir %{catrustdir}/source %dir %{catrustdir}/source
%dir %{catrustdir}/source/anchors %dir %{catrustdir}/source/anchors
%dir %{catrustdir}/source/blacklist %dir %{catrustdir}/source/blocklist
%dir %{catrustdir}/extracted %dir %{catrustdir}/extracted
%dir %{catrustdir}/extracted/pem %dir %{catrustdir}/extracted/pem
%dir %{catrustdir}/extracted/openssl %dir %{catrustdir}/extracted/openssl
@ -360,13 +392,9 @@ fi
%dir %{_datadir}/pki %dir %{_datadir}/pki
%dir %{_datadir}/pki/ca-trust-source %dir %{_datadir}/pki/ca-trust-source
%dir %{_datadir}/pki/ca-trust-source/anchors %dir %{_datadir}/pki/ca-trust-source/anchors
%dir %{_datadir}/pki/ca-trust-source/blacklist %dir %{_datadir}/pki/ca-trust-source/blocklist
%dir %{_datadir}/pki/ca-trust-legacy %dir %{_datadir}/pki/ca-trust-legacy
%dir %{catrustdir}/extracted/pem/directory-hash
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer
%{catrustdir}/source/anchors/rootca_ssl_rsa2022.cer.detached.sig
%{catrustdir}/source/anchors/ecdsa-a1.crt
%{catrustdir}/source/anchors/gost-a1.crt
%config(noreplace) %{catrustdir}/ca-legacy.conf %config(noreplace) %{catrustdir}/ca-legacy.conf
@ -386,10 +414,13 @@ fi
%{pkidir}/tls/certs/%{classic_tls_bundle} %{pkidir}/tls/certs/%{classic_tls_bundle}
%{pkidir}/tls/certs/%{openssl_format_trust_bundle} %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
%{pkidir}/%{java_bundle} %{pkidir}/%{java_bundle}
# symlink directory # symlinks to cross-distro compatibility files and directory
%{_sysconfdir}/ssl/certs %{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/cert.pem
%{_sysconfdir}/ssl/openssl.cnf
%{_sysconfdir}/ssl/ct_log_list.cnf
# master bundle file with trust # primary bundle file with trust
%{_datadir}/pki/ca-trust-source/%{p11_format_bundle} %{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
%{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle} %{_datadir}/pki/ca-trust-legacy/%{legacy_default_bundle}
@ -405,18 +436,33 @@ fi
%ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
%ghost %{catrustdir}/extracted/%{java_bundle} %ghost %{catrustdir}/extracted/%{java_bundle}
%ghost %{catrustdir}/extracted/edk2/cacerts.bin %ghost %{catrustdir}/extracted/edk2/cacerts.bin
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-bundle.crt
%ghost %{catrustdir}/extracted/pem/directory-hash/ca-certificates.crt
%changelog %changelog
* Wed Sep 11 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit.1 *Fri Aug 16 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.4
- Remove TCI GOST certificate from certdata.txt - update-ca-trust: return warnings on a unsupported argument instead of error
- Bump version
*Wed Aug 7 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.3
- Temporarily generate the directory-hash files in %%install ...(next item)
- Add list of ghost files from directory-hash to %%files
*Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.2
- Remove write permissions from directory-hash
* Thu Aug 22 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2024.2.69_v8.0.303-80.0.inferit *Mon Jul 29 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.1
- Update to 2024.2.69_v8.0.303-80.0 - Reduce dependency on p11-kit to only the trust subpackage
- Own the Directory-hash directory
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-80.0 *Mon Jul 15 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91.0
- Fix release number
*Thu Jul 11 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.69_v8.0.303-91
- Update to CKBI 2.69_v8.0.303 from NSS 3.101.1 - Update to CKBI 2.69_v8.0.303 from NSS 3.101.1
