author    kim <kim@pkgsrc.org> 2020-06-08 09:55:36 +0000
committer kim <kim@pkgsrc.org> 2020-06-08 09:55:36 +0000
commit    83a172e3b1dc0683644536db0ca710cd46a55266 (patch)
tree      6040c00b1e535c46d48662200d0d12394a0e118e /security/ca-certificates
parent    dc74373b8eb618e0032ea6e0cc4c2662eb5b21e7 (diff)
download  pkgsrc-83a172e3b1dc0683644536db0ca710cd46a55266.tar.gz
Upgrade to 20200601

* Update Mozilla certificate authority bundle to version 2.40.
* Add distrusted Symantec CA list to blacklist for explicit removal.
* Blacklist expired root certificate, "AddTrust External Root".

The following certificate authorities were added (+):
+ "Certigna Root CA"
+ "emSign ECC Root CA - C3"
+ "emSign ECC Root CA - G3"
+ "emSign Root CA - C1"
+ "emSign Root CA - G1"
+ "Entrust Root Certification Authority - G4"
+ "GTS Root R1"
+ "GTS Root R2"
+ "GTS Root R3"
+ "GTS Root R4"
+ "Hongkong Post Root CA 3"
+ "UCA Extended Validation Root"
+ "UCA Global G2 Root"

The following certificate authorities were removed (-):
- "AddTrust External Root"
- "Certinomis - Root CA"
- "Certplus Class 2 Primary CA"
- "Deutsche Telekom Root CA 2"
- "GeoTrust Global CA"
- "GeoTrust Primary Certification Authority"
- "GeoTrust Primary Certification Authority - G2"
- "GeoTrust Primary Certification Authority - G3"
- "GeoTrust Universal CA"
- "thawte Primary Root CA"
- "thawte Primary Root CA - G2"
- "thawte Primary Root CA - G3"
- "VeriSign Class 3 Public Primary Certification Authority - G4"
- "VeriSign Class 3 Public Primary Certification Authority - G5"
- "VeriSign Universal Root Certification Authority"

Changes for pkgsrc packaging:
* Add README.pkgsrc, replacing MESSAGE.
* Improve DESCR to better describe the functionality of the package.
* Install changelog and README.source from the distribution package.

Diffstat (limited to 'security/ca-certificates')
-rw-r--r--  security/ca-certificates/DESCR                 9
-rw-r--r--  security/ca-certificates/MESSAGE              24
-rw-r--r--  security/ca-certificates/Makefile             31
-rw-r--r--  security/ca-certificates/PLIST                33
-rw-r--r--  security/ca-certificates/distinfo             10
-rw-r--r--  security/ca-certificates/files/README.pkgsrc  36
6 files changed, 85 insertions, 58 deletions
diff --git a/security/ca-certificates/DESCR b/security/ca-certificates/DESCR
index f36fec7645a..328683f5a9e 100644
--- a/security/ca-certificates/DESCR
+++ b/security/ca-certificates/DESCR
@@ -1,6 +1,7 @@
This package provides the certificates distributed by the Mozilla
-Project.
+Project and will, by default, install certificates trusted by the
+Mozilla Project in the system certificate store.
-It also provides a script, update-ca-certs, which can be used to manage
-a location that makes certificates usable by TLS implementations,
-including installing select certificates from this package.
+The sysadmin can configure the list of trusted certificates and also
+add local certificates as needed by editing ca-certificates.conf and
+re-running update-ca-certificates.
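Review bot: The new DESCR text says the package "will, by default, install certificates trusted by the Mozilla Project in the system certificate store", but this patch deletes MESSAGE, whose instruction to run update-ca-certificates was the only install-time step documented, and none of the Makefile hunks shown here add one. If the store is populated automatically at install, name the mechanism that does it; if the admin still has to run update-ca-certificates once, DESCR should say so, because the difference decides whether installing this package changes which roots the host trusts without any admin action.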
diff --git a/security/ca-certificates/MESSAGE b/security/ca-certificates/MESSAGE
deleted file mode 100644
index 5914a1aaa80..00000000000
--- a/security/ca-certificates/MESSAGE
+++ /dev/null
@@ -1,24 +0,0 @@
-===========================================================================
-$NetBSD: MESSAGE,v 1.1 2020/05/31 15:53:44 kim Exp $
-
-Execute this command to install and rehash select CA root certificates
-distributed by the Mozilla Project, so that they can be used by third
-party applications using OpenSSL. It also creates a single file
-certificate bundle in PEM format which can be used by applications using
-GnuTLS.
-
- # update-ca-certificates
-
-You can edit /etc/ca-certificates.conf to configure which certificates are
-installed. Additionally any certificates in /usr/local/share/ca-certificates
-will be installed.
-
-To mark these certificates as trusted for users of gnupg2, do
-the following (assuming default PKG_SYSCONFBASE and a Bourne shell):
-
- # mkdir -p /usr/pkg/etc/gnupg
- # cd /usr/pkg/etc/gnupg
- # for c in /etc/openssl/certs/*.pem; do
- > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
- > done > trustlist.txt
-===========================================================================
diff --git a/security/ca-certificates/Makefile b/security/ca-certificates/Makefile
index 41674afab44..94e6728f31e 100644
--- a/security/ca-certificates/Makefile
+++ b/security/ca-certificates/Makefile
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.1 2020/05/31 15:53:44 kim Exp $
+# $NetBSD: Makefile,v 1.2 2020/06/08 09:55:36 kim Exp $
-PKGNAME= ca-certificates-20190110
+PKGNAME= ca-certificates-20200601
DISTNAME= ${PKGNAME:C/-([^-]*)$/_\1/}
CATEGORIES= security
MASTER_SITES= http://deb.debian.org/debian/pool/main/c/ca-certificates/
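Review bot: MASTER_SITES, in the unchanged context of this hunk, still fetches the distfile over plain http:// while PKGNAME moves to 20200601. For a package whose whole content is trust anchors, switch the URL to https:// if the mirror supports it, so that the integrity of the download does not rest only on the distinfo checksums.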
@@ -14,11 +14,13 @@ LICENSE= gnu-gpl-v2 AND mpl-2.0
NO_CONFIGURE= yes
PYTHON_FOR_BUILD_ONLY= yes
-USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run mkdir:run
+USE_TOOLS= echo:run find:run ln:run openssl:run rm:run sed:run sort:run wc:run
WRKSRC= ${WRKDIR}/${PKGNAME_NOREV}
DATADIR= ${PREFIX}/share/${PKGBASE}
+DOCDIR= ${PREFIX}/share/doc/${PKGBASE}
EGDIR= ${PREFIX}/share/examples/${PKGBASE}
+MANDIR= ${PREFIX}/share/man/man8
# Set paths depending on whether we depend on builtin or pkgsrc
# openssl. \todo Arguably, we should consider installing into both
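Review bot: USE_TOOLS drops awk:run, expr:run, ls:run and mkdir:run and adds find:run, sed:run, sort:run and wc:run, but neither the commit message nor a comment says what the new list was derived from. These are run-time tools, so a wrong list only shows up when the script runs on the target host, not at build time. Add a one-line comment above USE_TOOLS naming the script the list was taken from, so the next upgrade knows to re-check it.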
@@ -43,26 +45,37 @@ SUBST_STAGE.paths= post-build
SUBST_FILES.paths= Makefile sbin/Makefile
SUBST_FILES.paths+= ca-certificates.conf
SUBST_FILES.paths+= sbin/update-ca-certificates sbin/update-ca-certificates.8
+SUBST_FILES.paths+= README.pkgsrc
SUBST_SED.paths= -e 's,/usr/sbin,${PREFIX}/sbin,g'
SUBST_SED.paths+= -e 's,/etc/ca-certificates.conf,${PKG_SYSCONFDIR}/ca-certificates.conf,g'
SUBST_SED.paths+= -e 's,/etc/ssl,${SSLDIR},g'
SUBST_SED.paths+= -e 's,/usr/share/ca-certificates,${DATADIR},g'
-INSTALLATION_DIRS= sbin ${DATADIR} ${EGDIR} share/man/man8
+INSTALLATION_DIRS= sbin ${DATADIR} ${DOCDIR} ${EGDIR} ${MANDIR}
CONF_FILES= ${EGDIR}/ca-certificates.conf \
${PKG_SYSCONFDIR}/ca-certificates.conf
pre-build:
- @${CP} ${FILESDIR}/ca-certificates.conf ${WRKSRC}/
+ @${CP} ${FILESDIR}/ca-certificates.conf ${FILESDIR}/README.pkgsrc ${WRKSRC}/
@${GREP} '^share/ca-certificates/' ${FILESDIR}/../PLIST \
>> ${WRKSRC}/ca-certificates.conf
+post-extract:
+ ${MV} ${WRKDIR}/work ${WRKSRC}
+
post-install:
- ${INSTALL_MAN} ${WRKSRC}/sbin/update-ca-certificates.8 \
- ${DESTDIR}${PREFIX}/share/man/man8/update-ca-certificates.8
- ${INSTALL_DATA} ${WRKSRC}/ca-certificates.conf \
- ${DESTDIR}${EGDIR}/ca-certificates.conf
+ ${INSTALL_MAN} \
+ ${WRKSRC}/sbin/update-ca-certificates.8 \
+ ${DESTDIR}${MANDIR}/
+ ${INSTALL_DATA} \
+ ${WRKSRC}/README.pkgsrc \
+ ${WRKSRC}/debian/README.source \
+ ${WRKSRC}/debian/changelog \
+ ${DESTDIR}${DOCDIR}/
+ ${INSTALL_DATA} \
+ ${WRKSRC}/ca-certificates.conf \
+ ${DESTDIR}${EGDIR}/
.include "../../lang/python/tool.mk"
.include "../../mk/bsd.pkg.mk"
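Review bot: README.pkgsrc is added to SUBST_FILES.paths, but the SUBST_SED.paths rules do not cover every path the README prints. The rule 's,/usr/share/ca-certificates,${DATADIR},g' does not match /usr/local/share/ca-certificates/, so the installed README will show substituted paths for the configuration file and certificate store next to an unsubstituted path for local certificates. Add a rule for that directory or confirm it is the literal path the script reads. Separately, the new post-extract target (${MV} ${WRKDIR}/work ${WRKSRC}) needs a comment saying why the rename is required for this distfile.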
diff --git a/security/ca-certificates/PLIST b/security/ca-certificates/PLIST
index bb69475a6f1..daea1c0abd8 100644
--- a/security/ca-certificates/PLIST
+++ b/security/ca-certificates/PLIST
@@ -1,9 +1,8 @@
-@comment $NetBSD: PLIST,v 1.1 2020/05/31 15:53:44 kim Exp $
+@comment $NetBSD: PLIST,v 1.2 2020/06/08 09:55:36 kim Exp $
sbin/update-ca-certificates
share/ca-certificates/mozilla/ACCVRAIZ1.crt
share/ca-certificates/mozilla/AC_RAIZ_FNMT-RCM.crt
share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
-share/ca-certificates/mozilla/AddTrust_External_Root.crt
share/ca-certificates/mozilla/AffirmTrust_Commercial.crt
share/ca-certificates/mozilla/AffirmTrust_Networking.crt
share/ca-certificates/mozilla/AffirmTrust_Premium.crt
@@ -23,8 +22,7 @@ share/ca-certificates/mozilla/COMODO_Certification_Authority.crt
share/ca-certificates/mozilla/COMODO_ECC_Certification_Authority.crt
share/ca-certificates/mozilla/COMODO_RSA_Certification_Authority.crt
share/ca-certificates/mozilla/Certigna.crt
-share/ca-certificates/mozilla/Certinomis_-_Root_CA.crt
-share/ca-certificates/mozilla/Certplus_Class_2_Primary_CA.crt
+share/ca-certificates/mozilla/Certigna_Root_CA.crt
share/ca-certificates/mozilla/Certum_Trusted_Network_CA.crt
share/ca-certificates/mozilla/Certum_Trusted_Network_CA_2.crt
share/ca-certificates/mozilla/Chambers_of_Commerce_Root_-_2008.crt
@@ -33,7 +31,6 @@ share/ca-certificates/mozilla/Cybertrust_Global_Root.crt
share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
share/ca-certificates/mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
share/ca-certificates/mozilla/DST_Root_CA_X3.crt
-share/ca-certificates/mozilla/Deutsche_Telekom_Root_CA_2.crt
share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G2.crt
share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_G3.crt
@@ -49,12 +46,12 @@ share/ca-certificates/mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
share/ca-certificates/mozilla/Entrust_Root_Certification_Authority.crt
share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G2.crt
+share/ca-certificates/mozilla/Entrust_Root_Certification_Authority_-_G4.crt
share/ca-certificates/mozilla/GDCA_TrustAUTH_R5_ROOT.crt
-share/ca-certificates/mozilla/GeoTrust_Global_CA.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
-share/ca-certificates/mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
-share/ca-certificates/mozilla/GeoTrust_Universal_CA.crt
+share/ca-certificates/mozilla/GTS_Root_R1.crt
+share/ca-certificates/mozilla/GTS_Root_R2.crt
+share/ca-certificates/mozilla/GTS_Root_R3.crt
+share/ca-certificates/mozilla/GTS_Root_R4.crt
share/ca-certificates/mozilla/GeoTrust_Universal_CA_2.crt
share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
share/ca-certificates/mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
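Review bot: GeoTrust_Universal_CA_2.crt stays in the list as unchanged context directly below five removed GeoTrust entries, and the commit message's list of removals does not name it. If that matches the upstream 2.40 bundle, say so in the commit message, because the pre-build step in the Makefile appends every share/ca-certificates/ line of PLIST to ca-certificates.conf, so whatever remains here is offered as trusted by default.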
@@ -69,6 +66,7 @@ share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_ECC_Ro
share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
share/ca-certificates/mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt
+share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt
share/ca-certificates/mozilla/ISRG_Root_X1.crt
share/ca-certificates/mozilla/IdenTrust_Commercial_Root_CA_1.crt
share/ca-certificates/mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
@@ -116,17 +114,20 @@ share/ca-certificates/mozilla/TrustCor_ECA-1.crt
share/ca-certificates/mozilla/TrustCor_RootCert_CA-1.crt
share/ca-certificates/mozilla/TrustCor_RootCert_CA-2.crt
share/ca-certificates/mozilla/Trustis_FPS_Root_CA.crt
+share/ca-certificates/mozilla/UCA_Extended_Validation_Root.crt
+share/ca-certificates/mozilla/UCA_Global_G2_Root.crt
share/ca-certificates/mozilla/USERTrust_ECC_Certification_Authority.crt
share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
-share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
-share/ca-certificates/mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-share/ca-certificates/mozilla/VeriSign_Universal_Root_Certification_Authority.crt
share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
share/ca-certificates/mozilla/XRamp_Global_CA_Root.crt
share/ca-certificates/mozilla/certSIGN_ROOT_CA.crt
share/ca-certificates/mozilla/ePKI_Root_Certification_Authority.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G2.crt
-share/ca-certificates/mozilla/thawte_Primary_Root_CA_-_G3.crt
+share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_C3.crt
+share/ca-certificates/mozilla/emSign_ECC_Root_CA_-_G3.crt
+share/ca-certificates/mozilla/emSign_Root_CA_-_C1.crt
+share/ca-certificates/mozilla/emSign_Root_CA_-_G1.crt
+share/doc/ca-certificates/README.pkgsrc
+share/doc/ca-certificates/README.source
+share/doc/ca-certificates/changelog
share/examples/ca-certificates/ca-certificates.conf
share/man/man8/update-ca-certificates.8
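Review bot: Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt remains as unchanged context while the VeriSign G4, G5 and Universal Root entries just above it are removed. Confirm that keeping G3 is intentional and matches the upstream bundle, since the commit message line "Add distrusted Symantec CA list to blacklist for explicit removal" does not say which roots the blacklist covers.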
diff --git a/security/ca-certificates/distinfo b/security/ca-certificates/distinfo
index 3fb888886a3..c40f266f4a5 100644
--- a/security/ca-certificates/distinfo
+++ b/security/ca-certificates/distinfo
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.1 2020/05/31 15:53:44 kim Exp $
+$NetBSD: distinfo,v 1.2 2020/06/08 09:55:36 kim Exp $
-SHA1 (ca-certificates_20190110.tar.xz) = 47d4584eae85fc905e4994766eb3930a8a84e2e1
-RMD160 (ca-certificates_20190110.tar.xz) = cbf8f474fba527dc96413632ac5874385bd38e17
-SHA512 (ca-certificates_20190110.tar.xz) = 9ce2661018edb120d0ef5bd3ed52c0f73f577d7607d135a31730549f5eb4176db4865cdb8bde77a78dc3efb8968846da5e72af8a833a9da2a8a7deb4f1560372
-Size (ca-certificates_20190110.tar.xz) = 243472 bytes
+SHA1 (ca-certificates_20200601.tar.xz) = f17235bc9c3aec538065a655681815c242a6d7d5
+RMD160 (ca-certificates_20200601.tar.xz) = a9f1f232f46ecb06c53d5d814c29d3b9aca88323
+SHA512 (ca-certificates_20200601.tar.xz) = 7bfd3122430be0a46bd10dcb0e0664561d1e0b2656b9f37677d89f71a1dcb0e668c25ffe08412888125fa9a53ee8245a4b3fc1004c419a159766665b1241113c
+Size (ca-certificates_20200601.tar.xz) = 245668 bytes
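Review bot: The new SHA1, RMD160 and SHA512 lines are the only thing pinning this package to a specific ca-certificates_20200601.tar.xz, and the commit message does not say what the tarball was checked against before they were generated. Please state how it was verified (for example against the signed Debian source package), since MASTER_SITES is an http:// URL and a checksum computed over whatever was downloaded only pins that download.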
diff --git a/security/ca-certificates/files/README.pkgsrc b/security/ca-certificates/files/README.pkgsrc
new file mode 100644
index 00000000000..d0f3f5a42ba
--- /dev/null
+++ b/security/ca-certificates/files/README.pkgsrc
@@ -0,0 +1,36 @@
+$NetBSD: README.pkgsrc,v 1.1 2020/06/08 09:55:37 kim Exp $
+
+This package provides the certificates distributed by the Mozilla
+Project and will, by default, install certificates trusted by the
+Mozilla Project in the system certificate store (/etc/ssl),
+so that they can be used by third party applications using OpenSSL.
+
+Edit /etc/ca-certificates.conf to further configure which
+certificates are installed.
+
+To install local certificate authorities to be implicitly trusted,
+place the certificate files in /usr/local/share/ca-certificates/
+as single files ending with ".crt".
+
+After changing the configuration and adding local certificates run this
+command to install and rehash the certificates:
+
+ # /usr/sbin/update-ca-certificates
+
+After removing local certificates run this command to remove dangling
+symlinks from /etc/ssl/certs:
+
+ # /usr/sbin/update-ca-certificates --fresh
+
+The update-ca-certificates tool also creates a single file certificate
+bundle in PEM format in /etc/ssl/certs/ca-certificates.crt
+which can be used by applications using GnuTLS.
+
+To mark the installed certificates as trusted for users of gnupg2 do
+the following (assuming default PKG_SYSCONFBASE and a Bourne shell):
+
+ # mkdir -p /usr/pkg/etc/gnupg
+ # cd /usr/pkg/etc/gnupg
+ # for c in /etc/ssl/certs/*.pem; do
+ > openssl x509 -in $c -noout -fingerprint|sed 's|^.*=\(.*\)|\1 S|'
+ > done > trustlist.txt
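Review bot: The gnupg2 recipe at the end of README.pkgsrc finishes with "done > trustlist.txt", which overwrites any existing /usr/pkg/etc/gnupg/trustlist.txt, and the README never says to re-run it after update-ca-certificates. A host that generated the file under the old MESSAGE instructions keeps the fingerprints of roots this upgrade removes, such as "AddTrust External Root", marked as trusted for gnupg2 until someone regenerates it. Add a sentence telling the admin to regenerate the file after every upgrade and to merge by hand if it holds local entries. Also quote "$c" in the loop and pass the digest option to openssl x509 -fingerprint explicitly instead of relying on its default.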