Also skip certs masked as CKT_NSS_TRUST_UNKNOWN.

Fix posted by Tomas Hoger <thoger redhat com>.

diff --git a/lib/mk-ca-bundle.pl b/lib/mk-ca-bundle.pl
index 868e238..189ed01 100755 (executable)
--- a/lib/mk-ca-bundle.pl
+++ b/lib/mk-ca-bundle.pl
@@ -160,7 +160,8 @@ while (<TXT>) {
     }
     while (<TXT>) {
       last if (/^#$/);
-      $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/);
+      $untrusted = 1 if (/^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_NOT_TRUSTED$/
+                     or /^CKA_TRUST_SERVER_AUTH\s+CK_TRUST\s+CKT_NSS_TRUST_UNKNOWN$/);
     }
     if ($untrusted) {
       $skipnum ++;