mozilla has switched to a scheme of explicitly distrusting certificates

in its stable branch (ie firefox-6.0.2) too, so deal with this in the mozilla-rootcerts script (this is not great - it depends on syntactic details of the file where it should better use checksums, but the perl script which is distributed with "curl" works the same way), and switch back to the certificate list in CVS HEAD
2011-09-08 19:46:01 +00:00 · 2011-09-08 19:46:01 +00:00 · 0b08870926
commit 0b08870926
parent 8448fc018c
3 changed files with 21 additions and 12 deletions
--- a/security/mozilla-rootcerts/Makefile
+++ b/security/mozilla-rootcerts/Makefile
@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2011/08/31 11:42:43 drochner Exp $
+# $NetBSD: Makefile,v 1.8 2011/09/08 19:46:01 drochner Exp $

 DISTNAME=	mozilla-rootcerts-1.0.${CERTDATA_DATE}
 CATEGORIES=	security
@ -15,12 +15,7 @@ PKG_DESTDIR_SUPPORT=	user-destdir

 USE_TOOLS=	awk:run echo:run expr:run ln:run ls:run openssl:run rm:run

-# This is not the file from the repository in HOMEPAGE above but
-# the version distributed with firefox-6.0.1.
-# (Newer versions seem to handle trust explicitely so that the mere
-# presence of a certificate doesn't mean that it is trusted. The
-# extraction by our "mozilla-rootcerts" script doesn't handle this.)
-CERTDATA_DATE=	20110830
+CERTDATA_DATE=	20110902
 CERTDATA=	certdata-${CERTDATA_DATE}.txt

 WRKSRC=		${WRKDIR}
--- a/security/mozilla-rootcerts/distinfo
+++ b/security/mozilla-rootcerts/distinfo
@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.4 2011/08/31 11:42:43 drochner Exp $
+$NetBSD: distinfo,v 1.5 2011/09/08 19:46:01 drochner Exp $

-SHA1 (certdata-20110830.txt) = a43ca7e68478739b2a12fb5d32a745b29170dfa1
-RMD160 (certdata-20110830.txt) = c31be39b17bbced1ea0caec011ca58cdef7ddde3
-Size (certdata-20110830.txt) = 1151237 bytes
+SHA1 (certdata-20110902.txt) = 57a828431cc50f38726b483f967d8bb941f60672
+RMD160 (certdata-20110902.txt) = 6a47daa687a9b62163d9f4cf6506757f5ebc8fe0
+Size (certdata-20110902.txt) = 1224942 bytes
--- a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: mozilla-rootcerts.sh,v 1.3 2010/10/22 10:41:50 wiz Exp $
+# $NetBSD: mozilla-rootcerts.sh,v 1.4 2011/09/08 19:46:01 drochner Exp $
 #
 # This script is meant to be used as follows:
 #
@ -156,6 +156,20 @@ extract)
 				}
 			}
 			close(cmd)
+			# kill untrusted certificates (not clean, but the script which comes
+			# with "curl" works the same way)
+			untrusted = 0
+			while (getline) {
+				if ($0 ~ /^#$/) break
+				if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NSS_NOT_TRUSTED$/)
+					untrusted = 1
+				if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NETSCAPE_UNTRUSTED$/)
+					untrusted = 1
+			}
+			if (untrusted) {
+				print filename " untrusted"
+				system("rm -f " filename)
+			}
 		}
 	}'
 	;;