Package: ca-certificates
Version: 20130906
Followup-For: Bug #683403
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu trusty ubuntu-patch

*** /tmp/tmpG_KsCC/bug_body

OpenSSL doesn't appear to correctly handle not having both versions of the same signed roots. I have decided that we need to ship both versions to fix a long-standing bug where some websites simply weren't accessible.

In Ubuntu, the attached patch was applied to achieve the following:

  * mozilla/certdata2pem.py: Work around openssl issue by shipping both
    versions of the same signed roots. Previously, the script would simply
    overwrite the first one found in the certdata.txt with the later one
    since they both have the same CKA_LABEL, resulting in identical
    filenames. (LP: #1014640)

Thanks for considering the patch.

-- System Information:
Debian Release: wheezy/sid
  APT prefers saucy-updates
  APT policy: (500, 'saucy-updates'), (500, 'saucy-security'), (500, 'saucy-proposed'), (500, 'saucy'), (100, 'saucy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.11.0-15-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

diff -Nru ca-certificates-20130906/debian/changelog ca-certificates-20130906ubuntu1/debian/changelog diff -Nru ca-certificates-20130906/mozilla/certdata2pem.py ca-certificates-20130906ubuntu1/mozilla/certdata2pem.py --- ca-certificates-20130906/mozilla/certdata2pem.py 2013-09-07 03:40:28.000000000 -0400 +++ ca-certificates-20130906ubuntu1/mozilla/certdata2pem.py 2013-12-05 07:38:27.000000000 -0500 @@ -116,12 +116,16 @@ if obj['CKA_CLASS'] == 'CKO_CERTIFICATE': if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]: continue - fname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ + bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\ .replace(' ', '_')\ .replace('(', '=')\ .replace(')', '=')\ - .replace(',', '_') + '.crt' - fname = fname.decode('string_escape') + .replace(',', '_') + bname = bname.decode('string_escape') + fname = bname + '.crt' + if os.path.exists(fname): + print "Found duplicate certificate name %s, renaming." % bname + fname = bname + '_2.crt' f = open(fname, 'w') f.write("-----BEGIN CERTIFICATE-----\n") f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
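
Review bot: the added `if os.path.exists(fname):` branch in mozilla/certdata2pem.py handles only one collision. A third certificate with the same CKA_LABEL would again be assigned `bname + '_2.crt'` and overwrite the second, which is the silent-overwrite behaviour this change is meant to remove. Consider a counter loop (`_2`, `_3`, ...) that runs until an unused name is found. The check also depends on what is already on disk rather than on what this run has written: if the output directory still holds `.crt` files from an earlier run, every certificate will be treated as a duplicate and written as `_2.crt`, so tracking the names emitted so far in a set inside the script would be more robust, and it would keep the mapping from root to filename stable between builds. The hunk does not show an `import os`, so please confirm the script already imports it. Finally, since two files will now share a label, a short comment saying which variant of the root gets the `_2` suffix (it follows certdata.txt order) would help anyone auditing the installed trust store.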