From 0ce410a62970237823902b30fd851778f09dc089 Mon Sep 17 00:00:00 2001
From: Guenter Knauf
Date: Mon, 5 Aug 2013 13:02:27 +0200
Subject: [PATCH] Simplify check for trusted certificates.

This changes the previous check for untrusted certs to a check for certs explicitely marked as trusted. The change is backward-compatible (tested with certdata.txt v1.80).
---
 lib/mk-ca-bundle.pl | 8 +++-----
 lib/mk-ca-bundle.vbs | 8 +++-----
 2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 873f8fb77..1a9c85985 100755
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -164,7 +164,7 @@ while () {
 if ($start_of_cert && /^CKA_LABEL UTF8 \"(.*)\"/) {
 $caname = $1;
 }
- my $untrusted = 0;
+ my $untrusted = 1;
 if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/) {
 my $data;
 while () {
@@ -184,10 +184,8 @@ while () {
 # now scan the trust part for untrusted certs
 while () {
 last if (/^#/);
- if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
- or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/
- or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_MUST_VERIFY_TRUST/) {
- $untrusted = 1;
+ if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUSTED_DELEGATOR$/) {
+ $untrusted = 0;
 }
 }
 if ($untrusted) {
diff --git a/lib/mk-ca-bundle.vbs b/lib/mk-ca-bundle.vbs
index a8b2358a1..d86807929 100755
--- a/lib/mk-ca-bundle.vbs
+++ b/lib/mk-ca-bundle.vbs
@@ -130,10 +130,8 @@ For i = 0 To UBound(myLines)
 myInsideCert = FALSE
 While (i < UBound(myLines)) And Not (myLines(i) = "#")
 i = i + 1
- If (InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED") Or _
- InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN") Or _
- InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST")) Then
- myUntrusted = TRUE
+ If InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR") Then
+ myUntrusted = FALSE
 End If
 Wend
 If (myUntrusted = TRUE) Then
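Review bot: The new default `my $untrusted = 1;` in the first lib/mk-ca-bundle.pl hunk (-164) carries the whole deny-by-default policy but has no comment, and the flag now reads as a double negative at the point where it is cleared. A one-line comment such as `# deny by default: only an explicit CKT_NSS_TRUSTED_DELEGATOR server-auth record clears this` would record the intent; the same applies to `myUntrusted = TRUE` in the second lib/mk-ca-bundle.vbs hunk. The declaration also sits before the `if ($start_of_cert && /^CKA_VALUE MULTILINE_OCTAL/)` block rather than inside it, so it is re-initialised on every input line. Whether anything after that block reads it cannot be seen, because the enclosing loop runs beyond the hunk.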
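Review bot: With the switch to an allow-list in the second lib/mk-ca-bundle.pl hunk (-184), the strict `$` anchor in `/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUSTED_DELEGATOR$/` makes a trailing carriage return or space on that line reject the certificate. If certdata.txt reaches this loop with CRLF endings, every certificate would be skipped and the bundle would come out empty. Ending the pattern with `\s*$` keeps the match exact on the token while tolerating line-ending differences, and a check that at least one certificate was written would turn an empty bundle into a visible failure; whether such a check already exists is not visible here. The context comment `# now scan the trust part for untrusted certs` is also stale and should read `# now scan the trust part for certs explicitly trusted for server auth`. The scan loop and the `if ($untrusted)` branch continue outside the hunk.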
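Review bot: The new test `InstrRev(myLines(i), "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR")` in the first lib/mk-ca-bundle.vbs hunk (-130) is an unanchored substring match. That was the conservative direction for the old deny-list but is the permissive one for an allow-list: any line that merely contains this text, including a longer token that starts with it, sets `myUntrusted = FALSE`. The Perl script anchors the same check at both ends of the line, so the two generators can now disagree on which certificates enter the bundle. An exact comparison such as `If Trim(myLines(i)) = "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR" Then` would keep them in step. The `For` loop around this code starts and ends outside the hunk.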
@@ -183,7 +181,7 @@ For i = 0 To UBound(myLines)
 End If
 If InstrRev(myLines(i), "CKA_VALUE MULTILINE_OCTAL") Then
 myInsideCert = TRUE
- myUntrusted = FALSE
+ myUntrusted = TRUE
 myData = ""
 End If
 If InstrRev(myLines(i), "***** BEGIN LICENSE BLOCK *****") Then