[dev] `ca-certificates`: removing Mozilla CAs in favour of Microsoft ones (#1437)

2021-10-07 12:51:39 -07:00 · 2021-10-07 12:51:39 -07:00 · 514a5fcc54
parent 4f550c59ba
commit 514a5fcc54
17 changed files with 148 additions and 27396 deletions
--- a/.github/workflows/check_entangled_specs.py
+++ b/.github/workflows/check_entangled_specs.py
@ -19,6 +19,7 @@ version_release_matching_groups = [
    ]),
    frozenset([
        "SPECS/ca-certificates/ca-certificates.spec",
+        "SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec",
        "SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec"
    ])
 ]
--- a/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
+++ b/SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md
--- a/SPECS/LICENSES-AND-NOTICES/data/licenses.json
+++ b/SPECS/LICENSES-AND-NOTICES/data/licenses.json
@ -316,6 +316,7 @@
                "perl-Test-Warnings",
                "perl-Text-Template",
                "pigz",
+                "prebuilt-ca-certificates",
                "prebuilt-ca-certificates-base",
                "python-cachetools",
                "python-cherrypy",
--- a/SPECS/ca-certificates/ca-certificates.signatures.json
+++ b/SPECS/ca-certificates/ca-certificates.signatures.json
@ -10,15 +10,10 @@
  "README.src": "86184318d451bec55d70c84e618cbfe10c8adb7dc893964ce4aaecff99d83433",
  "README.usr": "0d2e90b6cf575678cd9d4f409d92258ef0d676995d4d733acdb2425309a38ff8",
  "bundle2pem.sh": "a61e0d9f34e21456cfe175e9a682f56959240e66dfeb75bd2457226226aa413a",
-  "ca-legacy": "de73a03a0cde4aff31ce3d5e27eecd03284a637c102e46b9e47d4369b5152ae0",
-  "ca-legacy.8.txt": "4fef2b8fed41d21ae559803b06074ca61a3f46648f174832542e3223d16dabf4",
-  "ca-legacy.conf": "400b96da374503fa6b6350a867347082d0c90e05ba4d02cc6b51b11229199c4d",
  "certdata.base.txt": "76c4cd1860b9a6f6ee9c2a0dcddcef46f65950b7ec12d2a7eeabeedca4e379f9",
-  "certdata.microsoft.txt": "37a832a646e56f75cd8a128d40bdb20a23b4e8794692b1b2d9ae243351c4d255",
-  "certdata.txt": "cc6408bd4be7fbfb8699bdb40ccb7f6de5780d681d87785ea362646e4dad5e8e",
-  "certdata2pem.py": "0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0",
-  "nssckbi.h": "9d916fe1586259d94632f186a736449e8344b8a18f7ac97253f13efc764d77ea",
-  "pem2bundle.sh": "79012e7fabf560c3b950349e500770a314006e5b330621a50147eeda11c633ea",
+  "certdata.microsoft.txt": "68736961bfab066c9e3d0edd23ede65fbe09650489b4cb64878cceb61db0d990",
+  "certdata2pem.py": "4f5848c14210758f19ab9fdc9ffd83733303a48642a3d47c4d682f904fdc0f33",
+  "pem2bundle.sh": "f96a2f0071fb80e30332c0bd95853183f2f49a3c98d5e9fc4716aeeb001e3426",
  "trust-fixes": "01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b",
  "update-ca-trust": "0c0c0600587db7f59ba5e399666152ea6de6059f37408f3946c43438d607efdd",
  "update-ca-trust.8.txt": "2470551bd11cc393ddf4cf43cf101c29d9f308c15469ee5e78908cfcf2437579"
--- a/SPECS/ca-certificates/ca-certificates.spec
+++ b/SPECS/ca-certificates/ca-certificates.spec
@ -1,91 +1,58 @@
 %define pkidir %{_sysconfdir}/pki
-%define catrustdir %{_sysconfdir}/pki/ca-trust
+%define catrustdir %{pkidir}/ca-trust
 %define classic_tls_bundle ca-bundle.crt
 %define openssl_format_trust_bundle ca-bundle.trust.crt
-%define legacy_default_bundle ca-bundle.legacy.default.crt
-%define legacy_disable_bundle ca-bundle.legacy.disable.crt
 %define java_bundle java/cacerts
-%define p11_format_mozilla_bundle ca-bundle.trust.mozilla.p11-kit
-%define legacy_default_mozilla_bundle ca-bundle.legacy.default.mozilla.crt
-%define legacy_disable_mozilla_bundle ca-bundle.legacy.disable.mozilla.crt
+
 %define p11_format_base_bundle ca-bundle.trust.base.p11-kit
-%define legacy_default_base_bundle ca-bundle.legacy.default.base.crt
-%define legacy_disable_base_bundle ca-bundle.legacy.disable.base.crt
+
 %define p11_format_microsoft_bundle ca-bundle.trust.microsoft.p11-kit
-%define legacy_default_microsoft_bundle ca-bundle.legacy.default.microsoft.crt
-%define legacy_disable_microsoft_bundle ca-bundle.legacy.disable.microsoft.crt

 # List of packages triggering legacy certs generation if 'ca-certificates-legacy'
 # is installed.
-%global watched_pkgs %{name}, %{name}-base, %{name}-microsoft
+%global watched_pkgs %{name}, %{name}-base

 # Rebuilding cert bundles with source certificates.
 %global refresh_bundles \
-%{_bindir}/ca-legacy install\
 %{_bindir}/update-ca-trust

-# Converts certdata.txt files to p11-kit format bundles and legacy crt files.
+# Converts certdata.txt files to p11-kit format bundles.
 # Arguments:
 # %1 - the source certdata.txt file;
 %define convert_certdata() \
 WORKDIR=$(basename %{1}.d) \
-mkdir -p $WORKDIR/certs/legacy-default \
-mkdir $WORKDIR/certs/legacy-disable \
+mkdir -p $WORKDIR/certs \
 mkdir $WORKDIR/java \
 pushd $WORKDIR/certs \
 pwd $WORKDIR \
 cp %{1} certdata.txt \
 python3 %{SOURCE4} >c2p.log 2>c2p.err \
 popd \
-%{SOURCE19} $WORKDIR %{SOURCE1} %{openssl_format_trust_bundle} %{legacy_default_bundle} %{legacy_disable_bundle} %{SOURCE3}
+%{SOURCE19} $WORKDIR %{openssl_format_trust_bundle} %{SOURCE3}

 # Installs bundle files to the right directories.
 # Arguments:
 # %1 - the source certdata.txt file;
 # %2 - output p11-kit format bundle name;
-# %3 - output legacy default bundle name;
-# %4 - output legacy disabled bundle name;
 %define install_bundles() \
 WORKDIR=$(basename %{1}.d) \
 install -p -m 644 $WORKDIR/%{openssl_format_trust_bundle} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
-install -p -m 644 $WORKDIR/%{legacy_default_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
-install -p -m 644 $WORKDIR/%{legacy_disable_bundle} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{3} \
-touch -r %{SOURCE0} %{buildroot}%{_datadir}/pki/ca-trust-legacy/%{4}
+touch -r %{SOURCE23} %{buildroot}%{_datadir}/pki/ca-trust-source/%{2}

 Summary:        Certificate Authority certificates
 Name:           ca-certificates
-# The files, certdata.txt and nssckbi.h, should be taken from a released version of NSS, as published
-# at https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
-#
-# The versions that are used by the latest released version of
-# Mozilla Firefox should be available from:
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
-# https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
-#
-# The most recent development versions of the files can be found at
-# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/nssckbi.h
-# http://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
-# (but these files might have not yet been released).

 # When updating, "Version" AND "Release" tags must be updated in the "prebuilt-ca-certificates" package as well.
 Version:        20200720
-Release:        15%{?dist}
+Release:        19%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          System Environment/Security
 URL:            https://hg.mozilla.org
-# Please always update both certdata.txt and nssckbi.h
-Source0:        https://hg.mozilla.org/releases/mozilla-release/raw-file/712412cb974c0392afe31fd9ce974b26ae3993c3/security/nss/lib/ckfw/builtins/certdata.txt
-Source1:        nssckbi.h
 Source2:        update-ca-trust
 Source3:        trust-fixes
 Source4:        certdata2pem.py
-Source5:        ca-legacy.conf
-Source6:        ca-legacy
-Source9:        ca-legacy.8.txt
 Source10:       update-ca-trust.8.txt
 Source11:       README.usr
 Source12:       README.etc
@ -99,6 +66,7 @@ Source19:       pem2bundle.sh
 Source20:       LICENSE
 Source21:       certdata.base.txt
 Source22:       bundle2pem.sh
+# The certdata.microsoft.txt is provided by Microsoft's Trusted Root Program.
 Source23:       certdata.microsoft.txt

 BuildRequires:  /bin/ln
@ -116,18 +84,19 @@ Requires(post): %{name}-tools = %{version}-%{release}
 Requires(post): coreutils
 Requires(postun): %{name}-tools = %{version}-%{release}

+Provides:       ca-certificates-microsoft = %{version}-%{release}
 Provides:       ca-certificates-mozilla = %{version}-%{release}

 BuildArch:      noarch

 %description
-The Public Key Inrastructure is used for many security issues in a
-Linux system. In order for a certificate to be trusted, it must be
-signed by a trusted agent called a Certificate Authority (CA). The
-certificates loaded by this section are from the list on the Mozilla
-version control system and formats it into a form used by
-OpenSSL-1.0.1e. The certificates can also be used by other applications
-either directly of indirectly through openssl.
+The Public Key Inrastructure is used for many security issues in
+a Linux system. In order for a certificate to be trusted, it must be
+signed by a trusted agent called a Certificate Authority (CA).
+The certificates loaded by this section are from the list of CAs trusted
+through the Microsoft Trusted Root Program and formats it into a form
+used by OpenSSL-1.0.1e. The certificates can also be used by other
+applications either directly of indirectly through OpenSSL.

 %package shared
 Summary:        A set of directories and files required by all certificate packages.
@ -148,18 +117,6 @@ Requires(postun): %{name}-tools = %{version}-%{release}
 %description base
 %{summary}

-%package microsoft
-Summary:        A list of CAs trusted through the Microsoft Trusted Root Program.
-Group:          System Environment/Security
-
-Requires:       %{name}-shared = %{version}-%{release}
-Requires(post): %{name}-tools = %{version}-%{release}
-Requires(post): coreutils
-Requires(postun): %{name}-tools = %{version}-%{release}
-
-%description microsoft
-%{summary}
-
 %package tools
 Summary:        Cert generation tools.
 Group:          System Environment/Security
@ -178,28 +135,21 @@ Requires:       %{name}-shared = %{version}-%{release}

 %description legacy
 Provides a legacy version of ca-bundle.crt in the format of "[hash].0 -> [hash].pem"
-pairs under %{_sysconfdir}/pki/tls/certs.
+pairs under %{pkidir}/tls/certs.

 %prep -q
-rm -rf %{name}
 mkdir %{name}

 %build
 cp -p %{SOURCE20} .

-%convert_certdata %{SOURCE0}
 %convert_certdata %{SOURCE21}
 %convert_certdata %{SOURCE23}

 #manpage
 cp %{SOURCE10} %{name}/update-ca-trust.8.txt
 asciidoc.py -v -d manpage -b docbook %{name}/update-ca-trust.8.txt
-xsltproc --nonet -o %{name}/update-ca-trust.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml
-
-cp %{SOURCE9} %{name}/ca-legacy.8.txt
-asciidoc.py -v -d manpage -b docbook %{name}/ca-legacy.8.txt
-xsltproc --nonet -o %{name}/ca-legacy.8 /etc/asciidoc/docbook-xsl/manpage.xsl %{name}/ca-legacy.8.xml
-
+xsltproc --nonet -o %{name}/update-ca-trust.8 %{_sysconfdir}/asciidoc/docbook-xsl/manpage.xsl %{name}/update-ca-trust.8.xml

 %install
 mkdir -p -m 755 %{buildroot}%{pkidir}/tls/certs
@ -216,12 +166,10 @@ mkdir -p -m 755 %{buildroot}%{catrustdir}/extracted/edk2
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/anchors
 mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-source/blacklist
-mkdir -p -m 755 %{buildroot}%{_datadir}/pki/ca-trust-legacy
 mkdir -p -m 755 %{buildroot}%{_bindir}
 mkdir -p -m 755 %{buildroot}%{_mandir}/man8

 install -p -m 644 %{name}/update-ca-trust.8 %{buildroot}%{_mandir}/man8
-install -p -m 644 %{name}/ca-legacy.8 %{buildroot}%{_mandir}/man8
 install -p -m 644 %{SOURCE11} %{buildroot}%{_datadir}/pki/ca-trust-source/README
 install -p -m 644 %{SOURCE12} %{buildroot}%{catrustdir}/README
 install -p -m 644 %{SOURCE13} %{buildroot}%{catrustdir}/extracted/README
@ -231,23 +179,16 @@ install -p -m 644 %{SOURCE16} %{buildroot}%{catrustdir}/extracted/pem/README
 install -p -m 644 %{SOURCE17} %{buildroot}%{catrustdir}/extracted/edk2/README
 install -p -m 644 %{SOURCE18} %{buildroot}%{catrustdir}/source/README

-install -p -m 644 %{SOURCE5} %{buildroot}%{catrustdir}/ca-legacy.conf
-
-# Mozilla certs
-%install_bundles %{SOURCE0} %{p11_format_mozilla_bundle} %{legacy_default_mozilla_bundle} %{legacy_disable_mozilla_bundle}
-
 # base certs
-%install_bundles %{SOURCE21} %{p11_format_base_bundle} %{legacy_default_base_bundle} %{legacy_disable_base_bundle}
+%install_bundles %{SOURCE21} %{p11_format_base_bundle}

 # Microsoft certs
-%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle} %{legacy_default_microsoft_bundle} %{legacy_disable_microsoft_bundle}
+%install_bundles %{SOURCE23} %{p11_format_microsoft_bundle}

 # TODO: consider to dynamically create the update-ca-trust script from within
 #       this .spec file, in order to have the output file+directory names at once place only.
 install -p -m 755 %{SOURCE2} %{buildroot}%{_bindir}/update-ca-trust

-install -p -m 755 %{SOURCE6} %{buildroot}%{_bindir}/ca-legacy
-
 install -p -m 755 %{SOURCE22} %{buildroot}%{_bindir}/bundle2pem.sh

 # touch ghosted files that will be extracted dynamically
@ -264,37 +205,28 @@ touch %{buildroot}%{catrustdir}/extracted/%{java_bundle}
 chmod 444 %{buildroot}%{catrustdir}/extracted/%{java_bundle}
 touch %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
 chmod 444 %{buildroot}%{catrustdir}/extracted/edk2/cacerts.bin
-touch %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
-chmod 444 %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
-touch %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
-chmod 444 %{buildroot}%{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}

-# /etc/ssl/certs symlink for 3rd-party tools
-ln -s ../pki/tls/certs \
-    %{buildroot}%{_sysconfdir}/ssl/certs
-# legacy filenames
+# Directory links for compatibility with 3rd-party tools
+mkdir -p %{buildroot}%{_libdir}/ssl
+for link in "%{_sysconfdir}/ssl/certs" "%{_libdir}/ssl/certs"; do
+  ln -s %{pkidir}/tls/certs "%{buildroot}$link"
+done
+
+# Legacy file names and links for compatibility with 3rd-party tools
+for link in "%{classic_tls_bundle}" ca-certificates.crt; do
+  ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem "%{buildroot}%{pkidir}/tls/certs/$link"
+done
 ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
    %{buildroot}%{pkidir}/tls/cert.pem
-ln -s %{catrustdir}/extracted/pem/tls-ca-bundle.pem \
-    %{buildroot}%{pkidir}/tls/certs/%{classic_tls_bundle}
 ln -s %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle} \
    %{buildroot}%{pkidir}/tls/certs/%{openssl_format_trust_bundle}
 ln -s %{catrustdir}/extracted/%{java_bundle} \
    %{buildroot}%{pkidir}/%{java_bundle}

 %post
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_mozilla_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
 %{refresh_bundles}

 %post base
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_base_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_base_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_base_bundle}
-%{refresh_bundles}
-
-%post microsoft
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_default_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_default_microsoft_bundle}
-cp -f %{_datadir}/pki/ca-trust-legacy/%{legacy_disable_microsoft_bundle} %{_datadir}/pki/ca-trust-source/%{legacy_disable_microsoft_bundle}
 %{refresh_bundles}

 %postun
@ -319,53 +251,26 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %triggerpostun -n %{name}-legacy -- %{watched_pkgs}
 %{_bindir}/bundle2pem.sh %{pkidir}/tls/certs/%{classic_tls_bundle}

-%postun microsoft
-%{refresh_bundles}
-
-%clean
-
-
 %files
-# Mozilla certs bundle file with trust
-%{_datadir}/pki/ca-trust-source/%{p11_format_mozilla_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_mozilla_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_mozilla_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_bundle}
+# Microsoft certs bundle file with trust
+%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}

 %files base
 %{_datadir}/pki/ca-trust-source/%{p11_format_base_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_base_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_base_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_base_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_base_bundle}
-
-%files microsoft
-%{_datadir}/pki/ca-trust-source/%{p11_format_microsoft_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_default_microsoft_bundle}
-%{_datadir}/pki/ca-trust-legacy/%{legacy_disable_microsoft_bundle}
-
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_default_microsoft_bundle}
-%ghost %{_datadir}/pki/ca-trust-source/%{legacy_disable_microsoft_bundle}

 %files shared
 %license LICENSE

-%config(noreplace) %{catrustdir}/ca-legacy.conf
-
 # symlinks for old locations
 %{pkidir}/tls/cert.pem
 %{pkidir}/tls/certs/%{classic_tls_bundle}
 %{pkidir}/tls/certs/%{openssl_format_trust_bundle}
+%{pkidir}/tls/certs/ca-certificates.crt
 %{pkidir}/%{java_bundle}

 # symlink directory
 %{_sysconfdir}/ssl/certs
-
-# ghost files
-%ghost %{catrustdir}/source/ca-bundle.legacy.crt
+%{_libdir}/ssl/certs

 # README files
 %{_datadir}/pki/ca-trust-source/README
@ -381,7 +286,6 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %dir %{_datadir}/pki/ca-trust-source
 %dir %{_datadir}/pki/ca-trust-source/anchors
 %dir %{_datadir}/pki/ca-trust-source/blacklist
-%dir %{_datadir}/pki/ca-trust-legacy
 %dir %{_sysconfdir}/ssl
 %dir %{catrustdir}
 %dir %{catrustdir}/extracted
@ -406,15 +310,27 @@ rm -f %{pkidir}/tls/certs/*.{0,pem}
 %files tools
 # update/extract tool
 %{_bindir}/update-ca-trust
-%{_bindir}/ca-legacy

