From 327c7e9306c61feed3ea046ff895121278e026cf Mon Sep 17 00:00:00 2001
From: DJ Lucas
Date: Wed, 21 Dec 2022 23:10:22 -0600
Subject: [PATCH] make-ca{,.conf.dist}: set nss tree to default source and introduce workaround for p11-kit mishandling of nss-{email,server}-distrust-after values.
---
 make-ca | 14 +++++++++++++-
 make-ca.conf.dist | 4 ++--
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/make-ca b/make-ca
index 2dc8c7c..fc37e54 100644
--- a/make-ca
+++ b/make-ca
@@ -40,7 +40,7 @@ else
 NSSDB="${PKIDIR}/nssdb"
 LOCALDIR="${SSLDIR}/local"
 DESTDIR=""
- URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+ URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
 fi
 # Some data in the certs have UTF-8 characters
@@ -372,6 +372,12 @@ function convert_moz_distrust(){
 fi
 elif test "${val}" == "MULTILINE_OCTAL"; then
 mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
+ # FIXME - Work around P11-kit breakage
+ cdate=$(date -u +%y%m%d)
+ mozsadate=${mozsadistrust::6}
+ if test ${cdate} -gt ${mozsadate}; then
+ satrust="p"
+ fi
 else
 mozsadistrust="UNKNOWN"
 fi
@@ -387,6 +393,12 @@ function convert_moz_distrust(){
 fi
 elif test "${val}" == "MULTILINE_OCTAL"; then
 mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
+ # FIXME - Work around P11-kit breakage
+ cdate=$(date -u +%y%m%d)
+ mozsmdate=${mozsmdistrust::6}
+ if test ${cdate} -gt ${mozsmdate}; then
+ smtrust="p"
+ fi
 else
 mozsmdistrust="UNKNOWN"
 fi
diff --git a/make-ca.conf.dist b/make-ca.conf.dist
index 81b0ccf..b9a2a20 100644
--- a/make-ca.conf.dist
+++ b/make-ca.conf.dist
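Review bot: The new default `URL` in the `else` branch fetches `raw-file/tip` of the NSS project repository, which is the development tip rather than a release branch, so a build that ships no configuration file now picks up trust-store changes before they appear in any NSS release; that is a change to where the trust anchors come from and deserves a comment next to the assignment, e.g. `# Default source is the NSS development tip; set a release-branch URL in the configuration file for a reproducible bundle`. The same default is repeated in the make-ca.conf.dist hunk, where the surviving comment `# Default to NSS release branch` now describes the URL that was demoted to the second position and should be reworded to say the default is the NSS tree tip. The `if`/`else` that encloses this hunk starts outside it.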
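Review bot: `if test ${cdate} -gt ${mozsadate}; then` in the server-distrust branch compares unquoted, unvalidated strings, so if `mozsadistrust` decodes to anything other than a six-digit YYMMDD prefix, `test` fails with an integer-expression error, the branch is skipped and the workaround silently does not apply; guard it with `if [[ "${mozsadate}" =~ ^[0-9]{6}$ ]] && test "${cdate}" -gt "${mozsadate}"; then` (keep `test -gt` rather than `(( ))`, which would read a leading zero as octal). `${mozsadistrust::6}` relies on an empty offset evaluating to 0; `${mozsadistrust:0:6}` states the same thing explicitly. The `FIXME` comment should record what the workaround does and when it can be dropped: as I read it, NSS applies a distrust-after date only to certificates issued after that date, whereas this sets `satrust` to `p` for the whole anchor once the date has passed, a stricter fail-closed approximation, and the comment should name the p11-kit behaviour being worked around so the block can be removed once that is fixed. The email-distrust hunk at line 387 duplicates all of this, including the `cdate=$(date -u +%y%m%d)` call, which could be computed once per invocation; convert_moz_distrust begins and ends outside both hunks.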
@@ -19,14 +19,14 @@ KEYSTORE="${PKIDIR}/tls/java"
 NSSDB="${PKIDIR}/nssdb"
 LOCALDIR="${SSLDIR}/local"
 DESTDIR=""
-URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt"
+URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
 # Source must be downloaded over https
 # Valid urls for download are below
 # Default to NSS release branch
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
+# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
 # https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt