# don't make useless debug packages
# (both macros are emptied so that no debug subpackage is generated)
%define _enable_debug_packages %{nil}
%define debug_package %{nil}

# _without = java enabled, _with = java disabled
# The Java keystore subpackage is therefore built by default on every
# architecture except ARM and MIPS, where it stays off unless the build is
# run with "--with java".
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary: Bundle of CA Root Certificates
Name: rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch: 1
# Version is also the date stamp in the Source1 file name below.
Version: 20140318.00
Release: %mkrel 1
# NOTE(review): the LICENSE file shipped as documentation is cut from the head
# of certdata.txt in the prep section - confirm this tag matches that text.
License: GPL
Group: Security
URL: http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
# Source0 is a bare file name: the spec records no fetchable URL and no digest
# for the tarball, so its provenance rests on the comment above.
Source0: rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# https://hg.mozilla.org/mozilla-central/raw-file/3bc3b9e2cd99/security/nss/lib/ckfw/builtins/certdata.txt
# The CA bundle built by this package is derived from this file. The last URL
# above pins one upstream changeset; when bumping Version, compare the packaged
# file against the upstream copy of the changeset actually used.
Source1: certdata-%{version}.txt
# Extra CA entries in Mozilla certdata format; appended to certdata.txt in the
# prep section.
Source2: rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
# NOTE(review): the URL above is plain HTTP, and the build section adds this
# file as a trusted root. Check its fingerprint against a value obtained over
# an independent channel whenever the file is replaced.
Source3: cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
# NOTE(review): described in the build section as an intermediate certificate,
# yet it is added there with the same trust flags as a root and so acts as a
# trust anchor of its own - confirm this is still intended.
Source4: verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6: generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0: generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1: generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2: generate-cacerts-rename-duplicates.patch
# perl runs mkcerts.pl and generate-cacerts.pl, openssl converts PEM to DER;
# addbuiltin is presumably what nss is required for - confirm.
BuildRequires: perl openssl nss
%if %with java
# The build section calls keytool from the Java home directory to create the
# keystore.
BuildRequires: javapackages-tools
BuildRequires: java-devel
%endif
# NOTE(review): the text below suggests the bundle as SSLCACertificateFile for
# client authentication. The bundle holds every public CA, so a server set up
# that way accepts a client certificate issued by any of them; client
# authentication is normally anchored to a private CA instead.
%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.
%if %with java
%package java
# Subpackage carrying the Java keystore; only defined when the java build
# condition is enabled.
Summary: Bundle of CA Root Certificates for Java
Group: Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif
%prep

# Unpack Source0; its top-level directory is named "rootcerts".
%setup -q -n rootcerts

# Stage the Mozilla trust list where the later steps read it.
mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
# (taken as the first four lines of certdata.txt, so the result depends on
# that file's header layout staying the same)
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
# Everything appended here lands in the installed certdata.txt next to
# Mozilla's own entries, so each addition should be reviewed as a change to
# the trust list.
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
# (copied as DER; it is converted and appended to certdata.txt in the build
# section)
cp %{SOURCE3} .

# Java keystore generator; the three patches below are applied to this copy
# with -p0 from the source directory.
cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0
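%build
# Drop the shipped configure script and regenerate the autotools output.
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
# The three comma-separated trust fields are SSL, e-mail and object signing.
# "CT,C,C" marks the certificate as a trusted CA in all three, and for SSL
# also as trusted to issue client certificates (T).
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust trust flags (cCTpPuw).
# The PEM to DER conversion is a step of its own rather than the head of a
# pipeline: a pipeline reports only the exit status of its last command, so a
# failed conversion could otherwise go unnoticed while addbuiltin still
# appended to the trust list.
openssl x509 -in %{SOURCE4} -inform PEM -outform DER \
    -out verisign-class-3-secure-server-ca.der
addbuiltin -n "VeriSign Class 3 Secure Server CA" \
    -t "CT,C,C" < verisign-class-3-secure-server-ca.der >> builtins/certdata.txt

# mkcerts.pl writes the certs.sh script used by the build; presumably it reads
# builtins/certdata.txt - confirm in the script.
perl mkcerts.pl > certs.sh

# The certificate database directory set here is the one listed in the files
# section.
%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
# Concatenate every generated PEM file into the bundle, then append the
# VeriSign intermediate as shipped.
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
# Build the Java keystore from the finished bundle. The install section picks
# up the result as java/cacerts. LC_ALL=C presumably keeps the tool output the
# script parses in one fixed locale - confirm.
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif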
%install
# Start from an empty build root.
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

# The bundle is installed world-readable (0644); it holds public certificates
# only. cert.pem is a relative symlink to it.
install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

# The merged trust list (Mozilla's data plus the entries added in the prep and
# build sections) is shipped as well.
install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
# Java keystore produced in the build section.
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

# README repeats the package description. The here-document delimiter is
# unquoted, which is harmless here because the text contains no dollar sign,
# backquote or backslash.
cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
# The links point at absolute paths under the pki/tls directory. Only certs is
# created by this section; the private directory is presumably provided by
# another package - verify its owner and that its mode keeps key files
# unreadable to other users.
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done
%clean
# Remove the build root once packaging has finished.
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
# The trust files below are marked noreplace: a copy edited by the
# administrator is kept on upgrade and the packaged version is written next to
# it as .rpmnew. On such a system a CA removed by an update stays trusted until
# the two files are merged by hand.
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
# Compatibility symlinks created at the end of the install section.
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private
%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
# Marked noreplace: a locally modified keystore is kept on upgrade, so CA
# removals shipped in an update do not reach it until the .rpmnew copy is
# merged.
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif