SPECS/ca-certificates/ca-certificates.spec
 Summary:        Certificate Authority certificates
 Name:           ca-certificates
 Version:        20190521
 Release:        1%{?dist}
 License:        Custom
 # http://anduin.linuxfromscratch.org/BLFS/other/certdata.txt
 URL:            http://anduin.linuxfromscratch.org/BLFS/other/
 Group:          System Environment/Security
 Vendor:         VMware, Inc.
 Distribution:   Photon
 Source0:        certdata.txt
 Requires:       openssl
 BuildRequires:  openssl
 Requires:       ca-certificates-pki = %{version}-%{release}
 Requires(post): /bin/ln
 Provides:       ca-certificates-mozilla
 
 %description
 The Public Key Infrastructure is used for many security issues in a
 Linux system. In order for a certificate to be trusted, it must be
 signed by a trusted agent called a Certificate Authority (CA). The
 certificates loaded by this section are taken from the list in the Mozilla
 version control system and formatted into a form used by
 OpenSSL-1.0.1e. The certificates can also be used by other applications
 either directly or indirectly through openssl.
 
 %package pki
 Summary:  Certificate Authority certificates (pki tls certs)
 Group:    System Environment/Security
 
 %description pki
 Certificate Authority certificates (pki tls certs)
 
 %prep -p exit
 
 %build
 # Intended to wipe the build directory before starting, guarded against
 # an expansion of "/".  As written the guard never passes: the macro
 # tested is %%{builddir}, while every other line of this section uses
 # %%{_builddir}, and the closing "]" is glued to "/" so the test builtin
 # reports a missing "]" and the && never reaches rm.  The line is
 # therefore a no-op that only prints an error at build time.
 [ %{builddir} != "/"] && rm -rf %{builddir}/*
 install -vdm 755 %{_builddir}/bin/
 # Copy the upstream Mozilla certdata.txt next to the helper scripts.
 cp %{SOURCE0} %{_builddir}
 #
 # make-cert.pl
 #
 cat > %{_builddir}/bin/make-cert.pl << "EOF"
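 #!/usr/bin/perl -w
 # Used to generate PEM encoded files from Mozilla certdata.txt.
 # Run as ./make-cert.pl > certificate.crt
 # Parts of this script courtesy of RedHat (mkcabundle.pl)
 # This script modified for use with single file data (tempfile.cer) extracted
 # from certdata.txt, taken from the latest version in the Mozilla NSS source.
 # mozilla/security/nss/lib/ckfw/builtins/certdata.txt
 # Authors:  DJ Lucas
 #   Bruce Dubbs
 # Version 20120211
 #
 # Reads ./tempfile.cer line by line.  Each "CKA_VALUE MULTILINE_OCTAL"
 # block holds one DER certificate as backslash-separated octal byte
 # values; every byte is decoded and streamed into "openssl x509", which
 # writes the text/PEM form to our STDOUT.  A line starting with END
 # closes the block.  Dies if the input cannot be opened or if openssl
 # rejects the data, so a malformed record does not silently yield an
 # empty output file.
 use strict;
 use warnings;
 
 my $certdata = './tempfile.cer';
 
 # Three-argument open on the file itself.  The original read it through
 # "cat $certdata|", which passes the file name to a shell for no benefit.
 open( my $in, '<', $certdata )
     or die "could not open $certdata: $!";
 
 # openssl writes directly to our STDOUT; flush our own prints as they
 # happen so the separators below cannot be reordered after its output.
 $| = 1;
 
 my $incert = 0;
 my $out;
 while ( my $line = <$in> )
 {
     if ( $line =~ /^CKA_VALUE MULTILINE_OCTAL/ )
     {
         $incert = 1;
         # List-form pipe open: openssl is executed without a shell.
         open( $out, '|-', 'openssl', 'x509', '-text', '-inform', 'DER', '-fingerprint' )
             or die "could not pipe to openssl x509: $!";
         binmode( $out );    # raw DER bytes, no layer translation
     }
     elsif ( $line =~ /^END/ && $incert )
     {
         # close() on a pipe waits for openssl; a false return means it
         # exited non-zero, i.e. the bytes were not a parseable certificate.
         close( $out )
             or die "openssl x509 failed (exit status " . ( $? >> 8 ) . ")";
         $incert = 0;
         print "\n\n";
     }
     elsif ( $incert )
     {
         chomp $line;
         # Bytes are written as \NNN; the field before the first backslash
         # is always empty and is skipped.
         for my $octet ( split( /\\/, $line ) )
         {
             printf {$out} "%c", oct( $octet ) unless $octet eq '';
         }
     }
 }
 close( $in );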
 EOF
 #
 # make-ca.sh
 #
 cat > %{_builddir}/bin/make-ca.sh << "EOF"
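 #!/bin/bash
 # Begin make-ca.sh
 # Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
 # The file certdata.txt must exist in the local directory
 # Version number is obtained from the version of the data.
 # Authors: DJ Lucas
 #          Bruce Dubbs
 # Version 20120211
 #
 # Outline: split certdata.txt into one temporary file per "# Certificate"
 # record, drop the records whose CKA_TRUST_SERVER_AUTH attribute is
 # TRUST_UNKNOWN or NOT_TRUSTED, convert each remaining record to PEM with
 # make-cert.pl, store it as certs/<subject hash>.pem and concatenate all
 # of them into the bundle file named after the data revision.
 certdata="certdata.txt"
 if [ ! -r "${certdata}" ]; then
   echo "${certdata} must be in the local directory"
   exit 1
 fi
 REVISION=$(grep CVS_ID "${certdata}" | cut -f4 -d'$')
 if [ -z "${REVISION}" ]; then
   # The original message used $certfile, which is never set.
   echo "${certdata} has no 'Revision' in CVS_ID"
   exit 1
 fi
 # REVISION looks like "Revision: 1.87 "; the unquoted echo collapses the
 # surrounding whitespace before the second field is taken.
 VERSION=$(echo ${REVISION} | cut -f2 -d" ")
 TEMPDIR=$(mktemp -d) || exit 1
 TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
 BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
 # NOTE: the spec's build section rewrites the next assignment with sed so
 # the installed copy points at /bin/make-cert.pl; keep its text as is.
 CONVERTSCRIPT="bin/make-cert.pl"
 mkdir "${TEMPDIR}/certs" || exit 1
 # Get a list of starting lines for each cert
 CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
 # Get a list of ending lines for each cert
 CERTENDLIST=$(grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1)
 # Pair every start line with the first end line that follows it
 for certbegin in ${CERTBEGINLIST}; do
   certend=""
   for candidate in ${CERTENDLIST}; do
     if test "${candidate}" -gt "${certbegin}"; then
       certend="${candidate}"
       break
     fi
   done
   if [ -z "${certend}" ]; then
     # The original silently reused the previous iteration's end line here.
     echo "No end marker found for the record starting at line ${certbegin}; skipping"
     continue
   fi
   # Dump to a temp file with the name of the file as the beginning line number
   sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
 done
 unset CERTBEGINLIST CERTENDLIST certbegin certend candidate
 mkdir -p certs
 rm -f certs/*      # Make sure the directory is clean
 for tempfile in "${TEMPDIR}"/certs/*.tmp; do
   [ -e "${tempfile}" ] || continue    # glob did not match: nothing extracted
   # Make sure that the cert is trusted...
   if grep "${TRUSTATTRIBUTES}" "${tempfile}" | \
      grep -E "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null; then
     # Throw a meaningful error and remove the file
     cp "${tempfile}" tempfile.cer
     perl "${CONVERTSCRIPT}" > tempfile.crt
     keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
     echo "Certificate ${keyhash} is not trusted!  Removing..."
     rm -f tempfile.cer tempfile.crt "${tempfile}"
     continue
   fi
   # If execution made it to here in the loop, the temp cert is trusted
   # Find the cert data and generate a cert file for it
   cp "${tempfile}" tempfile.cer
   perl "${CONVERTSCRIPT}" > tempfile.crt
   keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
   if [ -z "${keyhash}" ]; then
     # openssl could not parse the converted data; the original would have
     # renamed the file to "certs/.pem" and bundled whatever it contained.
     echo "Could not hash the certificate from ${tempfile}; skipping"
     rm -f tempfile.cer tempfile.crt "${tempfile}"
     continue
   fi
   mv tempfile.crt "certs/${keyhash}.pem"
   rm -f tempfile.cer "${tempfile}"
   echo "Created ${keyhash}.pem"
 done
 # Remove blacklisted files
 # MD5 Collision Proof of Concept CA
 if test -f certs/8f111d69.pem; then
   echo "Certificate 8f111d69 is not trusted!  Removing..."
   rm -f certs/8f111d69.pem
 fi
 # Finally, generate the bundle and clean up.
 cat certs/*.pem > "${BUNDLE}"
 rm -r "${TEMPDIR}"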
 EOF
 #
 # remove-expired-certs.sh
 #
 cat > %{_builddir}/bin/remove-expired-certs.sh << "EOF"
 #!/bin/bash
 # Begin /bin/remove-expired-certs.sh
 # Version 20120211
 # Make sure the date is parsed correctly on all systems
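 # Convert an openssl date string ("Mon DD HH:MM:SS YYYY GMT"; openssl pads
 # a single-digit day with a second space) into YYYYMMDD in the global
 # variable certdate so two dates can be compared numerically.
 # Returns 1 and leaves certdate empty when the month or day does not
 # parse; the original produced a short, always-"expired" value instead.
 function mydate()
 {
   local M d y time zone m
   # read splits on runs of whitespace, so "Jan  5 ..." and "Jan 5 ..."
   # both parse; cut -d" " -f2 returned an empty day on the double space.
   read -r M d time y zone <<< "$1"
   case $d in
     [0-9])      d="0${d}";;
     [0-9][0-9]) ;;
     *)          echo "mydate: unrecognised day in '$1'" >&2; certdate=""; return 1;;
   esac
   case $M in
     Jan) m="01";;
     Feb) m="02";;
     Mar) m="03";;
     Apr) m="04";;
     May) m="05";;
     Jun) m="06";;
     Jul) m="07";;
     Aug) m="08";;
     Sep) m="09";;
     Oct) m="10";;
     Nov) m="11";;
     Dec) m="12";;
     *)   echo "mydate: unrecognised month in '$1'" >&2; certdate=""; return 1;;
   esac
   certdate="${y}${m}${d}"
 }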
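 OPENSSL=/usr/bin/openssl
 # NOTE: the spec's build section rewrites the next assignment with sed so
 # the installed copy defaults to /etc/ssl/certs; keep its text as is.
 DIR=certs
 if [ $# -gt 0 ]; then
   DIR="$1"
 fi
 today=$( date +%Y%m%d )
 # -type f has to cover both name patterns; without the grouping the
 # original's "-o -name *.crt" matched entries of any type.  NUL-separated
 # names survive spaces in paths, and the process substitution keeps the
 # loop in the current shell.
 while IFS= read -r -d '' cert; do
   notafter=$( "${OPENSSL}" x509 -enddate -in "${cert}" -noout ) || continue
   # Unquoted on purpose: word splitting collapses the double space openssl
   # prints before a single-digit day, which mydate's parsing expects.
   enddate=$( echo ${notafter#notAfter=} )
   mydate "${enddate}" || continue
   if [ "${certdate}" -lt "${today}" ]; then
      echo "${cert} expired on ${certdate}! Removing..."
      rm -f "${cert}"
   fi
 done < <( find "${DIR}" -type f \( -name "*.pem" -o -name "*.crt" \) -print0 )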
 EOF
 
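 chmod +x %{_builddir}/bin/make-cert.pl
 chmod +x %{_builddir}/bin/make-ca.sh
 chmod +x %{_builddir}/bin/remove-expired-certs.sh
 
 # Stop the build if either helper fails; otherwise an empty or partial
 # certs/ directory would be packaged without complaint.
 printf "making certs\n"
 bin/make-ca.sh || exit 1
 printf "Removing expired certs\n"
 bin/remove-expired-certs.sh || exit 1
 printf "Build portion completed\n"
 
 # Point the copies that get installed at their absolute locations.  The
 # sed patterns must match the assignments inside the scripts; check that
 # each rewrite took effect rather than shipping the relative build path.
 sed -i 's|CONVERTSCRIPT="bin/make-cert.pl"|CONVERTSCRIPT="/bin/make-cert.pl"|' bin/make-ca.sh
 grep -q 'CONVERTSCRIPT="/bin/make-cert.pl"' bin/make-ca.sh || exit 1
 sed -i 's|DIR=certs|DIR=/etc/ssl/certs|' bin/remove-expired-certs.sh
 grep -q 'DIR=/etc/ssl/certs' bin/remove-expired-certs.sh || exit 1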
 
 %install
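 SSLDIR=/etc/ssl
 install -d "%{buildroot}/${SSLDIR}/certs"
 install -d "%{buildroot}/etc/pki/tls/certs"
 cp -v certs/*.pem "%{buildroot}/${SSLDIR}/certs"
 # install's default mode is 755; a data file should not be executable.
 install -m644 BLFS-ca-bundle*.crt "%{buildroot}/etc/pki/tls/certs/ca-bundle.crt"
 #ln -sfv ../$(readlink %{buildroot}/${SSLDIR}/ca-bundle.crt) %{buildroot}/${SSLDIR}/certs/ca-certificates.crt
 unset SSLDIR
 
 # The helper scripts carry a shebang, are chmod +x'ed in the build section
 # and are installed into /bin, so ship them executable.  The original used
 # 644, and %%{_fixperms} (a+rX) does not add x to a file that has none.
 install -Dm755 bin/make-ca.sh %{buildroot}/bin/make-ca.sh
 install -Dm755 bin/make-cert.pl %{buildroot}/bin/make-cert.pl
 install -Dm755 bin/remove-expired-certs.sh %{buildroot}/bin/remove-expired-certs.sh
 %{_fixperms} %{buildroot}/*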
 
 %post
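 # Create the <subject hash>.0 links that OpenSSL's CApath lookup needs.
 # The cd must not fail silently: unchecked, the loop would create the
 # links in whatever directory the scriptlet happens to run in.
 # NOTE(review): openssl is executed here, but Requires(post) only lists
 # /bin/ln; the ordinary Requires on openssl does not guarantee it is
 # installed before this scriptlet runs.
 cd /etc/ssl/certs || { echo "/etc/ssl/certs is missing; not creating hash links" >&2; exit 0; }
 for file in *.pem; do
   # An unmatched glob leaves the literal "*.pem", which would end up as a
   # dangling link named ".0"; skip it, and skip anything openssl cannot hash.
   [ -f "${file}" ] || continue
   hash=$(openssl x509 -hash -noout -in "${file}") || continue
   [ -n "${hash}" ] || continue
   # Certificates sharing a subject hash all map to the same .0 name, so
   # the last one processed wins, as in the original.
   ln -sf "${file}" "${hash}.0"
 done
 exit 0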
 
 %clean
 %files
 %defattr(-,root,root)
 /etc/ssl/certs/*
 /bin/make-ca.sh
 /bin/remove-expired-certs.sh
 /bin/make-cert.pl
 
 %files pki
 %defattr(-,root,root)
 /etc/pki/tls/certs/ca-bundle.crt
 
 %changelog
 * Wed May 22 2019 Gerrit Photon <photon-checkins@vmware.com> 20190521-1
 - Automatic Version Bump
 * Tue Sep 25 2018 Ankit Jain <ankitja@vmware.com> 20180919-1
 - Updating mozilla certdata.txt to latest revision
 * Wed May  3 2017 Bo Gan <ganb@vmware.com> 20170406-3
 - Fixed dependency on coreutils
 * Fri Apr 14 2017 Alexey Makhalov <amakhalov@vmware.com> 20170406-2
 - Added -pki subpackage
 * Fri Apr 07 2017 Anish Swaminathan <anishs@vmware.com> 20170406-1
 - Updating mozilla certdata.txt to latest revision
 * Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 20160109-5
 - GA - Bump release of all rpms
 * Wed Feb 10 2016 Anish Swaminathan <anishs@vmware.com> 20160109-4
 - Add Provides field
 * Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> 20160109-3
 - Force create links for certificates
 * Mon Feb 01 2016 Anish Swaminathan <anishs@vmware.com> 20160109-2
 - Remove c_rehash dependency
 * Wed Jan 13 2016 Divya Thaluru <dthaluru@vmware.com> 20160109-1
 - Updating mozilla certdata.txt to latest revision
 * Wed Oct 15 2014 Divya Thaluru <dthaluru@vmware.com> 20130524-1
 - Initial build.  First version