freebsd
diff --git a/‎security/ca_root_nss/Makefile‎
Lines changed: 1 addition & 0 deletions b/‎security/ca_root_nss/Makefile‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎security/ca_root_nss/files/MAca-bundle.pl.in‎
Lines changed: 39 additions & 10 deletions b/‎security/ca_root_nss/files/MAca-bundle.pl.in‎
Lines changed: 39 additions & 10 deletions
@@ -1,5 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
 
@@ -44,6 +44,8 @@ print <<EOH;
 ##  Authorities (CA). These were automatically extracted from Mozilla's
 ##  root CA list (the file `certdata.txt').
 ##
+##  It contains certificates trusted for server authentication.
+##
 ##  Extracted from nss-%%VERSION_NSS%%
 ##
 EOH
@@ -55,6 +57,13 @@ $debug++
 my %certs;
 my %trusts;
 
+# returns a string like YYMMDDhhmmssZ of current time in GMT zone
+sub timenow()
+{
+	my ($sec,$min,$hour,$mday,$mon,$year,undef,undef,undef) = gmtime(time);
+	return sprintf "%02d%02d%02d%02d%02d%02dZ", $year-100, $mon+1, $mday, $hour, $min, $sec;
+}
+
 sub printcert_plain($$)
 {
     my ($label, $certdata) = @_;
@@ -80,6 +89,8 @@ sub printcert($$) {
     printcert_info($a, $b);
 }
 
+# converts a datastream that is to be \177-style octal constants
+# from <> to a (binary) string and returns it
 sub graboct()
 {
     my $data;
@@ -94,12 +105,12 @@ sub graboct()
     return $data;
 }
 
-
 sub grabcert()
 {
     my $certdata;
-    my $cka_label;
-    my $serial;
+    my $cka_label = '';
+    my $serial = 0;
+    my $distrust = 0;
 
     while (<>) {
 	chomp;
@@ -116,6 +127,19 @@ sub grabcert()
 	if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
 	    $serial = graboct();
 	}
+
+	if (/^CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL/)
+	{
+	    my $distrust_after = graboct();
+	    my $time_now = timenow();
+	    if ($time_now >= $distrust_after) { $distrust = 1; }
+	    if ($debug) {
+		printf STDERR "line $.: $cka_label ser #%d: distrust after %s, now: %s -> distrust $distrust\n", $serial, $distrust_after, timenow();
+	    }
+	    if ($distrust) {
+		return undef;
+	    }
+	}
     }
     return ($serial, $cka_label, $certdata);
 }
@@ -138,13 +162,13 @@ sub grabtrust() {
 	    $serial = graboct();
 	}
 
-	if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
+	if (/^CKA_TRUST_SERVER_AUTH CK_TRUST (\S+)$/)
 	{
-	    if ($2 eq      'CKT_NSS_NOT_TRUSTED') {
+	    if ($1 eq      'CKT_NSS_NOT_TRUSTED') {
 		$distrust = 1;
-	    } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
+	    } elsif ($1 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
 		$maytrust = 1;
-	    } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
+	    } elsif ($1 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
 		confess "Unknown trust setting on line $.:\n"
 		. "$_\n"
 		. "Script must be updated:";
@@ -160,13 +184,19 @@ sub grabtrust() {
     return ($serial, $cka_label, $trust);
 }
 
+my $untrusted = 0;
+
 while (<>) {
     if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
 	my ($serial, $label, $certdata) = grabcert();
 	if (defined $certs{$label."\0".$serial}) {
 	    warn "Certificate $label duplicated!\n";
 	}
-	$certs{$label."\0".$serial} = $certdata;
+	if (defined $certdata) {
+	    $certs{$label."\0".$serial} = $certdata;
+	} else { # $certdata undefined? distrust_after in effect
+	    $untrusted ++;
+	}
     } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
 	my ($serial, $label, $trust) = grabtrust();
 	if (defined $trusts{$label."\0".$serial}) {
@@ -180,12 +210,11 @@ while (<>) {
 
 sub printlabel(@) {
     my @res = @_;
-    map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
+    map { s/\0.*//; s/[^[:print:]]/_/g; "\"$_\""; } @res;
     return wantarray ? @res : $res[0];
 }
 
 # weed out untrusted certificates
-my $untrusted = 0;
 foreach my $it (keys %trusts) {
     if (!$trusts{$it}) {
 	if (!exists($certs{$it})) {