current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20140318.00
Release:        %mkrel 1
License:        GPL
Group:          Security
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
# https://hg.mozilla.org/mozilla-central/raw-file/3bc3b9e2cd99/security/nss/lib/ckfw/builtins/certdata.txt
Source1:        certdata-%{version}.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  javapackages-tools
BuildRequires:  java-devel
%endif

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt

# extract the license
head -4 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# be compatible with Debian/Ubuntu SSL paths
# fix #58107 (also used by dovecot default config)
install -d %{buildroot}%{_sysconfdir}/ssl
for d in certs private; do
    ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
done

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs
%{_sysconfdir}/ssl/private

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	pterjan	16345	# don't make useless debug packages
2			%define _enable_debug_packages %{nil}
3			%define debug_package %{nil}
4
5			# _without = java enabled, _with = java disabled
6			%ifnarch %arm %mips
7			%bcond_without java
8			%else
9			%bcond_with java
10			%endif
11
12			Summary: Bundle of CA Root Certificates
13			Name: rootcerts
14			# <mrl> Use this versioning style in order to be easily backportable.
15			# Note that the release is the last two digits on the version.
16			# All BuildRequires for rootcerts should be done this way:
17			# BuildRequires: rootcerts >= 0:20070402.00, for example
18			# - NEVER specifying the %%{release}
19			Epoch: 1
20	oden	605584	Version: 20140318.00
21	luigiwalser	551152	Release: %mkrel 1
22	pterjan	16345	License: GPL
23	fwang	392002	Group: Security
24	wally	18895	URL: http://www.mageia.org
25	pterjan	16345	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26			Source0: rootcerts.tar.bz2
27			# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	luigiwalser	551152	# https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt
29			# See https://hg.mozilla.org/projects/nss/log/default/lib/ckfw/builtins/certdata.txt for new versions
30	oden	605584	# https://hg.mozilla.org/mozilla-central/raw-file/3bc3b9e2cd99/security/nss/lib/ckfw/builtins/certdata.txt
31	oden	491361	Source1: certdata-%{version}.txt
32	pterjan	16345	Source2: rootcerts-igp-brasil.txt
33			# http://www.cacert.org/certs/root.der
34			Source3: cacert.org.der
35			# http://qa.mandriva.com/show_bug.cgi?id=29612
36			# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
37			Source4: verisign-class-3-secure-server-ca.pem
38			# Java JKS keystore generator:
39			# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
40			Source6: generate-cacerts.pl
41			# Fix overwriting issue with generate-cacerts.pl
42			Patch0: generate-cacerts-fix-entrustsslca.patch
43			# Some hacks to make generate-cacerts.pl work with some of our certificates
44	wally	18895	Patch1: generate-cacerts-mageia.patch
45			# Just rename identically named certificates that are not handled by mageia.patch
46	pterjan	16345	Patch2: generate-cacerts-rename-duplicates.patch
47			BuildRequires: perl openssl nss
48			%if %with java
49	luigiwalser	491390	BuildRequires: javapackages-tools
50			BuildRequires: java-devel
51	pterjan	16345	%endif
52
53			%description
54			This is a bundle of X.509 certificates of public Certificate
55			Authorities (CA). These were automatically extracted from Mozilla's
56			root CA list (the file "certdata.txt"). It contains the certificates
57			in both plain text and PEM format and therefore can be directly used
58			with an Apache/mod_ssl webserver for SSL client authentication. Just
59			configure this file as the SSLCACertificateFile.
60
61			%if %with java
62			%package java
63			Summary: Bundle of CA Root Certificates for Java
64			Group: Development/Java
65
66			%description java
67			Bundle of X.509 certificates of public Certificate Authorities (CA)
68			in a format used by Java Runtime Environment.
69			%endif
70
71			%prep
72
73			%setup -q -n rootcerts
74
75			mkdir -p builtins
76			cp %{SOURCE1} builtins/certdata.txt
77
78			# extract the license
79	oden	491361	head -4 builtins/certdata.txt > LICENSE
80	pterjan	16345
81			# add additional CA's here, needs to have the mozilla format...
82			cat %{SOURCE2} >> builtins/certdata.txt
83
84			# CAcert
85			cp %{SOURCE3} .
86
87			cp %{SOURCE6} .
88			%patch0 -p0
89			%patch1 -p0
90			%patch2 -p0
91
92			%build
93			rm -f configure
94			libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
95
96			# CAcert
97			# http://wiki.cacert.org/wiki/NSSLib
98			addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
99
100			# new verisign intermediate certificate
101			# -t trust trust flags (cCTpPuw).
102			openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
103			addbuiltin -n "VeriSign Class 3 Secure Server CA" \
104			-t "CT,C,C" >> builtins/certdata.txt
105
106			perl mkcerts.pl > certs.sh
107
108			%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
109			%make
110			cat pem/*.pem > ca-bundle.crt
111			cat %{SOURCE4} >> ca-bundle.crt
112
113			%if %with java
114			mkdir -p java
115			cd java
116			LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
117			cd ..
118			%endif
119
120			%install
121			rm -rf %{buildroot}
122
123			%makeinstall_std
124
125			install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
126			install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
127			install -d %{buildroot}%{_bindir}
128
129			install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
130			ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
131
132			install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
133
134			%if %with java
135			install -d %{buildroot}%{_sysconfdir}/pki/java
136			install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
137			%endif
138
139			cat > README << EOF
140
141			R O O T C E R T S
142			-----------------
143
144			This is a bundle of X.509 certificates of public Certificate
145			Authorities (CA). These were automatically extracted from Mozilla's
146			root CA list (the file "certdata.txt"). It contains the certificates
147			in both plain text and PEM format and therefore can be directly used
148			with an Apache/mod_ssl webserver for SSL client authentication. Just
149			configure this file as the SSLCACertificateFile.
150
151			EOF
152
153	blino	340430	# be compatible with Debian/Ubuntu SSL paths
154			# fix #58107 (also used by dovecot default config)
155	pterjan	16345	install -d %{buildroot}%{_sysconfdir}/ssl
156	blino	340430	for d in certs private; do
157			ln -sf %{_sysconfdir}/pki/tls/$d %{buildroot}%{_sysconfdir}/ssl/
158			done
159	pterjan	16345
160			%clean
161			rm -rf %{buildroot}
162
163			%files
164			%defattr(-,root,root)
165			%doc README LICENSE
166			%{_sysconfdir}/pki/tls/cert.pem
167			%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
168			%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
169			%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
170			%{_sysconfdir}/ssl/certs
171	blino	340430	%{_sysconfdir}/ssl/private
172	pterjan	16345
173			%if %with java
174			%files java
175			%defattr(-,root,root)
176			%dir %{_sysconfdir}/pki/java
177			%config(noreplace) %{_sysconfdir}/pki/java/cacerts
178			%endif