mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions

Apply the [upstream patch][0] to restore certificates that are going to be removed in the future, but should still be available to verify existing certificates. Note that the CKA_NSS_SERVER_DISTRUST_AFTER cannot be encoded in the generated certificate bundle, so that means newly generated certificates will be trusted as well. This is a trade-off between breaking existing certificates versus not trusting newly generated certificates. With this change, the following root certificates would be restored: - Entrust.net Premium 2048 Secure Server CA - Entrust Root Certification Authority - AffirmTrust Commercial - AffirmTrust Networking - AffirmTrust Premium - AffirmTrust Premium ECC - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC - GLOBALTRUST 2020 [0]:https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c.patch Fixes #6

mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
45f9e4dd · Kevin Daudt · 35fc7508 · 45f9e4dd
Commit 45f9e4dd authored 2 months ago by Kevin Daudt
--- a/mk-ca-bundle.pl
+++ b/mk-ca-bundle.pl
@@ -552,48 +552,6 @@ while (<TXT>) {
      }
      next;
    }
-    elsif (/^CKA_NSS_SERVER_DISTRUST_AFTER (CK_BBOOL CK_FALSE|MULTILINE_OCTAL)/) {
-      # Example:
-      # CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
-      # \062\060\060\066\061\067\060\060\060\060\060\060\132
-      # END
-      if($1 eq "MULTILINE_OCTAL") {
-        my @timestamp;
-        while (<TXT>) {
-          last if (/^END/);
-          chomp;
-          my @octets = split(/\\/);
-          shift @octets;
-          for (@octets) {
-            push @timestamp, chr(oct);
-          }
-        }
-        scalar(@timestamp) == 13 or die "Failed parsing timestamp";
-        # A trailing Z in the timestamp signifies UTC
-        if($timestamp[12] ne "Z") {
-          report "distrust date stamp is not using UTC";
-        }
-        # Example date: 200617000000Z
-        # Means 2020-06-17 00:00:00 UTC
-        my $distrustat =
-          timegm($timestamp[10] . $timestamp[11], # second
-                 $timestamp[8] . $timestamp[9],   # minute
-                 $timestamp[6] . $timestamp[7],   # hour
-                 $timestamp[4] . $timestamp[5],   # day
-                 ($timestamp[2] . $timestamp[3]) - 1, # month
-                 "20" . $timestamp[0] . $timestamp[1]); # year
-        if(time >= $distrustat) {
-          # not trusted anymore
-          $skipnum++;
-          report "Skipping: $main_block_name is not trusted anymore" if ($opt_v);
-          $valid = 0;
-        }
-        else {
-          # still trusted
-        }
-      }
-      next;
-    }
    else {
      next;
    }