authorwiz <wiz@pkgsrc.org>2014-09-06 08:03:00 +0000
committerwiz <wiz@pkgsrc.org>2014-09-06 08:03:00 +0000
commit614c6e2a938bff8e0a8f9da9e169035263d387ba (patch)
tree7d66cf52f1ddeececfe023a96ca2c0a625cc5e64 /security
parentbc306cf8a9b4c94b680322ec8e047fb33b286e89 (diff)
downloadpkgsrc-614c6e2a938bff8e0a8f9da9e169035263d387ba.tar.gz
Improve detection of untrusted certificates. From John D. Baker
in PR 49176. Bump PKGREVISION.
Diffstat (limited to 'security')
-rw-r--r--security/mozilla-rootcerts/Makefile3
-rw-r--r--security/mozilla-rootcerts/files/mozilla-rootcerts.sh16
2 files changed, 12 insertions, 7 deletions
diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile
index 69e49c2fd9e..2e109189d04 100644
--- a/security/mozilla-rootcerts/Makefile
+++ b/security/mozilla-rootcerts/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.14 2014/08/25 08:34:44 mlelstv Exp $
+# $NetBSD: Makefile,v 1.15 2014/09/06 08:03:00 wiz Exp $
DISTNAME= mozilla-rootcerts-1.0.${CERTDATA_DATE}
+PKGREVISION= 1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_LOCAL}
DISTFILES= ${CERTDATA}
diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
index aacb1a2c106..1aa02b55cc9 100644
--- a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: mozilla-rootcerts.sh,v 1.5 2013/03/15 16:14:55 bsiegert Exp $
+# $NetBSD: mozilla-rootcerts.sh,v 1.6 2014/09/06 08:03:00 wiz Exp $
#
# This script is meant to be used as follows:
#
@@ -162,13 +162,17 @@ extract)
# kill untrusted certificates (not clean, but the script which comes
# with "curl" works the same way)
untrusted = 0
+ # Read lines only until we find the trust data
+ # following the certificate, then stop.
while (getline) {
- if ($0 ~ /^#$/) break
- if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NSS_NOT_TRUSTED$/)
- untrusted = 1
- if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NETSCAPE_UNTRUSTED$/)
- untrusted = 1
+ if ($0 ~ /^CKA_TRUST_SERVER_AUTH/) break
}
+ # Test the result for untrusted status
+ if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NSS_NOT_TRUSTED$/)
+ untrusted = 1
+ if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NETSCAPE_UNTRUSTED$/)
+ untrusted = 1
+
if (untrusted) {
print filename " untrusted"
system("rm -f " filename)
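Review bot: The tests placed after the loop fail open: a certificate is deleted only when the trust line ends in `CKT_NSS_NOT_TRUSTED` or `CKT_NETSCAPE_UNTRUSTED`, so any other trust value, or reaching end of input without ever seeing a `CKA_TRUST_SERVER_AUTH` line, leaves `untrusted = 0` and the file stays installed. If the resulting store is meant for TLS server authentication, inverting the check so that only an explicitly trusted value keeps the file would fail closed, e.g. `if ($0 !~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_(NSS|NETSCAPE)_TRUSTED_DELEGATOR$/) untrusted = 1`. The loop condition is also worth tightening to `while ((getline) > 0) {`, because a read error returns -1, which is truthy and never reaches the `break`. Since the loop no longer stops at the `#` separator, it presumably relies on the next trust line belonging to the certificate just written; a comment stating that assumption would help. The enclosing awk block starts and ends outside this hunk.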