pkgsrc-Bugs archive


Re: pkg/49176: certdata-20140820.txt of mozilla-rootcerts missing cert marks previous cert untrusted



The following reply was made to PR pkg/49176; it has been noted by GNATS.

From: "John D. Baker" <jdbaker%mylinuxisp.com@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: pkg/49176: certdata-20140820.txt of mozilla-rootcerts missing
 cert marks previous cert untrusted
Date: Fri, 5 Sep 2014 19:26:30 -0500 (CDT)

 Looking again, there were a number of instances of consecutive
 trust/distrust sections without intervening certificates, some of which
 caused trusted certificates to be erroneously deleted as untrusted.
 
 Here is a comprehensive patch that corrects all of these instances:
 
 +--- certdata-20140820.txt.orig        2014-09-05 18:59:08.000000000 -0500
 ++++ certdata-20140820.txt     2014-09-05 19:13:55.000000000 -0500
 +@@ -607,6 +607,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 ++# Serial Number: 1407252 (0x157914)
 ++# Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
 ++# Not Valid Before: Mon Feb 01 14:54:04 2010
 ++# Not Valid After : Tue Sep 30 00:00:00 2014
 ++# Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
 ++# Fingerprint (SHA1): 
30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
 ++
 + # Distrust "Distrust a pb.com certificate that does not comply with the 
baseline requirements."
 + # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 + # Serial Number: 1407252 (0x157914)
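
Review bot: Relying on comment lines to separate objects is fragile: every line added ahead of the pb.com `# Distrust` block is a `#` comment, so the change has an effect only if the extraction script treats the `# Certificate ...` comment as the start of a new certificate. Please state in the PR which line the script keys on, and consider making the script pair a trust record with a certificate by issuer and serial number, so that a distrust record with no certificate cannot fall onto the preceding one.
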
 +@@ -2193,6 +2204,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 ++# Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
 ++# Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator 
CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa 
(c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
 ++# Not Valid Before: Sun May 18 00:00:00 2008
 ++# Not Valid After : Thu May 17 23:59:59 2018
 ++# Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
 ++# Fingerprint (SHA1): 
6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1
 ++
 + # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
 + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 + # Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
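
Review bot: The patch is line-wrapped as posted and will not apply in this form: in this hunk the `Issuer:` and `Subject:` comments continue on lines that carry no `+` prefix (`G3,OU="(c) 1999 VeriSign, ...`, `Network,O=...`), and the SHA1 fingerprint value sits alone on a line of its own. Please resend it as an attachment or with wrapping disabled.
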
 +@@ -2230,6 +2252,16 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 ++# Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51
 ++# Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator 
CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa 
(c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
 ++# Not Valid Before: Sun May 18 00:00:00 2008
 ++# Not Valid After : Thu May 17 23:59:59 2018
 ++# Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
 ++# Fingerprint (SHA1): 
9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E
 + 
 + # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
 + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 +@@ -2268,6 +2300,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 ++# Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
 ++# Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms 
of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust 
Network,O=Egypt Trust,C=EG
 ++# Not Valid Before: Sun May 18 00:00:00 2008
 ++# Not Valid After : Thu May 17 23:59:59 2018
 ++# Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
 ++# Fingerprint (SHA1): 
83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2
 ++
 + # Distrust "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"
 + # Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust 
Network,O="VeriSign, Inc.",C=US
 + # Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
 +@@ -12588,6 +12631,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR
 ++# Serial Number: 204199 (0x31da7)
 ++# Subject: CN=AC DG Tr..sor SSL,O=DG Tr..sor,C=FR
 ++# Not Valid Before: Thu Jul 18 10:05:28 2013
 ++# Not Valid After : Fri Jul 18 10:05:28 2014
 ++# Fingerprint (MD5): 3A:EA:9E:FC:00:0C:E2:06:6C:E0:AC:39:C1:31:DE:C8
 ++# Fingerprint (SHA1): 
5C:E3:39:46:5F:41:A1:E4:23:14:9F:65:54:40:95:40:4D:E6:EB:E2
 ++
 + # Distrust "Distrusted AC DG Tresor SSL"
 + # Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR
 + # Serial Number: 204199 (0x31da7)
 +@@ -24419,6 +24473,14 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: E=ca%trustwave.com@localhost,CN="Trustwave Organization Issuing 
CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 ++# Serial Number: 1800000005 (0x6b49d205)
 ++# Not Before: Apr  7 15:37:15 2011 GMT
 ++# Not After : Apr  4 15:37:15 2021 GMT
 ++
 + # Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
 + # Issuer: E=ca%trustwave.com@localhost,CN="Trustwave Organization Issuing 
CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 + # Serial Number: 1800000005 (0x6b49d205)
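
Review bot: The Trustwave placeholder is formatted differently from the others: it has no `Subject:` or fingerprint lines and uses `Not Before:` / `Not After :` with a `GMT` suffix where the other placeholders use `Not Valid Before:` / `Not Valid After :`. If those fields are not known for this certificate, say so in the placeholder; otherwise use the same labels so that all placeholders can be found with one pattern.
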
 +@@ -24450,6 +24512,14 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: E=ca%trustwave.com@localhost,CN="Trustwave Organization Issuing 
CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 ++# Serial Number: 1800000006 (0x6b49d206)
 ++# Not Before: Apr 18 21:09:30 2011 GMT
 ++# Not After : Apr 15 21:09:30 2021 GMT
 ++
 + # Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
 + # Issuer: E=ca%trustwave.com@localhost,CN="Trustwave Organization Issuing 
CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
 + # Serial Number: 1800000006 (0x6b49d206)
 +@@ -25753,6 +25823,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri 
A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 ++# Serial Number: 2087 (0x827)
 ++# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
 ++# Not Valid Before: Mon Aug 08 07:07:51 2011
 ++# Not Valid After : Tue Jul 06 07:07:51 2021
 ++# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
 ++# Fingerprint (SHA1): 
C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
 ++
 + # Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
 + # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri 
A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 + # Serial Number: 2087 (0x827)
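
Review bot: The `Issuer:` lines here, both the added one and the unchanged context line, show `T..RKTRUST`, `..leti..im` and `G..venli..i` with dots where non-ASCII letters belong. If certdata-20140820.txt holds the real bytes, the context line will not match and the hunk will be rejected; please send the patch in a form that preserves 8-bit content.
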
 +@@ -25787,6 +25868,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
 + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 + 
 ++#
 ++# Certificate Placeholder for missing certificate
 ++#
 ++# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri 
A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 ++# Serial Number: 2148 (0x864)
 ++# Subject: 
E=ileti%kktcmerkezbankasi.org@localhost,CN=e-islem.kktcmerkezbankasi.org,O=KKTC 
Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
 ++# Not Valid Before: Mon Aug 08 07:07:51 2011
 ++# Not Valid After : Thu Aug 05 07:07:51 2021
 ++# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
 ++# Fingerprint (SHA1): 
F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
 ++
 + # Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
 + # Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri 
A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
 + # Serial Number: 2148 (0x864)
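
Review bot: `Not Valid Before: Mon Aug 08 07:07:51 2011` in this placeholder (serial 2148) is identical to the second to the value in the previous placeholder (serial 2087). Please confirm it against the certificate itself, in case it was carried over from the block above.
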
 
 -- 
 |/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
 |\ / jdbaker[snail]mylinuxisp[flyspeck]com    OpenBSD            FreeBSD
 | X  No HTML/proprietary data in email.   BSD just sits there and works!
 |/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
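
Added example, not part of the PR or of pkgsrc: a checker for the condition the message describes, a trust/distrust record in certdata.txt that does not directly follow its own certificate, reporting which earlier certificate a purely positional reader would mark instead. It assumes the NSS certdata.txt object syntax (`CKA_CLASS ... CKO_CERTIFICATE` / `CKO_NSS_TRUST`, `MULTILINE_OCTAL` ... `END`); the function names and the sample records are constructed for illustration.

```python
import re

def _octal(chunk, name):
    """Text of a MULTILINE_OCTAL attribute (whitespace removed), or None."""
    m = re.search(rf"^{name} MULTILINE_OCTAL\n(.*?)^END$", chunk, re.S | re.M)
    return "".join(m.group(1).split()) if m else None

def parse_objects(text):
    """One dict per object; an object starts at a CKA_CLASS line. Comments are ignored."""
    text = re.sub(r"(?m)^#.*\n?", "", text)
    objs = []
    for chunk in re.split(r"(?m)^(?=CKA_CLASS\s)", text)[1:]:   # [0] is the preamble
        label = re.search(r'(?m)^CKA_LABEL\s+UTF8\s+"(.*)"', chunk)
        objs.append({
            "class": re.match(r"CKA_CLASS\s+\S+\s+(\S+)", chunk).group(1),
            "label": label.group(1) if label else None,
            "id": (_octal(chunk, "CKA_ISSUER"), _octal(chunk, "CKA_SERIAL_NUMBER")),
            "distrust": "CKT_NSS_NOT_TRUSTED" in chunk,
        })
    return objs

def orphan_trust_records(text):
    """(trust label, is_distrust, label of the certificate a positional reader would hit)."""
    orphans, last_cert, prev = [], None, None
    for o in parse_objects(text):
        if o["class"] == "CKO_CERTIFICATE":
            last_cert = o
        elif o["class"] == "CKO_NSS_TRUST":
            # Properly paired: directly follows a certificate with the same issuer/serial.
            if prev is None or prev is not last_cert or prev["id"] != o["id"]:
                orphans.append((o["label"], o["distrust"], last_cert and last_cert["label"]))
        prev = o
    return orphans

# Constructed sample (not real certificate data): cert A, trust for A, distrust for absent B.
TEMPLATE = ('CKA_CLASS CK_OBJECT_CLASS {0}\nCKA_LABEL UTF8 "{1}"\n'
            "CKA_ISSUER MULTILINE_OCTAL\n{2}\nEND\n"
            "CKA_SERIAL_NUMBER MULTILINE_OCTAL\n{3}\nEND\n{4}\n\n")
TRUST = "CKA_TRUST_SERVER_AUTH CK_TRUST "
SAMPLE = "BEGINDATA\n" + "".join(TEMPLATE.format(*row) for row in [
    ("CKO_CERTIFICATE", "Example Root A", r"\060\003\101", r"\002\001\001", ""),
    ("CKO_NSS_TRUST", "Example Root A", r"\060\003\101", r"\002\001\001", TRUST + "CKT_NSS_TRUSTED_DELEGATOR"),
    ("CKO_NSS_TRUST", "Distrust example B", r"\060\003\102", r"\002\001\002", TRUST + "CKT_NSS_NOT_TRUSTED"),
])

if __name__ == "__main__":
    for label, distrust, victim in orphan_trust_records(SAMPLE):
        print(f"orphan trust record {label!r} (distrust={distrust}); preceding certificate: {victim!r}")
```

Because the checker drops comment lines before parsing, a comment-only placeholder does not satisfy it; only a real certificate object in front of the trust record does.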
 

