make-ca{,.conf.dist}: set nss tree to default source and introduce workaround for p11-kit mishandling of nss-{email,server}-distrust-after values.

This commit is contained in:
DJ Lucas 2022-12-21 23:10:22 -06:00
parent dac19a3cf1
commit 327c7e9306
2 changed files with 15 additions and 3 deletions

14
make-ca

@ -40,7 +40,7 @@ else
NSSDB="${PKIDIR}/nssdb" NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local" LOCALDIR="${SSLDIR}/local"
DESTDIR="" DESTDIR=""
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt" URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
fi fi
# Some data in the certs have UTF-8 characters # Some data in the certs have UTF-8 characters
@ -372,6 +372,12 @@ function convert_moz_distrust(){
fi fi
elif test "${val}" == "MULTILINE_OCTAL"; then elif test "${val}" == "MULTILINE_OCTAL"; then
mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)` mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
# FIXME - Work around P11-kit breakage
cdate=$(date -u +%y%m%d)
mozsadate=${mozsadistrust::6}
if test ${cdate} -gt ${mozsadate}; then
satrust="p"
fi
else else
mozsadistrust="UNKNOWN" mozsadistrust="UNKNOWN"
fi fi
@ -387,6 +393,12 @@ function convert_moz_distrust(){
fi fi
elif test "${val}" == "MULTILINE_OCTAL"; then elif test "${val}" == "MULTILINE_OCTAL"; then
mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)` mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
# FIXME - Work around P11-kit breakage
cdate=$(date -u +%y%m%d)
mozsmdate=${mozsmdistrust::6}
if test ${cdate} -gt ${mozsmdate}; then
smtrust="p"
fi
else else
mozsmdistrust="UNKNOWN" mozsmdistrust="UNKNOWN"
fi fi
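Review bot: The new comparison `if test ${cdate} -gt ${mozsadate}; then` (and its twin on `mozsmdate` in the e-mail branch) has no guard on what `${mozsadistrust::6}` actually holds; if the grep matches nothing or the decoded value does not start with six digits, `test` prints "integer expression expected" to stderr, the branch is silently skipped and the root keeps whatever trust it had. A guard such as `if [[ "${mozsadate}" =~ ^[0-9]{6}$ ]] && test "${cdate}" -gt "${mozsadate}"; then` with an explicit warning to stderr in the else case makes a malformed or missing date visible instead of relying on test's own error message. The `# FIXME - Work around P11-kit breakage` comment should also state what the approximation does and assumes: once today's UTC date passes the distrust-after date the root is set to `p` outright, which, if `p` is the prohibited/distrust flag (its consumer is not in this hunk), is broader than NSS's rule of rejecting only certificates issued after that date, and the six-character slice assumes the value decodes to a YYMMDD-prefixed UTCTime. Something like `# FIXME: p11-kit ignores CKA_NSS_*_DISTRUST_AFTER; once the date (assumed YYMMDDHHMMSSZ) has passed, mark the whole root "p" for this usage - stricter than NSS, which only rejects certs issued after it` would let a later maintainer know when the workaround can be dropped. convert_moz_distrust() starts before and ends after this hunk.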


@ -19,14 +19,14 @@ KEYSTORE="${PKIDIR}/tls/java"
NSSDB="${PKIDIR}/nssdb" NSSDB="${PKIDIR}/nssdb"
LOCALDIR="${SSLDIR}/local" LOCALDIR="${SSLDIR}/local"
DESTDIR="" DESTDIR=""
URL="https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt" URL="https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt"
# Source must be downloaded over https # Source must be downloaded over https
# Valid urls for download are below # Valid urls for download are below
# Default to NSS release branch # Default to NSS release branch
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt # https://hg.mozilla.org/projects/nss/raw-file/tip/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt # https://hg.mozilla.org/mozilla-central/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt # https://hg.mozilla.org/releases/mozilla-beta/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
# https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt # https://hg.mozilla.org/releases/mozilla-aurora/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
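Review bot: The comment `# Default to NSS release branch` just above the URL list is now stale: the `URL=` default this hunk sets points at `projects/nss/raw-file/tip`, the NSS project tree's tip, while the mozilla-release URL has been demoted to an alternative. Suggest `# Default to the NSS project tree (tip); the release/central/beta/aurora branches below are alternatives.` so the comment matches the value. Since `tip` is a moving development head rather than a released bundle, a one-line remark on the trade-off (freshest distrust-after dates versus a reproducible, released certdata.txt) would help anyone choosing among the listed sources; this is an inference from the URL paths, not from anything else visible here. The hunk header counts 14 lines but 13 are shown, so this section may extend past the last line visible.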