From 6629b908cd04f098327f13019c5db40ddf4fd078 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 8 Jan 2025 10:48:24 +0100
Subject: [PATCH] main/ca-certificates: backport fix to restore still valid
 certs

The following certs are restored:

- Entrust.net Premium 2048 Secure Server CA
- Entrust Root Certification Authority
- AffirmTrust Commercial
- AffirmTrust Networking
- AffirmTrust Premium
- AffirmTrust Premium ECC
- Entrust Root Certification Authority - G2
- Entrust Root Certification Authority - EC
- GLOBALTRUST 2020

ref: https://gitlab.alpinelinux.org/alpine/ca-certificates/-/issues/6
fixes: https://gitlab.alpinelinux.org/alpine/aports/-/issues/16812
---
 ...ove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch | 90 +++++++++++++++++++
 main/ca-certificates/APKBUILD                 |  7 +-
 2 files changed, 95 insertions(+), 2 deletions(-)
 create mode 100644 main/ca-certificates/0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch

diff --git a/main/ca-certificates/0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch b/main/ca-certificates/0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch
new file mode 100644
index 000000000000..3200d06542ec
--- /dev/null
+++ b/main/ca-certificates/0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch
@@ -0,0 +1,90 @@
+From 103d13b09c84715b868b0acff1e8240cc4f0cdba Mon Sep 17 00:00:00 2001
+From: Kevin Daudt <kdaudt@alpinelinux.org>
+Date: Tue, 7 Jan 2025 17:41:44 +0100
+Subject: [PATCH] mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
+
+Apply the [upstream patch][0] to restore certificates that are going to
+be removed in the future, but should still be available to verify
+existing certificates.
+
+Note that the CKA_NSS_SERVER_DISTRUST_AFTER attribute cannot be encoded
+in the generated certificate bundle, so that means newly generated
+certificates will be trusted as well. This is a trade-off between
+breaking existing certificates versus not trusting newly generated
+certificates.
+
+With this change, the following root certificates would be restored:
+
+- Entrust.net Premium 2048 Secure Server CA
+- Entrust Root Certification Authority
+- AffirmTrust Commercial
+- AffirmTrust Networking
+- AffirmTrust Premium
+- AffirmTrust Premium ECC
+- Entrust Root Certification Authority - G2
+- Entrust Root Certification Authority - EC
+- GLOBALTRUST 2020
+
+[0]:https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c.patch
+
+Fixes #6
+---
+ mk-ca-bundle.pl | 42 ------------------------------------------
+ 1 file changed, 42 deletions(-)
+
+diff --git a/mk-ca-bundle.pl b/mk-ca-bundle.pl
+index 926478f..3732213 100644
+--- a/mk-ca-bundle.pl
++++ b/mk-ca-bundle.pl
+@@ -552,48 +552,6 @@ while (<TXT>) {
+       }
+       next;
+     }
+-    elsif (/^CKA_NSS_SERVER_DISTRUST_AFTER (CK_BBOOL CK_FALSE|MULTILINE_OCTAL)/) {
+-      # Example:
+-      # CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
+-      # \062\060\060\066\061\067\060\060\060\060\060\060\132
+-      # END
+-      if($1 eq "MULTILINE_OCTAL") {
+-        my @timestamp;
+-        while (<TXT>) {
+-          last if (/^END/);
+-          chomp;
+-          my @octets = split(/\\/);
+-          shift @octets;
+-          for (@octets) {
+-            push @timestamp, chr(oct);
+-          }
+-        }
+-        scalar(@timestamp) == 13 or die "Failed parsing timestamp";
+-        # A trailing Z in the timestamp signifies UTC
+-        if($timestamp[12] ne "Z") {
+-          report "distrust date stamp is not using UTC";
+-        }
+-        # Example date: 200617000000Z
+-        # Means 2020-06-17 00:00:00 UTC
+-        my $distrustat =
+-          timegm($timestamp[10] . $timestamp[11], # second
+-                 $timestamp[8] . $timestamp[9],   # minute
+-                 $timestamp[6] . $timestamp[7],   # hour
+-                 $timestamp[4] . $timestamp[5],   # day
+-                 ($timestamp[2] . $timestamp[3]) - 1, # month
+-                 "20" . $timestamp[0] . $timestamp[1]); # year
+-        if(time >= $distrustat) {
+-          # not trusted anymore
+-          $skipnum++;
+-          report "Skipping: $main_block_name is not trusted anymore" if ($opt_v);
+-          $valid = 0;
+-        }
+-        else {
+-          # still trusted
+-        }
+-      }
+-      next;
+-    }
+     else {
+       next;
+     }
+-- 
+2.47.1
+
diff --git a/main/ca-certificates/APKBUILD b/main/ca-certificates/APKBUILD
index 9bda8560d034..cad4b9d251bc 100644
--- a/main/ca-certificates/APKBUILD
+++ b/main/ca-certificates/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=ca-certificates
 pkgver=20241121
-pkgrel=0
+pkgrel=1
 pkgdesc="Common CA certificates PEM files from Mozilla"
 url="https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/"
 arch="all"
@@ -15,7 +15,9 @@ replaces="openssl"
 options="!fhs !check"
 triggers="ca-certificates.trigger=/usr/share/ca-certificates:/usr/local/share/ca-certificates:/etc/ssl/certs:/etc/ca-certificates/update.d"
 install="$pkgname.post-deinstall"
-source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2"
+source="https://gitlab.alpinelinux.org/alpine/ca-certificates/-/archive/$pkgver/ca-certificates-$pkgver.tar.bz2
+	0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch
+	"
 
 build() {
 	make
@@ -70,4 +72,5 @@ bundle() {
 
 sha512sums="
 b24fba0f1f30933c9a27f1b2232ce3fcfddc6ad4de9f6bf42b5517ddc20268604823ed6e57821fe08ab9a5da7f2a4926ba0ecb08e095380eccc5c33cbe63df75  ca-certificates-20241121.tar.bz2
+b053077948458a50e013edac1434c684c19092fe47bbbbbd0e4a945db59011f8793530211065dda0198c87226928a8aa40c14dbced51dc3955c8c24558ef8826  0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch
 "
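Review bot: The APKBUILD gives no indication of why the new patch is carried or when it can be dropped, so the next pkgver bump has no way to tell whether the upstream ca-certificates tarball already contains the curl change; add a comment above the source= line, e.g. `# 0001-mk-ca-bundle-remove-CKA_NSS_SERVER_DISTRUST_AFTER-co.patch: backport of curl 448df98d9280b3290ecf63e5fc9452d487f41a7c` and `# drop once upstream ca-certificates ships it (alpine/ca-certificates#6)`. It would also help to record in that comment the trade-off stated only in the patch's own commit message: with the distrust-after check gone, certificates issued by these roots after Mozilla's distrust date are trusted by the generated bundle until the root is removed from certdata.txt entirely, so the package needs to keep tracking upstream certdata updates. No prepare() is visible in the hunk, so the patch presumably relies on abuild's default_prepare to be applied; confirm that, since an unapplied patch would leave pkgrel bumped with no behavioural change.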
-- 
GitLab