From 474e2665c36421fbdf81f35c7e14a019195e6b9b Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Mon, 3 Mar 2014 14:05:03 +0000
Subject: main/nss: distrust mis-issued ANSSI/DCSSI cert fixes #2572
---
main/nss/APKBUILD | 6 +++--
main/nss/distrusted-ac-dg-tresor-ssl.patch | 39 ++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 main/nss/distrusted-ac-dg-tresor-ssl.patch
(limited to 'main')
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index 4358dcfebe..c61f04777e 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -2,7 +2,7 @@
 pkgname=nss
 pkgver=3.13.4
 _ver=${pkgver//./_}
-pkgrel=0
+pkgrel=1
 pkgdesc="Mozilla Network Security Services"
 url="http://www.mozilla.org/projects/security/pki/nss/"
 arch="all"
@@ -16,6 +16,7 @@ source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src
 nss-config.in
 add_spi+cacert_ca_certs.patch
 ssl-renegotiate-transitional.patch
+ distrusted-ac-dg-tresor-ssl.patch
 "
 depends_dev="nspr-dev"
@@ -145,4 +146,5 @@ e5c97db0c884d5f4cfda21e562dc9bba nss-no-rpath.patch
 c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
 46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
 7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
-d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch"
+d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch
+c529827935164ef44d68efab40352563 distrusted-ac-dg-tresor-ssl.patch"
diff --git a/main/nss/distrusted-ac-dg-tresor-ssl.patch b/main/nss/distrusted-ac-dg-tresor-ssl.patch
new file mode 100644
index 0000000000..924921ecca
--- /dev/null
+++ b/main/nss/distrusted-ac-dg-tresor-ssl.patch
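Review bot: The checksum pinned for `distrusted-ac-dg-tresor-ssl.patch` in the `@@ -145,4 +146,5 @@` hunk of main/nss/APKBUILD is a 32-hex-digit (MD5-length) digest, like the entries around it. MD5 is not collision-resistant, so it is a weak integrity pin for build inputs; that matters most for the upstream tarball, which the `@@ -16,6 +16,7 @@` header context shows being fetched over `ftp://`. If the abuild in use supports them, I would add `sha256sums` or `sha512sums` for the same source list alongside this block. The checksum block and the `source=` assignment both start outside the visible hunks.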
@@ -0,0 +1,39 @@
+diff --git a/mozilla/security/nss/lib/ckfw/builtins/certdata.txt b/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+index a1d1e6e..3612ad1 100644
+--- a/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
++++ b/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+@@ -12507,6 +12507,34 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
++# Distrust "Distrusted AC DG Tresor SSL"
++# Issuer: CN=AC DGTPE Signature Authentification,O=DGTPE,C=FR
++# Serial Number: 204199 (0x31da7)
++# Subject: CN=AC DG Tr..sor SSL,O=DG Tr..sor,C=FR
++# Not Valid Before: Thu Jul 18 10:05:28 2013
++# Not Valid After : Fri Jul 18 10:05:28 2014
++# Fingerprint (MD5): 3A:EA:9E:FC:00:0C:E2:06:6C:E0:AC:39:C1:31:DE:C8
++# Fingerprint (SHA1): 5C:E3:39:46:5F:41:A1:E4:23:14:9F:65:54:40:95:40:4D:E6:EB:E2
++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
++CKA_TOKEN CK_BBOOL CK_TRUE
++CKA_PRIVATE CK_BBOOL CK_FALSE
++CKA_MODIFIABLE CK_BBOOL CK_FALSE
++CKA_LABEL UTF8 "Distrusted AC DG Tresor SSL"
++CKA_ISSUER MULTILINE_OCTAL
++\060\113\061\013\060\011\006\003\125\004\006\023\002\106\122\061
++\016\060\014\006\003\125\004\012\023\005\104\107\124\120\105\061
++\054\060\052\006\003\125\004\003\023\043\101\103\040\104\107\124
++\120\105\040\123\151\147\156\141\164\165\162\145\040\101\165\164
++\150\145\156\164\151\146\151\143\141\164\151\157\156
++END
++CKA_SERIAL_NUMBER MULTILINE_OCTAL
++\002\003\003\035\247
++END
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
++
+ #
+ # Certificate "Security Communication EV RootCA1"
+ #
-- cgit v1.2.3
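Review bot: The new patch file opens directly at `diff --git` with no header recording where this certdata.txt entry came from or when the patch can be dropped, which matters for a trust-store change carried on top of nss 3.13.4. I would add a short comment block above the inner diff, e.g. `# Backport of upstream NSS change <UPSTREAM-REF>; drop once pkgver >= <FIXED-VERSION>` (placeholders, since neither value is on this page). The entry itself is internally consistent: `CKA_SERIAL_NUMBER` `\002\003\003\035\247` decodes to 0x31da7 as the comment states, and the `CKA_ISSUER` bytes encode the commented issuer DN. A `CKO_NSS_TRUST` object keyed on issuer and serial covers only this one certificate, so it is worth stating in that header whether anything else issued by the same sub-CA still needs handling; that cannot be judged from this hunk.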