head	1.5;
access;
symbols
	netbsd-11-0-RC5:1.5
	netbsd-11-0-RC4:1.5
	netbsd-11-0-RC3:1.5
	netbsd-11-0-RC2:1.5
	netbsd-11-0-RC1:1.5
	perseant-exfatfs-base-20250801:1.5
	netbsd-11:1.5.0.2
	netbsd-11-base:1.5
	netbsd-10-1-RELEASE:1.2.2.4
	perseant-exfatfs-base-20240630:1.4
	perseant-exfatfs:1.4.0.2
	perseant-exfatfs-base:1.4
	netbsd-10-0-RELEASE:1.2.2.3
	netbsd-10-0-RC6:1.2.2.3
	netbsd-10-0-RC5:1.2.2.2
	netbsd-10-0-RC4:1.2.2.2
	netbsd-10-0-RC3:1.2.2.2
	netbsd-10-0-RC2:1.2.2.2
	netbsd-10-0-RC1:1.2.2.2
	netbsd-10:1.2.0.2;
locks; strict;
comment	@# @;

1.5
date	2024.09.08.15.23.55;	author riastradh;	state Exp;
branches;
next	1.4;
commitid	kKQIrgovAuJL41pF;

1.4
date	2024.03.03.04.24.41;	author riastradh;	state Exp;
branches
	1.4.2.1;
next	1.3;
commitid	NFeVIGlcy3qhvF0F;

1.3
date	2023.09.27.00.28.32;	author riastradh;	state Exp;
branches;
next	1.2;
commitid	4k8YTlArBPM8hlGE;

1.2
date	2023.09.02.17.39.52;	author riastradh;	state Exp;
branches
	1.2.2.1;
next	1.1;
commitid	Cg0Ks9jkQdbMMdDE;

1.1
date	2023.08.26.05.47.53;	author riastradh;	state Exp;
branches;
next	;
commitid	B2GI3bYthEbt4gCE;

1.4.2.1
date	2025.08.02.05.54.23;	author perseant;	state Exp;
branches;
next	;
commitid	23j6GFaDws3O875G;

1.2.2.1
date	2023.09.02.17.39.52;	author martin;	state dead;
branches;
next	1.2.2.2;
commitid	2TUS7rO7f7zuGtDE;

1.2.2.2
date	2023.09.04.17.33.27;	author martin;	state Exp;
branches;
next	1.2.2.3;
commitid	2TUS7rO7f7zuGtDE;

1.2.2.3
date	2024.03.11.17.09.42;	author martin;	state Exp;
branches;
next	1.2.2.4;
commitid	A3ycPymqx1TKtL1F;

1.2.2.4
date	2024.10.13.11.09.47;	author martin;	state Exp;
branches;
next	;
commitid	0P2SN3x1DfIPxutF;

desc
@@

1.5
log
@mozilla-certdata: Update reference in Makefile.
@
text
@#	$NetBSD: Makefile,v 1.4 2024/03/03 04:24:41 riastradh Exp $
#

MOZCERTS=	/usr/share/certs/mozilla
FILESDIR=	${MOZCERTS}/all

TRUSTDOMAINS=	server email code

# Normally it is a bad idea to use file system globs to list sources in
# a makefile, but we replace the directory wholesale on regen using the
# same pattern below.  So in this case, maintaining an explicit list of
# files would be more error-prone.
CERTS!=		cd ${.CURDIR:Q} && echo certs/*.pem
FILES+=		${CERTS}

.for D in ${TRUSTDOMAINS}
$D_CERTS!=	cat ${.CURDIR:Q}/$D.trust
.  for C in ${$D_CERTS}
SYMLINKS+=	../all/$C.pem ${MOZCERTS}/$D/$C.pem
.  endfor
.endfor

# The upstream Mozilla certdata.txt lives in the Mozilla nss repository
# at https://hg.mozilla.org/projects/nss, under
# lib/ckfw/builtins/certdata.txt.
#
# Updates:
#
#	1. Go to:
#	   https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt
#
#	2. Find the top revision and follow the link to `diff'.
#
#	3. For the file lib/ckfw/builtins/certdata.txt, follow the link to
#	   `file'.
#
#	4. Follow the link to `raw'.
#
#	5. Record the date of the latest revision and the URL to the
#	   raw file in the comment below (includes hg revision).
#
#	6. Verify that the file matches when downloaded from at least
#	   three different networks.  (Suggestions: Your home
#	   residential network, a TNF server, and Tor.)
#
#	7. Once you have verified this, commit certdata.txt.
#
#	8. Review https://wiki.mozilla.org/CA/Additional_Trust_Changes
#	   for new special cases and apply to certdata.awk if
#	   appropriate.
#
#	9. After committing certdata.txt and updating certdata.awk, run
#	   `make regen' and verify that it builds and installs and
#	   generally looks sensible.
#
#	10. Once you have verified that it builds and installs, cvs add
#	    any new files and cvs rm any deleted files under certs/,
#	    and commit certs/ and *.trust.
# # Latest revision, from 2024-08-23: # # https://hg.mozilla.org/projects/nss/raw-file/872bd5fefe12bc48a9c65e9ea7f189df243d835a/lib/ckfw/builtins/certdata.txt # regen: .PHONY rm -f certs/*.pem rm -f ${TRUSTDOMAINS:=.trust} mkdir tmp env LC_ALL=C \ awk -f certdata.awk \ -v CERTDIR=certs \ -v CODETRUST=code.trust \ -v EMAILTRUST=email.trust \ -v OPENSSL=openssl \ -v SERVERTRUST=server.trust \ -v WORKDIR=tmp \ <${.CURDIR:Q}/../dist/certdata.txt rm -rf tmp .include .include # XXX .include @ 1.4 log @mozilla-certdata: Update reference in Makefile. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.3 2023/09/27 00:28:32 riastradh Exp $ d60 1 a60 1 # Latest revision, from 2024-02-12: d62 1 a62 1 # https://hg.mozilla.org/projects/nss/raw-file/c17a3709bdd6e706040ac268a1d2b488c2fab5d8/lib/ckfw/builtins/certdata.txt @ 1.4.2.1 log @Sync with HEAD @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.5 2024/09/08 15:23:55 riastradh Exp $ d60 1 a60 1 # Latest revision, from 2024-08-23: d62 1 a62 1 # https://hg.mozilla.org/projects/nss/raw-file/872bd5fefe12bc48a9c65e9ea7f189df243d835a/lib/ckfw/builtins/certdata.txt @ 1.3 log @mozilla-certdata: Run certdata.awk with LC_ALL=C. This has to be able to printf("%c", ...) to emit arbitrary bytes of output in order to decode the octal-formatted DER data and print it as raw binary DER data. Relevant only at import time, doesn't affect builds. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2 2023/09/02 17:39:52 riastradh Exp $ d60 1 a60 1 # Latest revision, from 2023-07-19: d62 1 a62 1 # https://hg.mozilla.org/projects/nss/raw-file/f479bdba756c78ef9355a48c88744c69fdb4768e/lib/ckfw/builtins/certdata.txt @ 1.2 log @mozilla-certdata: Install relative symlinks. Slightly more compact this way, and you can examine them in a destdir without chrooting. Not terribly important, but a minor convenience. 
@ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.1 2023/08/26 05:47:53 riastradh Exp $ d68 1 @ 1.2.2.1 log @file Makefile was added on branch netbsd-10 on 2023-09-04 17:33:27 +0000 @ text @d1 80 @ 1.2.2.2 log @Pull up following revision(s) (requested by riastradh in ticket #343): external/mpl/mozilla-certdata/dist/certdata.txt: revision 1.1.1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G3.pem: revision 1.1 distrib/sets/lists/man/mi: revision 1.1764 external/mpl/mozilla-certdata/share/certs/ACCVRAIZ1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem: revision 1.1 tests/usr.sbin/certctl/certs4/DigiCert_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_E45.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_ECC.pem: revision 1.1 tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1 tests/usr.sbin/certctl/certs2/GTS_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Izenpe.com.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_2.pem: revision 1.1 tests/usr.sbin/certctl/certs4/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: revision 1.1 distrib/sets/lists/etc/mi: revision 1.272 external/mpl/mozilla-certdata/share/certs/ISRG_Root_X1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TunTrust_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_BR_Root_CA_1_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Root_Certification_Authority_RSA.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/Certum_EC-384_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/IdenTrust_Public_Sector_Root_CA_1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_EC1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SZAFIR_ROOT_CA2.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.1 external/mpl/mozilla-certdata/share/certs/UCA_Global_G2_Root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_Client_ECC_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/COMODO_ECC_Certification_Authority.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.2 tests/usr.sbin/certctl/certs1/DigiCert_Global_Root_CA.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.3 external/mpl/mozilla-certdata/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_RSA_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R2.pem: revision 1.1 usr.sbin/certctl/certctl.sh: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.4 external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SwissSign_Silver_CA_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Starfield_Class_2_CA.pem: revision 1.1 usr.sbin/certctl/certctl.sh: revision 1.2 tests/usr.sbin/certctl/t_certctl.sh: revision 1.5 usr.sbin/certctl/certctl.sh: revision 1.3 tests/usr.sbin/certctl/t_certctl.sh: revision 1.6 usr.sbin/certctl/certctl.sh: revision 1.4 tests/usr.sbin/certctl/t_certctl.sh: revision 1.7 
external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem: revision 1.1 tests/usr.sbin/certctl/t_certctl.sh: revision 1.8 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Server_Authentication_Root_E46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Hongkong_Post_Root_CA_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Go_Daddy_Root_Certificate_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/ANF_Secure_Server_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Go_Daddy_Class_2_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/USERTrust_RSA_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P384_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certdata.awk: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_TLS_ECC_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_G2_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_ECC_Root_CA_2022.pem: revision 1.1 usr.sbin/Makefile: revision 1.292 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/CA_Disig_Root_R2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_C1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Trusted_Root_G4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_G2_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/vTrus_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_R46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: revision 1.1 etc/mtree/special: revision 1.176 external/mpl/mozilla-certdata/share/certs/USERTrust_ECC_Certification_Authority.pem: revision 1.1 etc/mtree/special: revision 1.177 etc/mtree/special: revision 1.178 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Premium_ECC.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/vTrus_ECC_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_ECC_P384_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/NAVER_Global_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/server.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/SecureTrust_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/code.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_TLS_RSA_Root_CA_2022.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_TLS_RSA4096_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_G2.pem: revision 1.1 tests/usr.sbin/certctl/certs1/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Sectigo_Public_Email_Protection_Root_E46.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_RSA4096_Root_G5.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Client_ECC_Root_CA_2022.pem: revision 1.1 share/man/man7/hier.7: revision 1.141 external/mpl/mozilla-certdata/share/certs/Certigna.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/certSIGN_Root_CA_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certigna_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust.net_Premium_2048_Secure_Server_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R4.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/T-TeleSec_GlobalRoot_Class_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Telia_Root_CA_v2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_RootCA2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TWCA_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Buypass_Class_2_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_ECC_Root_CA_-_C3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_RSA_R2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GTS_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_Client_RSA_Root_CA_2022.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/DigiCert_Assured_ID_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HiPKI_Root_CA_-_G1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Starfield_Root_Certificate_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SwissSign_Gold_CA_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GB_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Networking.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: revision 1.1 tests/usr.sbin/certctl/Makefile.inc: revision 1.1 external/mpl/mozilla-certdata/share/certs/COMODO_RSA_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA_2.pem: revision 1.1 tests/usr.sbin/certctl/certs2/GlobalSign_Root_CA_-_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GC_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_EV_2009.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AffirmTrust_Commercial.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Buypass_Class_3_Root_CA.pem: revision 1.1 distrib/sets/lists/tests/mi: revision 1.1292 external/mpl/mozilla-certdata/share/certs/UCA_Extended_Validation_Root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_ECC_P256_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Network_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2.pem: revision 1.1 external/mpl/mozilla-certdata/share/email.trust: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_2011.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Trusted_Root_CA.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/D-TRUST_EV_Root_CA_1_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/ePKI_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DIGITALSIGN_GLOBAL_ROOT_ECDSA_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_ECC_Root_CA_-_R4.pem: revision 1.1 tests/usr.sbin/certctl/certs2/Makefile: revision 1.1 tests/usr.sbin/Makefile: revision 1.8 external/mpl/mozilla-certdata/share/certs/Trustwave_Global_Certification_Authority.pem: revision 1.1 tests/usr.sbin/certctl/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/IdenTrust_Commercial_Root_CA_1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_SMIME_ECC_P384_Root_G5.pem: revision 1.1 tests/usr.sbin/certctl/certs1/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Staat_der_Nederlanden_Root_CA_-_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_3.pem: revision 1.1 external/mpl/mozilla-certdata/share/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/Makefile: revision 1.2 external/mpl/mozilla-certdata/share/certs/Microsec_e-Szigno_Root_CA_2009.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/BJCA_Global_Root_CA2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_Client_RSA_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GDCA_TrustAUTH_R5_ROOT.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Amazon_Root_CA_3.pem: revision 1.1 tests/usr.sbin/certctl/certs4/AC_RAIZ_FNMT-RCM.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/ISRG_Root_X2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_CA_3_2013.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem: revision 1.1 etc/mtree/NetBSD.dist.base: revision 1.252 external/mpl/mozilla-certdata/share/certs/CFCA_EV_ROOT.pem: revision 1.1 etc/mtree/NetBSD.dist.base: revision 1.253 external/mpl/mozilla-certdata/share/certs/Starfield_Services_Root_Certificate_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_Global_Root_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/emSign_Root_CA_-_G1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Explicitly_Distrust_DigiNotar_Root_CA.pem: revision 1.1 usr.sbin/certctl/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/Security_Communication_ECC_RootCA1.pem: revision 1.1 usr.sbin/certctl/Makefile: revision 1.2 usr.sbin/certctl/Makefile: revision 1.3 external/mpl/mozilla-certdata/share/certs/GTS_Root_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/e-Szigno_Root_CA_2017.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/certSIGN_ROOT_CA.pem: revision 1.1 doc/3RDPARTY: revision 1.1949 external/mpl/mozilla-certdata/share/certs/Certainly_Root_R1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TeliaSonera_Root_CA_v1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/HARICA_TLS_RSA_Root_CA_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/NetLock_Arany_Class_Gold.pem: revision 1.1 
usr.sbin/postinstall/postinstall.in: revision 1.53 usr.sbin/postinstall/postinstall.in: revision 1.54 tests/usr.sbin/certctl/certs3/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.1 etc/Makefile: revision 1.467 usr.sbin/postinstall/postinstall.in: revision 1.55 tests/usr.sbin/certctl/certs3/Makefile: revision 1.1 external/mpl/mozilla-certdata/share/certs/GLOBALTRUST_2020.pem: revision 1.1 etc/mtree/NetBSD.dist.tests: revision 1.200 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_1_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_CA_-_R3.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Actalis_Authentication_Root_CA.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1326 distrib/sets/lists/base/mi: revision 1.1327 external/mpl/mozilla-certdata/share/certs/SecureSign_RootCA11.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1328 external/mpl/mozilla-certdata/share/certs/Comodo_AAA_Services_root.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Entrust_Root_Certification_Authority_-_G2.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/QuoVadis_Root_CA_2_G3.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1329 external/mpl/mozilla-certdata/share/certs/COMODO_Certification_Authority.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certum_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/DigiCert_High_Assurance_EV_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Secure_Mail_Root_R45.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Secure_Global_CA.pem: revision 1.1 usr.sbin/certctl/certctl.8: revision 1.1 external/mpl/mozilla-certdata/share/certs/XRamp_Global_CA_Root.pem: revision 1.1 external/mpl/Makefile: revision 1.5 usr.sbin/certctl/certctl.8: revision 1.2 external/mpl/mozilla-certdata/share/certs/D-TRUST_Root_Class_3_CA_2_2009.pem: revision 1.1 
external/mpl/mozilla-certdata/share/certs/Baltimore_CyberTrust_Root.pem: revision 1.1 usr.sbin/certctl/certs.conf: revision 1.1 external/mpl/mozilla-certdata/share/certs/LAWtrust_Root_CA2_4096.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/AC_RAIZ_FNMT-RCM.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/OISTE_WISeKey_Global_Root_GA_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Certainly_Root_E1.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/GlobalSign_Root_E46.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SSL.com_EV_Root_Certification_Authority_ECC.pem: revision 1.1 certctl(8): New tool for managing OpenSSL CA certificates. Same command-line syntax as FreeBSD, clearer semantics about which parts are config and which parts are cache. mozilla-certdata: Record in doc/3RDPARTY. mozilla-certdata: Makefile infrastructure. mozilla-certdata: regen (actually, just `gen', this first time) mozilla-certdata: Connect it up to the build. postinstall(8): Add opensslcerts item to regen /etc/openssl/certs. Works only with destdir /, since it relies on running openssl(1), which is not available as a tool or required in the cross-build environment. certctl(8): Add xfail test for missing certs.conf. Command should fail, i.e., exit with nonzero status, but it exits with zero instead. certctl(8): Exit nonzero on missing certs.conf. certctl(8): Test prepopulated /etc/openssl/certs. This is the scenario when you have previously populated /etc/openssl/certs manually, or with a package like mozilla-rootcerts or mozilla-rootcerts-openssl, and you update to a version of NetBSD with certctl(8). In this case, certctl(8) should avoid destroying your work. 
While here, also test some related but less likely edge cases: - nonexistent - symlink - regular file certctl(8): Avoid clobbering prepopulated /etc/openssl/certs. Also avoid clobbering some other edge cases like symlinks or non-directories there. This way, we have the following transitions on system updates: - If /etc/openssl/certs is empty (as in default NetBSD<10 installs): quietly populated on rehash. - If /etc/openssl/certs is nonempty (you've added things to it, e.g. by hand or with mozilla-rootcerts) and has never been managed by certctl(8): left alone on rehash, with an error message to explain what you need to do. - If /etc/openssl/certs has been managed by certctl(8): quietly updated on rehash. Note: This means current installations made since certctl(8) was added will be treated like /etc/openssl/certs is nonempty and has never been managed by certctl(8). To work around this, you can just delete /etc/openssl/certs and rerun `certctl rehash'. postinstall(8): Fail if `certctl rehash' fails. Not using `set -e' here, evidently (maybe we should), so the separate return 0 suppressed the error. distrib/sets/lists: certs.conf belongs in etc, not in base. Oops. certctl(8): Set certs.conf 644 and add it to etc/mtree/special. Now that we have /etc/openssl/certs.conf mentioned here, also list /etc/openssl. hier(7): Document /etc/openssl. certctl(8): Minor man page clarifications. - Specify exactly what /etc/openssl/certs gets populated with. - Change HTTPS to TLS. - Specify the permitted character class in certs.conf. (Maybe more conservative than strictly needed; but let's stay on the safe side.) certctl(8): Fix some bugs with evil pathnames. certctl(8): Fix quoting and whitespace style in evilpath test. No functional change intended. etc/mtree/special: Fix spaces/tabs. No functional change intended. mozilla-certdata: Install relative symlinks. Slightly more compact this way, and you can examine them in a destdir without chrooting. 
Not terribly important, but a minor convenience. certctl(8): Test more evil pathnames. certctl(8): Install certs.conf in /usr/share/examples too. This way postinstall(8) can refer to the default one when you've done an upgrade without etcupdate or similar to pull in new config files from etc.tgz. Not great -- we should do this systematically for all config files in /etc, but this one-off hack is less risky for 10. postinstall(8): Handle various certs.conf scenarios gracefully. Tested the following scenarios: 1. fresh install empty /etc/openssl/certs default /etc/openssl/certs.conf - opensslcertsconf [x] check: pass [x] fix: pass -- nothing - opensslcertsrehash [x] check: fail -- needs rehash [x] fix: pass -- quietly rehash successfully (go to 4) 2. fresh upgrade empty /etc/openssl/certs no /etc/openssl/certs.conf - opensslcertsconf [x] check: fail -- complain missing /etc/openssl/certs.conf [x] fix: pass -- install default /etc/openssl/certs.conf (go to 1) - opensslcertsrehash [x] check: fail -- complain missing /etc/openssl/certs.conf - [x] fix: fail -- complain missing /etc/openssl/certs.conf 3. upgrade from certctl, changes to certs certctl-managed /etc/openssl/certs default /etc/openssl/certs.conf - opensslcertsconf [x] check: pass [x] fix: pass -- nothing - opensslcertsrehash [x] check: fail -- needs rehash [x] fix: pass -- quietly rehash successfully (go to 4) 4. upgrade from certctl, no changes to certs certctl-managed /etc/openssl/certs default /etc/openssl/certs.conf - opensslcertsconf [x] check: pass [x] fix: pass -- nothing - opensslcertsrehash [x] check: pass [x] fix: pass -- quietly rehash successfully (go to 4) 5. 
upgrade from mozilla-rootcerts populated /etc/openssl/certs no /etc/openssl/certs.conf - opensslcertsconf: [x] check: fail -- complain missing /etc/openssl/certs.conf [x] fix: pass -- install manual /etc/openssl/certs.conf (go to 7) - opensslcertsrehash: [x] check: fail -- complain missing /etc/openssl/certs.conf [x] fix: fail -- complain missing /etc/openssl/certs.conf 6. upgrade from mozilla-rootcerts with etcupdate naively populated /etc/openssl/certs default /etc/openssl/certs.conf - opensslcertsconf: [x] check: pass [x] fix: pass -- nothing - opensslcertsrehash: [x] check: fail -- complain mismatched certs/ and certs.conf [x] fix: fail -- complain mismatched certs/ and certs.conf 7. upgrade from mozilla-rootcerts with etcupdate manually populated /etc/openssl/certs manual /etc/openssl/certs.conf - opensslcertsconf: [x] check: pass [x] fix: pass -- nothing - opensslcertsrehash: [x] check: pass [x] fix: pass -- skip rehash because manual (go to 7) XXX Someone should draft automatic tests for postinstall. It has a very good track record, but it sure would be nice to automate this testing rather than redo it each time I make a tiny change. @ text @a0 80 # $NetBSD: Makefile,v 1.1 2023/08/26 05:47:53 riastradh Exp $ # MOZCERTS= /usr/share/certs/mozilla FILESDIR= ${MOZCERTS}/all TRUSTDOMAINS= server email code # Normally it is a bad idea to use file system globs to list sources in # a makefile, but we replace the directory wholesale on regen using the # same pattern below. So in this case, maintaining an explicit list of # files would be more error-prone. CERTS!= cd ${.CURDIR:Q} && echo certs/*.pem FILES+= ${CERTS} .for D in ${TRUSTDOMAINS} $D_CERTS!= cat ${.CURDIR:Q}/$D.trust . for C in ${$D_CERTS} SYMLINKS+= ../all/$C.pem ${MOZCERTS}/$D/$C.pem . endfor .endfor # The upstream Mozilla certdata.txt lives in the Mozilla nss repository # at https://hg.mozilla.org/projects/nss, under # lib/ckfw/builtins/certdata.txt. # # Updates: # # 1. 
Go to: # https://hg.mozilla.org/projects/nss/log/tip/lib/ckfw/builtins/certdata.txt # # 2. Find the top revision and follow the link to `diff'. # # 3. For the file lib/ckfw/builtins/certdata.txt, follow the link to # `file'. # # 4. Follow the link to `raw'. # # 5. Record the date of the latest revision and the URL to the # raw file in the comment below (includes hg revision). # # 6. Verify that the file matches when downloaded from at least # three different networks. (Suggestions: Your home # residential network, a TNF server, and Tor.) # # 7. Once you have verified this, commit certdata.txt. # # 8. Review https://wiki.mozilla.org/CA/Additional_Trust_Changes # for new special cases and apply to certdata.awk if # appropriate. # # 9. After committing certdata.txt and updating certdata.awk, run # `make regen' and verify that it builds and installs and # generally looks sensible. # # 10. Once you have verified that it builds and installs, cvs add # any new files and cvs rm any deleted files under certs/, # and commit certs/ and *.trust. 
# # Latest revision, from 2023-07-19: # # https://hg.mozilla.org/projects/nss/raw-file/f479bdba756c78ef9355a48c88744c69fdb4768e/lib/ckfw/builtins/certdata.txt # regen: .PHONY rm -f certs/*.pem rm -f ${TRUSTDOMAINS:=.trust} mkdir tmp awk -f certdata.awk \ -v CERTDIR=certs \ -v CODETRUST=code.trust \ -v EMAILTRUST=email.trust \ -v OPENSSL=openssl \ -v SERVERTRUST=server.trust \ -v WORKDIR=tmp \ <${.CURDIR:Q}/../dist/certdata.txt rm -rf tmp .include .include # XXX .include @ 1.2.2.3 log @Pull up following revision(s) (requested by riastradh in ticket #620): external/mpl/mozilla-certdata/dist/certdata.txt up to 1.1.1.2 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-2.pem: file removal external/mpl/mozilla-certdata/share/certs/CommScope_Public_Trust_ECC_Root-01.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1334 external/mpl/mozilla-certdata/share/certs/Global_Chambersign_Root_-_2008.pem: file removal external/mpl/mozilla-certdata/share/certs/Telekom_Security_SMIME_ECC_Root_2021.pem: revision 1.1 doc/3RDPARTY: revision 1.1994 external/mpl/mozilla-certdata/share/certs/TrustAsia_Global_Root_CA_G3.pem: revision 1.1 external/mpl/mozilla-certdata/share/email.trust: revision 1.2 external/mpl/mozilla-certdata/share/certs/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem: file removal external/mpl/mozilla-certdata/share/certs/CommScope_Public_Trust_RSA_Root-01.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem: file removal external/mpl/mozilla-certdata/share/certs/D-Trust_SBR_Root_CA_2_2022.pem: revision 1.1 external/mpl/mozilla-certdata/share/server.trust: revision 1.2 external/mpl/mozilla-certdata/share/certs/D-Trust_SBR_Root_CA_1_2022.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/Telekom_Security_TLS_ECC_Root_2020.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TrustCor_RootCert_CA-1.pem: file removal 
	external/mpl/mozilla-certdata/share/certs/Security_Communication_Root_CA.pem: file removal
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem: file removal
	doc/3RDPARTY: revision 1.1982
	external/mpl/mozilla-certdata/share/certs/Telekom_Security_TLS_RSA_Root_2023.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem: file removal
	external/mpl/mozilla-certdata/share/certs/CommScope_Public_Trust_ECC_Root-02.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Telekom_Security_SMIME_RSA_Root_2023.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Chambers_of_Commerce_Root_-_2008.pem: file removal
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem: revision 1.2
	external/mpl/mozilla-certdata/share/certs/TrustCor_ECA-1.pem: file removal
	external/mpl/mozilla-certdata/share/Makefile: revision 1.4
	external/mpl/mozilla-certdata/share/certs/TrustAsia_Global_Root_CA_G4.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/CommScope_Public_Trust_RSA_Root-02.pem: revision 1.1
	external/mpl/mozilla-certdata/share/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.1.pem: file removal
	external/mpl/mozilla-certdata/share/certdata.awk: revision 1.3

new mozilla-certdata out

mozilla-certdata: Update Mozilla certdata.txt.
nss hg date: 2024-02-12
nss hg revision: c17a3709bdd6e706040ac268a1d2b488c2fab5d8
Status:
Vendor Tag: MOZILLA-CERTDATA
Release Tags: mozilla-certdata-20240212
U src/external/mpl/mozilla-certdata/dist/certdata.txt
No conflicts created by this import

From http://mail-index.netbsd.org/source-changes/2024/03/03/msg150226.html:
Committed By: riastradh
Date: Sun Mar 3 04:24:41 UTC 2024

mozilla-certdata: Update reference in Makefile.

mozilla-certdata: regen

mozilla-certdata: Update set lists.

doc/3RDPARTY: mozilla-certdata is up-to-date.
mozilla-certdata: Fix typo: sprintf, not snprintf, in awk. Only used during import, and only in case something is wrong anyway requiring manual intervention, so no change to builds. @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2.2.2 2023/09/04 17:33:27 martin Exp $ d60 1 a60 1 # Latest revision, from 2024-02-12: d62 1 a62 1 # https://hg.mozilla.org/projects/nss/raw-file/c17a3709bdd6e706040ac268a1d2b488c2fab5d8/lib/ckfw/builtins/certdata.txt @ 1.2.2.4 log @Pull up following revision(s) (requested by riastradh in ticket #958): external/mpl/mozilla-certdata/dist/certdata.txt up to 1.1.1.3 external/mpl/mozilla-certdata/share/certs/FIRMAPROFESIONAL_CA_ROOT-A_WEB.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SecureSign_Root_CA15.pem: revision 1.1 distrib/sets/lists/base/mi: revision 1.1351 distrib/sets/lists/base/mi: revision 1.1352 distrib/sets/lists/base/mi: revision 1.1353 external/mpl/mozilla-certdata/share/email.trust: revision 1.3 external/mpl/mozilla-certdata/share/server.trust: revision 1.3 external/mpl/mozilla-certdata/share/certs/SecureSign_Root_CA12.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/SecureSign_Root_CA14.pem: revision 1.1 external/mpl/mozilla-certdata/share/Makefile: revision 1.5 external/mpl/mozilla-certdata/share/certs/TWCA_CYBER_Root_CA.pem: revision 1.1 external/mpl/mozilla-certdata/share/certs/TWCA_Global_Root_CA_G2.pem: revision 1.1 mozilla-certdata: Update reference in Makefile. mozilla-certdata: regen mozilla-certdata: Update set lists. One more mozilla-rootcerts file that is now obsolete. This fixes one current build breakage, but there is more to come. distrib/sets/lists/base/mi: Un-obsolete certSIGN_ROOT_CA.pem file. The CA is still kosher for TLS servers, so the original file /usr/share/certs/mozilla/all/certSIGN_ROOT_CA.pem and the symlink /usr/share/certs/mozilla/server/certSIGN_ROOT_CA.pem should still be there. 
It was only removed from S/MIME email trust, so only the symlink /usr/share/certs/mozilla/email/certSIGN_ROOT_CA.pem is obsolete. PR misc/58667 @ text @d1 1 a1 1 # $NetBSD: Makefile,v 1.2.2.3 2024/03/11 17:09:42 martin Exp $ d60 1 a60 1 # Latest revision, from 2024-08-23: d62 1 a62 1 # https://hg.mozilla.org/projects/nss/raw-file/872bd5fefe12bc48a9c65e9ea7f189df243d835a/lib/ckfw/builtins/certdata.txt @ 1.1 log @mozilla-certdata: Makefile infrastructure. @ text @d1 1 a1 1 # $NetBSD$ d19 1 a19 1 SYMLINKS+= ${MOZCERTS}/all/$C.pem ${MOZCERTS}/$D/$C.pem @
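Review bot: The `d60 1 a60 1` and `d62 1 a62 1` replacements in the 1.2.2.3 and 1.2.2.4 deltas record only the date and the raw-file URL with its hg revision, and no digest of the certdata.txt that was verified and committed. Consider adding a comment line with the SHA-256 of the imported file next to the URL, so a later importer can confirm that dist/certdata.txt matches the recorded reference without fetching it again.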
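Review bot: The line-19 replacement in the 1.1 delta shows the symlink target as the absolute `${MOZCERTS}/all/$C.pem`, while the head text uses the relative `../all/$C.pem`, and neither the Makefile nor the 1.1 log message says why. If the intent is for the links to keep resolving when the tree is installed under a DESTDIR or mounted at another path, a one-line comment above the SYMLINKS assignment saying so would keep a later edit from reverting it.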
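Step 6 of the update procedure in the Makefile comment, as an added example that is not part of the NetBSD tree: a POSIX shell function that takes the independently fetched copies of certdata.txt and succeeds only when at least three are given and all have the same SHA-256. The function names and the `BEGINDATA` marker check are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare copies of certdata.txt fetched over different networks.

# Print the SHA-256 of a file as bare hex, using whichever tool is present.
sha256_of() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | cut -d' ' -f1
	else
		openssl dgst -sha256 -r "$1" | cut -d' ' -f1
	fi
}

# verify_copies FILE...
# Prints the common digest and returns 0 only if at least three copies are
# given, each one looks like certdata.txt, and all digests are equal.
verify_copies() {
	if [ "$#" -lt 3 ]; then
		echo "need at least 3 copies, got $#" >&2
		return 2
	fi
	ref=
	for f in "$@"; do
		if [ ! -s "$f" ]; then
			echo "$f: missing or empty" >&2
			return 1
		fi
		# Three identical error pages would also agree with each other,
		# so require the data marker (assumed present in certdata.txt).
		if ! grep -q '^BEGINDATA' "$f"; then
			echo "$f: no BEGINDATA marker, not certdata.txt?" >&2
			return 1
		fi
		h=$(sha256_of "$f")
		if [ -z "$h" ]; then
			echo "$f: could not compute digest" >&2
			return 1
		elif [ -z "$ref" ]; then
			ref=$h
		elif [ "$h" != "$ref" ]; then
			echo "$f: digest $h differs from $ref" >&2
			return 1
		fi
	done
	echo "$ref"
}

# Run directly as: sh verify.sh home/certdata.txt tnf/certdata.txt tor/certdata.txt
if [ "$#" -gt 0 ]; then verify_copies "$@"; fi
```
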