p11-kit-0.23.2-4.8.3

- Also build documentation (boo#1013125)

- support loading NSS attribute CKA_NSS_MOZILLA_CA_POLICY so Firefox
  detects built in certificates (boo#1154871,
  0001-Fix-a-typo-in-x-cetrificate-value-see-also-https-bug.patch,
  0001-Support-loading-new-NSS-attribute-CKA_NSS_MOZILLA_CA.patch)

- Use %license instead of %doc [bsc#1082318]

- 32-bit compatibility fixes:
  * Add PKCS11 module to p11-kit-32bit (bsc#996047#c39)
  * Add p11-kit-nss-trust-32bit NSS module
  * Fix potential bi-arch issue with private binaries
    (fdo#98817, p11-kit-biarch.patch)

- Update to 0.23.2
  * Fix forking issues with libffi
  * Fix various crashes in corner cases
  * Updated translations
  * Build fixes
- Make building more verbose
- Enable tests
- Small spec file cleanup with spec-cleaner

- Update to version 0.23.1 (stable)
  * Use new PKCS#11 URI draft fields for URIs [fdo#86474 fdo#87582]
  * Add pem-directory-hash extract format
  * Build fixes
- Remove 0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff;
  fixed on upstream release
- Remove autoconf, automake and libtool require; unneeded dependencies
- Add gtk-doc require; needed to build html documentation
- Remove redundant %clean section

- remove patches:
  * trust-Print-label-of-certificate-when-complaining-.patch
  * trust-Dont-use-invalid-public-keys-for-looking-up-.patch
- new version 0.20.7 (stable)
  * New public pkcs11x.h header containing extensions [fdo#83495]
  * Export necessary defines to lookup attached extensions [fdo#83495]
  * Build fixes
- new version 0.20.6 (stable)
  * Make the p11-kit-proxy.so module respect critical = no [fdo#83651]
  * Build fix for FreeBSD [fdo#75674]
- new version 0.20.5 (stable)
  * Don't use invalid keys for looking up stapled extensions [fdo#82328]
  * Better error messages when invalid certificate extensions
  * Fix parsing of some odd OpenSSL TRUSTED CERTIFICATE files
  * Fix some leaks, and memory issues
  * Silence some clang scanner warnings
- new version 0.20.4 (stable)
  * Don't complain about C_Finalize after a fork
  * Fix typo

- new version 0.20.3
  * Fix problems reinitializing managed modules after fork
  * Fix bad bookeeping when fail initializing one of the modules
  * Fix case where module would be unloaded while in use [#74919]
  * Remove assertions when module used before initialized [#74919]
  * Fix handling of mmap failure and mapping empty files [#74773]
  * Stable p11_kit_be_quiet() and p11_kit_be_loud() functions
  * Require automake 1.12 or later
  * Build fixes for Windows [#76594 #74149]
- apply patches to avoid errors from certificates with invalid public key
  (fdo#82328, bnc#890908,
  trust-Dont-use-invalid-public-keys-for-looking-up-.patch,
  trust-Print-label-of-certificate-when-complaining-.patch)

- New version 0.20.2
  * Fix bug where blacklist didn't affect extracted ca-anchors if the anchor
    and blacklist were not in the same trust path (regression) [fdo#73558]
  * Check for race in BasicConstraints stapled extension [fdo#69314]
  * Build fixes and cleanup

- added .sig file. trying to locate source of the keyring.

- trust: allow to also add openssl style hashes to pem-directory
  0001-trust-allow-to-also-add-openssl-style-hashes-to-pem-d.diff

- upgrade to 0.20.1 which is 0.19 declared stable
  * Extract compat trust data after we've changes
  * Skip compat extraction if running as non-root
  * Better failure messages when removing anchors

- 0001-common-Use-reallocarray-instead-of-realloc-as-approp.patch
  0001-Check-for-arithmetic-overflows-before-allocating.patch
  0001-Follow-up-to-arithmetic-overflow-fix.patch:
  Fixed multiple integer overflows in rpc code (bsc#1180064
  CVE-2020-29361)

- Add support for CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER (bsc#1187993,
  0001-trust-Support-CKA_NSS_-SERVER-EMAIL-_DISTRUST_AFTER.patch)
- add bcond to spec file to enable debug easily

- new version 0.19.4
  * 'trust anchor' now adds/removes certificate anchors
  * 'trust list' lists trust policy stuff
  * 'p11-kit extract' is now 'trust extract'
  * 'p11-kit extract-trust' is now 'trust extract-compat'
  * Workarounds for working on broken zfsonlinux.org [#68525]
  * Add --with-module-config parameter to the configure script [#68122]
  * Add support for removing stored PKCS#11 objects in trust module

- new version 0.19.3
  * Fix up problems with automake testing
  * Fix a bunch of memory leaks in newly refactored code
  * Don't use _GNU_SOURCE and the unportability it brings
  * Add basic 'trust anchor' command to store a new anchor
  * Support for writing out trust token objects
  * Port to use CKA_PUBLIC_KEY_INFO and updated trust store spec
  * Add option to use freebl for hashing
  * Implement reloading of token data
  * Fix warnings and possible minor bugs higlighted by code scanners
  * Don't load configs in home directories when running setuid or setgid
  * Support treating ~/.config as $XDG_CONFIG_HOME
  * Use $XDG_DATA_HOME/pkcs11 as default user config directory
  * Use $TMPDIR instead of $TEMP while testing
  * Open files and fds with O_CLOEXEC
  * Abort initialization if a critical module fails to load
  * Don't use thread-unsafe functions: strerror, getpwuid
  * Fix p11_kit_space_strlen() result when empty string
  * Refactoring of where various components live

- fix 32bit provides of libnssckbi.so
- repace p11-kit-extract-trust with update-ca-certificates

- provide libnssckbi.so to replace mozilla-nss-certs

- add p11-kit-nss-trust subpackage that serves as drop-in
  replacement for mozilla-nss-certs

- use /etc/pki/trust and /usr/share/pki/trust as system CA
  certificate store

- CVE-2020-29362: Fixed a 4 byte overread (bsc#1180065)
  Added p11-kit-CVE-2020-29362.patch: