current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20110323.00
Release:        %mkrel 1
License:        GPL
Group:          System/Servers
URL:            http://www.mageia.org
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
Source1:        certdata.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mageia.patch
# Just rename identically named certificates that are not handled by mageia.patch
Patch2:         generate-cacerts-rename-duplicates.patch
# remove the MD5 Collisions Forged Rogue CA 25c3 one
Patch3:         certdata-MD5_Collisions_Forged_Rogue_CA_25c3.diff
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  java-rpmbuild
%endif
Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt
%patch3 -p0

# extract the license
head -36 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# fix #58107
install -d %{buildroot}%{_sysconfdir}/ssl
ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif
1	pterjan	16345	# don't make useless debug packages
2			%define _enable_debug_packages %{nil}
3			%define debug_package %{nil}
4
5			# _without = java enabled, _with = java disabled
6			%ifnarch %arm %mips
7			%bcond_without java
8			%else
9			%bcond_with java
10			%endif
11
12			Summary: Bundle of CA Root Certificates
13			Name: rootcerts
14			# <mrl> Use this versioning style in order to be easily backportable.
15			# Note that the release is the last two digits on the version.
16			# All BuildRequires for rootcerts should be done this way:
17			# BuildRequires: rootcerts >= 0:20070402.00, for example
18			# - NEVER specifying the %%{release}
19			Epoch: 1
20	pterjan	89064	Version: 20110323.00
21			Release: %mkrel 1
22	pterjan	16345	License: GPL
23			Group: System/Servers
24	wally	18895	URL: http://www.mageia.org
25	pterjan	16345	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26			Source0: rootcerts.tar.bz2
27			# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	pterjan	89070	#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
29	pterjan	16345	Source1: certdata.txt
30			Source2: rootcerts-igp-brasil.txt
31			# http://www.cacert.org/certs/root.der
32			Source3: cacert.org.der
33			# http://qa.mandriva.com/show_bug.cgi?id=29612
34			# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
35			Source4: verisign-class-3-secure-server-ca.pem
36			# Java JKS keystore generator:
37			# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
38			Source6: generate-cacerts.pl
39			# Fix overwriting issue with generate-cacerts.pl
40			Patch0: generate-cacerts-fix-entrustsslca.patch
41			# Some hacks to make generate-cacerts.pl work with some of our certificates
42	wally	18895	Patch1: generate-cacerts-mageia.patch
43			# Just rename identically named certificates that are not handled by mageia.patch
44	pterjan	16345	Patch2: generate-cacerts-rename-duplicates.patch
45			# remove the MD5 Collisions Forged Rogue CA 25c3 one
46			Patch3: certdata-MD5_Collisions_Forged_Rogue_CA_25c3.diff
47			BuildRequires: perl openssl nss
48			%if %with java
49			BuildRequires: java-rpmbuild
50			%endif
51			Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
52
53			%description
54			This is a bundle of X.509 certificates of public Certificate
55			Authorities (CA). These were automatically extracted from Mozilla's
56			root CA list (the file "certdata.txt"). It contains the certificates
57			in both plain text and PEM format and therefore can be directly used
58			with an Apache/mod_ssl webserver for SSL client authentication. Just
59			configure this file as the SSLCACertificateFile.
60
61			%if %with java
62			%package java
63			Summary: Bundle of CA Root Certificates for Java
64			Group: Development/Java
65
66			%description java
67			Bundle of X.509 certificates of public Certificate Authorities (CA)
68			in a format used by Java Runtime Environment.
69			%endif
70
71			%prep
72
73			%setup -q -n rootcerts
74
75			mkdir -p builtins
76			cp %{SOURCE1} builtins/certdata.txt
77			%patch3 -p0
78
79			# extract the license
80			head -36 builtins/certdata.txt > LICENSE
81
82			# add additional CA's here, needs to have the mozilla format...
83			cat %{SOURCE2} >> builtins/certdata.txt
84
85			# CAcert
86			cp %{SOURCE3} .
87
88			cp %{SOURCE6} .
89			%patch0 -p0
90			%patch1 -p0
91			%patch2 -p0
92
93			%build
94			rm -f configure
95			libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
96
97			# CAcert
98			# http://wiki.cacert.org/wiki/NSSLib
99			addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
100
101			# new verisign intermediate certificate
102			# -t trust trust flags (cCTpPuw).
103			openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
104			addbuiltin -n "VeriSign Class 3 Secure Server CA" \
105			-t "CT,C,C" >> builtins/certdata.txt
106
107			perl mkcerts.pl > certs.sh
108
109			%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
110			%make
111			cat pem/*.pem > ca-bundle.crt
112			cat %{SOURCE4} >> ca-bundle.crt
113
114			%if %with java
115			mkdir -p java
116			cd java
117			LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
118			cd ..
119			%endif
120
121			%install
122			rm -rf %{buildroot}
123
124			%makeinstall_std
125
126			install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
127			install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
128			install -d %{buildroot}%{_bindir}
129
130			install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
131			ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
132
133			install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
134
135			%if %with java
136			install -d %{buildroot}%{_sysconfdir}/pki/java
137			install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
138			%endif
139
140			cat > README << EOF
141
142			R O O T C E R T S
143			-----------------
144
145			This is a bundle of X.509 certificates of public Certificate
146			Authorities (CA). These were automatically extracted from Mozilla's
147			root CA list (the file "certdata.txt"). It contains the certificates
148			in both plain text and PEM format and therefore can be directly used
149			with an Apache/mod_ssl webserver for SSL client authentication. Just
150			configure this file as the SSLCACertificateFile.
151
152			EOF
153
154			# fix #58107
155			install -d %{buildroot}%{_sysconfdir}/ssl
156			ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs
157
158			%clean
159			rm -rf %{buildroot}
160
161			%files
162			%defattr(-,root,root)
163			%doc README LICENSE
164			%{_sysconfdir}/pki/tls/cert.pem
165			%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
166			%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
167			%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
168			%{_sysconfdir}/ssl/certs
169
170			%if %with java
171			%files java
172			%defattr(-,root,root)
173			%dir %{_sysconfdir}/pki/java
174			%config(noreplace) %{_sysconfdir}/pki/java/cacerts
175			%endif