ca-certificates.cygport

NAME="ca-certificates"
VERSION=2.32
RELEASE=1
CATEGORY="Net"
SUMMARY="CA root certificates"
DESCRIPTION="Mozilla's CA root certificates for use with OpenSSL, NSS, GnuTLS,
and other software that handles certificate verification."
HOMEPAGE="http://www.mozilla.org/projects/security/certs/"
SRC_URI="
	 https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
	 https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/nssckbi.h
	 fedora/update-ca-trust
	 fedora/trust-fixes
	 fedora/certdata2pem.py
	 fedora/ca-legacy.conf
	 fedora/ca-legacy
	 fedora/ca-legacy.8.txt
	 fedora/update-ca-trust.8.txt
	 fedora/README.usr
	 fedora/README.etc
	 fedora/README.extr
	 fedora/README.edk2
	 fedora/README.java
	 fedora/README.openssl
	 fedora/README.pem
	 fedora/README.src
"
SRC_DIR=.

ARCH=noarch

BUILD_REQUIRES="asciidoc openssl python3 libxslt"

ca_certificates_REQUIRES="p11-kit p11-kit-trust"
ca_certificates_CONTENTS="
	etc/defaults/etc/pki/ca-trust/ca-legacy.conf
	etc/pki/ca-trust/
	etc/pki/tls/cert.pem
	etc/pki/tls/certs/ca-bundle*.crt
	etc/postinstall/${NAME}.sh
	etc/preremove/${NAME}.sh
	etc/ssl/certs
	usr/bin/ca-legacy
	usr/bin/update-ca-trust
	usr/libexec/p11-kit/
	usr/lib/security/cacerts
	usr/share/man/man8/*
	usr/share/pki/
"

src_compile() {
	mkdir -p ${B}/certs/legacy-{default,disable}
	cd ${B}/certs
	cp ${S}/certdata.txt .
	python3 ${S}/certdata2pem.py

	cd ${B}
	(
		cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities.  It was generated from the Mozilla root CA list.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
#
# Source: mozilla/security/nss/lib/ckfw/builtins/certdata.txt
# Source: mozilla/security/nss/lib/ckfw/builtins/nssckbi.h
#
# Generated from:
EOF
		grep -w NSS_BUILTINS_LIBRARY_VERSION ${S}/nssckbi.h | awk '{print "# " $2 " " $3}';
		echo '#';
	) > ca-bundle.trust.p11-kit

	> ca-bundle.legacy.default.crt
	> ca-bundle.legacy.disable.crt

	for f in certs/legacy-default/*.crt
	do
		[ -f $f ] || continue
		echo "processing $f"
		tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
		alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
		targs=""
		if [ -n "$tbits" ]
		then
			for t in $tbits
			do
				targs="$targs -addtrust $t"
			done
		fi
		if [ -n "$targs" ]
		then
			echo "legacy default flags $targs for $f" >> info.trust
			openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.legacy.default.crt
		fi
	done

	for f in certs/legacy-disable/*.crt
	do
		[ -f $f ] || continue
		echo "processing $f"
		tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
		alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
		targs=""
		if [ -n "$tbits" ]
		then
			for t in $tbits
			do
				targs="${targs} -addtrust $t"
			done
		fi
		if [ -n "$targs" ]
		then
			echo "legacy disable flags $targs for $f" >> info.trust
			openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >> ca-bundle.legacy.disable.crt
		fi
	done

	P11FILES=`find certs -name *.tmp-p11-kit | wc -l`
	if [ $P11FILES -ne 0 ]
	then
		for p in certs/*.tmp-p11-kit
		do
			cat "$p" >> ca-bundle.trust.p11-kit
		done
	fi
	cat ${S}/trust-fixes >> ca-bundle.trust.p11-kit

	for man in update-ca-trust.8 ca-legacy.8
	do
		asciidoc -v -d manpage -b docbook -o ${B}/$man.xml ${S}/$man.txt
		xsltproc --nonet -o ${B}/$man /etc/asciidoc/docbook-xsl/manpage.xsl ${B}/$man.xml
	done
}

src_install() {
	dobin ${S}/update-ca-trust ${S}/ca-legacy
	doman ${B}/update-ca-trust.8 ${B}/ca-legacy.8
	sed -i -e 's/sln/ln -sf/' ${D}/usr/bin/ca-legacy

	# for p11-kit
	dodir /usr/libexec/p11-kit
	dosym ../../bin/update-ca-trust /usr/libexec/p11-kit/trust-extract-compat

	insinto /usr/share/pki/ca-trust-source
	doins ${B}/ca-bundle.trust.p11-kit
	newins ${S}/README.usr README
	dodir /usr/share/pki/ca-trust-source/{anchors,blacklist}
	keepdir /usr/share/pki/ca-trust-source/{anchors,blacklist}

	insinto /usr/share/pki/ca-trust-legacy
	doins ${B}/ca-bundle.legacy.default.crt
	doins ${B}/ca-bundle.legacy.disable.crt

	insinto /etc/pki/ca-trust
	doins ${S}/ca-legacy.conf
	make_etc_defaults /etc/pki/ca-trust/ca-legacy.conf

	cat >> ${D}/etc/postinstall/${NAME}.sh <<-_EOF
		/usr/bin/ca-legacy install
		/usr/bin/update-ca-trust
	_EOF

	# touch all files overwritten by update-ca-trust for easy cleanup
	insinto /etc/pki/ca-trust/extracted
	newins ${S}/README.extr README

	insinto /etc/pki/ca-trust/extracted/openssl
	newins ${S}/README.openssl README
	touch ${D}/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

	insinto /etc/pki/ca-trust/extracted/pem
	newins ${S}/README.pem README
	touch ${D}/etc/pki/ca-trust/extracted/pem/{tls,email,objsign}-ca-bundle.pem

	insinto /etc/pki/ca-trust/extracted/java
	newins ${S}/README.java README
	touch ${D}/etc/pki/ca-trust/extracted/java/cacerts

	insinto /etc/pki/ca-trust/extracted/edk2
	newins ${S}/README.edk2 README
	touch ${D}/etc/pki/ca-trust/extracted/edk2/cacerts.bin

	insinto /etc/pki/ca-trust/source
	newins ${S}/README.src README
	dodir /etc/pki/ca-trust/source/{anchors,blacklist}
	keepdir /etc/pki/ca-trust/source/{anchors,blacklist}

	dodir /etc/pki/tls/certs /etc/ssl
	# for OpenSSL
	dosym /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/cert.pem
	# for backwards compatibility
	dosym /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/pki/tls/certs/ca-bundle.crt
	dosym /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt /etc/pki/tls/certs/ca-bundle.trust.crt
	# for other hardcoded ca-certificates consumers
	dosym /etc/pki/tls/certs /etc/ssl/certs

	# for GNU Classpath Java
	dodir /usr/lib/security
	dosym /etc/pki/ca-trust/extracted/java/cacerts /usr/lib/security/cacerts
}