1. photon
  2. SPECS
  3. ca-certificates
  4. ca-certificates.spec
Raw Blame History 
Summary:	Certificate Authority certificates 
Name:		ca-certificates
Version:	20130524
Release:	1%{?dist}
License:	Custom
URL:		http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/
Group:		System Environment/Security
Vendor:		VMware, Inc.
Distribution:	Photon
Source0:	certdata.txt
Requires:	openssl
BuildRequires:	openssl
%description
The Public Key Inrastructure is used for many security issues in a
Linux system. In order for a certificate to be trusted, it must be
signed by a trusted agent called a Certificate Authority (CA). The
certificates loaded by this section are from the list on the Mozilla
version control system and formats it into a form used by 
OpenSSL-1.0.1e. The certificates can also be used by other applications
either directly of indirectly through openssl.
%prep -p exit
%build
[ %{builddir} != "/"] && rm -rf %{builddir}/*
install -vdm 755 %{_builddir}/bin/
cp %{SOURCE0} %{_builddir}
#
#	make-cert.pl
#
cat > %{_builddir}/bin/make-cert.pl << "EOF"
#!/usr/bin/perl -w
# Used to generate PEM encoded files from Mozilla certdata.txt.
# Run as ./make-cert.pl > certificate.crt
# Parts of this script courtesy of RedHat (mkcabundle.pl)
# This script modified for use with single file data (tempfile.cer) extracted
# from certdata.txt, taken from the latest version in the Mozilla NSS source.
# mozilla/security/nss/lib/ckfw/builtins/certdata.txt
# Authors:	DJ Lucas
#		Bruce Dubbs
# Version 20120211
my $certdata = './tempfile.cer';
open( IN, "cat $certdata|" )
    || die "could not open $certdata";
my $incert = 0;
while ( <IN> )
{
    if ( /^CKA_VALUE MULTILINE_OCTAL/ )
    {
        $incert = 1;
        open( OUT, "|openssl x509 -text -inform DER -fingerprint" )
            || die "could not pipe to openssl x509";
    }
    elsif ( /^END/ && $incert )
    {
        close( OUT );
        $incert = 0;
        print "\n\n";
    }
    elsif ($incert)
    {
        my @bs = split( /\\/ );
        foreach my $b (@bs)
        {
            chomp $b;
            printf( OUT "%c", oct($b) ) unless $b eq '';
        }
    }
}
EOF
#
#	make-ca.sh
#
cat > %{_builddir}/bin/make-ca.sh << "EOF"
#!/bin/bash
# Begin make-ca.sh
# Script to populate OpenSSL's CApath from a bundle of PEM formatted CAs
# The file certdata.txt must exist in the local directory
# Version number is obtained from the version of the data.
# Authors: DJ Lucas
#          Bruce Dubbs
# Version 20120211
certdata="certdata.txt"
if [ ! -r $certdata ]; then
  echo "$certdata must be in the local directory"
  exit 1
fi
REVISION=$(grep CVS_ID $certdata | cut -f4 -d'$')
if [ -z "${REVISION}" ]; then
  echo "$certfile has no 'Revision' in CVS_ID"
  exit 1
fi
VERSION=$(echo $REVISION | cut -f2 -d" ")
TEMPDIR=$(mktemp -d)
TRUSTATTRIBUTES="CKA_TRUST_SERVER_AUTH"
BUNDLE="BLFS-ca-bundle-${VERSION}.crt"
CONVERTSCRIPT="bin/make-cert.pl"
SSLDIR="/etc/ssl"
mkdir "${TEMPDIR}/certs"
# Get a list of staring lines for each cert
CERTBEGINLIST=$(grep -n "^# Certificate" "${certdata}" | cut -d ":" -f1)
# Get a list of ending lines for each cert
CERTENDLIST=`grep -n "^CKA_TRUST_STEP_UP_APPROVED" "${certdata}" | cut -d ":" -f 1`
# Start a loop
for certbegin in ${CERTBEGINLIST}; do
  for certend in ${CERTENDLIST}; do
    if test "${certend}" -gt "${certbegin}"; then
      break
    fi
  done
  # Dump to a temp file with the name of the file as the beginning line number
  sed -n "${certbegin},${certend}p" "${certdata}" > "${TEMPDIR}/certs/${certbegin}.tmp"
done
unset CERTBEGINLIST CERTDATA CERTENDLIST certebegin certend
mkdir -p certs
rm certs/*      # Make sure the directory is clean
for tempfile in ${TEMPDIR}/certs/*.tmp; do
  # Make sure that the cert is trusted...
  grep "CKA_TRUST_SERVER_AUTH" "${tempfile}" | \
    egrep "TRUST_UNKNOWN|NOT_TRUSTED" > /dev/null
  if test "${?}" = "0"; then
    # Throw a meaningful error and remove the file
    cp "${tempfile}" tempfile.cer
    perl ${CONVERTSCRIPT} > tempfile.crt
    keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
    echo "Certificate ${keyhash} is not trusted!  Removing..."
    rm -f tempfile.cer tempfile.crt "${tempfile}"
    continue
  fi
  # If execution made it to here in the loop, the temp cert is trusted
  # Find the cert data and generate a cert file for it
  cp "${tempfile}" tempfile.cer
  perl ${CONVERTSCRIPT} > tempfile.crt
  keyhash=$(openssl x509 -noout -in tempfile.crt -hash)
  mv tempfile.crt "certs/${keyhash}.pem"
  rm -f tempfile.cer "${tempfile}"
  echo "Created ${keyhash}.pem"
done
# Remove blacklisted files
# MD5 Collision Proof of Concept CA
if test -f certs/8f111d69.pem; then
  echo "Certificate 8f111d69 is not trusted!  Removing..."
  rm -f certs/8f111d69.pem
fi
# Finally, generate the bundle and clean up.
cat certs/*.pem >  ${BUNDLE}
rm -r "${TEMPDIR}"
EOF
#
#	remove-expired-certs.sh\
#
cat > %{_builddir}/bin/remove-expired-certs.sh << "EOF"
#!/bin/bash
# Begin /bin/remove-expired-certs.sh
# Version 20120211
# Make sure the date is parsed correctly on all systems
function mydate()
{
  local y=$( echo $1 | cut -d" " -f4 )
  local M=$( echo $1 | cut -d" " -f1 )
  local d=$( echo $1 | cut -d" " -f2 )
  local m
  if [ ${d} -lt 10 ]; then d="0${d}"; fi
  case $M in
    Jan) m="01";;
    Feb) m="02";;
    Mar) m="03";;
    Apr) m="04";;
    May) m="05";;
    Jun) m="06";;
    Jul) m="07";;
    Aug) m="08";;
    Sep) m="09";;
    Oct) m="10";;
    Nov) m="11";;
    Dec) m="12";;
  esac
  certdate="${y}${m}${d}"
}
OPENSSL=/usr/bin/openssl
DIR=certs
if [ $# -gt 0 ]; then
  DIR="$1"
fi
certs=$( find ${DIR} -type f -name "*.pem" -o -name "*.crt" )
today=$( date +%Y%m%d )
for cert in $certs; do
  notafter=$( $OPENSSL x509 -enddate -in "${cert}" -noout )
  date=$( echo ${notafter} |  sed 's/^notAfter=//' )
  mydate "$date"
  if [ ${certdate} -lt ${today} ]; then
     echo "${cert} expired on ${certdate}! Removing..."
     rm -f "${cert}"
  fi
done
EOF

