+ is_distrusted = False
+ has_server_trust = False
+ has_email_trust = False
+ has_code_trust = False
+
+ if 'CKA_TRUST_SERVER_AUTH' in tobj:
+ if tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
+ is_distrusted = True
+ elif tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ has_server_trust = True
+
+ if 'CKA_TRUST_EMAIL_PROTECTION' in tobj:
+ if tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED':
+ is_distrusted = True
+ elif tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ has_email_trust = True
+
+ if 'CKA_TRUST_CODE_SIGNING' in tobj:
+ if tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED':
+ is_distrusted = True
+ elif tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
+ has_code_trust = True
+
+ if is_distrusted:
+ trust_ext_oid = "1.3.6.1.4.1.3319.6.10.1"
+ trust_ext_value = "0.%06%0a%2b%06%01%04%01%99w%06%0a%01%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
+
+ trust_ext_oid = "2.5.29.37"
+ if has_server_trust:
+ if has_email_trust:
+ if has_code_trust:
+ # server + email + code
+ trust_ext_value = "0%2a%06%03U%1d%25%01%01%ff%04 0%1e%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ else:
+ # server + email
+ trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%01"
+ else:
+ if has_code_trust:
+ # server + code
+ trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%01%06%08%2b%06%01%05%05%07%03%03"
+ else:
+ # server
+ trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%01"
+ else:
+ if has_email_trust:
+ if has_code_trust:
+ # email + code
+ trust_ext_value = "0 %06%03U%1d%25%01%01%ff%04%160%14%06%08%2b%06%01%05%05%07%03%04%06%08%2b%06%01%05%05%07%03%03"
+ else:
+ # email
+ trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%04"
+ else:
+ if has_code_trust:
+ # code
+ trust_ext_value = "0%16%06%03U%1d%25%01%01%ff%04%0c0%0a%06%08%2b%06%01%05%05%07%03%03"
+ else:
+ # none
+ trust_ext_value = "0%18%06%03U%1d%25%01%01%ff%04%0e0%0c%06%0a%2b%06%01%04%01%99w%06%0a%10"
+
+ # no 2.5.29.37 for neutral certificates
+ if (is_distrusted or has_server_trust or has_email_trust or has_code_trust):
+ write_cert_ext_to_file(f, trust_ext_oid, trust_ext_value, pk)
+
+ pk = ''
+ f.write("\n")
+
+ f.write("[p11-kit-object-v1]\n")
+ f.write("label: ");
+ f.write(tobj['CKA_LABEL'])
+ f.write("\n")
+ if is_distrusted:
+ f.write("x-distrusted: true\n")
+ elif has_server_trust or has_email_trust or has_code_trust:
+ f.write("trusted: true\n")
+ else:
+ f.write("trusted: false\n")
+
+ # requires p11-kit >= 0.23.4
+ f.write("nss-mozilla-ca-policy: true\n")
+ f.write("modifiable: false\n");
+
+ # requires p11-kit >= 0.23.19
+ for t in list(cert_distrust_types.keys()):
+ if t in obj:
+ value = obj[t]
+ if value == 'CK_FALSE':
+ value = bytearray(1)
+ f.write(cert_distrust_types[t] + ": \"")
+ f.write(urllib.parse.quote(value));
+ f.write("\"\n")
+