- GLOBALTRUST 2020 root CA certificate set CKA_NSS_{SERVER|EMAIL}_DISTRUST_AFTER
*Tue Jun 25 2024 Frantisek Krenzelok <fkrenzel@redhat.com> - 2024.2.68_v8.0.302-91
- Update to CKBI 2.68_v8.0.302 from NSS 3.101
- Removing: - Removing:
- # Certificate "Verisign Class 1 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 1 Public Primary Certification Authority - G3"
- # Certificate "Verisign Class 2 Public Primary Certification Authority - G3" - # Certificate "Verisign Class 2 Public Primary Certification Authority - G3"
@ -463,27 +509,22 @@ fi
- # Certificate "SSL.com Code Signing RSA Root CA 2022" - # Certificate "SSL.com Code Signing RSA Root CA 2022"
- # Certificate "SSL.com Code Signing ECC Root CA 2022" - # Certificate "SSL.com Code Signing ECC Root CA 2022"
* Wed Jul 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.2 * Mon Oct 09 2023 Robert Relyea <rrelyea@redhat.com> 2024.2.68_v8.0.302-91.0
- Fixed addition TCI GOST certificate - update-ca-trust: Fix bug in update-ca-trust so we don't depened on util-unix
- Bump version
* Tue Jul 09 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit.1 * Sat Oct 07 2023 Adam Williamson <awilliam@redhat.com> - 2024.2.68_v8.0.302-91.0
- Added TCI ECDSA and GOST root certificates - Skip %post if getopt is missing (recent change made update-ca-trust use it)
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2023.2.60_v7.0.306-80.0.inferit * Fri Sep 29 2023 Clemens Lang <cllang@redhat.com> - 2024.2.68_v8.0.302-91.0
- Update to version 2023.2.60_v7.0.306-80.0 - update-ca-trust: Support --output and non-root operation (rhbz#2241240)
- Rebuilt for MSVSphere 8.9
* Fri Dec 15 2023 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 2022.2.54-80.2.inferit.1 *Thu Sep 07 2023 Robert Relyea <rrelyea@redhat.com> - 2024.2.68_v8.0.302-91.0
- place MDDC certificates to /etc/pki/ca-trust/source/anchors (Arkady L. Shane <tigro@msvsphere-os.ru>) - update License: field to SPDX
* Wed Aug 30 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 2022.2.54-80.2.inferit *Tue Aug 29 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.1
- Added: - Bump release number to make CI happy
- # Certificate "Russian Trusted Root CA"
- # Certificate "Russian Trusted Sub CA"
- Rebuilt for MSVSphere 8.8
*Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-80.0 *Tue Aug 01 2023 Robert Relyea <rrelyea@redhat.com> - 2023.2.60_v7.0.306-90.0
- Update to CKBI 2.60_v7.0.306 from NSS 3.91 - Update to CKBI 2.60_v7.0.306 from NSS 3.91
- Removing: - Removing:
- # Certificate "Camerfirma Global Chambersign Root" - # Certificate "Camerfirma Global Chambersign Root"
@ -563,10 +604,7 @@ fi
- # Certificate "GlobalSign Code Signing Root R45" - # Certificate "GlobalSign Code Signing Root R45"
- # Certificate "Entrust Code Signing Root Certification Authority - CSBR1" - # Certificate "Entrust Code Signing Root Certification Authority - CSBR1"
* Tue Jul 25 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2022.2.54-80.2 *Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.2
- Rebuilt for MSVSphere 8.8
*Thu Jul 28 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.2
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing: - Removing:
- # Certificate "TrustCor ECA-1" - # Certificate "TrustCor ECA-1"
@ -587,12 +625,29 @@ fi
- # Certificate "Government Root Certification Authority" - # Certificate "Government Root Certification Authority"
- # Certificate "AC Raíz Certicámara S.A." - # Certificate "AC Raíz Certicámara S.A."
*Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.1 *Wed Jul 27 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.1
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
*Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-80.0 *Fri Jul 15 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-90.0
- Update to CKBI 2.54 from NSS 3.79 - Update to CKBI 2.54 from NSS 3.79
- Removing:
- # Certificate "GlobalSign Root CA - R2"
- # Certificate "DST Root CA X3"
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: - Adding:
- # Certificate "TunTrust Root CA"
- # Certificate "HARICA TLS RSA Root CA 2021"
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021"
- # Certificate "HARICA Client ECC Root CA 2021"
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068"
- # Certificate "vTrus ECC Root CA"
- # Certificate "vTrus Root CA"
- # Certificate "ISRG Root X2"
- # Certificate "HiPKI Root CA - G1"
- # Certificate "Telia Root CA v2"
- # Certificate "D-TRUST BR Root CA 1 2020"
- # Certificate "D-TRUST EV Root CA 1 2020"
- # Certificate "CAEDICOM Root" - # Certificate "CAEDICOM Root"
- # Certificate "I.CA Root CA/RSA" - # Certificate "I.CA Root CA/RSA"
- # Certificate "MULTICERT Root Certification Authority 01" - # Certificate "MULTICERT Root Certification Authority 01"
@ -734,7 +789,6 @@ fi
- # Certificate "Certipost E-Trust TOP Root CA" - # Certificate "Certipost E-Trust TOP Root CA"
- # Certificate "Certipost E-Trust Primary Qualified CA" - # Certificate "Certipost E-Trust Primary Qualified CA"
- # Certificate "Certipost E-Trust Primary Normalised CA" - # Certificate "Certipost E-Trust Primary Normalised CA"
- # Certificate "Cybertrust Global Root"
- # Certificate "GlobalSign" - # Certificate "GlobalSign"
- # Certificate "IGC/A" - # Certificate "IGC/A"
- # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN" - # Certificate "S-TRUST Authentication and Encryption Root CA 2005:PN"
@ -808,129 +862,113 @@ fi
- # Certificate "HARICA Code Signing ECC Root CA 2021" - # Certificate "HARICA Code Signing ECC Root CA 2021"
- # Certificate "Microsoft Identity Verification Root Certificate Authority 2020" - # Certificate "Microsoft Identity Verification Root Certificate Authority 2020"
*Mon Jul 11 2022 Bob Relyea <rrelyea@redhat.com> - 2022.2.54-81 * Mon Nov 1 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-94
- Update to CKBI 2.54 from NSS 3.79 - remove blacklist directory and references now that p11-kit has been updated.
- Removing:
- # Certificate "GlobalSign Root CA - R2" * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-93
- # Certificate "DST Root CA X3" - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- # Certificate "Cybertrust Global Root" Related: rhbz#1991688
- # Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
- Adding: * Tue Jun 22 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.50-92
- # Certificate "TunTrust Root CA" - Rebuilt for RHEL 9 BETA for openssl 3.0
- # Certificate "HARICA TLS RSA Root CA 2021" Related: rhbz#1971065
- # Certificate "HARICA TLS ECC Root CA 2021"
- # Certificate "HARICA Client RSA Root CA 2021" * Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.50-90
- # Certificate "HARICA Client ECC Root CA 2021" - Update to CKBI 2.50 from NSS 3.67
- # Certificate "Autoridad de Certificacion Firmaprofesional CIF A62634068" - Removing:
- # Certificate "vTrus ECC Root CA" - # Certificate "QuoVadis Root CA"
- # Certificate "vTrus Root CA" - # Certificate "Sonera Class 2 Root CA"
- # Certificate "ISRG Root X2" - # Certificate "Trustis FPS Root CA"
- # Certificate "HiPKI Root CA - G1" - Adding:
- # Certificate "Telia Root CA v2" - # Certificate "GLOBALTRUST 2020"
- # Certificate "D-TRUST BR Root CA 1 2020" - # Certificate "ANF Secure Server Root CA"
- # Certificate "D-TRUST EV Root CA 1 2020" - # Certificate "Certum EC-384 CA"
- # Certificate "Certum Trusted Root CA"
*Wed Jun 16 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.50-82
- Update to CKBI 2.50 from NSS 3.67 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2020.2.41-8
- version number update only - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
*Fri Jun 11 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-82 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-7
- Update to CKBI 2.48 from NSS 3.66 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
- Removing:
- # Certificate "QuoVadis Root CA" * Wed Jan 13 2021 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-6
- # Certificate "Sonera Class 2 Root CA" - remove unnecessarily divisive terms, take 1.
- # Certificate "Trustis FPS Root CA" - in ca-certificates there are 3 cases:
- Adding: - 1) master refering to the fedora master branch in the fetch.sh script.
- # Certificate "GLOBALTRUST 2020" - This can only be changed once fedora changes the master branch name.
- # Certificate "ANF Secure Server Root CA" - 2) a reference to the 'master bundle' in this file: this has been changed
- # Certificate "Certum EC-384 CA" - to 'primary bundle'.
- # Certificate "Certum Trusted Root CA" - 3) a couple of blacklist directories owned by this package, but used to
- p11-kit. New 'blocklist' directories have been created, but p11-kit
*Tue Jun 08 2021 Bob Relyea <rrelyea@redhat.com> - 2021.2.48-81 - needs to be updated before the old blacklist directories can be removed
- Update to CKBI 2.48 from NSS 3.64 - and the man pages corrected.
- Removing:
- # Certificate "Verisign Class 3 Public Primary Certification Authority - G3" * Mon Nov 09 2020 Christian Heimes <cheimes@redhat.com> - 2020.2.41-5
- # Certificate "GeoTrust Global CA" - Add cross-distro compatibility symlinks to /etc/ssl (rhbz#1895619)
- # Certificate "GeoTrust Universal CA"
- # Certificate "GeoTrust Universal CA 2" * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2020.2.41-4
- # Certificate "Taiwan GRCA" - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
- # Certificate "GeoTrust Primary Certification Authority"
- # Certificate "thawte Primary Root CA" * Tue Jun 16 2020 Adam Williamson <awilliam@redhat.com> - 2020.2.41-3
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G5" - Fix up broken %post and %postinstall scriptlet changes from -2
- # Certificate "GeoTrust Primary Certification Authority - G3"
- # Certificate "thawte Primary Root CA - G2" * Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-2
- # Certificate "thawte Primary Root CA - G3"
- # Certificate "GeoTrust Primary Certification Authority - G2"
- # Certificate "VeriSign Universal Root Certification Authority"
- # Certificate "VeriSign Class 3 Public Primary Certification Authority - G4"
- # Certificate "EE Certification Centre Root CA"
- # Certificate "LuxTrust Global Root 2"
- # Certificate "Symantec Class 1 Public Primary Certification Authority - G4"
- # Certificate "Symantec Class 2 Public Primary Certification Authority - G4"
- Adding:
- # Certificate "Microsoft ECC Root Certificate Authority 2017"
- # Certificate "Microsoft RSA Root Certificate Authority 2017"
- # Certificate "e-Szigno Root CA 2017"
- # Certificate "certSIGN Root CA G2"
- # Certificate "Trustwave Global Certification Authority"
- # Certificate "Trustwave Global ECC P256 Certification Authority"
- # Certificate "Trustwave Global ECC P384 Certification Authority"
- # Certificate "NAVER Global Root Certification Authority"
- # Certificate "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
- # Certificate "GlobalSign Secure Mail Root R45"
- # Certificate "GlobalSign Secure Mail Root E45"
- # Certificate "GlobalSign Root R46"
- # Certificate "GlobalSign Root E46"
*Wed Jun 17 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-82
- fix post issues
*Wed Jun 10 2020 Bob Relyea <rrelyea@redhat.com> - 2020.2.41-81
- Update to CKBI 2.41 from NSS 3.53.0 - Update to CKBI 2.41 from NSS 3.53.0
- Removing: - Removing:
- # Certificate "AddTrust Low-Value Services Root" - # Certificate "AddTrust Low-Value Services Root"
- # Certificate "AddTrust External Root" - # Certificate "AddTrust External Root"
