pkgsrc-Bugs archive


pkg/49176: certdata-20140820.txt of mozilla-rootcerts missing cert marks previous cert untrusted



>Number:         49176
>Category:       pkg
>Synopsis:       certdata-20140820.txt of mozilla-rootcerts missing cert marks previous cert untrusted
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 05 23:05:00 +0000 2014
>Originator:     John D. Baker
>Release:        pkgsrc-HEAD (25-Aug-2014 08:35 UTC)
>Organization:
>Environment:
NetBSD gx260a 7.99.1 NetBSD 7.99.1 (NO_DRM) #5: Sun Aug 24 20:26:20 CDT 2014 sysop%verthandi.technoskunk.fur@localhost:/d0/build/current/obj/i386/sys/arch/i386/compile/NO_DRM i386

>Description:
When running 'mozilla-rootcerts' with the "extract" or "install"
options, several certificates are later flagged "untrusted" and
removed immediately after extraction.

How the 'mozilla-rootcerts' script does this depends on maintaining
the regular structure of the "certdata*.txt" input file.  Specifically:

#
# Certificate foo
#
# blah
# blah
[...]
CKA_VALUE MULTILINE_OCTAL
<octal data>
[...]
END

# Trust for Certificate foo
# blah
# blah
[...]
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATE
[...]

#
# Certificate bar
#
[...]

The script first extracts the CKA_VALUE data, passing it to 'openssl'
to convert to PEM format and saving it in a file.

It then parses the trust data assumed to be following the certificate,
looking for something with "NOT_TRUSTED" or "UNTRUSTED" as a signal
to delete the file.  It only stops parsing trust data when it sees
a line containing only a "#" (regexp /^#$/) such as found at the start
of the next Certificate.

The "certdata-20140820.txt" file contains a trust data section without
a preceding certificate.  The trust section indicates the missing
certificate is untrusted.  The 'mozilla-rootcerts' script parses this
extraneous trust section as though it belonged to the preceding certificate,
marking it untrusted and removing it.
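The parse the description lays out, as an added Python model that is not the mozilla-rootcerts script itself: naive_walk() reproduces the behaviour described above (treat everything after END up to the next bare "#" as the last certificate's trust data), robust_walk() instead matches a trust block to a certificate by its "# Issuer:" and "# Serial Number:" comment lines so an orphan distrust block has nothing to delete, and apply_placeholder() shows why the placeholder proposed under Fix stops the naive scan. The certdata excerpt, the CA names and the octal blobs are constructed; the assumption that every trust block carries Issuer and Serial Number comments in that order is taken from the patch in the Fix section.

```python
"""Added model of the certdata.txt walk this PR describes (not the script)."""
import base64
import re

OCTAL_RE = re.compile(r"\\([0-7]{3})")
HEADER_RE = re.compile(r"^# (Certificate|Trust for|Distrust) ")
PLACEHOLDER = '#\n# Certificate "Placeholder for missing certificate"\n#\n'
is_untrusted = lambda line: "NOT_TRUSTED" in line or "UNTRUSTED" in line

# Constructed certdata.txt excerpt (assumed minimal form of the real file):
# cert "foo", an orphan distrust block with no certificate of its own, then
# cert "bar" which really is distrusted.  The octal blobs are dummy DER.
CERTDATA = r"""#
# Certificate "foo"
#
# Issuer: CN=Foo Root CA,O=Foo
# Serial Number: 1 (0x1)
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
# Trust for "foo"
# Issuer: CN=Foo Root CA,O=Foo
# Serial Number: 1 (0x1)
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Distrust "a leaf that does not comply with the baseline requirements"
# Issuer: CN=Some Other CA,O=Other
# Serial Number: 3 (0x3)
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
#
# Certificate "bar"
#
# Issuer: CN=Bar Root CA,O=Bar
# Serial Number: 2 (0x2)
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
# Trust for "bar"
# Issuer: CN=Bar Root CA,O=Bar
# Serial Number: 2 (0x2)
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
"""

def octal_to_der(octal_lines):
    """Decode NSS MULTILINE_OCTAL escapes (\\ddd) into raw DER bytes."""
    return bytes(int(o, 8) for ln in octal_lines for o in OCTAL_RE.findall(ln))

def to_pem(der):
    """PEM armour, as the script gets it back from openssl x509 -inform DER."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def naive_walk(text):
    """Behaviour the PR describes: after END, every line up to the next bare
    '#' is the last certificate's trust data; UNTRUSTED/NOT_TRUSTED deletes it."""
    lines, kept, current, i = text.splitlines(), {}, None, 0
    while i < len(lines):
        if lines[i].startswith("# Certificate "):
            current = lines[i][len("# Certificate "):].strip('"')
        elif lines[i] == "CKA_VALUE MULTILINE_OCTAL":
            end = lines.index("END", i)
            kept[current] = to_pem(octal_to_der(lines[i + 1:end]))
            i = end
            while i + 1 < len(lines) and lines[i + 1] != "#":  # trust scan
                i += 1
                if is_untrusted(lines[i]):
                    kept.pop(current, None)  # the orphan block lands here too
        i += 1
    return kept

def parse_records(text):
    """Split the file into records starting at a Certificate / Trust for /
    Distrust heading; "id" collects the Issuer and Serial Number comments."""
    records, lines = [], iter(text.splitlines())
    rec = {"label": "", "id": (), "octal": [], "attrs": []}  # pre-header sink
    for line in lines:
        m = HEADER_RE.match(line)
        if m:
            rec = {"label": line[m.end():].strip('"'), "id": (), "octal": [], "attrs": []}
            records.append(rec)
        elif line.startswith(("# Issuer: ", "# Serial Number: ")):
            rec["id"] += (line.split(": ", 1)[1],)  # assumed order: Issuer, Serial
        elif line == "CKA_VALUE MULTILINE_OCTAL":
            rec["octal"] = list(iter(lines.__next__, "END"))
        elif line.startswith("CKA_"):
            rec["attrs"].append(line)
    return records

def robust_walk(text):
    """Attach a trust record to a certificate only when Issuer and Serial
    Number match, so an orphan distrust record has nothing to delete."""
    certs, kept = {}, {}
    for rec in parse_records(text):
        if rec["octal"]:
            certs[rec["id"]] = rec["label"]
            kept[rec["label"]] = to_pem(octal_to_der(rec["octal"]))
        elif rec["id"] in certs and any(map(is_untrusted, rec["attrs"])):
            kept.pop(certs[rec["id"]], None)
    return kept

def apply_placeholder(text):
    """The PR's workaround: a bare '#' heading ahead of the orphan block."""
    return text.replace("# Distrust ", PLACEHOLDER + "# Distrust ", 1)
```

On the constructed input naive_walk() deletes "foo" because the orphan NOT_TRUSTED line sits before the next bare "#"; robust_walk() keeps "foo", ignores the orphan block and still drops "bar", whose own trust record says NOT_TRUSTED; after apply_placeholder() the naive scan stops at the inserted "#" and "foo" survives as well.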
>How-To-Repeat:
Build and install "security/mozilla-rootcerts" from pkgsrc-HEAD after
25 August 2014 08:35UTC.

Build and install "net/clive".

Clean out or move aside "/etc/ssl/certs" and "/etc/openssl/certs" and
run 'mozilla-rootcerts install'

Attempt to fetch a video from YouTube with an "https://..." URL using
'clive'.

Watch it fail to authenticate due to missing root certificate.
>Fix:
The following patch adds a placeholder for the missing certificate
that satisfies the requirements of the 'mozilla-rootcerts' script to
stop parsing certificate trust data.

--- certdata-20140820.txt.orig  2014-09-05 17:16:28.000000000 -0500
+++ certdata-20140820.txt       2014-09-05 17:20:01.000000000 -0500
@@ -607,6 +607,17 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
+#
+# Certificate Placeholder for missing certificate
+#
+# Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
+# Serial Number: 1407252 (0x157914)
+# Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
+# Not Valid Before: Mon Feb 01 14:54:04 2010
+# Not Valid After : Tue Sep 30 00:00:00 2014
+# Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
+# Fingerprint (SHA1): 
30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
+
 # Distrust "Distrust a pb.com certificate that does not comply with the 
baseline requirements."
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 1407252 (0x157914)
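Review bot: the placeholder patches the data file but leaves the parser as it is, so the mozilla-rootcerts script will still take every line after `END` up to the next bare `#` as the previous certificate's trust data, and the next certdata update that carries a standalone distrust entry (this one has its own `# Issuer:` and `# Serial Number:` header, visible in the trailing context) will delete a root again. The script should also stop at a `# Trust for` or `# Distrust` heading, or compare the trust block's Serial Number against the certificate it just extracted, so the placeholder can be dropped. Separately, as quoted here the SHA1 fingerprint line has wrapped onto a continuation line (`30:F1:...`) with no leading `+`, so the hunk will not apply until that line is rejoined with the `+# Fingerprint (SHA1):` line above it.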