 %{_mandir}/man8/update-ca-trust.8.gz
-%{_mandir}/man8/ca-legacy.8.gz

 %files legacy
 %{_bindir}/bundle2pem.sh

 %changelog
+* Thu Sep 23 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-19
+- Removing Mozilla certs and making Microsoft's the default ones.
+- Removed support for legacy certdata.txt fields.
+- Removed the use of checked-in "nssckbi.h".
+
+* Mon Sep 13 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-18
+- Updating Microsoft trusted root CAs.
+
+* Fri Aug 20 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-17
+- Adding directory and files links for compatibility reasons.
+
+* Fri Aug 20 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-16
+- Removing the 'ca-legacy' script along with the empty files and broken links it generated.
+
 * Wed Jul 07 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-15
 - Updating Microsoft trusted root CAs.

--- a/SPECS/ca-certificates/certdata.microsoft.txt
+++ b/SPECS/ca-certificates/certdata.microsoft.txt
--- a/SPECS/ca-certificates/certdata.txt
+++ b/SPECS/ca-certificates/certdata.txt
--- a/SPECS/ca-certificates/certdata2pem.py
+++ b/SPECS/ca-certificates/certdata2pem.py
@ -158,18 +158,6 @@ trust_types = {
  "CKA_TRUST_STEP_UP_APPROVED": "step-up-approved",
 }

-legacy_trust_types = {
-  "LEGACY_CKA_TRUST_SERVER_AUTH": "server-auth",
-  "LEGACY_CKA_TRUST_CODE_SIGNING": "code-signing",
-  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "email-protection",
-}
-
-legacy_to_real_trust_types = {
-  "LEGACY_CKA_TRUST_SERVER_AUTH": "CKA_TRUST_SERVER_AUTH",
-  "LEGACY_CKA_TRUST_CODE_SIGNING": "CKA_TRUST_CODE_SIGNING",
-  "LEGACY_CKA_TRUST_EMAIL_PROTECTION": "CKA_TRUST_EMAIL_PROTECTION",
-}
-
 openssl_trust = {
  "CKA_TRUST_SERVER_AUTH": "serverAuth",
  "CKA_TRUST_CLIENT_AUTH": "clientAuth",
@ -185,8 +173,6 @@ for tobj in objects:
        distrustbits = []
        openssl_trustflags = []
        openssl_distrustflags = []
-        legacy_trustbits = []
-        legacy_openssl_trustflags = []
        for t in list(trust_types.keys()):
            if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
                trustbits.append(t)
@ -197,15 +183,6 @@ for tobj in objects:
                if t in openssl_trust:
                    openssl_distrustflags.append(openssl_trust[t])

-        for t in list(legacy_trust_types.keys()):
-            if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
-                real_t = legacy_to_real_trust_types[t]
-                legacy_trustbits.append(real_t)
-                if real_t in openssl_trust:
-                    legacy_openssl_trustflags.append(openssl_trust[real_t])
-            if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
-                raise NotImplementedError('legacy distrust not supported.\n' + line)
-
        fname = obj_to_filename(tobj)
        try:
            obj = certmap[key]
@ -219,40 +196,6 @@ for tobj in objects:
        #dumpf.write(str(tobj));
        #dumpf.close();

-        is_legacy = 0
-        if 'LEGACY_CKA_TRUST_SERVER_AUTH' in tobj or 'LEGACY_CKA_TRUST_EMAIL_PROTECTION' in tobj or 'LEGACY_CKA_TRUST_CODE_SIGNING' in tobj:
-            is_legacy = 1
-            if obj == None:
-                raise NotImplementedError('found legacy trust without certificate.\n' + line)
-
-            legacy_fname = "legacy-default/" + fname + ".crt"
-            f = open(legacy_fname, 'w')
-            f.write("# alias=%s\n"%tobj['CKA_LABEL'])
-            f.write("# trust=" + " ".join(legacy_trustbits) + "\n")
-            if legacy_openssl_trustflags:
-                f.write("# openssl-trust=" + " ".join(legacy_openssl_trustflags) + "\n")
-            f.write("-----BEGIN CERTIFICATE-----\n")
-            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
-            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
-            f.write("\n".join(temp_wrapped))
-            f.write("\n-----END CERTIFICATE-----\n")
-            f.close()
-
-            if 'CKA_TRUST_SERVER_AUTH' in tobj or 'CKA_TRUST_EMAIL_PROTECTION' in tobj or 'CKA_TRUST_CODE_SIGNING' in tobj:
-                legacy_fname = "legacy-disable/" + fname + ".crt"
-                f = open(legacy_fname, 'w')
-                f.write("# alias=%s\n"%tobj['CKA_LABEL'])
-                f.write("# trust=" + " ".join(trustbits) + "\n")
-                if openssl_trustflags:
-                    f.write("# openssl-trust=" + " ".join(openssl_trustflags) + "\n")
-                f.write("-----BEGIN CERTIFICATE-----\n")
-                f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
-                f.write("\n-----END CERTIFICATE-----\n")
-                f.close()
-
-            # don't produce p11-kit output for legacy certificates
-            continue
-
        pk = ''
        cert_comment = ''
        if obj != None:
--- a/SPECS/ca-certificates/pem2bundle.sh
+++ b/SPECS/ca-certificates/pem2bundle.sh
@ -8,70 +8,20 @@ set -x
 echo Parameters passed: $@