chmod +x %{_builddir}/bin/make-cert.pl
chmod +x %{_builddir}/bin/make-ca.sh
chmod +x %{_builddir}/bin/remove-expired-certs.sh

printf "making certs\n"
bin/make-ca.sh
printf "Removing expired certs\n"
bin/remove-expired-certs.sh
printf "Build portion completed\n"

sed -i 's|CONVERTSCRIPT="bin/make-cert.pl"|CONVERTSCRIPT="/bin/make-cert.pl"|' bin/make-ca.sh
sed -i 's|DIR=certs|DIR=/etc/ssl/certs|' bin/remove-expired-certs.sh
%install
SSLDIR=/etc/ssl
install -d %{buildroot}/${SSLDIR}/certs
install -d %{buildroot}/etc/pki/tls/certs
cp -v certs/*.pem %{buildroot}/${SSLDIR}/certs
install BLFS-ca-bundle*.crt %{buildroot}/etc/pki/tls/certs/ca-bundle.crt
#ln -sfv ../$(readlink %{buildroot}/${SSLDIR}/ca-bundle.crt) %{buildroot}/${SSLDIR}/certs/ca-certificates.crt
unset SSLDIR

install -Dm644 bin/make-ca.sh %{buildroot}/bin/make-ca.sh
install -Dm644 bin/make-cert.pl %{buildroot}/bin/make-cert.pl
install -Dm644 bin/remove-expired-certs.sh %{buildroot}/bin/remove-expired-certs.sh
%{_fixperms} %{buildroot}/*
%post 
cd /etc/ssl/certs;c_rehash .
exit 0
%clean
%files
%defattr(-,root,root)
/etc/pki/tls/certs/ca-bundle.crt
/etc/ssl/certs/*
/bin/make-ca.sh
/bin/remove-expired-certs.sh
/bin/make-cert.pl
%changelog
*	Wed Oct 15 2014 Divya Thaluru <dthaluru@vmware.com> 20130524-1
-	Initial build.	First version