current/SPECS/rootcerts.spec

# don't make useless debug packages
%define _enable_debug_packages  %{nil}
%define debug_package           %{nil}

# _without = java enabled, _with = java disabled
%ifnarch %arm %mips
%bcond_without java
%else
%bcond_with java
%endif

Summary:        Bundle of CA Root Certificates
Name:           rootcerts
# <mrl> Use this versioning style in order to be easily backportable.
# Note that the release is the last two digits on the version.
# All BuildRequires for rootcerts should be done this way:
# BuildRequires: rootcerts >= 0:20070402.00, for example
# - NEVER specifying the %%{release}
Epoch:          1
Version:        20101202.00
Release:        %mkrel 1
License:        GPL
Group:          System/Servers
URL:            http://www.mandriva.com
# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
Source0:        rootcerts.tar.bz2
# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
Source1:        certdata.txt
Source2:        rootcerts-igp-brasil.txt
# http://www.cacert.org/certs/root.der
Source3:        cacert.org.der
# http://qa.mandriva.com/show_bug.cgi?id=29612
# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
Source4:        verisign-class-3-secure-server-ca.pem
# Java JKS keystore generator:
# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
Source6:        generate-cacerts.pl
# Fix overwriting issue with generate-cacerts.pl
Patch0:         generate-cacerts-fix-entrustsslca.patch
# Some hacks to make generate-cacerts.pl work with some of our certificates
Patch1:         generate-cacerts-mandriva.patch
# Just rename identically named certificates that are not handled by mandriva.cpatch
Patch2:         generate-cacerts-rename-duplicates.patch
# remove the MD5 Collisions Forged Rogue CA 25c3 one
Patch3:         certdata-MD5_Collisions_Forged_Rogue_CA_25c3.diff
BuildRequires:  perl openssl nss
%if %with java
BuildRequires:  java-rpmbuild
%endif
Buildroot:      %{_tmppath}/%{name}-%{version}-%{release}-buildroot

%description
This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

%if %with java
%package java
Summary:        Bundle of CA Root Certificates for Java
Group:          Development/Java

%description java
Bundle of X.509 certificates of public Certificate Authorities (CA)
in a format used by Java Runtime Environment.
%endif

%prep

%setup -q -n rootcerts

#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt

mkdir -p builtins
cp %{SOURCE1} builtins/certdata.txt
%patch3 -p0

# extract the license
head -36 builtins/certdata.txt > LICENSE

# add additional CA's here, needs to have the mozilla format...
cat %{SOURCE2} >> builtins/certdata.txt

# CAcert
cp %{SOURCE3} .

cp %{SOURCE6} .
%patch0 -p0
%patch1 -p0
%patch2 -p0

%build 
rm -f configure
libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy

# CAcert
# http://wiki.cacert.org/wiki/NSSLib
addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt

# new verisign intermediate certificate
# -t trust        trust flags (cCTpPuw).
openssl x509 -in %{SOURCE4} -inform PEM -outform DER | \
        addbuiltin -n "VeriSign Class 3 Secure Server CA" \
        -t "CT,C,C" >> builtins/certdata.txt

perl mkcerts.pl > certs.sh

%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
%make
cat pem/*.pem > ca-bundle.crt
cat %{SOURCE4} >> ca-bundle.crt

%if %with java
mkdir -p java
cd java
LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
cd ..
%endif

%install
rm -rf %{buildroot}

%makeinstall_std

install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
install -d %{buildroot}%{_bindir}

install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem

install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/

%if %with java
install -d %{buildroot}%{_sysconfdir}/pki/java
install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
%endif

cat > README << EOF

R O O T C E R T S
-----------------

This is a bundle of X.509 certificates of public Certificate
Authorities (CA). These were automatically extracted from Mozilla's
root CA list (the file "certdata.txt"). It contains the certificates
in both plain text and PEM format and therefore can be directly used
with an Apache/mod_ssl webserver for SSL client authentication. Just
configure this file as the SSLCACertificateFile.