 CERTDIR="$1"
-NSSCKBI_H="$2"
-P11_FORMAT_BUNDLE="$3"
-LEGACY_DEFAULT_BUNDLE="$4"
-LEGACY_DISABLE_BUNDLE="$5"
-TRUST_FIXES="$6"
+P11_FORMAT_BUNDLE="$2"
+TRUST_FIXES="$3"

 pushd $CERTDIR
 (
   cat <<EOF
-# This is a bundle of X.509 certificates of public Certificate
-# Authorities.  It was generated from a list of root CAs.
+# This is a bundle of X.509 certificates of Microsoft-trusted Certificate
+# Authorities. It was generated from a list of root CAs.
 # These certificates and trust/distrust attributes use the file format accepted
 # by the p11-kit-trust module.
-#
-# Source: nss/lib/ckfw/builtins/certdata.txt
-# Source: nss/lib/ckfw/builtins/nssckbi.h
-#
-# Generated from:
 EOF
-   cat $NSSCKBI_H  |grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}';
-   echo '#';
 ) > $P11_FORMAT_BUNDLE
- 
-  touch $LEGACY_DEFAULT_BUNDLE
- NUM_LEGACY_DEFAULT=`find certs/legacy-default -type f | wc -l`
- if [ $NUM_LEGACY_DEFAULT -ne 0 ]; then
-     for f in certs/legacy-default/*.crt; do 
-       echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
-       targs=""
-       if [ -n "$tbits" ]; then
-          for t in $tbits; do
-             targs="${targs} -addtrust $t"
-          done
-       fi
-       if [ -n "$targs" ]; then
-          echo "legacy default flags $targs for $f" >> info.trust
-          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> $LEGACY_DEFAULT_BUNDLE
-       fi
-     done
- fi

- touch $LEGACY_DISABLE_BUNDLE
- NUM_LEGACY_DISABLE=`find certs/legacy-disable -type f | wc -l`
- if [ $NUM_LEGACY_DISABLE -ne 0 ]; then
-     for f in certs/legacy-disable/*.crt; do 
-       echo "processing $f"
-       tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
-       alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
-       targs=""
-       if [ -n "$tbits" ]; then
-          for t in $tbits; do
-             targs="${targs} -addtrust $t"
-          done
-       fi
-       if [ -n "$targs" ]; then
-          echo "legacy disable flags $targs for $f" >> info.trust
-          openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> $LEGACY_DISABLE_BUNDLE
-       fi
-     done
- fi
-
- P11FILES=`find certs -name \*.tmp-p11-kit | wc -l`
+ P11FILES=$(find certs -name \*.tmp-p11-kit | wc -l)
 if [ $P11FILES -ne 0 ]; then
   for p in certs/*.tmp-p11-kit; do 
     cat "$p" >> $P11_FORMAT_BUNDLE
--- a/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
+++ b/SPECS/prebuilt-ca-certificates-base/prebuilt-ca-certificates-base.spec
@ -2,7 +2,7 @@
 Summary:        Prebuilt version of ca-certificates-base package.
 Name:           prebuilt-ca-certificates-base
 Version:        20200720
-Release:        15%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -10,31 +10,26 @@ Group:          System Environment/Security
 URL:            https://hg.mozilla.org
 BuildArch:      noarch

+BuildRequires:  ca-certificates-base = %{version}-%{release}
+
+Conflicts:      ca-certificates-shared
+Conflicts:      prebuilt-ca-certificates
+
 %description
 Prebuilt version of the ca-certificates-base package with no runtime dependencies.

-BuildRequires:  ca-certificates-base
-
-Conflicts:      ca-certificates
-Conflicts:      ca-certificates-base
-Conflicts:      ca-certificates-microsoft
-
 %prep -q

 %build

 %install

-mkdir -p %{buildroot}%{_datadir}/pki/ca-trust-legacy/
 mkdir -p %{buildroot}%{_sysconfdir}/pki/

-install -p -m 644 %{_datadir}/pki/ca-trust-legacy/* %{buildroot}%{_datadir}/pki/ca-trust-legacy/
 cp -r %{_sysconfdir}/pki/* %{buildroot}%{_sysconfdir}/pki/

 find %{buildroot} -name README -delete

-rm %{buildroot}%{_sysconfdir}/pki/ca-trust/ca-legacy.conf
-rm %{buildroot}%{_sysconfdir}/pki/ca-trust/source/ca-bundle.legacy.crt
 rm %{buildroot}%{_sysconfdir}/pki/tls/*.cnf
 rm %{buildroot}%{_sysconfdir}/pki/rpm-gpg/*

