From patchwork Sun Mar 5 20:39:51 2023
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 6666
Message-ID: <590c63e4-139f-f598-3dce-58db7492aad5@ipfire.org>
Date: Sun, 5 Mar 2023 20:39:51 +0000
Subject: [PATCH 2/2] ca-certificates: Rebase patch for removing TrustCor root CAs
To: development@lists.ipfire.org
References: <74bcbc48-8208-d7da-89a0-60afcdccf600@ipfire.org>
From: Peter Müller
In-Reply-To: <74bcbc48-8208-d7da-89a0-60afcdccf600@ipfire.org>

This is necessary since the certdata2pem.py script does not take meta information such as "distrust after date" into account, hence Mozilla's changes to TrustCor's root CAs are not sufficient to have them removed from or distrusted on IPFire installations.

Signed-off-by: Peter Müller
---
 ...tes-Remove-TrustCor-Systems-root-CAs.patch | 45 +++++++++++++------
 1 file changed, 32 insertions(+), 13 deletions(-)

diff --git a/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch b/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch index 99498a41a..889d5e63a 100644 --- a/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch +++ b/src/patches/ca-certificates-Remove-TrustCor-Systems-root-CAs.patch @@ -1,9 +1,10 @@ ---- certdata.txt 2022-12-01 10:23:58.186454756 +0100 -+++ certdata.txt 2022-12-01 10:25:19.587297113 +0100 -@@ -15292,517 +15292,6 @@ +--- certdata.txt ++++ certdata.txt +@@ -14609,536 +14609,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - - # + +-# -# Certificate "TrustCor RootCert CA-1" -# -# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA
@@ -120,8 +121,14 @@ -\132\171\054\031 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE --CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE --CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE +-# For Server Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END +-# For Email Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END - -# Trust for "TrustCor RootCert CA-1" -# Issuer: CN=TrustCor RootCert CA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -313,8 +320,15 @@ -\326\354\011 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE --CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE --CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE +-# For Server Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END +-# For Email Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END +- - -# Trust for "TrustCor RootCert CA-2" -# Issuer: CN=TrustCor RootCert CA-2,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA 
@@ -471,8 +485,14 @@ -\264\237\327\346 -END -CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE --CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE --CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE +-# For Server Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END +-# For Email Distrust After: Wed Nov 30 00:00:00 2022 +-CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL +-\062\062\061\061\063\060\060\060\060\060\060\060\132 +-END - -# Trust for "TrustCor ECA-1" -# Issuer: CN=TrustCor ECA-1,OU=TrustCor Certificate Authority,O=TrustCor Systems S. de R.L.,L=Panama City,ST=Panama,C=PA @@ -514,7 +534,6 @@ -CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE - --# + # # Certificate "SSL.com Root Certification Authority RSA" # - # Issuer: CN=SSL.com Root Certification Authority RSA,O=SSL Corporation,L=Houston,ST=Texas,C=US
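Review bot: in the first hunk (`@@ -1,9 +1,10 @@`), the rebased inner header `+@@ -14609,536 +14609,6 @@` hard-codes a new offset and line count, but neither the commit message nor the .patch file records which ca-certificates/certdata.txt revision it was rebased against; please state that revision in the commit message (or in a comment line at the top of the .patch file) so the next rebase can be verified against the right upstream. Dropping the timestamps from the inner `--- certdata.txt` / `+++ certdata.txt` lines is fine, since they carried no information and only made future rebases noisier.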
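Review bot: the three per-CA hunks (`@@ -120,8 +121,14 @@`, `@@ -313,8 +320,15 @@`, `@@ -471,8 +485,14 @@`) show the underlying problem this patch works around rather than fixes: Mozilla replaced `CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE` and the email counterpart with `MULTILINE_OCTAL` values, and `\062\062\061\061\063\060\060\060\060\060\060\060\132` decodes to the UTCTime `221130000000Z`, i.e. 30 Nov 2022, matching the `# For Server Distrust After` comment lines. Since the commit message says certdata2pem.py ignores these attributes, consider teaching it to parse them and drop (or at least warn about) roots whose distrust date has passed; that would make this hand-rebased removal patch unnecessary and would cover future Mozilla distrust actions without a new patch each time.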
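Review bot: the CA-2 hunk (`@@ -313,8 +320,15 @@`) removes one line more than the CA-1 and ECA-1 hunks, the extra `+-` after the second `-END`, which is why it grows to 15 lines where the other two grow to 14; double-check against the upstream certdata.txt that this blank line really exists, otherwise this part of the inner patch will fail to apply while the other two hunks succeed, and the failure will only show up at build time.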
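As an added example, and not IPFire's certdata2pem.py nor any code from this patch series, the following Python shows how a certdata.txt consumer can honour the `CKA_NSS_SERVER_DISTRUST_AFTER` / `CKA_NSS_EMAIL_DISTRUST_AFTER` attributes that the commit message says the script ignores. It parses a constructed certdata.txt fragment (all labels are made up) that uses the two encodings visible in the hunks, `CK_BBOOL CK_FALSE` and a `MULTILINE_OCTAL` UTCTime, and drops any root whose server distrust date has passed. One design choice is worth knowing: NSS itself applies the date to the notBefore of certificates issued under the root, which a flat PEM bundle cannot express, so a bundle generator has to fall back to removing the root entirely once the date has passed.

```python
"""Added example: honour NSS distrust-after attributes when converting certdata.txt.

Not IPFire's certdata2pem.py. The certdata.txt fragment below is constructed and
uses the two attribute encodings seen in the patch hunks.
"""
import re
from datetime import datetime, timezone

# Constructed certdata.txt fragment (labels are made up). The second root carries
# MULTILINE_OCTAL distrust dates of the kind Mozilla added for the TrustCor roots.
SAMPLE_CERTDATA = r"""
#
# Certificate "Example Trusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

#
# Certificate "Example Distrusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# For Server Distrust After: Wed Nov 30 00:00:00 2022
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END
# For Email Distrust After: Wed Nov 30 00:00:00 2022
CKA_NSS_EMAIL_DISTRUST_AFTER MULTILINE_OCTAL
\062\062\061\061\063\060\060\060\060\060\060\060\132
END
"""


def decode_octal(lines):
    """Decode MULTILINE_OCTAL lines (\\062\\062...) into bytes."""
    out = bytearray()
    for line in lines:
        for match in re.finditer(r"\\([0-7]{3})", line):
            out.append(int(match.group(1), 8))
    return bytes(out)


def utctime_to_datetime(value):
    """Parse an ASN.1 UTCTime such as 221130000000Z as an aware UTC datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certdata(text):
    """Return one {attribute: (type, value)} dict per object; objects start at CKA_CLASS."""
    objects, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line or line.startswith("#"):
            continue  # comments and separators carry no attribute
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        name, ctype = parts[0], parts[1]
        value = parts[2] if len(parts) > 2 else ""
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            continue
        if ctype == "MULTILINE_OCTAL":
            block = []  # the value is the octal block on the following lines, up to END
            while i < len(lines) and lines[i] != "END":
                block.append(lines[i])
                i += 1
            i += 1  # skip END
            value = decode_octal(block)
        elif ctype == "UTF8":
            value = value.strip('"')
        current[name] = (ctype, value)
    return objects


def distrust_after(obj, attr):
    """Distrust date stored under attr, or None. CK_BBOOL CK_FALSE means 'no date';
    MULTILINE_OCTAL carries a UTCTime string."""
    if attr not in obj:
        return None
    ctype, value = obj[attr]
    if ctype == "CK_BBOOL":
        return None
    return utctime_to_datetime(value.decode("ascii"))


def trusted_server_roots(text, now):
    """Labels of certificate objects a bundle built at `now` should still ship for TLS."""
    kept = []
    for obj in parse_certdata(text):
        if obj.get("CKA_CLASS", ("", ""))[1] != "CKO_CERTIFICATE":
            continue
        cutoff = distrust_after(obj, "CKA_NSS_SERVER_DISTRUST_AFTER")
        if cutoff is not None and now >= cutoff:
            continue  # date has passed: a flat bundle can only drop the root
        kept.append(obj["CKA_LABEL"][1])
    return kept


if __name__ == "__main__":
    print(trusted_server_roots(SAMPLE_CERTDATA, datetime.now(timezone.utc)))
```

Run against a real certdata.txt, `parse_certdata` also yields the `CKO_NSS_TRUST` objects (the `CKA_TRUST_*` lines seen in the hunks); a complete generator would drop the trust object together with its certificate, and apply the same check with `CKA_NSS_EMAIL_DISTRUST_AFTER` when building an S/MIME bundle.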