EOF

# fix #58107
install -d %{buildroot}%{_sysconfdir}/ssl
ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs

%clean
rm -rf %{buildroot}

%files 
%defattr(-,root,root)
%doc README LICENSE
%{_sysconfdir}/pki/tls/cert.pem
%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
%{_sysconfdir}/ssl/certs

%if %with java
%files java
%defattr(-,root,root)
%dir %{_sysconfdir}/pki/java
%config(noreplace) %{_sysconfdir}/pki/java/cacerts
%endif


1	# don't make useless debug packages
2	%define _enable_debug_packages %{nil}
3	%define debug_package %{nil}
4
5	# _without = java enabled, _with = java disabled
6	%ifnarch %arm %mips
7	%bcond_without java
8	%else
9	%bcond_with java
10	%endif
11
12	Summary: Bundle of CA Root Certificates
13	Name: rootcerts
14	# <mrl> Use this versioning style in order to be easily backportable.
15	# Note that the release is the last two digits on the version.
16	# All BuildRequires for rootcerts should be done this way:
17	# BuildRequires: rootcerts >= 0:20070402.00, for example
18	# - NEVER specifying the %%{release}
19	Epoch: 1
20	Version: 20101202.00
21	Release: %mkrel 1
22	License: GPL
23	Group: System/Servers
24	URL: http://www.mandriva.com
25	# S0 originates from http://switch.dl.sourceforge.net/sourceforge/courier/courier-0.52.1.tar.bz2
26	Source0: rootcerts.tar.bz2
27	# www.mail-archive.com/ modssl-users@modssl.org/msg16980.html
28	Source1: certdata.txt
29	Source2: rootcerts-igp-brasil.txt
30	# http://www.cacert.org/certs/root.der
31	Source3: cacert.org.der
32	# http://qa.mandriva.com/show_bug.cgi?id=29612
33	# https://www.verisign.com/support/verisign-intermediate-ca/secure-site-intermediate/index.html
34	Source4: verisign-class-3-secure-server-ca.pem
35	# Java JKS keystore generator:
36	# http://cvs.fedora.redhat.com/viewcvs/devel/ca-certificates/generate-cacerts.pl
37	Source6: generate-cacerts.pl
38	# Fix overwriting issue with generate-cacerts.pl
39	Patch0: generate-cacerts-fix-entrustsslca.patch
40	# Some hacks to make generate-cacerts.pl work with some of our certificates
41	Patch1: generate-cacerts-mandriva.patch
42	# Just rename identically named certificates that are not handled by mandriva.cpatch
43	Patch2: generate-cacerts-rename-duplicates.patch
44	# remove the MD5 Collisions Forged Rogue CA 25c3 one
45	Patch3: certdata-MD5_Collisions_Forged_Rogue_CA_25c3.diff
46	BuildRequires: perl openssl nss
47	%if %with java
48	BuildRequires: java-rpmbuild
49	%endif
50	Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
51
52	%description
53	This is a bundle of X.509 certificates of public Certificate
54	Authorities (CA). These were automatically extracted from Mozilla's
55	root CA list (the file "certdata.txt"). It contains the certificates
56	in both plain text and PEM format and therefore can be directly used
57	with an Apache/mod_ssl webserver for SSL client authentication. Just
58	configure this file as the SSLCACertificateFile.
59
60	%if %with java
61	%package java
62	Summary: Bundle of CA Root Certificates for Java
63	Group: Development/Java
64
65	%description java
66	Bundle of X.509 certificates of public Certificate Authorities (CA)
67	in a format used by Java Runtime Environment.
68	%endif