@ -44,9 +39,23 @@ rm %{buildroot}%{_sysconfdir}/pki/rpm-gpg/*
 %{_sysconfdir}/pki/tls/certs/*
 %{_sysconfdir}/pki/ca-trust/extracted/*
 %{_sysconfdir}/pki/java/cacerts
-%{_datadir}/pki/ca-trust-legacy/*

 %changelog
+* Thu Sep 23 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-19
+- Making 'Release' match with 'ca-certificates'.
+- Removing legacy components.
+- Adding a conflict with a new prebuilt set of certs.
+
+* Mon Sep 13 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-18
+- Making 'Release' match with 'ca-certificates'.
+
+* Fri Aug 20 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-17
+- Making 'Release' match with 'ca-certificates'.
+
+* Fri Aug 20 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-16
+- Making 'Release' match with 'ca-certificates'.
+- No longer have to remove 'ca-bundle.legacy.crt' and 'ca-legacy.conf' - gone from 'ca-certificates'.
+
 * Wed Jul 07 2021 CBL-Mariner Service Account <cblmargh@microsoft.com> - 20200720-15
 - Making 'Release' match with 'ca-certificates'.

--- a/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
+++ b/SPECS/prebuilt-ca-certificates/prebuilt-ca-certificates.spec
@ -0,0 +1,49 @@
+# When updating, "Version" AND "Release" tags must be updated in the "ca-certificates" package as well.
+Summary:        Prebuilt version of ca-certificates package.
+Name:           prebuilt-ca-certificates
+Version:        20200720
+Release:        19%{?dist}
+License:        MIT
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+Group:          System Environment/Security
+URL:            https://hg.mozilla.org
+BuildArch:      noarch
+
+BuildRequires:  ca-certificates = %{version}-%{release}
+
+Conflicts:      ca-certificates-shared
+Conflicts:      prebuilt-ca-certificates-base
+
+%description
+Prebuilt version of the ca-certificates package with no runtime dependencies.
+
+%prep -q
+
+# We don't want the pre-installed base set of certificates
+# to get mixed into the bundle provided by 'ca-certificates'.
+rpm -e ca-certificates-base
+
+%build
+
+%install
+
+mkdir -p %{buildroot}%{_sysconfdir}/pki/
+
+cp -r %{_sysconfdir}/pki/* %{buildroot}%{_sysconfdir}/pki/
+
+find %{buildroot} -name README -delete
+
+rm %{buildroot}%{_sysconfdir}/pki/tls/*.cnf
+rm %{buildroot}%{_sysconfdir}/pki/rpm-gpg/*
+
+%files
+# Certs bundle file with trust
+%{_sysconfdir}/pki/tls/cert.pem
+%{_sysconfdir}/pki/tls/certs/*
+%{_sysconfdir}/pki/ca-trust/extracted/*
+%{_sysconfdir}/pki/java/cacerts
+
+%changelog
+* Thu Sep 23 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 20200720-19
+- Original version for CBL-Mariner.
--- a/toolkit/docs/security/ca-certificates.md
+++ b/toolkit/docs/security/ca-certificates.md
@ -11,7 +11,7 @@
 This package contains the basic SSL CA certificates available to use on all images. The certificates are split into two sub packages:

 - `ca-certificates-base` - package containing the minimal set of certificates required by the package management tools to authenticate the package repositories.
- `ca-certificates` - package containig a collection of Mozilla certificates listed in [Mozzila's certdata.txt file](https://hg.mozilla.org/releases/mozilla-release/file/tip/security/nss/lib/ckfw/builtins/certdata.txt). For exact version information please consult the [`ca-certificates.spec`](../../../SPECS/ca-certificates/ca-certificates.spec). Installing this package will automatically pull in `ca-certificates-base`.
+- `ca-certificates` - package containing a collection of CAs trusted through the [Microsoft Trusted Root Program](https://docs.microsoft.com/en-us/security/trusted-root/release-notes). For exact version information please consult the [`ca-certificates.spec`](../../../SPECS/ca-certificates/ca-certificates.spec). Installing this package will automatically pull in `ca-certificates-base`.

 In addition to the certificates, the `ca-certificates-tools` package provides tooling for [installation of custom certificates](#custom-configuration-of-the-ca-certificates).

--- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt
@ -225,9 +225,9 @@ libffi-devel-3.2.1-12.cm2.aarch64.rpm
 libtasn1-4.14-3.cm2.aarch64.rpm
 p11-kit-0.23.22-3.cm2.aarch64.rpm
 p11-kit-trust-0.23.22-3.cm2.aarch64.rpm
-ca-certificates-shared-20200720-15.cm2.noarch.rpm
-ca-certificates-tools-20200720-15.cm2.noarch.rpm
-ca-certificates-base-20200720-15.cm2.noarch.rpm
+ca-certificates-shared-20200720-19.cm2.noarch.rpm
+ca-certificates-tools-20200720-19.cm2.noarch.rpm
+ca-certificates-base-20200720-19.cm2.noarch.rpm
 dwz-0.13-4.cm2.aarch64.rpm
 unzip-6.0-19.cm2.aarch64.rpm
 python3-3.7.10-3.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@ -225,9 +225,9 @@ libffi-devel-3.2.1-12.cm2.x86_64.rpm
 libtasn1-4.14-3.cm2.x86_64.rpm
 p11-kit-0.23.22-3.cm2.x86_64.rpm
 p11-kit-trust-0.23.22-3.cm2.x86_64.rpm
-ca-certificates-shared-20200720-15.cm2.noarch.rpm
-ca-certificates-tools-20200720-15.cm2.noarch.rpm
-ca-certificates-base-20200720-15.cm2.noarch.rpm
+ca-certificates-shared-20200720-19.cm2.noarch.rpm
+ca-certificates-tools-20200720-19.cm2.noarch.rpm
+ca-certificates-base-20200720-19.cm2.noarch.rpm
 dwz-0.13-4.cm2.x86_64.rpm
 unzip-6.0-19.cm2.x86_64.rpm
 python3-3.7.10-3.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@ -17,12 +17,11 @@ bzip2-1.0.6-16.cm2.aarch64.rpm
 bzip2-debuginfo-1.0.6-16.cm2.aarch64.rpm
 bzip2-devel-1.0.6-16.cm2.aarch64.rpm
 bzip2-libs-1.0.6-16.cm2.aarch64.rpm
-ca-certificates-20200720-15.cm2.noarch.rpm
-ca-certificates-base-20200720-15.cm2.noarch.rpm
-ca-certificates-legacy-20200720-15.cm2.noarch.rpm
-ca-certificates-microsoft-20200720-15.cm2.noarch.rpm
-ca-certificates-shared-20200720-15.cm2.noarch.rpm
-ca-certificates-tools-20200720-15.cm2.noarch.rpm
+ca-certificates-20200720-19.cm2.noarch.rpm
+ca-certificates-base-20200720-19.cm2.noarch.rpm
+ca-certificates-legacy-20200720-19.cm2.noarch.rpm
+ca-certificates-shared-20200720-19.cm2.noarch.rpm
+ca-certificates-tools-20200720-19.cm2.noarch.rpm
 check-0.12.0-5.cm2.aarch64.rpm
 check-debuginfo-0.12.0-5.cm2.aarch64.rpm
 cmake-3.17.3-5.cm2.aarch64.rpm
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@ -17,12 +17,11 @@ bzip2-1.0.6-16.cm2.x86_64.rpm
 bzip2-debuginfo-1.0.6-16.cm2.x86_64.rpm
 bzip2-devel-1.0.6-16.cm2.x86_64.rpm
 bzip2-libs-1.0.6-16.cm2.x86_64.rpm
-ca-certificates-20200720-15.cm2.noarch.rpm
-ca-certificates-base-20200720-15.cm2.noarch.rpm
-ca-certificates-legacy-20200720-15.cm2.noarch.rpm
-ca-certificates-microsoft-20200720-15.cm2.noarch.rpm
-ca-certificates-shared-20200720-15.cm2.noarch.rpm
-ca-certificates-tools-20200720-15.cm2.noarch.rpm
+ca-certificates-20200720-19.cm2.noarch.rpm
+ca-certificates-base-20200720-19.cm2.noarch.rpm
+ca-certificates-legacy-20200720-19.cm2.noarch.rpm
+ca-certificates-shared-20200720-19.cm2.noarch.rpm
+ca-certificates-tools-20200720-19.cm2.noarch.rpm
 check-0.12.0-5.cm2.x86_64.rpm
 check-debuginfo-0.12.0-5.cm2.x86_64.rpm
 cmake-3.17.3-5.cm2.x86_64.rpm
--- a/toolkit/resources/manifests/package/update_manifests.sh
+++ b/toolkit/resources/manifests/package/update_manifests.sh
@ -44,7 +44,6 @@ remove_packages_for_pkggen_core () {
    sed -i '/alsa-lib-/d' $TmpPkgGen
    sed -i '/ca-certificates-[0-9]/d' $TmpPkgGen
    sed -i '/ca-certificates-legacy/d' $TmpPkgGen
-    sed -i '/ca-certificates-microsoft/d' $TmpPkgGen
    sed -i '/libtasn1-d/d' $TmpPkgGen
    sed -i '/libpkgconf-devel/d' $TmpPkgGen
    sed -i '/lua-static/d' $TmpPkgGen