Import ca-certificates 2008-4.
parent
1841f55888
commit
d01a981fd7
10625
ca-bundle.crt
Normal file
File diff suppressed because it is too large
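--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -0,0 +1,71 @@
+### Note that mkcabundle.pl is used to generate ca-bundle.crt
+### before generating a source RPM, and is not used during the
+### build.
+
+%define pkidir %{_sysconfdir}/pki
+
+Summary: The Mozilla CA root certificate bundle
+Name: ca-certificates
+Version: 2008
+Release: 4
+License: Public Domain
+Group: System Environment/Base
+URL: http://www.mozilla.org/
+Source0: ca-bundle.crt
+Source1: generate-cacerts.pl
+Source2: mkcabundle.pl
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
+BuildRequires: perl, java-openjdk
+BuildArch: noarch
+
+%description
+This package contains the set of CA certificates chosen by the
+Mozilla Foundation for use with the Internet PKI.
+
+%prep
+rm -rf %{name}
+mkdir %{name}
+
+%build
+pushd %{name}
+%{__perl} %{SOURCE1} %{_bindir}/keytool %{SOURCE0}
+touch -r %{SOURCE0} cacerts
+popd
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+mkdir -p $RPM_BUILD_ROOT{%{pkidir}/tls/certs,%{pkidir}/java}
+
+install -p -m 644 %{SOURCE0} $RPM_BUILD_ROOT%{pkidir}/tls/certs/ca-bundle.crt
+
+# Install Java cacerts file.
+mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java
+install -p -m 644 %{name}/cacerts $RPM_BUILD_ROOT%{pkidir}/java/
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root,-)
+%dir %{pkidir}/java
+%config(noreplace) %{pkidir}/java/cacerts
+%dir %{pkidir}/tls
+%dir %{pkidir}/tls/certs
+%config(noreplace) %{pkidir}/tls/certs/ca-bundle.crt
+
+%changelog
+* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-4
+- use package name for temp dir, recreate it in prep
+
+* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-3
+- fix source script perms
+- mark packaged files as config(noreplace)
+
+* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-2
+- add (but don't use) mkcabundle.pl
+- tweak description
+- use /usr/bin/keytool directly; BR java-openjdk
+
+* Tue May 27 2008 Joe Orton <jorton@redhat.com> 2008-1
+- Initial build (#448497)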
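Review bot: Marking both trust stores `%config(noreplace)` in `%files` means that on any system where `ca-bundle.crt` or `cacerts` was edited locally, later package updates are written to `.rpmnew` and the old root set, including any CA that was removed upstream, stays in effect. If that trade-off is intended to protect local additions, it should be stated above the `%files` entries, e.g. `# noreplace: local edits win; updated roots land in .rpmnew and must be merged by hand`. Separately, `mkdir -p -m 700 $RPM_BUILD_ROOT%{pkidir}/java` in `%install` has no effect because the earlier `mkdir -p` already created that directory, and mode 0700 would hide the 0644 `cacerts` from non-root users if it did apply; I would drop the `-m 700`.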
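--- a/generate-cacerts.pl
+++ b/generate-cacerts.pl
@@ -0,0 +1,105 @@
+#!/usr/bin/perl
+
+# Copyright (C) 2007, 2008 Red Hat, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# generate-cacerts.pl generates a JKS keystore named 'cacerts' from
+# OpenSSL's certificate bundle using OpenJDK's keytool.
+
+# First extract each of OpenSSL's bundled certificates into its own
+# aliased filename.
+$file = $ARGV[1];
+open(CERTS, $file);
+@certs = <CERTS>;
+close(CERTS);
+
+$pem_file_number = 0;
+$writing_cert = 0;
+foreach $cert (@certs)
+{
+if ($cert eq "-----BEGIN CERTIFICATE-----\n")
+{
+if ($writing_cert != 0)
+{
+die "$file is malformed.";
+}
+$pem_file_number++;
+# Numbering each file guarantees that cert aliases will be
+# unique.
+$pem_file_name = "$pem_file_number$cert_alias.pem";
+$writing_cert = 1;
+open(PEM, ">$pem_file_name");
+print PEM $cert;
+}
+elsif ($cert eq "-----END CERTIFICATE-----\n")
+{
+$writing_cert = 0;
+print PEM $cert;
+close(PEM);
+}
+elsif ($cert =~ /Issuer: /)
+{
+# Generate an alias using the OU and CN attributes of the
+# Issuer field if both are present, otherwise use only the CN
+# attribute. The Issuer field must have either the OU or the
+# CN attribute.
+$_ = $cert;
+if ($cert =~ /OU=/)
+{
+s/Issuer:.*?OU=//;
+# Remove other occurrences of OU=.
+s/OU=.*CN=//;
+# Remove CN= if there were not other occurrences of OU=.
+s/CN=//;
+}
+elsif ($cert =~ /CN=/)
+{
+s/Issuer:.*CN=//;
+}
+s/\W//g;
+tr/A-Z/a-z/;
+$cert_alias = $_
+}
+else
+{
+if ($writing_cert == 1)
+{
+print PEM $cert;
+}
+}
+}
+
+# Check that the correct number of .pem files were produced.
+@pem_files = <*.pem>;
+if (@pem_files != $pem_file_number)
+{
+die "Number of .pem files produced does not match".
+" number of certs read from $file.";
+}
+
+# Now store each cert in the 'cacerts' file using keytool.
+$certs_written_count = 0;
+foreach $pem_file (@pem_files)
+{
+system "yes | $ARGV[0] -import".
+" -alias `basename $pem_file .pem`".
+" -keystore cacerts -storepass 'changeit' -file $pem_file";
+unlink($pem_file);
+$certs_written_count++;
+}
+
+# Check that the correct number of certs were added to the keystore.
+if ($certs_written_count != $pem_file_number)
+{
+die "Number of certs added to keystore does not match".
+" number of certs read from $file.";
+}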
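Review bot: The final "certs added to keystore" check cannot fail, because `$certs_written_count++` runs whether or not keytool succeeded and the exit status of `system` in the import loop is never inspected; a failed or rejected import therefore produces a `cacerts` with fewer trust anchors and a build that still succeeds. The same fail-open pattern applies to `open(CERTS, $file)` and `open(PEM, ">$pem_file_name")`, which are unchecked two-argument opens; if the bundle cannot be read, both counts are zero and both checks pass. I would make each of these calls fatal on error and invoke keytool in list form with `-noprompt`, which removes the `yes |` pipe and the shell interpolation of `$ARGV[0]` and the file name. The prompt behaviour of `-noprompt` should be confirmed against the keytool in the build root.

```perl
# … unchanged: PEM extraction and .pem count check …
foreach $pem_file (@pem_files)
{
    ($alias = $pem_file) =~ s/\.pem$//;
    system($ARGV[0], '-import', '-noprompt',
           '-alias', $alias,
           '-keystore', 'cacerts', '-storepass', 'changeit',
           '-file', $pem_file) == 0
        or die "keytool failed to import $pem_file (status $?)";
    unlink($pem_file);
    $certs_written_count++;
}
# … unchanged: final count check …
```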
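--- a/mkcabundle.pl
+++ b/mkcabundle.pl
@@ -0,0 +1,41 @@
+#!/usr/bin/perl -w
+#
+# Used to regenerate ca-bundle.crt from the Mozilla certdata.txt.
+# Run as ./mkcabundle.pl > ca-bundle.crt
+#
+
+my $cvsroot = ':pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot';
+my $certdata = 'mozilla/security/nss/lib/ckfw/builtins/certdata.txt';
+
+open(IN, "cvs -d $cvsroot co -p $certdata|")
+|| die "could not check out certdata.txt";
+
+my $incert = 0;
+
+print<<EOH;
+# This is a bundle of X.509 certificates of public Certificate
+# Authorities. It was generated from the Mozilla root CA list.
+#
+# Source: $certdata
+#
+EOH
+
+while (<IN>) {
+if (/^CKA_VALUE MULTILINE_OCTAL/) {
+$incert = 1;
+open(OUT, "|openssl x509 -text -inform DER -fingerprint")
+|| die "could not pipe to openssl x509";
+} elsif (/^END/ && $incert) {
+close(OUT);
+$incert = 0;
+print "\n\n";
+} elsif ($incert) {
+my @bs = split(/\\/);
+foreach my $b (@bs) {
+chomp $b;
+printf(OUT "%c", oct($b)) unless $b eq '';
+}
+} elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
+print "# Generated from certdata.txt RCS revision $1\n#\n";
+}
+}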
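Review bot: The `while (<IN>)` loop copies every `CKA_VALUE MULTILINE_OCTAL` object into the bundle and never reads the trust attributes that certdata.txt keeps alongside each certificate, so any entry shipped there as not trusted would still become a system trust anchor. The loop should parse the matching trust object and emit only entries trusted for server authentication. The input also arrives over anonymous `:pserver:` CVS, which gives no integrity protection to what ends up as the root set, and the header comment should say how the result is verified, e.g. `# Output must be diffed against the previous bundle and reviewed before import.` Finally, `close(OUT)` is unchecked, so a certificate that `openssl x509` fails to parse is dropped silently; `close(OUT) || die "openssl x509 failed";` would make that visible.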