69
70	%prep
71
72	%setup -q -n rootcerts
73
74	#cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -p mozilla/security/nss/lib/ckfw/builtins/certdata.txt > certdata.txt
75
76	mkdir -p builtins
77	cp %{SOURCE1} builtins/certdata.txt
78	%patch3 -p0
79
80	# extract the license
81	head -36 builtins/certdata.txt > LICENSE
82
83	# add additional CA's here, needs to have the mozilla format...
84	cat %{SOURCE2} >> builtins/certdata.txt
85
86	# CAcert
87	cp %{SOURCE3} .
88
89	cp %{SOURCE6} .
90	%patch0 -p0
91	%patch1 -p0
92	%patch2 -p0
93
94	%build
95	rm -f configure
96	libtoolize --copy --force; aclocal; autoconf; automake --foreign --add-missing --copy
97
98	# CAcert
99	# http://wiki.cacert.org/wiki/NSSLib
100	addbuiltin -n "CAcert Inc." -t "CT,C,C" < cacert.org.der >> builtins/certdata.txt
101
102	# new verisign intermediate certificate
103	# -t trust trust flags (cCTpPuw).
104	openssl x509 -in %{SOURCE4} -inform PEM -outform DER \| \
105	addbuiltin -n "VeriSign Class 3 Secure Server CA" \
106	-t "CT,C,C" >> builtins/certdata.txt
107
108	perl mkcerts.pl > certs.sh
109
110	%configure2_5x --with-certdb=%{_sysconfdir}/pki/tls/rootcerts
111	%make
112	cat pem/*.pem > ca-bundle.crt
113	cat %{SOURCE4} >> ca-bundle.crt
114
115	%if %with java
116	mkdir -p java
117	cd java
118	LC_ALL=C perl ../generate-cacerts.pl %{java_home}/bin/keytool ../ca-bundle.crt
119	cd ..
120	%endif
121
122	%install
123	rm -rf %{buildroot}
124
125	%makeinstall_std
126
127	install -d %{buildroot}%{_sysconfdir}/pki/tls/certs
128	install -d %{buildroot}%{_sysconfdir}/pki/tls/mozilla
129	install -d %{buildroot}%{_bindir}
130
131	install -m0644 ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/certs/
132	ln -s certs/ca-bundle.crt %{buildroot}%{_sysconfdir}/pki/tls/cert.pem
133
134	install -m0644 builtins/certdata.txt %{buildroot}%{_sysconfdir}/pki/tls/mozilla/
135
136	%if %with java
137	install -d %{buildroot}%{_sysconfdir}/pki/java
138	install -m0644 java/cacerts %{buildroot}%{_sysconfdir}/pki/java/
139	%endif
140
141	cat > README << EOF
142
143	R O O T C E R T S
144	-----------------
145
146	This is a bundle of X.509 certificates of public Certificate
147	Authorities (CA). These were automatically extracted from Mozilla's
148	root CA list (the file "certdata.txt"). It contains the certificates
149	in both plain text and PEM format and therefore can be directly used
150	with an Apache/mod_ssl webserver for SSL client authentication. Just
151	configure this file as the SSLCACertificateFile.
152
153	EOF
154
155	# fix #58107
156	install -d %{buildroot}%{_sysconfdir}/ssl
157	ln -sf %{_sysconfdir}/pki/tls/certs %{buildroot}%{_sysconfdir}/ssl/certs
158
159	%clean
160	rm -rf %{buildroot}
161
162	%files
163	%defattr(-,root,root)
164	%doc README LICENSE
165	%{_sysconfdir}/pki/tls/cert.pem
166	%config(noreplace) %{_sysconfdir}/pki/tls/certs/ca-bundle.crt
167	%config(noreplace) %{_sysconfdir}/pki/tls/rootcerts/*
168	%config(noreplace) %{_sysconfdir}/pki/tls/mozilla/certdata.txt
169	%{_sysconfdir}/ssl/certs
170
171	%if %with java
172	%files java
173	%defattr(-,root,root)
174	%dir %{_sysconfdir}/pki/java
175	%config(noreplace) %{_sysconfdir}/pki/java/cacerts
176	%endif
177
178