- # Certificate "Staat der Nederlanden Root CA - G2"
* Tue Jan 28 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-3
- Update versioned dependency on p11-kit
* Wed Jan 22 2020 Daiki Ueno <dueno@redhat.com> - 2020.2.40-2
- Update to CKBI 2.40 from NSS 3.48
- Removing:
- # Certificate "UTN USERFirst Email Root CA" - # Certificate "UTN USERFirst Email Root CA"
- # Certificate "Certplus Class 2 Primary CA" - # Certificate "Certplus Class 2 Primary CA"
- # Certificate "Deutsche Telekom Root CA 2" - # Certificate "Deutsche Telekom Root CA 2"
- # Certificate "Staat der Nederlanden Root CA - G2"
- # Certificate "Swisscom Root CA 2" - # Certificate "Swisscom Root CA 2"
- # Certificate "Certinomis - Root CA" - # Certificate "Certinomis - Root CA"
- Adding: - Adding:
- # Certificate "Entrust Root Certification Authority - G4" - # Certificate "Entrust Root Certification Authority - G4"
- certdata2pem.py: emit flags for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER
*Fri Jun 21 2019 Bob Relyea <rrelyea@redhat.com> - 2019.2.32-1
- Update to CKBI 2.32 from NSS 3.44 * Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2019.2.32-3
- Removing: - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
- # Certificate "Visa eCommerce Root"
- # Certificate "AC Raiz Certicamara S.A." * Wed Jun 19 2019 Bob Relyea <rrelyea@redhat.com> 2019.2.32-2
- # Certificate "ComSign CA" - Update to CKBI 2.32 from NSS 3.44
- # Certificate "Certplus Root CA G1" Removing:
- # Certificate "Certplus Root CA G2" # Certificate "Visa eCommerce Root"
- # Certificate "OpenTrust Root CA G1" # Certificate "AC Raiz Certicamara S.A."
- # Certificate "OpenTrust Root CA G2" # Certificate "Certplus Root CA G1"
- # Certificate "OpenTrust Root CA G3" # Certificate "Certplus Root CA G2"
- Adding: # Certificate "OpenTrust Root CA G1"
- # Certificate "GlobalSign Root CA - R6" # Certificate "OpenTrust Root CA G2"
- # Certificate "OISTE WISeKey Global Root GC CA" # Certificate "OpenTrust Root CA G3"
- # Certificate "GTS Root R1" Adding:
- # Certificate "GTS Root R2" # Certificate "GTS Root R1"
- # Certificate "GTS Root R3" # Certificate "GTS Root R2"
- # Certificate "GTS Root R4" # Certificate "GTS Root R3"
- # Certificate "UCA Global G2 Root" # Certificate "GTS Root R4"
- # Certificate "UCA Extended Validation Root" # Certificate "UCA Global G2 Root"
- # Certificate "Certigna Root CA" # Certificate "UCA Extended Validation Root"
- # Certificate "emSign Root CA - G1" # Certificate "Certigna Root CA"
- # Certificate "emSign ECC Root CA - G3" # Certificate "emSign Root CA - G1"
- # Certificate "emSign Root CA - C1" # Certificate "emSign ECC Root CA - G3"
- # Certificate "emSign ECC Root CA - C3" # Certificate "emSign Root CA - C1"
- # Certificate "Hongkong Post Root CA 3" # Certificate "emSign ECC Root CA - C3"
# Certificate "Hongkong Post Root CA 3"
* Fri May 10 2019 Robert Relyea <rrelyea@redhat.com> - 2018.2.24-6.1
- Test gating * Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Mon Aug 13 2018 Tomáš Mráz <tmraz@redhat.com> - 2018.2.24-6
- Use __python3 macro when invoking Python * Mon Sep 24 2018 Bob Relyea <rrelyea@redhat.com> - 2018.2.26-2
- Update to CKBI 2.26 from NSS 3.39
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2018.2.24-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5 * Thu Jun 28 2018 Kai Engert <kaie@redhat.com> - 2018.2.24-5
- Ported scripts to python3 - Ported scripts to python3

Loading…
Cancel
Save