authordrochner <drochner@pkgsrc.org>2011-09-08 19:46:01 +0000
committerdrochner <drochner@pkgsrc.org>2011-09-08 19:46:01 +0000
commitde4be5b666fd7bba111755113161aecc28093928 (patch)
treea4556bd17227a8989e08ac797d19bdfa0dfbe6b5 /security
parent8825f85a3ca096419d76159a120c16c1b0653dd8 (diff)
mozilla has switched to a scheme of explicitly distrusting certificates
in its stable branch (ie firefox-6.0.2) too, so deal with this in the mozilla-rootcerts script (this is not great - it depends on syntactic details of the file where it should better use checksums, but the perl script which is distributed with "curl" works the same way), and switch back to the certificate list in CVS HEAD
Diffstat (limited to 'security')
-rw-r--r--security/mozilla-rootcerts/Makefile9
-rw-r--r--security/mozilla-rootcerts/distinfo8
-rw-r--r--security/mozilla-rootcerts/files/mozilla-rootcerts.sh16
3 files changed, 21 insertions, 12 deletions
diff --git a/security/mozilla-rootcerts/Makefile b/security/mozilla-rootcerts/Makefile
index a3eb70c564a..9426acb9fc3 100644
--- a/security/mozilla-rootcerts/Makefile
+++ b/security/mozilla-rootcerts/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2011/08/31 11:42:43 drochner Exp $
+# $NetBSD: Makefile,v 1.8 2011/09/08 19:46:01 drochner Exp $
DISTNAME= mozilla-rootcerts-1.0.${CERTDATA_DATE}
CATEGORIES= security
@@ -15,12 +15,7 @@ PKG_DESTDIR_SUPPORT= user-destdir
USE_TOOLS= awk:run echo:run expr:run ln:run ls:run openssl:run rm:run
-# This is not the file from the repository in HOMEPAGE above but
-# the version distributed with firefox-6.0.1.
-# (Newer versions seem to handle trust explicitely so that the mere
-# presence of a certificate doesn't mean that it is trusted. The
-# extraction by our "mozilla-rootcerts" script doesn't handle this.)
-CERTDATA_DATE= 20110830
+CERTDATA_DATE= 20110902
CERTDATA= certdata-${CERTDATA_DATE}.txt
WRKSRC= ${WRKDIR}
diff --git a/security/mozilla-rootcerts/distinfo b/security/mozilla-rootcerts/distinfo
index 348cc512650..ce894ee87dc 100644
--- a/security/mozilla-rootcerts/distinfo
+++ b/security/mozilla-rootcerts/distinfo
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.4 2011/08/31 11:42:43 drochner Exp $
+$NetBSD: distinfo,v 1.5 2011/09/08 19:46:01 drochner Exp $
-SHA1 (certdata-20110830.txt) = a43ca7e68478739b2a12fb5d32a745b29170dfa1
-RMD160 (certdata-20110830.txt) = c31be39b17bbced1ea0caec011ca58cdef7ddde3
-Size (certdata-20110830.txt) = 1151237 bytes
+SHA1 (certdata-20110902.txt) = 57a828431cc50f38726b483f967d8bb941f60672
+RMD160 (certdata-20110902.txt) = 6a47daa687a9b62163d9f4cf6506757f5ebc8fe0
+Size (certdata-20110902.txt) = 1224942 bytes
diff --git a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
index 9cc783184eb..4638303ec3e 100644
--- a/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
+++ b/security/mozilla-rootcerts/files/mozilla-rootcerts.sh
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# $NetBSD: mozilla-rootcerts.sh,v 1.3 2010/10/22 10:41:50 wiz Exp $
+# $NetBSD: mozilla-rootcerts.sh,v 1.4 2011/09/08 19:46:01 drochner Exp $
#
# This script is meant to be used as follows:
#
@@ -156,6 +156,20 @@ extract)
}
}
close(cmd)
+ # kill untrusted certificates (not clean, but the script which comes
+ # with "curl" works the same way)
+ untrusted = 0
+ while (getline) {
+ if ($0 ~ /^#$/) break
+ if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NSS_NOT_TRUSTED$/)
+ untrusted = 1
+ if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_NETSCAPE_UNTRUSTED$/)
+ untrusted = 1
+ }
+ if (untrusted) {
+ print filename " untrusted"
+ system("rm -f " filename)
+ }
}
}'
;;
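Review bot: The added loop fails open: a certificate is removed only when its CKA_TRUST_SERVER_AUTH line carries one of the two explicit not-trusted values, so an entry with any other non-anchor value (for example CKT_NSS_MUST_VERIFY_TRUST), or one whose trust record does not directly follow the certificate before the next lone `#` line, stays in the extracted set. For a trust store it is safer to invert the test and keep a file only when server-auth trust is explicitly a trusted delegator, as sketched below; this would presumably also drop roots trusted for e-mail only, which should be confirmed as intended. `while (getline)` also never terminates if getline returns -1 on a read error, hence `(getline) > 0` in the sketch. The enclosing awk block and the origin of `filename`, which is passed unquoted to `system("rm -f " filename)`, lie outside the hunk, so the quoting of that argument should be checked there.

```sh
		# … unchanged: certificate written out, close(cmd) …
		# keep a certificate only when server-auth trust is explicitly granted
		trusted = 0
		while ((getline) > 0) {
			if ($0 ~ /^#$/) break
			if ($0 ~ /^CKA_TRUST_SERVER_AUTH.*CK_TRUST.*CKT_(NSS|NETSCAPE)_TRUSTED_DELEGATOR$/)
				trusted = 1
		}
		if (!trusted) {
			print filename " untrusted"
			system("rm -f " filename)
		}
```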